
Google Redirect Virus


  • This topic is locked
9 replies to this topic

#1 Abro

Abro

  • Members
  • 5 posts

Posted 30 November 2009 - 07:15 PM

Almost every time I click on a search result in Google, search results are randomly redirected to ad sites, instead of going to the correct webpage. If I click on a link four times, the first three times it will go to an ad site, but the fourth time it goes to the correct site.

Recently, pop-up windows have also been opening on their own, completely unrelated to whether I've clicked on a link or not.

I scanned my computer with Malware Bytes, SuperAntiSpyware, AVG, Kaspersky online, and ESET. All failed to solve the problem.

I scanned with DDS and have attached Attach.txt

I attempted to scan with RootRepeal, but it didn't work. I was able to click on the Report tab, choose the types of scans, and the drive to scan, but when I tried to start the Scan, the program showed "Initializing..." and froze. I was not able to close the program using Ctrl-Alt-Del and had to use the power button to restart.

When I attempted to enter Safe Mode, so I could try RootRepeal there, the computer loaded the drivers but after that flashed a blue screen (it was too fast to see the error), and restarted.

I tried this several times and always had the same results.

Below I have pasted the contents of my DDS.txt:

DDS (Ver_09-11-29.01) - NTFSx86
Run by Owner at 16:06:00.98 on Mon 11/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.1750 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Caphyon\Advanced Web Ranking\AWRServer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.babybeddingzone.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ProxyFirewall] c:\program files\proxyfirewall\ProxyFirewall.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [SansaDispatch] c:\documents and settings\owner\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UVS12 Preload] c:\program files\corel video editor\uvPL.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\owner\application data\dropbox\bin\Dropbox.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kn9w0kk6.default\
FF - prefs.js: browser.search.selectedEngine - Google.com UnPersonalized
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kn9w0kk6.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kn9w0kk6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kn9w0kk6.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AWRServer;Advanced Web Ranking Server;c:\program files\caphyon\advanced web ranking\AWRServer.exe [2009-5-7 113848]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-17 269648]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2008-7-13 6656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-17 19160]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-17 38224]
S2 gupdate1c9df3dbafe5900;Google Update Service (gupdate1c9df3dbafe5900);c:\program files\google\update\GoogleUpdate.exe [2009-5-27 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-5-23 79360]

=============== Created Last 30 ================

2009-11-30 21:19:42 0 d-----w- C:\VundoFix Backups
2009-11-30 21:13:28 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-30 11:08:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2009-11-30 11:08:21 0 d-----w- c:\program files\STOPzilla!
2009-11-30 11:08:21 0 d-----w- c:\program files\common files\iS3
2009-11-30 11:08:21 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-11-30 11:04:35 0 d-----w- c:\program files\AdwareAway
2009-11-30 08:21:05 0 d-----w- C:\autorun.inf
2009-11-30 08:03:56 0 d-----w- c:\docume~1\alluse~1\applic~1\RegAce
2009-11-30 08:03:53 0 d-----w- c:\program files\RegAce
2009-11-30 07:43:06 0 d-----w- c:\program files\Enigma Software Group
2009-11-30 06:48:39 0 d-----w- C:\cmdcons(2)
2009-11-30 05:51:11 0 d-----w- c:\program files\Microsoft IntelliType Pro
2009-11-30 04:04:17 0 d-----w- c:\program files\Trend Micro
2009-11-29 22:02:52 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys.install_backup
2009-11-29 22:02:52 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys.install_backup
2009-11-29 22:02:52 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys.install_backup
2009-11-29 22:02:52 12464 ----a-w- c:\windows\system32\avgrsstx.dll.install_backup
2009-11-29 22:02:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys.install_backup
2009-11-29 22:02:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys.install_backup
2009-11-29 22:02:03 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9(2)
2009-11-16 22:57:06 0 d-----w- C:\Call.of.Duty.Modern.Warfare.2.PROPER-SKIDROW
2009-11-05 10:41:13 0 d-----w- c:\program files\iPod
2009-11-05 10:40:59 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-11-30 20:58:27 105472 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2009-10-21 17:23:04 70984 ----a-w- c:\documents and settings\owner\g2mdlhlpx.exe
2009-10-18 00:30:45 2198 ----a-w- C:\U78.bat
2009-09-12 13:26:42 44704 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:13:26 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:13:26 136704 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-05 00:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-05-22 22:24:10 2 --shatr- c:\windows\winstart.bat

============= FINISH: 16:09:54.90 ===============


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 December 2009 - 07:16 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    %SYSTEMDRIVE%\viamraid.sys /s /md5
    %SYSTEMDRIVE%\nvata.sys /s /md5
    CREATERESTOREPOINT
  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
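What the `/s /md5` lines in the custom scan above ask OTL to do is locate every copy of each listed driver or DLL on the system drive and hash it, so a copy in system32 that has been tampered with stands out against the untouched copy in dllcache or the service pack cache. The script below is an added example that mirrors that check in Python; it is not OTL's code, and the directory tree it builds under a temporary folder is constructed for the demonstration (the file names come from the scan list above).

```python
"""Find every copy of a set of Windows system files under a root and compare
their MD5 digests, mirroring what OTL's ``<name> /s /md5`` custom-scan lines
report: if the copies of one file name do not all hash the same, one of them
has been modified and deserves a closer look.

Added example, not OTL's own code. The sample tree is constructed."""
import hashlib
import os
import tempfile
from collections import defaultdict


def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names):
    """Walk root recursively (OTL's /s switch) and group matches by lowercase name."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                found[fn.lower()].append(os.path.join(dirpath, fn))
    return found


def compare_copies(root, names):
    """Return ({name: {path: md5}}, [names whose copies disagree])."""
    report = {}
    mismatched = []
    for name, paths in find_copies(root, names).items():
        digests = {p: md5_of(p) for p in sorted(paths)}
        report[name] = digests
        if len(set(digests.values())) > 1:
            mismatched.append(name)
    return report, sorted(mismatched)


def build_sample_tree():
    """Constructed stand-in for %SYSTEMDRIVE%: scecli.dll is identical in both
    places, while the system32\\drivers copy of atapi.sys differs from the two
    backup copies, which is the pattern the hash comparison is meant to catch."""
    root = tempfile.mkdtemp(prefix="sysdrive_")
    layout = {
        "WINDOWS/system32/scecli.dll": b"constructed clean scecli",
        "WINDOWS/system32/dllcache/scecli.dll": b"constructed clean scecli",
        "WINDOWS/system32/drivers/atapi.sys": b"constructed atapi" + b" MODIFIED",
        "WINDOWS/system32/dllcache/atapi.sys": b"constructed atapi",
        "WINDOWS/ServicePackFiles/i386/atapi.sys": b"constructed atapi",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


# Two of the names from the OTL custom-scan list in the post above.
OTL_NAMES = ["atapi.sys", "scecli.dll"]

if __name__ == "__main__":
    root = build_sample_tree()
    report, mismatched = compare_copies(root, OTL_NAMES)
    for name, digests in report.items():
        print(name, "MISMATCH" if name in mismatched else "consistent")
        for path, digest in digests.items():
            print("   ", digest, path)
```

Pointing `compare_copies` at a real `C:\` with the full list from the post reproduces the comparison by hand; a mismatch only tells you the copies differ, so the next step is checking which copy carries a valid publisher signature.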

#3 Abro

Abro
  • Topic Starter

  • Members
  • 5 posts

Posted 01 December 2009 - 07:42 PM

Hi Sam! :(

Thank you so much for responding promptly. I really hope you can help me solve this problem soon.

When I tried to download OTL, I got a warning box that the download was unsafe (I am attaching a screenshot of the warning). I opted to download the software anyway, but because I wasn't sure where the warning box came from, I thought it might be generated by the virus itself. Just wanted to let you know this.

I was able to successfully run the OTL scan and have pasted the log files at the bottom of this message.

The Gmer scan is going to take a very long time, but I did run one scan before with 'Sections' and 'IAT/EAT' unchecked and with only the C:\ drive checked.

I am doing the scan as you instructed with all the options checked (except Show All), but I am pasting my previous Gmer logfile, in case it helps. The full scan will take many hours, so I will post it when it's finished.

Just to confirm, did you want me to scan just the C:\ drive or all drives with Gmer?

-----------
OTL.txt
-----------
OTL logfile created on: 12/1/2009 5:19:43 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 84.04% Memory free
4.00 Gb Paging File | 3.34 Gb Available in Paging File | 83.51% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.64 Gb Total Space | 374.07 Gb Free Space | 53.54% Space Free | Partition Type: NTFS
Drive D: | 698.63 Gb Total Space | 458.76 Gb Free Space | 65.67% Space Free | Partition Type: NTFS
Drive E: | 465.76 Gb Total Space | 203.48 Gb Free Space | 43.69% Space Free | Partition Type: NTFS
Drive F: | 688.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 3.53 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 968.38 Mb Total Space | 831.19 Mb Free Space | 85.83% Space Free | Partition Type: FAT
Drive M: | 465.65 Gb Total Space | 88.76 Gb Free Space | 19.06% Space Free | Partition Type: FAT32
Drive O: | 7.73 Gb Total Space | 2.90 Gb Free Space | 37.46% Space Free | Partition Type: FAT32
Drive P: | 7.73 Gb Total Space | 2.08 Gb Free Space | 26.84% Space Free | Partition Type: FAT32

Computer Name: ANONYMOUS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/01 17:18:15 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/11/21 12:17:18 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
PRC - [2009/11/12 14:20:55 | 20,918,784 | ---- | M] (Google) -- C:\Program Files\Google\Google Earth\client\googleearth.exe
PRC - [2009/10/31 03:22:07 | 00,136,176 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/27 18:29:43 | 00,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2009/09/10 13:54:02 | 00,269,648 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2009/09/10 13:54:00 | 00,420,176 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2009/08/27 20:27:42 | 26,784,939 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/06/27 06:47:23 | 00,160,592 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/23 10:50:39 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2009/05/22 13:55:01 | 01,921,024 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2009/05/22 13:54:56 | 02,183,168 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2009/05/22 13:54:56 | 00,024,064 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2009/05/22 13:47:30 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2009/05/22 13:26:42 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/05/07 04:55:55 | 00,113,848 | ---- | M] (Caphyon) -- C:\Program Files\Caphyon\Advanced Web Ranking\AWRServer.exe
PRC - [2009/04/20 11:17:15 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/04/20 11:17:01 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/04/17 11:08:00 | 00,053,064 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 9\TscHelp.exe
PRC - [2009/04/17 11:07:58 | 00,089,928 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe
PRC - [2009/04/17 11:07:56 | 08,824,648 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 9\SnagitEditor.exe
PRC - [2009/04/17 11:07:54 | 07,226,184 | ---- | M] (TechSmith Corporation) -- C:\Program Files\TechSmith\Snagit 9\Snagit32.exe
PRC - [2009/03/29 02:09:50 | 01,220,608 | ---- | M] (Don HO don.h@free.fr) -- C:\Program Files\Notepad++\notepad++.exe
PRC - [2009/03/15 03:15:16 | 00,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2009/02/25 23:37:14 | 17,937,768 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
PRC - [2008/12/12 09:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/06/09 09:37:44 | 00,053,392 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2008/01/14 10:44:18 | 00,019,968 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\Ctxfihlp.exe
PRC - [2008/01/14 10:44:16 | 00,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2008/01/14 10:41:16 | 00,969,216 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTxfispi.exe
PRC - [2007/05/10 21:46:20 | 00,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2009/12/01 17:18:15 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2009/04/20 11:16:40 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll
MOD - [2008/01/14 10:44:14 | 00,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAGENT.DLL


========== Win32 Services (SafeList) ==========

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/10 13:54:02 | 00,269,648 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/27 19:40:52 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9df3dbafe5900) Google Update Service (gupdate1c9df3dbafe5900)
SRV - [2009/05/23 12:25:34 | 00,079,360 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2009/05/23 10:50:39 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/05/22 13:54:56 | 00,024,064 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2009/05/22 13:26:42 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2009/05/07 04:55:55 | 00,113,848 | ---- | M] (Caphyon) -- C:\Program Files\Caphyon\Advanced Web Ranking\AWRServer.exe -- (AWRServer)
SRV - [2008/12/12 09:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/06/09 09:37:44 | 00,053,392 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2007/08/24 02:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007/03/20 15:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2006/10/26 12:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.babybeddingzone.com/
IE - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 54 7D 1E 3D 0D 0E CA 01 [binary data]
IE - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\S-1-5-21-1645522239-2111687655-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google.com UnPersonalized "
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: optout@google.com:1.1
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.95
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {d3127aca-e3b8-4416-9ed8-027db9124fed}:0.55
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.6
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {75CEEE46-9B64-46f8-94BF-54012DE155F0}:0.3.9
FF - prefs.js..extensions.enabledItems: {e3f6c2cc-d8db-498c-af6c-499fb211db97}:1.2
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.31
FF - prefs.js..extensions.enabledItems: seotoolbar@seobook.com:1.0.11
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.6.2
FF - prefs.js..network.proxy.socks_version: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2009/05/22 15:09:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 11:01:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/06 11:01:16 | 00,000,000 | ---D | M]

[2009/05/22 15:04:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/11/29 15:34:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions
[2009/07/09 16:28:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2009/05/22 15:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2009/07/09 16:28:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{75CEEE46-9B64-46f8-94BF-54012DE155F0}
[2009/09/29 09:07:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2009/06/09 07:14:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{d3127aca-e3b8-4416-9ed8-027db9124fed}
[2009/05/22 15:15:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/10/17 01:29:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2009/08/12 10:10:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2009/07/21 08:00:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{e1170235-2845-420c-acc3-42261a29dd46}
[2009/09/19 13:43:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
[2009/09/19 13:43:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}-trash
[2009/10/17 01:29:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\firebug@software.joehewitt.com
[2009/10/08 12:35:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\optout@google.com
[2009/05/25 14:24:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\seotoolbar@seobook.com
[2009/07/31 09:15:42 | 00,002,550 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\searchplugins\googlecom-unpersonalized-.xml
[2009/11/29 15:34:21 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (22 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [UVS12 Preload] C:\Program Files\Corel Video Editor\uvPL.exe (Ulead Systems, Inc.)
O4 - HKU\S-1-5-21-1645522239-2111687655-682003330-1003..\Run: [ProxyFirewall] C:\Program Files\ProxyFirewall\ProxyFirewall.exe File not found
O4 - HKU\S-1-5-21-1645522239-2111687655-682003330-1003..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-21-1645522239-2111687655-682003330-1003..\Run: [SansaDispatch] C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] File not found
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1645522239-2111687655-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} https://img.alipay.com/download/2121/aliedit.cab (EditCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.130 68.87.72.130
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/21 14:18:32 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/11/30 01:21:05 | 00,000,000 | ---D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/11/30 01:21:05 | 00,000,000 | ---D | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/11/30 01:21:06 | 00,000,000 | ---D | M] - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2008/04/14 03:00:00 | 00,000,110 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2005/06/13 17:40:45 | 00,000,145 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2009/11/30 01:21:08 | 00,000,000 | RHSD | M] - K:\autorun.inf -- [ FAT ]
O32 - AutoRun File - [2009/11/30 01:21:08 | 00,000,000 | ---D | M] - M:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009/11/30 01:21:08 | 00,000,000 | RHSD | M] - O:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009/11/30 01:21:08 | 00,000,000 | RHSD | M] - P:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{cd11e676-4620-11de-9a86-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{cd11e676-4620-11de-9a86-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cd11e676-4620-11de-9a86-806d6172696f}\Shell\AutoRun\command - "" = F:\SETUP.EXE -- [2008/04/14 03:00:00 | 01,314,816 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{cd11e677-4620-11de-9a86-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{cd11e677-4620-11de-9a86-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cd11e677-4620-11de-9a86-806d6172696f}\Shell\AutoRun\command - "" = G:\Setup\rsrc\AUTORUN.EXE -- [2005/08/25 16:11:23 | 00,045,056 | R--- | M] ()
O33 - MountPoints2\{cd11e677-4620-11de-9a86-806d6172696f}\Shell\dinstall\command - "" = G:\DirectX\dxsetup.exe -- [2004/07/09 04:08:36 | 00,472,576 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\SETUP.EXE -- [2008/04/14 03:00:00 | 01,314,816 | R--- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (MACHINE) - File not found
O34 - HKLM BootExecute: (BootExecut) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/05/21 14:18:14 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (68964818152849408)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/01 17:18:15 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/11/30 17:43:51 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/11/30 17:41:51 | 03,326,576 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Owner\Desktop\ccsetup226.exe
[2009/11/30 16:07:05 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RR.exe
[2009/11/30 14:36:35 | 00,000,000 | ---D | C] -- C:\rsit
[2009/11/30 14:19:42 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/11/30 13:57:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\JANANNA
[2009/11/30 04:08:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/11/30 04:08:21 | 00,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2009/11/30 04:08:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/11/30 04:08:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2009/11/30 04:04:35 | 00,000,000 | ---D | C] -- C:\Program Files\AdwareAway
[2009/11/30 02:00:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\GooredFix Backups
[2009/11/30 01:21:05 | 00,000,000 | ---D | C] -- C:\autorun.inf
[2009/11/30 01:09:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2009/11/30 01:03:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RegAce
[2009/11/30 01:03:53 | 00,000,000 | ---D | C] -- C:\Program Files\RegAce
[2009/11/30 00:43:06 | 00,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2009/11/29 23:48:39 | 00,000,000 | ---D | C] -- C:\cmdcons(2)
[2009/11/29 23:10:33 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/11/29 22:51:11 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft IntelliType Pro
[2009/11/29 22:33:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\New Folder(2)
[2009/11/29 21:44:31 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/11/29 21:31:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RegRunInfo
[2009/11/29 21:04:17 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/29 20:18:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/29 20:17:48 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/29 17:42:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\SingaporeMath1B_files
[2009/11/29 15:02:52 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys.install_backup
[2009/11/29 15:02:52 | 00,161,800 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys.install_backup
[2009/11/29 15:02:52 | 00,025,608 | ---- | C] (AVG Technologies ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys.install_backup
[2009/11/29 15:02:52 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll.install_backup
[2009/11/29 15:02:48 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys.install_backup
[2009/11/29 15:02:48 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys.install_backup
[2009/11/29 15:02:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9(2)
[2008/01/14 10:44:40 | 00,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/01 17:18:15 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/12/01 17:11:00 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/12/01 16:27:01 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/01 15:48:33 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A0C51C3B-2246-4452-996C-C93B94879673}.job
[2009/12/01 15:16:45 | 06,553,600 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2009/12/01 14:51:11 | 00,054,784 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/01 08:05:00 | 00,000,514 | ---- | M] () -- C:\WINDOWS\tasks\Malwarebytes' Scheduled Scan for Owner.job
[2009/12/01 08:00:00 | 00,000,500 | ---- | M] () -- C:\WINDOWS\tasks\Malwarebytes' Scheduled Update for Owner.job
[2009/12/01 04:27:00 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/11/30 21:32:06 | 00,284,153 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/11/30 20:07:45 | 00,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/30 20:07:45 | 00,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/30 20:07:45 | 00,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/30 20:03:14 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/11/30 20:03:11 | 00,175,033 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/30 20:03:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/30 20:02:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/30 20:02:02 | 00,064,748 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2009/11/30 20:02:02 | 00,055,852 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2009/11/30 20:02:01 | 00,055,852 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000004-00001102-00000005-60021102}.rfx
[2009/11/30 20:01:39 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/11/30 19:40:22 | 00,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/11/30 17:43:52 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/11/30 17:41:55 | 03,326,576 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Owner\Desktop\ccsetup226.exe
[2009/11/30 16:22:24 | 06,408,754 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/11/30 16:07:07 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RR.exe
[2009/11/30 16:04:31 | 00,524,800 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/11/30 14:36:21 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2009/11/30 00:34:04 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/29 23:14:35 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/29 23:14:35 | 00,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/11/29 23:08:14 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avenger.zip
[2009/11/29 23:03:41 | 00,802,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/29 21:08:21 | 07,531,052 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\unhackme.zip
[2009/11/29 15:31:05 | 00,000,433 | ---- | M] () -- C:\2.js
[2009/11/29 15:09:32 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/29 15:02:52 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys.install_backup
[2009/11/29 15:02:52 | 00,161,800 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgrkx86.sys.install_backup
[2009/11/29 15:02:52 | 00,025,608 | ---- | M] (AVG Technologies ) -- C:\WINDOWS\System32\drivers\AVGIDSxx.sys.install_backup
[2009/11/29 15:02:52 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll.install_backup
[2009/11/29 15:02:48 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys.install_backup
[2009/11/29 15:02:48 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys.install_backup
[2009/11/26 17:21:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/21 12:17:18 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/30 21:32:25 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2009/11/30 21:32:05 | 00,284,153 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2009/11/30 19:40:22 | 00,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/11/30 17:43:51 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2009/11/30 16:04:29 | 00,524,800 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2009/11/30 14:36:21 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2009/11/30 01:09:21 | 00,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/11/29 23:08:14 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avenger.zip
[2009/11/29 21:08:02 | 07,531,052 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\unhackme.zip
[2009/11/29 20:22:55 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/11/29 20:22:48 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/19 15:46:19 | 06,553,600 | ---- | C] () -- C:\Documents and Settings\Owner\ntuser.dat
[2009/10/04 18:05:54 | 00,209,040 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/10/04 18:05:54 | 00,204,944 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/10/04 18:05:54 | 00,196,752 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/10/04 18:05:54 | 00,196,752 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/10/04 18:05:54 | 00,192,656 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/10/04 18:05:54 | 00,024,720 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/08/26 19:52:03 | 00,000,287 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/07/17 16:38:34 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/06/08 19:07:52 | 00,000,177 | ---- | C] () -- C:\WINDOWS\System32\AWRServer.ini
[2009/06/01 19:46:51 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/06/01 19:46:36 | 02,402,304 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009/05/27 19:55:11 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/05/27 19:55:11 | 00,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/05/27 19:55:11 | 00,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/05/27 19:55:11 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/05/27 19:55:10 | 00,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/05/24 15:43:18 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\PteVideo.dll
[2009/05/22 15:53:57 | 00,676,224 | R--- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2009/05/22 13:55:16 | 00,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/05/22 13:55:16 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/05/22 13:49:31 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2009/05/22 12:35:29 | 00,121,344 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/20 11:25:16 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll
[2008/01/14 11:09:04 | 00,101,135 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/01/14 11:09:02 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/01/14 10:45:32 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2006/10/02 15:25:18 | 00,000,307 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2002/10/15 15:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002/03/16 17:00:00 | 00,007,420 | ---- | C] () -- C:\WINDOWS\UA000106.DLL

========== LOP Check ==========

[2009/11/30 13:58:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9(2)
[2009/10/04 18:05:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2009/05/24 15:43:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PicturesToExe
[2009/11/30 01:03:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegAce
[2009/05/22 15:09:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2009/11/30 12:23:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/11/30 13:23:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/05/25 13:14:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2009/11/30 02:12:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/04 18:06:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/09/10 17:34:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/22 16:57:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/10/04 16:41:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\avidemux
[2009/05/22 17:24:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Blumentals
[2009/08/18 15:43:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canon
[2009/07/17 17:06:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/12/01 11:48:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Dropbox
[2009/09/16 12:46:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FileZilla
[2009/06/13 20:50:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\G-Lock Software
[2009/05/22 15:21:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
[2009/10/15 05:23:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Notepad++
[2009/05/24 16:25:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PADGen
[2009/10/27 18:29:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SanDisk
[2009/10/05 01:55:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ulead Systems
[2009/05/23 07:52:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2009/12/01 15:48:33 | 00,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A0C51C3B-2246-4452-996C-C93B94879673}.job
[2009/11/30 20:03:14 | 00,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/12/25 18:50:08 | 00,055,808 | ---- | M] (Microsoft Corporation) -- C:\devcon.exe
[2009/02/01 07:09:25 | 00,323,167 | ---- | M] () -- C:\DPsFnshr.exe
[2009/02/01 07:09:29 | 00,279,577 | ---- | M] () -- C:\DSPdsblr.exe
[2008/12/25 18:50:08 | 00,020,992 | ---- | M] () -- C:\makePNF.exe
[2008/12/25 18:50:08 | 00,137,728 | ---- | M] () -- C:\mute.exe
[2009/02/01 07:09:33 | 00,269,947 | ---- | M] () -- C:\pmtimer.exe
[2 C:\*.tmp files -> C:\*.tmp -> ]

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008/04/14 05:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2008/04/14 05:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2009/04/20 11:18:21 | 00,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\system32\netlogon.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[2007/09/29 14:03:12 | 00,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\D\M\I3\IASTOR.SYS
[2008/09/12 10:32:56 | 00,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\D\M\I4\IaStor.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008/04/14 05:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >
[2006/02/26 08:21:18 | 00,089,856 | ---- | M] (NVIDIA Corporation) MD5=83F0275A21D9772B51CEF57E35AFAE61 -- C:\D\M\NV123\NVATABUS.sys
[2006/04/24 08:52:28 | 00,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\D\M\NVTM\NVATABUS.sys
[2009/05/22 13:45:55 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=6B37162E91A7005BAA753CB611ACEA2D -- C:\dell\drivers\R164977\IDE\WinXP\sataraid\nvatabus.sys
[2009/11/30 19:51:13 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=6B37162E91A7005BAA753CB611ACEA2D -- C:\WINDOWS\system32\drivers\nvatabus.sys
[2009/05/22 13:45:55 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=6B37162E91A7005BAA753CB611ACEA2D -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\nvatabus.sys
[2009/05/22 13:45:55 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=6B37162E91A7005BAA753CB611ACEA2D -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\nvatabus.sys

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >
[2008/07/09 18:19:02 | 00,117,248 | ---- | M] (VIA Technologies inc,.ltd) MD5=00046AA2E396EDC2238556E740A8E5AF -- C:\D\M\V1\viamraid.sys

< %SYSTEMDRIVE%\nvata.sys /s /md5 >
[2009/05/22 13:45:55 | 00,105,472 | ---- | M] (NVIDIA Corporation) MD5=6B37162E91A7005BAA753CB611ACEA2D -- C:\dell\drivers\R164977\IDE\WinXP\sata_ide\nvata.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:53DA0D41
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8CE646EE
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >



------------
Extras.txt
------------
OTL Extras logfile created on: 12/1/2009 5:19:43 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 84.04% Memory free
4.00 Gb Paging File | 3.34 Gb Available in Paging File | 83.51% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.64 Gb Total Space | 374.07 Gb Free Space | 53.54% Space Free | Partition Type: NTFS
Drive D: | 698.63 Gb Total Space | 458.76 Gb Free Space | 65.67% Space Free | Partition Type: NTFS
Drive E: | 465.76 Gb Total Space | 203.48 Gb Free Space | 43.69% Space Free | Partition Type: NTFS
Drive F: | 688.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 3.53 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 968.38 Mb Total Space | 831.19 Mb Free Space | 85.83% Space Free | Partition Type: FAT
Drive M: | 465.65 Gb Total Space | 88.76 Gb Free Space | 19.06% Space Free | Partition Type: FAT32
Drive O: | 7.73 Gb Total Space | 2.90 Gb Free Space | 37.46% Space Free | Partition Type: FAT32
Drive P: | 7.73 Gb Total Space | 2.08 Gb Free Space | 26.84% Space Free | Partition Type: FAT32

Computer Name: ANONYMOUS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.js [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.txt [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-1645522239-2111687655-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Caphyon\Advanced Web Ranking\AdvancedWebRanking.exe" = C:\Program Files\Caphyon\Advanced Web Ranking\AdvancedWebRanking.exe:*:Enabled:Advanced Web Ranking -- (Caphyon)
"C:\Program Files\Caphyon\Advanced Web Ranking\AdvancedLinkManager.exe" = C:\Program Files\Caphyon\Advanced Web Ranking\AdvancedLinkManager.exe:*:Enabled:Advanced Link Manager -- (Caphyon)
"C:\Program Files\Caphyon\Advanced Web Ranking\AWRServer.exe" = C:\Program Files\Caphyon\Advanced Web Ranking\AWRServer.exe:*:Enabled:AWR Server -- (Caphyon)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\Program Files\AliWangWang\AliIM.exe" = C:\Program Files\AliWangWang\AliIM.exe:*:Enabled:AliIM -- File not found
"C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe" = C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™ -- (Activision Blizzard, Inc.)
"C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe" = C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™ -- (Activision Blizzard, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4803" = CanoScan 4400F
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 15
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{367AFBAE-1E43-42E0-A019-13C0EF4B22F8}" = Advanced Web Ranking 6.5
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A6829EF-0791-4FDD-9382-C690DD0821B9}" = Adobe Flash Player 10 ActiveX
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}" = Adobe Photoshop CS3
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{41E40EFF-20C4-E1B9-827B-8145DBC18E34}" = Market Samurai
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}" = Adobe Flash Player 9 Plugin
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{9074AFC0-CFDA-11DE-B484-005056806466}" = Google Earth
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A1EFAB42-FFE9-43EA-AA54-1ACAEE8E82E3}" = Content Spinner
"{A254D625} PicturesToExe 5.6_is1" = PicturesToExe 5.6
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AFE83615-88BE-47F6-B3E4-A3FEF8B7B57F}_is1" = xrecode II 1.0.0.52
"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B440D659-FECA-4BDD-A12B-5C9F05790FF3}" = Snagit 9.1.2
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{BD32D371-5AA5-4C59-9099-ADD80CA0425E}" = Video Post Robot
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 Service Pack 1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"{E3455D9D-A333-4B02-9D21-404A7E6FDD78}" = Article Post Robot
"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7629A2B-0F48-44C5-A0BE-8352CAAA4FC4}" = PHP Live! Support
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EFE356A6-91C3-450F-A469-504ACA655A7A}_is1" = PADGen 3.0.1.38
"{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}" = VideoStudio
"{F477D623-9670-430C-87A5-997EF5F66D6D}" = Malwarebytes' Anti-Malware IP Policy Shortcuts
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" = Sansa Media Converter
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"{FFC1ADE3-944B-4231-894E-3903C37271D2}" = Adobe Setup
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"Adobe_c3c7fe8b09d497ab2b3fd91c9353390" = Adobe Flash CS3 Professional
"AI RoboForm" = AI RoboForm (All Users)
"AoA Audio Extractor_is1" = AoA Audio Extractor 1.0
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"Audacity_is1" = Audacity 1.2.6
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"Call of Duty Modern Warfare 2_is1" = Call of Duty Modern Warfare 2
"CanoScan Toolbox 5.0" = Canon CanoScan Toolbox 5.0
"CCleaner" = CCleaner
"Color Style Studio_is1" = Color Style Studio 2.47
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Console Launcher" = Creative Console Launcher
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"eBook Maestro FREE_is1" = eBook Maestro FREE 1.80
"EbookMaker" = EbookMaker
"Excel Add Data, Text & Characters To All Cells Software_is1" = Excel Add Data, Text & Characters To All Cells Software 7.0
"Fast Blog Finder_is1" = Fast Blog Finder 2.60
"FileZilla Client" = FileZilla Client 3.2.7
"GNU Aspell_is1" = GNU Aspell 0.50-3
"Google Chrome" = Google Chrome
"GTrends - The Second Edition_is1" = GTrends SE 1.7.3
"HijackThis" = HijackThis 2.0.2
"InstallShield_{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"InstallShield_{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"InstallShield_{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}" = Corel VideoStudio 12
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.8.5
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware IP Policy Shortcuts" = Malwarebytes' Anti-Malware IP Policy Shortcuts
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"PADexpress v1.50_is1" = PADexpress v1.50
"PowerISO" = PowerISO
"PromoSoft_is1" = PromoSoft 1.85
"PROPLUS" = Microsoft Office Professional Plus 2007
"Screensaver Factory 4 Enterprise_is1" = Screensaver Factory 4 Enterprise
"Startwrite" = Startwrite Startwrite 5.0 b209 Demo
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VLC media player" = VLC media player 0.9.9
"VobSub" = VobSub v2.23 (Remove Only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"ZIP 2 Secure EXE" = ZIP 2 Secure EXE

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1645522239-2111687655-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"GoToMeeting" = GoToMeeting 4.1.0.366
"Sansa Updater" = Sansa Updater
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


------------
Gmer
------------

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 02:00:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Alidevice.SYS (Windows NT alipay kernel module/alipay.com)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\nvatabus \Device\Harddisk0\DR0 8ABB8369

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{F3466962-DE45-11DE-9EA3-001E4FC84C7F}.dat 0 bytes
File C:\Documents and Settings\Owner\Local Settings\temp\~DFE376.tmp 16384 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\chartbeat[1].js 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\header-link_add[1].gif 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\header-menu-poker[1].gif 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\header-menu-sportsbook-hover[1].gif 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\header-menu-sportsbook[1].gif 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\header-navigation-bg[1].gif 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\image_tracker[1].gif 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\quant[1].swf 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\recommendations[1].js 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\report2_icon_small[1].gif 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9M4XOOOO\asrock-h66de3[1].jpg 0 bytes
File C:\WINDOWS\system32\drivers\nvatabus.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Abro, 01 December 2009 - 08:00 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:14 AM

Posted 02 December 2009 - 08:51 AM

OTL is safe. The Gmer log you posted is just what I needed to see.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Abro

Abro
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:14 AM

Posted 02 December 2009 - 12:39 PM

Hi Sam :(

Thank you for your instructions today.

I downloaded and ran TDSSKiller. It found and cured an infected driver and then asked me to reboot, which I did.

Please let me know what to do next.

Here's the contents of the TDSSKiller.txt:

Host Name: ANONYMOUS
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Ahsen Abro
Registered Organization: Kudlee, Inc.
Product ID: 76487-640-1457236-23834
Original Install Date: 5/21/2009, 3:18:41 PM
System Up Time: 0 Days, 9 Hours, 2 Minutes, 1 Seconds
System Manufacturer: Dell Inc.
System Model: Dell XPS720
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 15 Stepping 11 GenuineIntel ~3000 Mhz
BIOS Version: DELL - d
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-07:00) Mountain Time (US & Canada)
Total Physical Memory: 3,069 MB
Available Physical Memory: 2,061 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,000 MB
Virtual Memory: In Use: 48 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\ANONYMOUS
Hotfix(s): 398 Hotfix(s) Installed.
[187]: Q147222
[188]: Q282784 - Windows XP Hotfix (SP1) [See Q282784 for more information]
[189]: M953297 - Update
[190]: KB887606_26 - Update
[191]: KB892130 - Update
[192]: KB928788
[193]: KB929399
[194]: KB929773
[195]: KB932390
[196]: KB933547
[197]: KB935551
[198]: KB935552
[199]: KB939209
[200]: KB928788 - Update
[201]: KB929399 - Update
[202]: KB929773 - Update
[203]: KB932390 - Update
[204]: KB933547 - Update
[205]: KB935551 - Update
[206]: KB935552 - Update
[207]: KB939209 - Update
[208]: KB954155_WM9
[209]: KB968816_WM9
[210]: KB973540_WM9
[211]: KB939683
[212]: KB944882_WM11
[213]: KB952069_WM9
[214]: KB954067_WM11
[215]: KB954154_WM11
[216]: KB959772_WM11
[217]: KB939683 - Update
[218]: KB944882_WM11 - Update
[219]: KB952069_WM9
[220]: KB954067_WM11 - Update
[221]: KB954154_WM11 - Update
[222]: KB959772_WM11 - Update
[223]: KB941569
[224]: KB909520 - Update
[225]: ie8 - Update
[226]: KB941569 - Update
[227]: KB969897-IE8 - Update
[228]: KB971961-IE8 - Update
[229]: KB972260-IE8 - Update
[230]: KB974455-IE8 - Update
[231]: KB976749-IE8 - Update
[232]: Q282784 - Update
[233]: MSCompPackV1 - Update
[234]: KB943729 - Update
[235]: KB898461 - Update
[236]: KB281981 - Update
[237]: KB889320-v2 - Update
[238]: KB915800-v4 - Update
[239]: KB922120-v6 - Update
[240]: KB923561 - Update
[241]: KB927436-v2 - Update
[242]: KB932716-v2 - Update
[243]: KB934401 - Update
[244]: KB938759 - Update
[245]: KB940648 - Update
[246]: KB942288-v3 - Update
[247]: KB943232-v2 - Update
[248]: KB944043-v3 - Update
[249]: KB945060-v3 - Update
[250]: KB9451

NetWork Card(s): 3 NIC(s) Installed.
[01]: Broadcom NetXtreme 57xx Gigabit Controller
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.1.10.1
IP address(es)
[01]: 10.1.10.12
[02]: Dell Wireless 1505 Draft 802.11n WLAN Mini-Card
Connection Name: Wireless Network Connection
[03]: 1394 Net Adapter
Connection Name: 1394 Connection
DHCP Enabled: Yes
DHCP Server: N/A
IP address(es)

10:32:16:453 3956 ForceUnloadDriver: NtUnloadDriver error 2
10:32:16:453 3956 ForceUnloadDriver: NtUnloadDriver error 2
10:32:16:453 3956 ForceUnloadDriver: NtUnloadDriver error 2
10:32:16:468 3956 main: Driver KLMD successfully dropped
10:32:16:531 3956 main: Driver KLMD successfully loaded
10:32:16:531 3956
Scanning Registry ...
10:32:16:531 3956 ScanServices: Searching service UACd.sys
10:32:16:531 3956 ScanServices: Open/Create key error 2
10:32:16:531 3956 ScanServices: Searching service TDSSserv.sys
10:32:16:531 3956 ScanServices: Open/Create key error 2
10:32:16:531 3956 ScanServices: Searching service gaopdxserv.sys
10:32:16:531 3956 ScanServices: Open/Create key error 2
10:32:16:531 3956 ScanServices: Searching service gxvxcserv.sys
10:32:16:531 3956 ScanServices: Open/Create key error 2
10:32:16:531 3956 ScanServices: Searching service MSIVXserv.sys
10:32:16:531 3956 ScanServices: Open/Create key error 2
10:32:16:531 3956 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
10:32:16:546 3956 UnhookRegistry: Kernel local addr: 1050000
10:32:16:546 3956 UnhookRegistry: KeServiceDescriptorTable addr: 10D5700
10:32:16:593 3956 UnhookRegistry: KiServiceTable addr: 107D460
10:32:16:609 3956 UnhookRegistry: NtEnumerateKey service number (local): 47
10:32:16:609 3956 UnhookRegistry: NtEnumerateKey local addr: 119D022
10:32:16:625 3956 KLMD_OpenDevice: Trying to open KLMD device
10:32:16:625 3956 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
10:32:16:625 3956 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
10:32:16:625 3956 UnhookRegistry: NtEnumerateKey service number (kernel): 47
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
10:32:16:625 3956 UnhookRegistry: NtEnumerateKey real addr: 80624022
10:32:16:625 3956 UnhookRegistry: NtEnumerateKey calc addr: 80624022
10:32:16:625 3956 UnhookRegistry: No SDT hooks found on NtEnumerateKey
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x80624022[0xA]
10:32:16:625 3956 UnhookRegistry: No splicing found on NtEnumerateKey
10:32:16:625 3956
Scanning Kernel memory ...
10:32:16:625 3956 KLMD_OpenDevice: Trying to open KLMD device
10:32:16:625 3956 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
10:32:16:625 3956 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:32:16:625 3956 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AC27CF8
10:32:16:625 3956 DetectCureTDL3: KLMD_GetDeviceObjectList returned 20 DevObjects
10:32:16:625 3956 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8AB1F030
10:32:16:625 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB1F030
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AB1F030[0x38]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:625 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:625 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:625 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:625 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:625 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:625 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:625 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:625 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:625 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:625 3956 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8A924030
10:32:16:625 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A924030
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A924030[0x38]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:625 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:625 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:625 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:625 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:625 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:625 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:625 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:625 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:625 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:625 3956 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8A9D7030
10:32:16:625 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A9D7030
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A9D7030[0x38]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:625 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:625 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:625 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:625 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:625 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:625 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:625 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:625 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:625 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:625 3956 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8A935920
10:32:16:625 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A935920
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A935920[0x38]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:625 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:625 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:625 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:625 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:625 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:625 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 8A848030
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A848030
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A848030[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 8A822C68
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A822C68
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A822C68[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 DetectCureTDL3: 6 Curr stack PDEVICE_OBJECT: 8A864030
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A864030
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A864030[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:640 3956 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A743240
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A743240
10:32:16:640 3956 DetectCureTDL3: 7 Curr stack PDEVICE_OBJECT: 8A657EA0
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A657EA0
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A657EA0[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8A78D788
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A78D788[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE21A2188[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: A33F8180
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: A33F39E6
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: A33F75F0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: A33F5A6E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A5B8AB8
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5B8AB8
10:32:16:640 3956 DetectCureTDL3: 8 Curr stack PDEVICE_OBJECT: 8A9D7EA0
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A9D7EA0
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A9D7EA0[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8A78D788
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A78D788[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE21A2188[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: A33F8180
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: A33F39E6
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: A33F75F0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: A33F5A6E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8A82AAB8
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A82AAB8
10:32:16:640 3956 DetectCureTDL3: 9 Curr stack PDEVICE_OBJECT: 8AB1F740
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB1F740
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AB1F740[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8A78D788
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A78D788[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE21A2188[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: A33F8180
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: A33F39E6
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: A33F75F0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: A33F5A6E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 8AA62AB8
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA62AB8
10:32:16:640 3956 DetectCureTDL3: 10 Curr stack PDEVICE_OBJECT: 8A847EA0
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A847EA0
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A847EA0[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8A78D788
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A78D788[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE21A2188[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: A33F8180
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: A33F39E6
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: A33F75F0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: A33F5A6E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 8A857AB8
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A857AB8
10:32:16:640 3956 DetectCureTDL3: 11 Curr stack PDEVICE_OBJECT: 8A784460
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A784460
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A784460[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8A78D788
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A78D788[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE21A2188[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: A33F8180
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: A33F39E6
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: A33F75F0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: A33F5A6E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 DetectCureTDL3: 12 Curr stack PDEVICE_OBJECT: 8AB32AB8
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB32AB8
10:32:16:640 3956 DetectCureTDL3: 12 Curr stack PDEVICE_OBJECT: 8A808EA0
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A808EA0
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A808EA0[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8A78D788
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A78D788[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE21A2188[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: A33F8180
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: A33F39E6
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: A33F75F0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: A33F5A6E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 DetectCureTDL3: 13 Curr stack PDEVICE_OBJECT: 8A827400
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A827400
10:32:16:640 3956 DetectCureTDL3: 13 Curr stack PDEVICE_OBJECT: 8A784EA0
10:32:16:640 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A784EA0
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A784EA0[0x38]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8A78D788
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0x8A78D788[0xA8]
10:32:16:640 3956 KLMD_ReadMem: Trying to ReadMemory 0xE21A2188[0x208]
10:32:16:640 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
10:32:16:640 3956 DetectCureTDL3: IrpHandler (0) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (2) addr: A33F8218
10:32:16:640 3956 DetectCureTDL3: IrpHandler (3) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (4) addr: A33F823C
10:32:16:640 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (9) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (14) addr: A33F8180
10:32:16:640 3956 DetectCureTDL3: IrpHandler (15) addr: A33F39E6
10:32:16:640 3956 DetectCureTDL3: IrpHandler (16) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (22) addr: A33F75F0
10:32:16:640 3956 DetectCureTDL3: IrpHandler (23) addr: A33F5A6E
10:32:16:640 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:640 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:640 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:640 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\usbstor.sys
10:32:16:656 3956 DetectCureTDL3: 14 Curr stack PDEVICE_OBJECT: 8AB8EC68
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB8EC68
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AB8EC68[0x38]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:656 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:656 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:656 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:656 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:656 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:656 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:656 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:656 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:656 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:656 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:656 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:656 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:656 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:656 3956 DetectCureTDL3: 15 Curr stack PDEVICE_OBJECT: 8AC63C68
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC63C68
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC63C68[0x38]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:656 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:656 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:656 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:656 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:656 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:656 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:656 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:656 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:656 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:656 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:656 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:656 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:656 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:656 3956 DetectCureTDL3: 16 Curr stack PDEVICE_OBJECT: 8AC1A030
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC1A030
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC1A030[0x38]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AC27CF8
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC27CF8[0xA8]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0xE16AD2D0[0x208]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:32:16:656 3956 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
10:32:16:656 3956 DetectCureTDL3: IrpHandler (1) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
10:32:16:656 3956 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
10:32:16:656 3956 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
10:32:16:656 3956 DetectCureTDL3: IrpHandler (5) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (6) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (7) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (8) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
10:32:16:656 3956 DetectCureTDL3: IrpHandler (10) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (11) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (12) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (13) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
10:32:16:656 3956 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
10:32:16:656 3956 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
10:32:16:656 3956 DetectCureTDL3: IrpHandler (17) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (18) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (19) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (20) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (21) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
10:32:16:656 3956 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
10:32:16:656 3956 DetectCureTDL3: IrpHandler (24) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (25) addr: 804F4562
10:32:16:656 3956 DetectCureTDL3: IrpHandler (26) addr: 804F4562
10:32:16:656 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:656 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
10:32:16:656 3956 DetectCureTDL3: 17 Curr stack PDEVICE_OBJECT: 8AC6CAB8
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC6CAB8
10:32:16:656 3956 DetectCureTDL3: 17 Curr stack PDEVICE_OBJECT: 8AC1E030
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC1E030
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC1E030[0x38]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AB92918
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AB92918[0xA8]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0xE101FA88[0x208]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvatabus, Driver Name: nvatabus
10:32:16:656 3956 DetectCureTDL3: IrpHandler (0) addr: BA6BB894
10:32:16:656 3956 DetectCureTDL3: IrpHandler (1) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (2) addr: BA6BB894
10:32:16:656 3956 DetectCureTDL3: IrpHandler (3) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (4) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (5) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (6) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (7) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (8) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (9) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (10) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (11) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (12) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (13) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (14) addr: BA6BB8AE
10:32:16:656 3956 DetectCureTDL3: IrpHandler (15) addr: BA6BBD6E
10:32:16:656 3956 DetectCureTDL3: IrpHandler (16) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (17) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (18) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (19) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (20) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (21) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (22) addr: BA6BBD0E
10:32:16:656 3956 DetectCureTDL3: IrpHandler (23) addr: BA6BBA9C
10:32:16:656 3956 DetectCureTDL3: IrpHandler (24) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (25) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (26) addr: BA6BB874
10:32:16:656 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:656 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:656 3956 DetectCureTDL3: 18 Curr stack PDEVICE_OBJECT: 8AC1EAB8
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC1EAB8
10:32:16:656 3956 DetectCureTDL3: 18 Curr stack PDEVICE_OBJECT: 8AC26030
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AC26030
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC26030[0x38]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AB92918
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AB92918[0xA8]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0xE101FA88[0x208]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvatabus, Driver Name: nvatabus
10:32:16:656 3956 DetectCureTDL3: IrpHandler (0) addr: BA6BB894
10:32:16:656 3956 DetectCureTDL3: IrpHandler (1) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (2) addr: BA6BB894
10:32:16:656 3956 DetectCureTDL3: IrpHandler (3) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (4) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (5) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (6) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (7) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (8) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (9) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (10) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (11) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (12) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (13) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (14) addr: BA6BB8AE
10:32:16:656 3956 DetectCureTDL3: IrpHandler (15) addr: BA6BBD6E
10:32:16:656 3956 DetectCureTDL3: IrpHandler (16) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (17) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (18) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (19) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (20) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (21) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (22) addr: BA6BBD0E
10:32:16:656 3956 DetectCureTDL3: IrpHandler (23) addr: BA6BBA9C
10:32:16:656 3956 DetectCureTDL3: IrpHandler (24) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (25) addr: BA6BB874
10:32:16:656 3956 DetectCureTDL3: IrpHandler (26) addr: BA6BB874
10:32:16:656 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:656 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:656 3956 DetectCureTDL3: 19 Curr stack PDEVICE_OBJECT: 8AAE1AB8
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAE1AB8
10:32:16:656 3956 DetectCureTDL3: 19 Curr stack PDEVICE_OBJECT: 8AAE1030
10:32:16:656 3956 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAE1030
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AAE1030[0x38]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT addr: 8AACB030
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AACB030[0xA8]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AC6D030[0x38]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AB92918[0xA8]
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0xE101FA88[0x208]
10:32:16:656 3956 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvatabus, Driver Name: nvatabus
10:32:16:656 3956 DetectCureTDL3: IrpHandler (0) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (1) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (2) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (3) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (4) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (5) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (6) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (7) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (8) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (9) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (10) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (11) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (12) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (13) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (14) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (15) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (16) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (17) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (18) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (19) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (20) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (21) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (22) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (23) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (24) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (25) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: IrpHandler (26) addr: 8AAE5369
10:32:16:656 3956 DetectCureTDL3: All IRP handlers pointed to one addr: 8AAE5369
10:32:16:656 3956 KLMD_ReadMem: Trying to ReadMemory 0x8AAE5369[0x400]
10:32:16:656 3956 TDL3_HookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
10:32:16:656 3956 Driver nvatabus infected by TDSS rootkit ... 10:32:16:656 3956 TDL3_HookCure: Processing driver in memory: nvatabus
10:32:16:656 3956 KLMD_WriteMem: Trying to WriteMemory 0x8AAE53CE[0xD]
10:32:16:656 3956 cured
10:32:16:656 3956 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:656 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:671 3956 File C:\WINDOWS\system32\Drivers\nvatabus.sys infected by TDSS rootkit ... 10:32:16:671 3956 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:671 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:671 3956 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\nvatabus.sys
10:32:16:671 3956 cured
10:32:16:671 3956
Completed

Results:
10:32:16:671 3956 Infected / Cured drivers in memory: 1 / 1
10:32:16:671 3956 Infected / Cured drivers on disk: 1 / 1
10:32:16:671 3956 Files deleted on next reboot: 0
10:32:16:671 3956 Registry nodes deleted on next reboot: 0
10:32:16:671 3956

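The TDSSKiller log above shows what the tool actually keys on: for each device stack under the boot disk it walks down to the lowest DRIVER_OBJECT, dumps the 27 MajorFunction (IRP_MJ_*) dispatch entries, and flags the stack where every entry points at one address in non-paged pool (8AAE5369) rather than into the driver image, which is what "All IRP handlers pointed to one addr" reports before the cure. The same driver name, nvatabus, also appears twice more (stacks 17 and 18) with a normal table, so the log itself contains a second signal: one driver name, two different dispatch tables. The script below is an added example, not part of the forum post and not Kaspersky's code; it re-implements both checks over log lines in the posted format. The function names, the sample lines (constructed to mirror stacks 16, 18 and 19 above) and the reading of 804F4562 as the kernel's shared default handler for unsupported requests are mine, not the page's.

```python
"""Flag TDL3-style IRP dispatch hooks in a TDSSKiller log.

Added example (not from the forum post or Kaspersky's tool). It parses the
"DetectCureTDL3:" lines as they appear in the posted log and applies two checks:
  1. every MajorFunction entry of a driver points at one address (what the
     log reports as "All IRP handlers pointed to one addr");
  2. the same driver name shows up with two different dispatch tables in
     the same snapshot (a DRIVER_OBJECT has exactly one table, so this means
     a device is being served by a forged driver object).
All sample data below is constructed to mirror the log, not captured live.
"""
import re
from collections import defaultdict

STACK_RE = re.compile(r"DetectCureTDL3: (\d+) Curr stack PDEVICE_OBJECT: ([0-9A-F]+)")
DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\\Driver\\[^,]+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-F]+)")

IRP_MJ_COUNT = 27  # IRP_MJ_CREATE .. IRP_MJ_PNP (0..26), as enumerated in the log
# Address most clean entries share in the log; assumed to be the kernel's default
# "unsupported request" dispatch stub (symbol name is not in the log).
KERNEL_DEFAULT_STUB = 0x804F4562


def make_stack(index, devobj, driver, handlers):
    """Build TDSSKiller-style lines for one device stack (constructed fixture)."""
    ts = "10:32:16:656 3956 "
    out = [f"{ts}DetectCureTDL3: {index} Curr stack PDEVICE_OBJECT: {devobj}",
           f"{ts}DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\{driver}, Driver Name: {driver}"]
    out += [f"{ts}DetectCureTDL3: IrpHandler ({i}) addr: {a:08X}" for i, a in enumerate(handlers)]
    out.append(f"{ts}TDL3_FileDetect: Processing driver file: C:\\WINDOWS\\system32\\Drivers\\{driver}.sys")
    return out


def parse_stacks(lines):
    """Group IrpHandler entries by device-stack index; one dict per stack."""
    stacks, cur = [], None
    for line in lines:
        m = STACK_RE.search(line)
        if m:  # a repeated index is the tool descending the same stack
            idx = int(m.group(1))
            if cur is None or cur["index"] != idx:
                cur = {"index": idx, "driver": None, "handlers": {}}
                stacks.append(cur)
            continue
        if cur is None:
            continue  # handler lines of a stack that started before our excerpt
        m = DRIVER_RE.search(line)
        if m:
            cur["driver"] = m.group(2)
            continue
        m = HANDLER_RE.search(line)
        if m:
            cur["handlers"][int(m.group(1))] = int(m.group(2), 16)
    return stacks


def find_uniform_tables(stacks):
    """(index, driver, addr) for every complete table whose 27 entries are identical."""
    hits = []
    for s in stacks:
        h = s["handlers"]
        if len(h) == IRP_MJ_COUNT and len(set(h.values())) == 1:
            hits.append((s["index"], s["driver"], next(iter(h.values()))))
    return hits


def find_inconsistent_drivers(stacks):
    """Driver names that carry more than one distinct dispatch table in one log."""
    tables = defaultdict(set)
    for s in stacks:
        if s["driver"] and len(s["handlers"]) == IRP_MJ_COUNT:
            tables[s["driver"]].add(tuple(s["handlers"][i] for i in range(IRP_MJ_COUNT)))
    return sorted(name for name, t in tables.items() if len(t) > 1)


def scan(log_text):
    stacks = parse_stacks(log_text.splitlines())
    return {"uniform": find_uniform_tables(stacks),
            "inconsistent": find_inconsistent_drivers(stacks)}


U = KERNEL_DEFAULT_STUB
# Tables transcribed from the posted log: Disk (stack 16), clean nvatabus (stack 18),
# and the hooked nvatabus table (stack 19) where every entry is 8AAE5369.
CLEAN_DISK = ([0xBA90EBB0, U, 0xBA90EBB0, 0xBA908D1F, 0xBA908D1F] + [U] * 4 + [0xBA9092E2]
              + [U] * 4 + [0xBA9093BB, 0xBA90CF28, 0xBA9092E2] + [U] * 5
              + [0xBA90AC82, 0xBA90F99E] + [U] * 3)
CLEAN_NVATABUS = ([0xBA6BB894, 0xBA6BB874, 0xBA6BB894] + [0xBA6BB874] * 11
                  + [0xBA6BB8AE, 0xBA6BBD6E] + [0xBA6BB874] * 6
                  + [0xBA6BBD0E, 0xBA6BBA9C] + [0xBA6BB874] * 3)
HOOKED_NVATABUS = [0x8AAE5369] * IRP_MJ_COUNT

SAMPLE_LOG = "\n".join(make_stack(16, "8AC1A030", "Disk", CLEAN_DISK)
                       + make_stack(18, "8AC26030", "nvatabus", CLEAN_NVATABUS)
                       + make_stack(19, "8AAE1030", "nvatabus", HOOKED_NVATABUS))

if __name__ == "__main__":
    # Run over a full TDSSKiller log with: scan(open("TDSSKiller.log").read())
    print(scan(SAMPLE_LOG))
```

Two caveats when applying this to other logs. Many identical entries are normal (the clean Disk and usbstor tables above point most majors at the same kernel stub), so the heuristic is "all 27 identical", not "mostly identical"; a variant that left a few real handlers in place would pass it, which is why the second check and the follow-on code inspection the tool performs (the TDL3_HookDetect line after the uniform table) matter. Also note that for stack 19 the tool issued two extra ReadMemory calls before it could resolve the name nvatabus: the forged DRIVER_OBJECT carried no usable name and the real one was reached through it, so a naive parser that trusts the first DRIVER_OBJECT it sees would attribute the hooked table to nothing at all.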
#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:14 AM

Posted 02 December 2009 - 06:49 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Abro

Abro
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 02 December 2009 - 07:17 PM

Hi Sam,

Here's the log from ComboFix:

ComboFix 09-12-02.05 - Owner 12/02/2009 17:03.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.1579 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\CF.exe
.

((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-02 19:17 . 2009-12-02 19:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Office Genuine Advantage
2009-12-02 09:02 . 2004-08-04 07:56 13824 ----a-w- c:\windows\system32\wscntfy.exe
2009-12-02 08:59 . 2009-12-02 09:00 -------- d-----w- C:\SP2
2009-12-02 08:16 . 2009-12-02 08:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-02 05:57 . 2009-12-02 05:57 -------- d-----w- c:\windows\system32\xircom
2009-12-02 05:57 . 2009-12-02 05:57 -------- d-----w- c:\windows\system32\wbem\snmp
2009-12-02 05:57 . 2009-12-02 05:57 -------- d-----w- c:\windows\system32\oobe
2009-12-02 05:57 . 2009-12-02 05:57 -------- d-----w- c:\program files\microsoft frontpage
2009-12-01 00:43 . 2009-12-01 00:43 -------- d-----w- c:\program files\CCleaner
2009-11-30 21:36 . 2009-11-30 21:36 -------- d-----w- C:\rsit
2009-11-30 21:19 . 2009-11-30 21:19 -------- d-----w- C:\VundoFix Backups
2009-11-30 21:13 . 2009-11-30 21:13 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-30 11:08 . 2009-11-30 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-11-30 11:08 . 2009-11-30 20:55 -------- d-----w- c:\program files\STOPzilla!
2009-11-30 11:08 . 2009-11-30 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-11-30 11:08 . 2009-11-30 11:08 -------- d-----w- c:\program files\Common Files\iS3
2009-11-30 11:04 . 2009-11-30 11:07 -------- d-----w- c:\program files\AdwareAway
2009-11-30 08:09 . 2009-11-30 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-30 08:03 . 2009-11-30 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\RegAce
2009-11-30 08:03 . 2009-11-30 08:08 -------- d-----w- c:\program files\RegAce
2009-11-30 07:43 . 2009-11-30 07:43 -------- d-----w- c:\program files\Enigma Software Group
2009-11-30 06:48 . 2009-11-30 20:55 -------- d-----w- C:\cmdcons(2)
2009-11-30 05:51 . 2009-11-30 20:56 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2009-11-30 04:04 . 2009-11-30 21:36 -------- d-----w- c:\program files\Trend Micro
2009-11-29 22:02 . 2009-11-30 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9(2)
2009-11-25 07:28 . 2009-07-31 04:24 1447424 ------w- c:\windows\system32\dllcache\msxml6.dll
2009-11-25 07:28 . 2009-07-31 04:24 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-11-16 22:57 . 2009-11-16 23:32 -------- d-----w- C:\Call.of.Duty.Modern.Warfare.2.PROPER-SKIDROW
2009-11-16 02:52 . 2009-11-16 03:09 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\jbquan
2009-11-05 10:41 . 2009-11-05 10:41 -------- d-----w- c:\program files\iPod
2009-11-05 10:40 . 2009-11-05 10:41 -------- d-----w- c:\program files\iTunes
2009-11-05 10:34 . 2009-11-05 10:34 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 23:22 . 2009-06-27 23:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Dropbox
2009-12-02 17:32 . 2009-04-20 18:32 105472 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2009-12-02 17:16 . 2009-05-22 22:52 62704 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-02 08:21 . 2009-05-22 22:37 -------- d-----w- c:\program files\Notepad++
2009-12-02 08:06 . 2009-05-22 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 08:02 . 2009-05-22 23:22 -------- d-----w- c:\program files\Microsoft Works
2009-12-01 21:51 . 2009-05-27 19:44 54784 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-01 02:40 . 2009-05-28 02:40 -------- d-----w- c:\program files\Google
2009-11-30 20:58 . 2009-07-18 03:11 -------- d-----w- c:\program files\AVG
2009-11-30 20:57 . 2009-05-22 22:24 -------- d-----w- c:\program files\UnHackMe
2009-11-30 20:57 . 2009-05-25 01:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-30 09:12 . 2009-05-29 00:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-29 22:02 . 2009-11-29 22:02 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys.install_backup
2009-11-29 22:02 . 2009-11-29 22:02 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys.install_backup
2009-11-29 22:02 . 2009-11-29 22:02 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys.install_backup
2009-11-29 22:02 . 2009-11-29 22:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys.install_backup
2009-11-29 22:02 . 2009-11-29 22:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys.install_backup
2009-11-17 05:24 . 2009-08-16 02:14 -------- d-----w- c:\program files\Activision
2009-11-05 10:41 . 2009-05-22 23:52 -------- d-----w- c:\program files\Common Files\Apple
2009-10-28 01:37 . 2009-10-28 01:37 -------- d-----w- c:\program files\SanDisk
2009-10-28 01:37 . 2009-05-22 20:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-28 01:36 . 2009-10-28 01:31 106942640 ----a-w- c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\Sansa Media Converter.EXE
2009-10-28 01:29 . 2009-10-28 01:29 354744 ----a-w- c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2009-10-28 01:29 . 2009-10-28 01:29 79872 ----a-w- c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2009-10-28 01:29 . 2009-10-28 01:29 548792 ----a-w- c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2009-10-28 01:29 . 2009-10-28 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\SanDisk
2009-10-21 17:23 . 2009-10-21 17:23 -------- d-----w- c:\program files\Citrix
2009-10-21 17:23 . 2009-10-21 17:23 70984 ----a-w- c:\documents and settings\Owner\g2mdlhlpx.exe
2009-10-19 18:57 . 2009-10-19 18:57 -------- d-----w- c:\program files\Color Style Studio
2009-10-18 01:11 . 2009-07-18 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 01:11 . 2009-10-18 01:11 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-18 00:30 . 2009-10-18 00:30 2198 ----a-w- C:\U78.bat
2009-10-15 12:23 . 2009-05-22 22:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Notepad++
2009-10-05 08:55 . 2009-10-05 01:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Ulead Systems
2009-10-05 01:10 . 2009-08-19 22:52 -------- d-----r- c:\program files\Skype
2009-10-05 01:10 . 2009-08-19 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-05 01:06 . 2009-10-05 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-10-05 01:06 . 2009-10-05 01:03 -------- d-----w- c:\program files\Corel Video Editor
2009-10-05 01:05 . 2009-10-05 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\InterVideo
2009-10-05 01:05 . 2009-05-22 20:26 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-05 01:05 . 2009-10-05 01:05 -------- d-----w- c:\program files\Windows Media Components
2009-10-05 01:05 . 2009-10-05 01:04 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-10-05 01:03 . 2009-10-05 01:03 -------- d-----w- c:\program files\Corel Video
2009-10-04 23:41 . 2009-10-04 23:41 -------- d-----w- c:\documents and settings\Owner\Application Data\avidemux
2009-10-04 09:25 . 2009-05-22 22:38 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-19 20:20 . 2009-09-19 20:20 91663 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\Uninstall.exe
2009-09-19 20:19 . 2009-09-19 20:19 14623184 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\cache\Dropbox-update-0.6.556.exe
2009-09-11 14:13 . 2009-04-20 18:18 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 20:54 . 2009-07-18 03:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-07-18 03:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 16:37 . 2009-09-10 16:37 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-09-05 00:44 . 2009-11-17 06:02 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-11-17 06:02 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-11-17 06:02 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-11-17 06:02 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-11-17 06:02 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-11-17 06:02 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-11-17 06:02 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-11-17 06:02 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-12-02_03.28.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-02 17:44 . 2009-12-02 17:44 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2009-04-20 18:18 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
- 2009-04-20 18:18 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2009-05-31 02:23 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-05-31 02:23 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2008-04-14 12:00 . 2009-12-02 03:16 72108 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2009-12-02 17:48 72108 c:\windows\system32\perfc009.dat
+ 2009-05-21 21:18 . 2009-12-02 08:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-21 21:18 . 2009-12-02 03:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-21 21:18 . 2009-12-02 08:30 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-05-21 21:18 . 2009-12-02 03:11 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-05-21 21:18 . 2009-12-02 08:30 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-05-21 21:18 . 2009-12-02 03:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-22 23:26 . 2009-12-02 08:06 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-04-02 21:23 . 2009-04-02 21:23 10104 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\XLCALL32.DLL
+ 2009-04-04 01:01 . 2009-04-04 01:01 71504 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\XL12CNVP.DLL
+ 2009-04-04 00:57 . 2009-04-04 00:57 21320 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\WRD12EXE.EXE
+ 2006-07-24 15:50 . 2006-07-24 15:50 47920 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\VBAME.DLL
+ 2009-01-07 04:31 . 2009-01-07 04:31 48512 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\PUBTRAP.DLL
+ 2006-07-24 15:50 . 2006-07-24 15:50 92976 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\MSADDNDR.DLL
+ 2006-10-27 02:13 . 2006-10-27 02:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\XL12CNVP.DLL
+ 2009-05-22 23:21 . 2009-05-22 23:21 12096 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\WORDPOL.DLL
+ 2006-10-27 03:58 . 2006-10-27 03:58 33080 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\VPREVIEW.EXE
+ 2009-05-22 23:20 . 2009-05-22 23:20 12080 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\VBIDEPOL.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 64288 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\VBIDEPIA.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 15672 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\SMARTTAGINSTALL.EXE
+ 2006-10-27 00:49 . 2006-10-27 00:49 34104 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\SETLANG.EXE
+ 2006-10-27 01:55 . 2006-10-27 01:55 55056 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\SCANOST.EXE
+ 2006-10-27 01:55 . 2006-10-27 01:55 76576 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\RM.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 40424 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\REFIEBAR.DLL
+ 2006-10-27 01:55 . 2006-10-27 01:55 39208 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\RECALL.DLL
+ 2009-05-22 23:21 . 2009-05-22 23:21 12112 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\PPTPOL.DLL
+ 2006-10-27 01:55 . 2006-10-27 01:55 53048 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OUTLVBA.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 18760 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OPHPROXY.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 16728 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OMUOPTINPS.DLL
+ 2006-10-27 01:00 . 2006-10-27 01:00 23392 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OISCTRL.DLL
+ 2006-10-27 20:11 . 2006-10-27 20:11 54680 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OFFRHD.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 11544 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OFFICEPL.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 16192 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\NPOFF12.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 12104 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSTAGPOL.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 20280 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSTAGPIA.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 43832 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSSH.DLL
+ 2006-10-27 20:26 . 2006-10-27 20:26 35152 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSOSTYLE.DLL
+ 2006-10-27 00:52 . 2006-10-27 00:52 66368 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSOMSE.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 67896 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSOHTMED.EXE
+ 2006-10-27 20:01 . 2006-10-27 20:01 76088 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSOHEV.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 19768 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSMH.DLL
+ 2006-10-27 00:52 . 2006-10-27 00:52 48424 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSE7.EXE
+ 2006-10-27 01:12 . 2006-10-27 01:12 89400 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\METCONV.DLL
+ 2006-10-27 02:41 . 2006-10-27 02:41 66368 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\INLAUNCH.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 12096 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\GRAPHPOL.DLL
+ 2009-05-22 23:18 . 2009-05-22 23:18 12096 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\EXCELPOL.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 53576 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\AUTHZAX.DLL
+ 2006-10-27 02:18 . 2006-10-27 02:18 94016 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\ACCOLK.DLL
+ 2009-12-02 08:02 . 2009-12-02 08:02 10576 c:\windows\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 11112 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 11136 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 11152 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 11144 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Excel.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 63336 c:\windows\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 19320 c:\windows\assembly\GAC\Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll
- 2008-04-14 12:00 . 2009-12-02 03:16 444358 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2009-12-02 17:48 444358 c:\windows\system32\perfh009.dat
+ 2009-08-03 22:07 . 2009-08-03 22:07 230768 c:\windows\system32\OGAEXEC.exe
+ 2009-08-03 22:07 . 2009-08-03 22:07 403816 c:\windows\system32\OGACheckControl.dll
+ 2009-08-03 22:07 . 2009-08-03 22:07 322928 c:\windows\system32\OGAAddin.dll
+ 2009-05-21 16:07 . 2009-12-02 08:15 801656 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-21 21:18 . 2009-12-02 08:30 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-05-21 21:18 . 2009-12-02 03:11 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-12-02 08:04 . 2009-12-02 08:04 119296 c:\windows\Installer\61a2de.msi
+ 2009-05-27 01:53 . 2009-05-27 01:53 579072 c:\windows\Installer\61a29f.msp
- 2009-10-18 00:52 . 2009-10-18 00:52 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-12-02 08:00 . 2009-12-02 08:00 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-04-04 01:11 . 2009-04-04 01:11 408424 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\WINWORD.EXE
+ 2007-06-08 01:51 . 2007-06-08 01:51 125320 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\SSGEN.DLL
+ 2009-03-06 10:41 . 2009-03-06 10:41 589704 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\PUBCONV.DLL
+ 2009-01-08 17:59 . 2009-01-08 17:59 624520 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\PTXT9.DLL
+ 2008-10-25 13:21 . 2008-10-25 13:21 136072 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\PRTF9.DLL
+ 2007-06-08 01:51 . 2007-06-08 01:51 465800 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\OUTLFLTR.DLL
+ 2006-07-24 15:50 . 2006-07-24 15:50 125744 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\MSSTDFMT.DLL
+ 2008-11-04 07:04 . 2008-11-04 07:04 498072 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\MORPH9.DLL
+ 2006-10-27 01:49 . 2006-10-27 01:49 509200 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\WRD12CVR.DLL
+ 2006-10-27 02:07 . 2006-10-27 02:07 368968 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\PPSLAX.DLL
+ 2006-10-27 20:16 . 2006-10-27 20:16 138512 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OUTLCTL.DLL
+ 2006-10-27 01:55 . 2006-10-27 01:55 254776 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OLKFSTUB.DLL
+ 2006-10-20 13:37 . 2006-10-20 13:37 637744 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OGALEGIT.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 416544 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OFFICE.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 145688 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSTORE.EXE
+ 2006-10-26 19:47 . 2006-10-26 19:47 727840 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSPROOF6.DLL
+ 2006-10-26 18:58 . 2006-10-26 18:58 290576 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MSCDM.DLL
+ 2006-10-27 00:52 . 2006-10-27 00:52 460616 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MODHELP.DLL
+ 2006-10-27 01:00 . 2006-10-27 01:00 178488 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\IETAG.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 150320 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\GRAPHPIA.DLL
+ 2006-10-27 01:55 . 2006-10-27 01:55 154960 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\ENVELOPE.DLL
+ 2006-10-27 01:55 . 2006-10-27 01:55 116544 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\EMABLT32.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 106824 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\DSSM.EXE
+ 2009-12-02 08:07 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-12-02 08:07 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2009-12-02 08:02 . 2009-12-02 08:02 423784 c:\windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-12-02 08:02 . 2009-12-02 08:02 870256 c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2009-12-02 07:59 . 2009-12-02 07:59 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 149352 c:\windows\assembly\GAC\Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll
+ 2009-04-20 18:19 . 2009-08-15 00:49 1859712 c:\windows\system32\win32k.sys
+ 2009-04-20 18:18 . 2009-07-31 04:24 1447424 c:\windows\system32\msxml6.dll
+ 2009-04-20 18:18 . 2009-07-31 04:24 1172480 c:\windows\system32\msxml3.dll
+ 2009-04-20 18:18 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2009-08-18 06:33 . 2009-08-18 06:33 1193832 c:\windows\system32\FM20.DLL
+ 2009-04-17 22:20 . 2009-08-15 00:49 1859712 c:\windows\system32\dllcache\win32k.sys
+ 2009-06-10 23:38 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-08-18 19:58 . 2009-08-18 19:58 8301056 c:\windows\Installer\61a38d.msp
+ 2009-08-18 19:57 . 2009-08-18 19:57 9122304 c:\windows\Installer\61a375.msp
+ 2009-10-16 14:03 . 2009-10-16 14:03 5003776 c:\windows\Installer\61a35d.msp
+ 2009-08-05 14:49 . 2009-08-05 14:49 3457024 c:\windows\Installer\61a347.msp
+ 2009-07-27 11:31 . 2009-07-27 11:31 3738624 c:\windows\Installer\61a30b.msp
+ 2009-08-18 20:08 . 2009-08-18 20:08 1373696 c:\windows\Installer\61a2f4.msp
+ 2009-04-24 19:30 . 2009-04-24 19:30 2583552 c:\windows\Installer\61a2d4.msp
+ 2009-05-27 01:54 . 2009-05-27 01:54 4192768 c:\windows\Installer\61a2bb.msp
+ 2009-04-24 19:29 . 2009-04-24 19:29 9013760 c:\windows\Installer\61a289.msp
+ 2009-04-05 00:10 . 2009-04-05 00:10 1282560 c:\windows\Installer\61a270.msp
+ 2009-04-05 00:10 . 2009-04-05 00:10 7888384 c:\windows\Installer\61a266.msp
+ 2009-04-05 00:10 . 2009-04-05 00:10 9926144 c:\windows\Installer\61a25a.msp
+ 2009-04-04 17:14 . 2009-04-04 17:14 1094656 c:\windows\Installer\61a0cf.msp
+ 2009-04-24 19:28 . 2009-04-24 19:28 4450816 c:\windows\Installer\61a085.msp
+ 2009-05-22 23:26 . 2009-12-02 08:06 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-05-22 23:26 . 2009-10-18 00:52 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-05-22 23:26 . 2009-12-02 08:06 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-04-04 00:57 . 2009-04-04 00:57 4671320 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\WRD12CNV.DLL
+ 2008-11-21 10:12 . 2008-11-21 10:12 3750256 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\VVIEWER.DLL
+ 2008-10-25 16:35 . 2008-10-25 16:35 1847160 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\VVIEWDWG.DLL
+ 2009-02-05 18:36 . 2009-02-05 18:36 1640800 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\OGL.DLL
+ 2009-03-06 10:41 . 2009-03-06 10:41 9589096 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\MSPUB.EXE
+ 2008-11-21 06:06 . 2008-11-21 06:06 1194848 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\FM20.DLL
+ 2006-10-26 19:47 . 2006-10-26 19:47 1512304 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\NLSD0000.DLL
+ 2009-05-22 23:20 . 2009-05-22 23:20 1276720 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\EXCELPIA.DLL
+ 2009-12-02 08:07 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2009-12-02 08:02 . 2009-12-02 08:02 1279848 c:\windows\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll
+ 2009-04-20 18:22 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
+ 2009-08-18 19:50 . 2009-08-18 19:50 12022272 c:\windows\Installer\61a32e.msp
+ 2009-04-05 00:09 . 2009-04-05 00:09 15190016 c:\windows\Installer\61a0f2.msp
+ 2009-04-04 18:36 . 2009-04-04 18:36 21390848 c:\windows\Installer\61a0d0.msp
+ 2009-05-04 14:49 . 2009-05-04 14:49 10955776 c:\windows\Installer\61a0c1.msp
+ 2009-04-04 01:01 . 2009-04-04 01:01 15108448 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\XL12CNV.EXE
+ 2009-04-04 01:11 . 2009-04-04 01:11 17740136 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\WWLIB.DLL
+ 2009-04-04 01:11 . 2009-04-04 01:11 18330984 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6425\EXCEL.EXE
+ 2009-04-05 00:08 . 2009-04-05 00:08 343058432 c:\windows\Installer\61a24d.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProxyFirewall"="c:\program files\ProxyFirewall\ProxyFirewall.exe" [BU]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-06-27 160592]
"SansaDispatch"="c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-10-28 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-22 13524992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-05-22 2183168]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"UVS12 Preload"="c:\program files\Corel Video Editor\uvPL.exe" [2008-06-09 397456]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2009-05-22 282624]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-01-14 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-01-14 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-04-20 128512]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2009-9-19 26784939]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Caphyon\\Advanced Web Ranking\\AdvancedWebRanking.exe"=
"c:\\Program Files\\Caphyon\\Advanced Web Ranking\\AdvancedLinkManager.exe"=
"c:\\Program Files\\Caphyon\\Advanced Web Ranking\\AWRServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 AWRServer;Advanced Web Ranking Server;c:\program files\Caphyon\Advanced Web Ranking\AWRServer.exe [5/7/2009 4:55 AM 113848]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/17/2009 8:39 PM 269648]
R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [7/13/2008 3:10 PM 6656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/17/2009 8:39 PM 19160]
S2 gupdate1c9df3dbafe5900;Google Update Service (gupdate1c9df3dbafe5900);c:\program files\Google\Update\GoogleUpdate.exe [5/27/2009 7:40 PM 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/23/2009 12:25 PM 79360]
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 02:40]

2009-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 02:40]

2009-12-02 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Owner.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-18 20:53]

2009-12-02 c:\windows\Tasks\Malwarebytes' Scheduled Update for Owner.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-07-18 20:53]

2009-12-02 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]

2009-12-02 c:\windows\Tasks\User_Feed_Synchronization-{A0C51C3B-2246-4452-996C-C93B94879673}.job
- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]

2009-12-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-06-01 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.babybeddingzone.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} - hxxps://img.alipay.com/download/2121/aliedit.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\
FF - prefs.js: browser.search.selectedEngine - Google.com UnPersonalized
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kn9w0kk6.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 17:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ProxyFirewall = c:\program files\ProxyFirewall\ProxyFirewall.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
SansaDispatch = c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?=&platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conten

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\RGIBE.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1992)
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-02 17:13
ComboFix-quarantined-files.txt 2009-12-03 00:13
ComboFix2.txt 2009-12-02 06:22
ComboFix3.txt 2009-12-02 03:31
ComboFix4.txt 2009-11-30 07:37
ComboFix5.txt 2009-12-03 00:02

Pre-Run: 399,222,792,192 bytes free
Post-Run: 399,234,039,808 bytes free

- - End Of File - - 7702B176C432EFB0029A2143131D43EE





By the way, after I ran the TDSSKiller, Google results are not being redirected anymore and I can boot in Safe Mode. Just thought you'd like to know. But I am not sure if I'm completely free of malware/rootkits.


Awaiting your instructions,


Ahsen.

#8 Buckeye_Sam (Malware Expert)
Posted 02 December 2009 - 07:54 PM

Your log looks good to me!

It's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Abro (Topic Starter)
Posted 02 December 2009 - 09:16 PM

Thank you so much, Sam! You rule!

I've completed the cleanup and the computer seems to be fine now.

Again, thank you so much for your time and your help.

Happy holidays!


Ahsen Abro

#10 Buckeye_Sam (Malware Expert)
Posted 03 December 2009 - 08:51 AM

I'm glad I could help you out!

Now that your problem appears to be resolved, this topic will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this topic in your request.