Infected with tdlcmd.dll/tdlclk.dll


This topic is locked
16 replies to this topic

#1 Robert Cranston (Members, 9 posts)

Posted 28 November 2009 - 12:37 PM

Hi,
I have read through a number of postings and think I have a similar issue to a few others in here.
Logging onto my machine today, every application I try and launch I get an issue with a "Bad Image" and it complains about tdlcmd.dll.

I have run a few different programs to try and clean this up (Anti-Malware, Super Anti-Spyware, and I have CA Anti-Virus running all the time), but no luck.

I ran RootRepeal after reading a few posts and it seems to have located the issue. I was about to look at running ComboFix, but to be honest my windows knowledge is good, but not quite at the level where I can resurrect a PC if it is dead.

I have the RootRepeal and HijackThis logs if needed.

If anyone can lend a hand it would be greatly appreciated.

Thanks in advance.

DDS Logs Below:

DDS (Ver_09-11-24.02) - NTFSx86
Run by Robert at 18:01:36.64 on 28/11/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1169 [GMT 0:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\PerSono\perstray.exe
C:\U.S.R.TurboGWLAN\USRWLANG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Robert\Desktop\RootRepeal.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Robert\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [Google Update] "c:\documents and settings\robert\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [eTrust PestPatrol Active Protection] none
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\perstray.lnk - c:\program files\persono\perstray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\usrobo~1.lnk - c:\u.s.r.turbogwlan\USRWLANG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: microsoft.com\office
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111411904687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\2gio7ih4.default
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\documents and settings\robert\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyGlSh.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2005-2-9 109184]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys --> c:\windows\system32\drivers\pxscan.sys [?]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-24 2234800]
R1 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2006-3-11 120704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 74480]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2004-9-3 35693]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-24 36368]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2008-7-7 15896]
R2 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys --> c:\windows\system32\drivers\pxrts.sys [?]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\slingagentservice.exe --> c:\program files\sling media\slingagent\SlingAgentService.exe [?]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2005-11-7 20296]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-23 24652]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-24 110032]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-24 673456]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2005-5-12 1287296]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2004-9-3 1915837]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2005-2-9 38656]
R3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2005-2-9 90752]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys --> c:\windows\system32\drivers\pxkbf.sys [?]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2007-9-13 31872]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2006-10-25 56576]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S2 SharedAccessTapiSrv;Windows Firewall/Internet Connection Sharing (ICS) SharedAccessTapiSrv;c:\windows\system32\12520437v.exe srv --> c:\windows\system32\12520437v.exe srv [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 Sling_Audio;SlingProjector Audio Device;c:\windows\system32\drivers\SlingAudio.sys [2008-10-1 19072]
S3 SlingAudioBusenum;Sling Audio Bus Enumerator;c:\windows\system32\drivers\SlingAudioBus.sys [2008-7-15 23168]

=============== Created Last 30 ================

2009-11-28 08:34:47 53136 ----a-w- c:\windows\system32\PxSecure.dll-32987234
2009-11-28 08:08:11 4958588 ----a-w- c:\windows\{00000001-00000000-00000009-00001102-00000004-20021102}.BAK
2009-11-28 07:18:27 0 d-----w- c:\program files\SysProt
2009-11-27 22:34:37 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-08 23:04:06 0 d-----w- c:\program files\Windows Media Connect 2

==================== Find3M ====================

2009-10-13 19:36:02 739752 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-10-13 19:36:02 133576 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-09-07 21:02:09 26152 ----a-w- c:\docume~1\robert\applic~1\GDIPFONTCACHEV1.DAT
2007-03-08 10:16:46 7667714 ----a-w- c:\program files\CiscoSystems.zip.NOEXEC

============= FINISH: 18:06:36.98 ===============


RootRepeal Log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 08:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6882000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79FF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4303000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\program files\checkpoint\securemote\log\sr_service-000688.log\initial_ptr
Status: Size mismatch (API: 1004, Raw: 988)

Path: c:\program files\checkpoint\securemote\log\sr_service-000688.log\ptr
Status: Size mismatch (API: 1928, Raw: 1896)

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb43241cc

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324206

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb432451a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb43243f6

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324292

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb432418e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb432464e

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324316

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb432434e

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlclk.dll]
Process: Explorer.EXE (PID: 944) Address: 0x10000000 Size: 20480

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324cec

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324d60

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324c78

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324c36

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324e4c

#: 404 Function Name: NtUserGetForegroundWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324b42

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324b90

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324bc2

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324c04

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324ef0

#: 508 Function Name: NtUserSetClipboardData
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324e1c

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324e9a

#: 592 Function Name: NtUserWindowFromPoint
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324f6a

==EOF==

Merged posts. ~ OB

Edited by Orange Blossom, 28 November 2009 - 03:04 PM.
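
The RootRepeal output in the post above is the kind of log a helper reads by hand: which sections matter, which entries are noise. As an added example (not part of the original post, and not RootRepeal's own code), here is a small Python parser that splits such a log into its sections and ranks what it finds: modules hidden inside a process, loaded drivers with no visible file, SSDT/Shadow SSDT hooks grouped by the driver that placed them, and hidden/locked files. The sample log is a constructed, trimmed excerpt of the one posted above; the regexes fit the layout shown there, and the severity labels and the "expected to be invisible" driver list (the dump_* crash-dump copies of the storage drivers and RootRepeal's own driver) are my own heuristics, not RootRepeal's.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the RootRepeal log posted above,
# kept in RootRepeal's own text layout (one entry per section).
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/28 08:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6882000 Size: 98304 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\program files\checkpoint\securemote\log\sr_service-000688.log\ptr
Status: Size mismatch (API: 1928, Raw: 1896)

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb432451a

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlclk.dll]
Process: Explorer.EXE (PID: 944) Address: 0x10000000 Size: 20480

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\drivers\pxrts.sys" at address 0xb4324c36

==EOF==
"""

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z /]*)\n-{5,}\n", re.M)
DRIVER_RE = re.compile(r"^Name:\s*(\S+)\nImage Path:\s*(.+)\n.*File Visible:\s*(\S+)", re.M)
HIDDEN_RE = re.compile(r"^Path:\s*(.+)\nStatus:\s*(.+)$", re.M)
HOOK_RE = re.compile(r'^#:\s*\d+\s+Function Name:\s*(\S+)\s+Status:\s*Hooked by "([^"]+)"', re.M)
STEALTH_RE = re.compile(r"^Object:\s*.+?\[Name:\s*([^\]]+)\]\s+Process:\s*(\S+) \(PID:\s*(\d+)\)"
                        r" Address:\s*(0x[0-9A-Fa-f]+) Size:\s*(\d+)", re.M)
# "File Visible: No" drivers that are normal (my own allow-list): the dump_*
# copies of the storage stack Windows keeps only in memory for crash-dump
# writing, and RootRepeal's own scanning driver.
EXPECTED_INVISIBLE = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.I)


def split_sections(text):
    """Map each 'Header' + dashed-underline block of a RootRepeal log to its body."""
    marks = list(SECTION_RE.finditer(text))
    ends = [m.start() for m in marks[1:]] + [len(text)]
    return {m.group(1).strip(): text[m.end():end] for m, end in zip(marks, ends)}


def triage(text):
    """Parse the sections an analyst cares about into plain Python structures."""
    sec = split_sections(text)
    hooks = defaultdict(list)
    for body in (sec.get("SSDT", ""), sec.get("Shadow SSDT", "")):
        for func, hooker in HOOK_RE.findall(body):
            hooks[hooker.rsplit("\\", 1)[-1].lower()].append(func)
    return {
        "hooks_by_driver": dict(hooks),
        "hidden_modules": [
            {"name": n, "process": p, "pid": int(pid), "address": a, "size": int(s)}
            for n, p, pid, a, s in STEALTH_RE.findall(sec.get("Stealth Objects", ""))],
        "hidden_files": [{"path": p, "status": s}
                         for p, s in HIDDEN_RE.findall(sec.get("Hidden/Locked Files", ""))],
        "unexpected_drivers": [
            {"name": n, "path": p} for n, p, visible in DRIVER_RE.findall(sec.get("Drivers", ""))
            if visible.lower() == "no" and not EXPECTED_INVISIBLE.match(n)],
    }


def summarize(result):
    """Analyst-facing lines, most serious first (severity labels are mine)."""
    out = []
    for m in result["hidden_modules"]:
        out.append(f"HIGH: hidden module {m['name']} in {m['process']} (PID {m['pid']}) at "
                   f"{m['address']}, {m['size']} bytes: code concealed from module enumeration")
    for d in result["unexpected_drivers"]:
        out.append(f"HIGH: loaded driver {d['name']} has no visible file ({d['path']})")
    for drv, funcs in sorted(result["hooks_by_driver"].items()):
        # Security products hook the SSDT too; establish who owns the hooking
        # driver before treating its hooks as part of the infection.
        out.append(f"REVIEW: {drv} hooks {len(funcs)} syscalls: {', '.join(sorted(funcs))}")
    for f in result["hidden_files"]:
        out.append(f"LOW: {f['status']} for {f['path']} (commonly a file being written during the scan)")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run it as a script to print the summary, or call triage() on the text of a saved log. Hooks are reported as REVIEW rather than HIGH because security products hook the SSDT as well; the thread never says what pxrts.sys is, so an analyst would check the driver's vendor and signature before counting its hooks against the machine. The hidden module tdlclk.dll inside Explorer.EXE is the one finding here that points at the TDSS files named in the thread title.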


#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 05 December 2009 - 06:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 Robert Cranston (Topic Starter)

Posted 06 December 2009 - 04:55 AM

Hi, I am here. Thanks for getting back to me.
Still having the same issues, so eager for any help you can provide.

Thanks.

#4 m0le (Malware Response Team)

Posted 06 December 2009 - 05:51 AM

tdlcmd.dll and tdlclk.dll are files associated with TDSS which is a nasty rootkit/trojan. Combofix is where we are likely to go but we need to make sure it will run when we want it to.


First let's make sure TDSS is alone

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Next please run MBAM


Please download Malwarebytes Anti-Malware and save it to your desktop but rename it to mblah.scr
  • Make sure you are connected to the Internet.
  • Double-click on mblah.scr to install the application or, if you are using Vista, right-click and select Run As Administrator on mblah.scr to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :(

#5 Robert Cranston (Topic Starter)

Posted 06 December 2009 - 08:49 AM

Win32Diag.txt
Running from: C:\Documents and Settings\Robert\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Robert\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!



MBAM Log - It has been finding the same two registry entries every time I reboot for the last week or so.
Malwarebytes' Anti-Malware 1.42
Database version: 3303
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

06/12/2009 13:40:36
mbam-log-2009-12-06 (13-40-36).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 310538
Time elapsed: 2 hour(s), 26 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
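
The two MBAM hits above are a registry-only change: the ImagePath of BITS and wuauserv was altered from %SystemRoot% to %fystemRoot%, a variable that does not exist, so the service control manager cannot resolve a binary for either service while everything else about the entries looks intact. As an added example (not from the thread, and not MBAM's detection logic), here is a Python check that scans the text of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` for that class of tampering: environment variables that will not expand, svchost-style arguments on a non-svchost image, randomly numbered binaries in system32 (like the 12520437v.exe service in the DDS log), and display names that borrow a built-in service's wording. The registry text is constructed from the entries shown on this page plus a clean Print Spooler entry as a control; the fixed expansion table, the digit-name pattern and the impersonation check are my own heuristics.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample laid out like the output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s
# It carries the two ImagePath values MBAM flagged as Hijack.WindowsUpdates,
# the SharedAccessTapiSrv service from the DDS log, and a clean Print Spooler
# entry as a control. It is not a capture from the poster's machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    DisplayName    REG_SZ    Background Intelligent Transfer Service
    ImagePath    REG_EXPAND_SZ    %fystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    DisplayName    REG_SZ    Automatic Updates
    ImagePath    REG_EXPAND_SZ    %fystemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccessTapiSrv
    DisplayName    REG_SZ    Windows Firewall/Internet Connection Sharing (ICS) SharedAccessTapiSrv
    ImagePath    REG_EXPAND_SZ    c:\windows\system32\12520437v.exe srv
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    DisplayName    REG_SZ    Print Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
"""

# Fixed expansion table for an XP install on C: (assumption; on a live system
# take these from os.environ instead).
KNOWN_VARS = {"systemroot": r"C:\WINDOWS", "windir": r"C:\WINDOWS",
              "systemdrive": "C:", "programfiles": r"C:\Program Files"}
SVCHOST = r"C:\WINDOWS\system32\svchost.exe"
# Service key names that legitimately carry "Windows Firewall" in their XP display name.
FIREWALL_KEYS = {"sharedaccess"}

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\(.+)$")
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
VAR_RE = re.compile(r"%([^%]+)%")
# Heuristic: a long run of digits with an optional trailing letter, e.g. 12520437v.exe.
RANDOM_NAME_RE = re.compile(r"^\d{6,}[a-z]?\.exe$", re.I)


def parse_reg_query(text):
    """Return {service_key_name: {value_name: data}} from reg query /s output."""
    services, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).rsplit("\\", 1)[-1]
            services[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            services[current][val.group(1)] = val.group(3).strip()
    return services


def expand(path):
    """Expand %VAR% tokens; return (expanded path, tokens that did not expand)."""
    unknown = []

    def sub(m):
        value = KNOWN_VARS.get(m.group(1).lower())
        if value is None:
            unknown.append(m.group(0))
            return m.group(0)
        return value

    return VAR_RE.sub(sub, path), unknown


def split_image(cmd):
    """Split an ImagePath into (executable, arguments), tolerating unquoted spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.(exe|sys)\b", cmd, re.I)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def audit_services(services):
    """Return [(service, reason)] for entries whose ImagePath looks tampered with."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath")
        if image is None:
            continue
        expanded, unknown = expand(image)
        if unknown:
            # The %fystemRoot% trick: one changed letter leaves a variable Windows
            # cannot expand, so the service points at a path that does not exist.
            for token in unknown:
                findings.append((name, f"ImagePath uses unknown variable {token}; path does not resolve"))
        else:
            exe, args = split_image(expanded)
            base = PureWindowsPath(exe).name
            if args.lower().startswith("-k ") and exe.lower() != SVCHOST.lower():
                findings.append((name, f"svchost-style arguments but image is {exe}"))
            if RANDOM_NAME_RE.match(base):
                findings.append((name, f"randomly named service binary {base}"))
        display = values.get("DisplayName", "")
        if "windows firewall" in display.lower() and name.lower() not in FIREWALL_KEYS:
            findings.append((name, f"display name borrows a built-in service's wording: {display!r}"))
    return findings


if __name__ == "__main__":
    for service, reason in audit_services(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{service}: {reason}")
```

On a real machine, save `reg query HKLM\SYSTEM\CurrentControlSet\Services /s > services.txt` and feed that file to parse_reg_query(). The expansion check is the one that catches this thread's case: a signature scanner that only compares file hashes never sees it, because no file changed.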

#6 m0le (Malware Response Team)

Posted 06 December 2009 - 10:13 AM

Let's try and remove this threat then

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(

#7 Robert Cranston (Topic Starter)

Posted 06 December 2009 - 02:48 PM

Wow, that took a while.
Every operation that Combo-Fix ran resulted in a pop-up telling me about tdlcmd.dll again.
It is still happening after the run through.
Also, it actually re-booted the pc twice during the run. The first was just as combo-fix got up and running, and second it warned me about.

Here is the log:

ComboFix 09-12-06.06 - Robert 06/12/2009 19:02.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1630 [GMT 0:00]
Running from: c:\documents and settings\Robert\Desktop\comfix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robert\Application Data\inst.exe
c:\program files\Mozilla Firefox\plugins\NPMyGlSh.dll
c:\windows\system32\1684870983.dat
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\websites.html

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SHAREDACCESSTAPISRV
-------\Legacy_uacFlt
-------\Service_SharedAccessTapiSrv
-------\Service_uacFlt


((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-06 18:55 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-29 17:35 . 2009-11-29 17:35 -------- d-----w- c:\program files\PFPortChecker
2009-11-29 17:05 . 2009-11-29 17:05 -------- d-----w- c:\program files\uTorrent
2009-11-29 16:54 . 2009-11-29 17:11 -------- d-----w- c:\documents and settings\Robert\Application Data\OneSwarm
2009-11-28 07:18 . 2009-11-28 07:18 -------- d-----w- c:\program files\SysProt
2009-11-27 22:34 . 2009-11-27 22:34 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-08 23:04 . 2009-11-08 23:04 -------- d-----w- c:\program files\Windows Media Connect 2
2009-11-08 22:54 . 2009-11-08 22:56 -------- d-----w- c:\windows\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-06 11:06 . 2009-10-20 17:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-04 19:51 . 2009-05-10 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 19:50 . 2009-10-14 18:20 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 16:14 . 2009-05-10 15:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2009-05-10 15:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 07:03 . 2009-10-13 19:36 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-12-02 07:03 . 2009-10-13 19:36 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-12-02 07:03 . 2007-04-14 08:24 32240 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-12-02 07:03 . 2007-04-14 08:24 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-12-02 07:03 . 2007-04-14 08:24 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-12-02 07:03 . 2007-04-14 08:24 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-12-01 22:00 . 2009-05-10 15:25 -------- d-----w- c:\documents and settings\Robert\Application Data\SUPERAntiSpyware.com
2009-12-01 21:56 . 2008-12-26 10:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-01 21:56 . 2009-05-10 15:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-01 21:41 . 2005-03-21 20:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-29 22:41 . 2009-05-19 14:12 -------- d-----w- c:\documents and settings\Robert\Application Data\uTorrent
2009-11-28 17:09 . 2007-10-25 20:19 -------- d-----w- c:\program files\Sling Media
2009-11-09 07:02 . 2007-02-01 11:18 -------- d-----w- c:\documents and settings\Robert\Application Data\ICAClient
2009-11-08 22:43 . 2007-10-21 20:30 -------- d-----w- c:\program files\AviSynth 2.5
2009-10-29 09:59 . 2009-10-29 09:59 -------- d-----w- c:\documents and settings\Work\Application Data\Apple Computer
2009-10-29 08:01 . 2009-10-29 08:01 -------- d-----w- c:\documents and settings\Work\Application Data\Cisco
2009-10-25 20:34 . 2009-10-25 20:24 -------- d-----w- c:\documents and settings\Work\Application Data\ICAClient
2009-10-25 20:32 . 2007-02-01 11:18 -------- d-----w- c:\program files\Citrix
2009-10-25 19:50 . 2009-10-25 19:50 -------- d-----w- c:\documents and settings\Work\Application Data\CheckPoint
2009-10-25 19:36 . 2005-08-15 21:40 -------- d-----w- c:\program files\CheckPoint
2009-10-25 19:26 . 2009-10-25 19:26 -------- d-----w- c:\documents and settings\Work\Application Data\Malwarebytes
2009-10-18 10:45 . 2006-02-11 13:42 -------- d-----w- c:\documents and settings\Robert\Application Data\Ahead
2009-10-18 10:12 . 2007-10-22 18:41 -------- d-----w- c:\documents and settings\Robert\Application Data\Vso
2009-10-13 20:41 . 2005-04-02 14:56 -------- d-----w- c:\documents and settings\Robert\Application Data\Apple Computer
2009-10-13 19:36 . 2007-10-25 21:23 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-10-10 19:13 . 2009-10-10 18:54 -------- d-----w- c:\program files\PS3 Media Server
2009-10-10 18:48 . 2009-10-10 18:47 -------- d-----w- c:\program files\iTunes
2009-10-10 18:48 . 2009-10-10 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-10 18:47 . 2005-04-02 14:54 -------- d-----w- c:\program files\iPod
2009-10-10 18:47 . 2007-07-10 21:16 -------- d-----w- c:\program files\Common Files\Apple
2009-10-10 18:43 . 2009-10-10 18:42 -------- d-----w- c:\program files\QuickTime
2009-10-10 18:36 . 2009-10-10 18:36 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-20 15:41 . 2005-09-10 11:45 26736 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-08 10:16 . 2007-03-08 10:16 7667714 ----a-w- c:\program files\CiscoSystems.zip.NOEXEC
2005-03-21 12:48 . 2005-03-26 14:05 44159 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-02-07 21:46 . 2008-02-07 21:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-07 21:46 . 2008-02-07 21:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-07 21:46 . 2008-02-07 21:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-07 21:46 . 2008-02-07 21:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-07 21:46 . 2008-02-07 21:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-07 21:46 . 2008-02-07 21:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-07 21:46 . 2008-02-07 21:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 17:27 . 2007-03-16 17:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 17:27 . 2007-03-16 17:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 17:27 . 2007-03-16 17:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 12:47 . 2007-07-20 12:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-07 21:46 . 2008-02-07 21:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1" [X]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"Google Update"="c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-21 133104]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-01-04 1937408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eTrust PestPatrol Active Protection"="none" [X]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"CAVRID"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2009-12-02 230664]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-14 148888]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-01 177392]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2007-10-02 233472]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2007-10-02 131072]
"CTHelper"="CTHELPER.EXE" [2008-06-27 19456]
"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-06-16 3627520]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2005-2-10 178688]
Perstray.lnk - c:\program files\PerSono\perstray.exe [2005-11-7 40960]
U.S. Robotics 802.11g Wireless Network Utility.lnk - c:\u.s.r.turbogwlan\USRWLANG.exe [2005-3-21 806912]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-4-25 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2007-05-24 10:13 24665 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_09\\bin\\javaw.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\Communicator.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_06\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\INET Portal\\UserLogin.exe"=
"c:\\cygwin\\bin\\ftp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Games\\World of Warcraft\\WoW-1.3.1.4297-to-1.4.0-enUS-downloader.exe"=
"c:\\Games\\World of Warcraft\\WoW-1.3.0-enUS-downloader.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"47352:TCP"= 47352:TCP:*:Disabled:uTorrent
"47352:UDP"= 47352:UDP:*:Disabled:Utorrent

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [21/03/2005 20:16 24971]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [09/02/2005 18:18 109184]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [24/05/2007 10:13 2234800]
R1 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [11/03/2006 17:08 120704]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [03/09/2004 12:31 35693]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [24/05/2007 10:13 36368]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [07/07/2008 10:37 15896]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [23/11/2008 11:15 24652]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [24/05/2007 10:13 110032]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [24/05/2007 10:13 673456]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [12/05/2005 14:39 1287296]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [27/06/2008 19:21 99352]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [03/09/2004 12:31 1915837]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [27/06/2008 19:21 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [27/06/2008 19:21 566296]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [09/02/2005 18:18 38656]
R3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [09/02/2005 18:18 90752]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [13/09/2007 20:03 31872]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [25/10/2006 20:40 56576]
S2 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [17/08/2008 08:40 217088]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe --> c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [27/06/2008 19:21 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [27/06/2008 19:21 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [27/06/2008 19:21 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [27/06/2008 19:21 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [27/06/2008 19:21 566296]
S3 Sling_Audio;SlingProjector Audio Device;c:\windows\system32\drivers\SlingAudio.sys [01/10/2008 18:48 19072]
S3 SlingAudioBusenum;Sling Audio Bus Enumerator;c:\windows\system32\drivers\SlingAudioBus.sys [15/07/2008 08:28 23168]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: microsoft.com\office
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\2gio7ih4.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\documents and settings\Robert\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CTXFIREG - CTxfiReg.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-AtiExtEvent - (no file)
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8AB05E31]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c9b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7858bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7865a21
SendHandler -> NDIS.sys @ 0xf784387b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1547161642-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:4e,f8,ff,7a,18,5e,31,12,bf,c1,3b,11,fa,6c,56,a2,7d,f8,30,fa,ee,
6c,18,6d,3f,cb,14,1f,f2,8e,55,57,b0,20,2a,a3,7f,5e,19,96,fa,a2,16,28,09,a1,\
"rkeysecu"=hex:d3,c9,45,67,32,6b,61,4e,08,86,7a,03,27,b4,93,0f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NDAS\System\ndassvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CNAB4RPK.EXE
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
.
**************************************************************************
.
Completion time: 2009-12-06 19:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-06 19:37

Pre-Run: 36,255,375,360 bytes free
Post-Run: 35,898,523,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F26EEFDBB18607660993D7C353A64261

#8 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 December 2009 - 05:39 PM

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    /md5stop
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it.
Post the log in the next reply.

Edited by m0le, 06 December 2009 - 05:41 PM.

m0le is a proud member of UNITE

#9 Robert Cranston

  • Topic Starter

  • Members
  • 9 posts

Posted 06 December 2009 - 06:03 PM

Hi,
Before running the commands from your last post, I did a full shutdown.
At this point windows downloaded 39 updates.
I have not seen any updates downloaded for a while, so I am thinking that something done by ComboFix cleared this up.

After this, no more warnings.

Do you still think I should run the commands below?

Thanks.

#10 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 December 2009 - 06:07 PM

Yes, still run the program. I need to have confirmation that the drivers are all legitimate.
m0le is a proud member of UNITE

#11 Robert Cranston

  • Topic Starter

  • Members
  • 9 posts

Posted 07 December 2009 - 03:15 PM

Thanks again.
Here is the log:

OTL logfile created on: 07/12/2009 06:59:07 - Run 1
OTL by OldTimer - Version 3.1.11.8 Folder = C:\Documents and Settings\Robert\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 70.51% Memory free
3.85 Gb Paging File | 3.38 Gb Available in Paging File | 87.68% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 31.51 Gb Free Space | 13.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 298.02 Gb Total Space | 225.27 Gb Free Space | 75.59% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 149.05 Gb Total Space | 112.07 Gb Free Space | 75.19% Space Free | Partition Type: NTFS

Computer Name: DESKTOP
Current User Name: Robert
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Robert\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe (CA, Inc.)
PRC - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\cavrid.exe (CA, Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CA, Inc.)
PRC - C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\system32\java.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\AIM6\aim6.exe (AOL LLC)
PRC - C:\Program Files\PS3 Media Server\win32\service\wrapper.exe ()
PRC - C:\WINDOWS\system32\CtHelper.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\AIM6\aolsoftware.exe (AOL LLC)
PRC - C:\Program Files\Saitek\SD6\Software\SaiMfd.exe (Saitek)
PRC - C:\Program Files\Saitek\SD6\Software\ProfilerU.exe (Saitek)
PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe (Check Point Software Technologies)
PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe (Check Point Software Technologies)
PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)
PRC - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe (Computer Associates International, Inc.)
PRC - C:\WINDOWS\system32\CNAB4RPK.EXE (CANON INC.)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\Program Files\NDAS\System\ndasmgmt.exe (XIMETA, Inc.)
PRC - C:\Program Files\NDAS\System\ndassvc.exe (XIMETA, Inc.)
PRC - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
PRC - C:\U.S.R.TurboGWLAN\USRWLANG.exe (U.S. Robotics)
PRC - C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe (Creative Technology Ltd)
PRC - C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
PRC - C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
PRC - C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
PRC - C:\Program Files\PerSono\PersTray.exe (Plantronics)
PRC - C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Technology Ltd)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Robert\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\ctagent.dll (Creative Technology Ltd)


========== Win32 Services (SafeList) ==========

SRV - (SlingAgentService) -- File not found
SRV - (VETMSGNT) -- C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe (CA, Inc.)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (CaCCProvSP) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CA, Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (PS3 Media Server) -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe ()
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (SR_Watchdog) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe (Check Point Software Technologies)
SRV - (SR_Service) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)
SRV - (CAISafe) -- C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe (Computer Associates International, Inc.)
SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (ndassvc) -- C:\Program Files\NDAS\System\ndassvc.exe (XIMETA, Inc.)
SRV - (WMDM PMSP Service) -- C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
SRV - (Creative Service for CDROM Access) -- C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Technology Ltd)


========== Driver Services (SafeList) ==========

DRV - (VETEFILE) -- C:\WINDOWS\system32\drivers\vetefile.sys (Computer Associates International, Inc.)
DRV - (VETEBOOT) -- C:\WINDOWS\system32\drivers\veteboot.sys (Computer Associates International, Inc.)
DRV - (VETMONNT) -- C:\WINDOWS\system32\drivers\vetmonnt.sys (Computer Associates International, Inc.)
DRV - (VET-FILT) -- C:\WINDOWS\system32\drivers\vet-filt.sys (Computer Associates International, Inc.)
DRV - (VETFDDNT) -- C:\WINDOWS\system32\drivers\vetfddnt.sys (Computer Associates International, Inc.)
DRV - (VET-REC) -- C:\WINDOWS\system32\drivers\vet-rec.sys (Computer Associates International, Inc.)
DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (SlingAudioBusenum) -- C:\WINDOWS\system32\drivers\SlingAudioBus.sys (SlingMedia Inc.)
DRV - (Sling_Audio) -- C:\WINDOWS\system32\drivers\SlingAudio.sys (SlingMedia Inc.)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (PfDetNT) -- C:\WINDOWS\system32\drivers\pfmodnt.sys (Creative Technology Ltd.)
DRV - (hap17v2k) -- C:\WINDOWS\system32\drivers\haP17v2k.sys (Creative Technology Ltd)
DRV - (hap16v2k) -- C:\WINDOWS\system32\drivers\haP16v2k.sys (Creative Technology Ltd)
DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (CTERFXFX.SYS) -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS (Creative Technology Ltd)
DRV - (CTERFXFX) -- C:\WINDOWS\system32\drivers\CTERFXFX.sys (Creative Technology Ltd)
DRV - (CTSBLFX.SYS) -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS (Creative Technology Ltd)
DRV - (CTSBLFX) -- C:\WINDOWS\system32\drivers\CTSBLFX.sys (Creative Technology Ltd)
DRV - (CTAUDFX.SYS) -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS (Creative Technology Ltd)
DRV - (CTAUDFX) -- C:\WINDOWS\system32\drivers\CTAUDFX.sys (Creative Technology Ltd)
DRV - (COMMONFX.SYS) -- C:\WINDOWS\System32\drivers\COMMONFX.SYS (Creative Technology Ltd)
DRV - (COMMONFX) -- C:\WINDOWS\system32\drivers\COMMONFX.sys (Creative Technology Ltd)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (pcouffin) -- C:\WINDOWS\system32\drivers\pcouffin.sys (VSO Software)
DRV - (SaiNtBus) -- C:\WINDOWS\system32\drivers\SaiBus.sys (Saitek)
DRV - (SaiMini) -- C:\WINDOWS\system32\drivers\SaiMini.sys (Saitek)
DRV - (CP_OMDRV) -- C:\WINDOWS\system32\drivers\omdrv.sys (Check Point Software Technologies)
DRV - (FW1) -- C:\WINDOWS\system32\drivers\fw.sys (Check Point Software Technologies)
DRV - (VNASC) -- C:\WINDOWS\system32\drivers\vnasc.sys (Check Point Software Technologies)
DRV - (VPN-1) -- C:\WINDOWS\System32\drivers\vpn.sys (Check Point Software Technologies)
DRV - (PxHelp20) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (cmudax) -- C:\WINDOWS\system32\drivers\cmudax.sys (C-Media Inc.)
DRV - (lfsfilt) -- C:\WINDOWS\system32\drivers\lfsfilt.sys (XIMETA, Inc.)
DRV - (lpx) -- C:\WINDOWS\system32\DRIVERS\lpx.sys (XIMETA, Inc.)
DRV - (ndasscsi) -- C:\WINDOWS\system32\drivers\ndasscsi.sys (XIMETA, Inc.)
DRV - (ndasbus) -- C:\WINDOWS\system32\drivers\ndasbus.sys (XIMETA, Inc.)
DRV - (SaiH8000) -- C:\WINDOWS\system32\drivers\SaiH8000.sys (Saitek)
DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()
DRV - (Cpmt) -- C:\WINDOWS\system32\drivers\Cpmt.sys (Cisco Systems, Inc.)
DRV - (CdpPacket) -- C:\WINDOWS\system32\drivers\CdpPacket.sys (Cisco Systems)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (USR11G) -- C:\WINDOWS\system32\drivers\USR11G.SYS (U.S. Robotics)
DRV - (Point32) -- C:\WINDOWS\system32\drivers\point32.sys (Microsoft Corporation)
DRV - (iteraid) -- C:\WINDOWS\system32\DRIVERS\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (odysseyIM3) -- C:\WINDOWS\system32\drivers\odysseyIM3.sys (Funk Software, Inc.)
DRV - (QCEmerald) -- C:\WINDOWS\system32\drivers\OVCE.sys (Microsoft Corporation)
DRV - (lusbaudio) -- C:\WINDOWS\system32\drivers\OVSound2.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google.co.uk"
FF - prefs.js..browser.startup.homepage: "http://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official"
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.15
FF - prefs.js..network.proxy.autoconfig_url: "http://planet.instinet.com/proxy.pac"
FF - prefs.js..network.proxy.http: "svukcmqproxy02.isn.instinet.com"
FF - prefs.js..network.proxy.http_port: 8080

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/14 12:28:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/12/06 23:25:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/20 08:10:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/06 19:17:57 | 00,000,000 | ---D | M]

[2008/03/07 21:12:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Mozilla\Extensions
[2008/03/07 21:12:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/29 17:23:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\2gio7ih4.default\extensions
[2009/06/21 12:24:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\2gio7ih4.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2008/06/19 19:26:57 | 00,000,908 | ---- | M] () -- C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\2gio7ih4.default\searchplugins\IMDB.xml
[2009/11/27 19:47:06 | 00,002,143 | ---- | M] () -- C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\2gio7ih4.default\searchplugins\marketwatch.xml
[2008/07/12 08:17:49 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/08 19:38:15 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/08 19:38:09 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/08 19:38:09 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2005/03/21 12:48:00 | 00,044,159 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\inspector.dll
[2008/02/07 21:46:38 | 00,013,624 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\cgpcfg.dll
[2008/02/07 21:46:12 | 00,087,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2008/02/07 21:46:20 | 00,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2008/02/07 21:46:16 | 00,021,824 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2008/02/07 21:46:56 | 00,206,136 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\ctxmui.dll
[2008/02/07 21:46:18 | 00,031,544 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\icafile.dll
[2008/02/07 21:46:36 | 00,040,248 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\icalogon.dll
[2007/03/16 17:27:00 | 00,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2007/03/16 17:27:00 | 00,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2007/03/16 17:27:00 | 00,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2006/09/03 12:12:48 | 00,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2009/05/14 12:27:29 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2008/02/07 21:48:26 | 00,419,136 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2007/02/25 10:55:24 | 00,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2009/11/08 19:38:11 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2005/09/24 04:44:16 | 00,077,824 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/10/10 18:43:19 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/10/10 18:43:19 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/10/10 18:43:19 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/10/10 18:43:19 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/10/10 18:43:19 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/10/10 18:43:19 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/10/10 18:43:19 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2006/09/05 16:06:14 | 04,100,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSibelius.dll
[2007/04/16 17:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2007/07/20 12:47:44 | 00,981,170 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\sslsdk_b.dll
[2008/02/07 21:46:12 | 00,024,384 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll
[2008/01/04 15:36:50 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2006/07/05 18:47:38 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2008/01/04 15:36:50 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/03/08 09:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2008/11/23 11:17:21 | 00,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/04/16 04:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2008/03/28 18:11:14 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2008/01/04 15:36:50 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [CAVRID] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe (CA, Inc.)
O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [eTrust PestPatrol Active Protection] File not found
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Launch Ai Booster] C:\Program Files\ASUS\Ai Booster\OverClk.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe (Saitek)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe (Saitek)
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Robert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [MoneyAgent] C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKCU..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKCU..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe (XIMETA, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Perstray.lnk = C:\Program Files\PerSono\PersTray.exe (Plantronics)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\U.S. Robotics 802.11g Wireless Network Utility.lnk = C:\U.S.R.TurboGWLAN\USRWLANG.exe (U.S. Robotics)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([office] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5co...b?1111411904687 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-...indows-i586.cab (Java Plug-in 1.4.2_09)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\USERINIT.EXE (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/21 19:39:47 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/25 11:40:00 | 00,000,000 | ---D | M] - G:\autorun -- [ FAT32 ]
O32 - AutoRun File - [2008/02/25 10:30:42 | 00,000,054 | -H-- | M] () - G:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/06 23:31:48 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/06 23:23:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/12/06 23:23:54 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/12/06 23:23:46 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/12/06 23:22:19 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/12/06 23:22:19 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/12/06 23:22:18 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/12/06 23:22:17 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/12/06 23:22:14 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/12/06 23:22:14 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/12/06 23:04:24 | 00,537,088 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Robert\Desktop\OTL.exe
[2009/12/06 18:55:16 | 00,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2009/12/06 18:52:04 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/06 18:49:08 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/06 18:49:08 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/06 18:49:08 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/06 18:49:08 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/06 18:48:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/06 18:45:32 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/29 17:35:22 | 00,000,000 | ---D | C] -- C:\Program Files\PFPortChecker
[2009/11/29 17:05:42 | 00,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2009/11/29 16:58:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Robert\My Documents\OneSwarm Downloads
[2009/11/29 16:54:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Robert\Application Data\OneSwarm
[2009/11/28 07:18:27 | 00,000,000 | ---D | C] -- C:\Program Files\SysProt
[2009/11/27 22:34:37 | 00,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/27 22:34:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Robert\Desktop\log
[2009/11/27 20:15:23 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Robert\Recent
[2009/11/27 19:39:38 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Robert\Desktop\RootRepeal.exe
[2009/11/08 23:09:00 | 00,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/11/08 23:04:06 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2009/11/08 22:54:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2007/10/22 18:41:33 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Robert\Application Data\pcouffin.sys
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Robert\My Documents\*.tmp files -> C:\Documents and Settings\Robert\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/07 06:51:01 | 00,000,980 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1547161642-682003330-1004UA.job
[2009/12/07 06:49:16 | 00,522,006 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/07 06:49:16 | 00,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/07 06:49:16 | 00,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/07 06:48:21 | 04,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-20021102}.CDF
[2009/12/07 06:47:23 | 00,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/07 06:46:31 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/07 06:45:04 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/07 06:44:31 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/07 06:44:23 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/07 06:44:19 | 00,134,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/06 23:46:15 | 00,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000009-00001102-00000004-20021102}.rfx
[2009/12/06 23:46:15 | 00,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000009-00001102-00000004-20021102}.rfx
[2009/12/06 23:46:15 | 00,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000009-00001102-00000004-20021102}.rfx
[2009/12/06 23:46:15 | 00,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000009-00001102-00000004-20021102}.rfx
[2009/12/06 23:46:15 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000009-00001102-00000004-20021102}.rfx
[2009/12/06 23:05:37 | 05,505,024 | -H-- | M] () -- C:\Documents and Settings\Robert\NTUSER.DAT
[2009/12/06 23:05:37 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Robert\ntuser.ini
[2009/12/06 23:05:31 | 04,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-20021102}.BAK
[2009/12/06 23:04:26 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert\Desktop\OTL.exe
[2009/12/06 22:54:59 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/06 21:37:44 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/06 21:37:41 | 00,228,864 | ---- | M] () -- C:\Documents and Settings\Robert\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/06 19:27:10 | 00,000,259 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/06 19:23:42 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/06 18:52:18 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/12/06 17:51:03 | 00,000,928 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-1547161642-682003330-1004Core.job
[2009/12/06 11:10:43 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\Win32kDiag.exe
[2009/12/04 20:08:17 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\rr619wmo.exe
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 07:03:05 | 00,739,696 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetefile.sys
[2009/12/02 07:03:04 | 00,133,520 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\veteboot.sys
[2009/12/02 07:03:04 | 00,032,240 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetmonnt.sys
[2009/12/02 07:03:04 | 00,026,352 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-filt.sys
[2009/12/02 07:03:04 | 00,021,488 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vetfddnt.sys
[2009/12/02 07:03:04 | 00,021,104 | ---- | M] (Computer Associates International, Inc.) -- C:\WINDOWS\System32\drivers\vet-rec.sys
[2009/11/29 21:26:58 | 00,030,720 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\To our family and friends.doc
[2009/11/29 17:35:23 | 00,000,742 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\PFPortChecker.lnk
[2009/11/29 17:05:42 | 00,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2009/11/28 18:08:30 | 00,004,224 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\Attach.zip
[2009/11/28 18:05:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/28 08:47:04 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\settings.dat
[2009/11/28 08:34:16 | 00,000,049 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2009/11/27 22:34:36 | 00,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/27 20:13:42 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\CCleaner.lnk
[2009/11/22 21:10:27 | 00,000,096 | ---- | M] () -- C:\WINDOWS\System\cmicnfg.ini
[2009/11/17 19:10:01 | 00,069,714 | ---- | M] () -- C:\Documents and Settings\Robert\My Documents\cc_20091117_190903.reg
[2009/11/17 07:52:00 | 00,002,346 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\Google Chrome.lnk
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/09 06:58:24 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/11/09 06:58:24 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/11/08 23:06:13 | 00,000,675 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/08 22:57:34 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/11/08 22:54:58 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Robert\My Documents\*.tmp files -> C:\Documents and Settings\Robert\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/06 22:41:40 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/12/06 18:52:16 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/12/06 18:52:07 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/06 18:49:08 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/06 18:49:08 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/06 18:49:08 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/06 18:49:08 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/06 18:49:08 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/06 11:10:42 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\Robert\Desktop\Win32kDiag.exe
[2009/12/04 20:08:16 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Robert\Desktop\rr619wmo.exe
[2009/11/29 21:18:17 | 00,030,720 | ---- | C] () -- C:\Documents and Settings\Robert\Desktop\To our family and friends.doc
[2009/11/29 17:35:23 | 00,000,742 | ---- | C] () -- C:\Documents and Settings\Robert\Desktop\PFPortChecker.lnk
[2009/11/29 17:05:42 | 00,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2009/11/28 18:08:30 | 00,004,224 | ---- | C] () -- C:\Documents and Settings\Robert\Desktop\Attach.zip
[2009/11/28 08:08:11 | 04,958,588 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-20021102}.BAK
[2009/11/27 19:39:42 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Robert\Desktop\settings.dat
[2009/11/17 19:09:10 | 00,069,714 | ---- | C] () -- C:\Documents and Settings\Robert\My Documents\cc_20091117_190903.reg
[2009/11/08 22:54:58 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2008/12/26 12:50:11 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2008/12/26 12:50:11 | 00,004,962 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2008/12/26 12:50:10 | 00,005,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2008/12/26 12:50:10 | 00,003,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2008/10/07 09:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/06/27 18:05:08 | 00,049,565 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/06/27 18:05:06 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/06/27 17:27:54 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008/06/20 21:19:34 | 00,000,049 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/05/16 14:01:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 14:01:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 14:01:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 14:01:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/02/04 18:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/01/09 14:01:48 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2007/10/22 18:41:53 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Robert\Application Data\pcouffin.log
[2007/10/22 18:41:33 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Robert\Application Data\pcouffin.cat
[2007/10/22 18:41:33 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Robert\Application Data\pcouffin.inf
[2007/08/13 20:45:02 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2007/05/24 10:14:02 | 00,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini
[2007/05/24 10:13:48 | 00,106,584 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll
[2007/03/12 21:05:12 | 00,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/03/12 21:05:12 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/03/08 10:16:42 | 07,667,714 | ---- | C] () -- C:\Program Files\CiscoSystems.zip.NOEXEC
[2007/03/01 17:47:03 | 01,489,528 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/03/01 17:47:03 | 01,130,002 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2007/03/01 17:47:03 | 00,794,773 | ---- | C] () -- C:\WINDOWS\System32\libogg-0.dll
[2007/02/01 11:18:30 | 00,000,094 | ---- | C] () -- C:\WINDOWS\webica.ini
[2006/12/30 19:52:23 | 00,002,994 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/10/02 17:25:18 | 00,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2006/05/13 09:22:40 | 00,000,129 | ---- | C] () -- C:\Documents and Settings\Robert\Local Settings\Application Data\fusioncache.dat
[2005/09/23 21:05:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI
[2005/05/03 15:53:50 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2005/05/03 15:53:50 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2005/05/03 10:26:52 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/04/16 18:11:50 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/04/06 19:26:44 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/03/27 18:04:15 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS50.DLL
[2005/03/23 13:53:59 | 00,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2005/03/21 20:04:59 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2005/03/21 20:04:58 | 00,006,439 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2005/03/21 13:44:09 | 00,228,864 | ---- | C] () -- C:\Documents and Settings\Robert\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/03/21 12:50:08 | 00,000,085 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2005/03/21 12:29:28 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2005/03/21 12:28:26 | 00,043,517 | ---- | C] () -- C:\WINDOWS\System32\e10kxwdm.ini
[2005/03/21 12:28:16 | 00,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
[2005/03/21 12:26:36 | 00,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/02/18 18:26:28 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll

========== LOP Check ==========

[2008/11/23 11:15:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2006/12/18 08:36:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2006/05/13 09:28:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QubeSoft
[2008/11/14 21:51:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Saitek
[2008/12/30 18:01:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media
[2008/11/23 11:15:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/14 21:39:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/10/10 18:48:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/21 21:18:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/11/23 11:17:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\acccore
[2005/03/29 20:33:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Aim
[2008/12/26 22:46:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Amazon
[2007/03/29 05:38:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\BitTorrent
[2006/06/14 17:52:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\CheckPoint
[2005/11/07 21:17:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Cisco
[2007/10/23 20:40:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\DVDFab
[2009/11/09 07:02:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\ICAClient
[2005/03/23 13:54:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Leadertech
[2005/11/18 21:05:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Lionhead Studios
[2009/11/29 17:11:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\OneSwarm
[2006/10/04 21:13:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Petroglyph
[2009/01/31 11:50:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Red Kawa
[2009/01/02 23:14:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Sling Media
[2006/03/04 22:40:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Subversion
[2005/04/20 19:43:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Thunderbird
[2009/11/29 22:41:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\uTorrent
[2009/10/18 10:12:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Vso
[2009/04/19 20:21:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Xilisoft Corporation

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: AGP440.SYS >
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 12:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2005/06/06 13:02:38 | 00,028,789 | R--- | M] () MD5=36971E8ED4D19CC0A7051079B039C204 -- C:\ActivePerl\ActivePerl-5.8.7.813-MSWin32-x86-148120\perl\site\lib\auto\Win32\EventLog\EventLog.dll
[2005/06/06 13:02:38 | 00,028,789 | ---- | M] () MD5=36971E8ED4D19CC0A7051079B039C204 -- C:\ActivePerl\site\lib\auto\Win32\EventLog\EventLog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 12:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 12:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 12:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >


Edited by Robert Cranston, 07 December 2009 - 03:46 PM.
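The custom-scan section at the end of the OTL log above prints an MD5 for every copy of a few boot-critical files (agp440.sys, atapi.sys, eventlog.dll, netlogon.dll, scecli.dll): the live copy in system32 or system32\drivers beside the stock copies in dllcache, ServicePackFiles and the ERDNT cache. That check matters here because the TDL3/TDSS rootkit behind the tdlcmd.dll "Bad Image" error persists by patching a legitimate driver such as atapi.sys in place, so a live copy whose hash disagrees with the same-size stock copies is the tell. The script below is an added example, not part of the thread and not OTL's own code: it parses that section and flags any live copy for which no same-size stock copy carries the same hash. The first sample is the ATAPI.SYS section copied from the log; the second is constructed, with a made-up hash, to show what a patched driver would look like.

```python
"""Cross-check OTL '< MD5 for: ... >' output for a patched system driver.

Added example; not from the original thread and not OTL's own code. OTL
prints one hash line per copy of each file it was asked about. Here those
lines are grouped by file, and a live copy (system32\\file or
system32\\drivers\\file) is flagged when no same-size stock copy in
dllcache, ServicePackFiles or the ERDNT cache carries the same MD5.
"""
import re
from collections import defaultdict

# One OTL hash line: [date time | size | attrs | M] (Company) MD5=HEX -- path
LINE_RE = re.compile(
    r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| [^|]+ \| M\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")


def classify(path):
    """'live' for the copy Windows loads, 'backup' for stock copies, else 'other'."""
    parts = path.lower().replace("/", "\\").split("\\")
    if {"dllcache", "servicepackfiles", "erdnt"} & set(parts):
        return "backup"
    if "system32" in parts:
        below = parts[parts.index("system32") + 1:]
        # Only system32\file and system32\drivers\file are loaded at boot;
        # system32\ReinstallBackups\... is driver-rollback storage, not live.
        if below == [parts[-1]] or below == ["drivers", parts[-1]]:
            return "live"
    return "other"


def parse_md5_report(text):
    """Return {file_name: [record, ...]} from OTL custom-scan text."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            continue
        match = LINE_RE.match(line)
        if match and current:
            rec = match.groupdict()
            rec["size"] = int(rec["size"].replace(",", ""))
            rec["md5"] = rec["md5"].upper()
            rec["kind"] = classify(rec["path"])
            sections[current].append(rec)
    return dict(sections)


def find_patched(sections):
    """Map file_name -> (live_path, live_md5, stock_md5s) for suspicious files.

    A live copy is suspicious when at least one stock copy of the same byte
    size exists and none of them carries its hash. Matching on size first
    keeps older pre-service-pack copies from producing noise."""
    suspicious = {}
    for name, recs in sections.items():
        for live in (r for r in recs if r["kind"] == "live"):
            stock = {r["md5"] for r in recs
                     if r["kind"] == "backup" and r["size"] == live["size"]}
            if stock and live["md5"] not in stock:
                suspicious[name] = (live["path"], live["md5"], stock)
    return suspicious


# Sample input copied from the ATAPI.SYS section of the log above.
CLEAN_REPORT = r"""
< MD5 for: ATAPI.SYS >
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 12:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
"""

# Constructed input (the live hash is made up, not a real TDL3 signature):
# the loaded driver differs from the stock copies while keeping the same size.
PATCHED_REPORT = r"""
< MD5 for: ATAPI.SYS >
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 18:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=0123456789ABCDEF0123456789ABCDEF -- C:\WINDOWS\system32\drivers\atapi.sys
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_REPORT), ("patched", PATCHED_REPORT)):
        hits = find_patched(parse_md5_report(text))
        print(label, "->", hits if hits else "no mismatched live copies")
```

Two caveats a responder would add. Matching on size before comparing hashes keeps the older pre-SP3 copies under $NtServicePackUninstall$ and ReinstallBackups from raising false alarms, which is why those are classed as "other" and ignored. And a matching hash is only meaningful if the read was honest: an active TDL3 hooks the storage stack and serves the original bytes for the infected driver while it is running, so this comparison confirms a cleanup (the log above was produced after ComboFix had run) rather than proving a live system clean; RootRepeal and similar kernel-level scanners are the tool for that.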


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 December 2009 - 04:22 PM

That's the confirmation I needed.

Please run ESET, which can remove pesky infected files and smaller infections.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Thanks, nearly there
m0le is a proud member of UNITE

#13 Robert Cranston

Robert Cranston
  • Topic Starter

  • Members
  • 9 posts

Posted 08 December 2009 - 07:27 AM

Two issues, the first time I ran it, I left it on overnight and the next day the PC had rebooted, so no idea what it found.
Ran it again this morning, and it has returned back saying "No Threats Found".

Hopefully this is good.

Thanks,
Rob

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 December 2009 - 07:47 AM

Yes, that's good, Robert.

Your log is clean. Good stuff!

Let's first do some housekeeping.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the "x" and "/")
    [image]
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the [image] icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big [image] button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Here's a list of ways you can avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it Robert, happy surfing!

Cheers,


m0le
m0le is a proud member of UNITE

#15 Robert Cranston

Robert Cranston
  • Topic Starter

  • Members
  • 9 posts

Posted 08 December 2009 - 03:30 PM

Thanks again for all the help.



