AVR/ Red dot with white x in toolbar cant do anything


  • This topic is locked
49 replies to this topic

#1 acentx76

  • Members
  • 25 posts

Posted 02 December 2009 - 11:56 AM

Got a virus. Ran Trend Micro HouseCall twice. The first time it found 12 files and deleted them, but the second time it ran it found nothing and I'm still infected. I'll start with what I can't do. Can't F11 on startup, and safe mode isn't working right. Can't start Task Manager (disabled by administrator). Can't recover (disabled by domain group). Can't run regedit (disabled). Can't use my CD drive (won't detect it). Had McAfee but it was infected and I deleted it. Can't run Microsoft Malicious Software Removal Tool or Kaspersky. They will run and disappear quickly, but I know they are still running because I have a Security Task Manager program and I can see the .exe file going. Some of my options are missing, like show hidden folders and other things. Tried to fix the recover by running gpedit or something like that, but I didn't have the System option under Admin Templates. I get a popup when Windows is loading that says security warning and I'm infected with worm.win32.skynet. My Windows security has been disabled. I tried to run the DDS but I get a popup that says the application cannot be executed, the file is infected, please activate your antivirus software. I was able to run RootRepeal and I enclosed the file report. I hope I have given enough info for help.

Attached Files

  • Attached File: ark.txt (88.25KB)




#2 Farbar

  • Security Developer
  • 21,730 posts
  • Location: The Netherlands

Posted 02 December 2009 - 05:51 PM

Hi acentx76,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please first post the OTL logs, then start with running GMER.
  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  • Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Click Run Scan button.
    • Two reports will open, copy and paste them to your reply:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#3 acentx76

  • Topic Starter
  • Members
  • 25 posts

Posted 02 December 2009 - 06:15 PM

Won't change or download anything unless you tell me to. I have tried for three days to fix this. If you tell me to walk through a wall to fix this, I will. Ran DeFogger and it seemed to run fine. Here are my first two logs; got to disconnect and run GMER. Tried to run GMER and it did what some other programs did. I would double click it and it would just stop, but I know it is still running because I have a program called killitall that shows what is running, and gmer.exe was running, it just wasn't doing anything. Here are the three logs I could generate. Also, I have an idea when I was infected: it was November 30 at around 1, if that helps.

defogger_disable by jpshortstuff (28.11.09.2)
Log created at 16:56 on 02/12/2009 (User)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-



OTL Extras logfile created on: 12/2/2009 5:05:35 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.48 Mb Total Physical Memory | 582.70 Mb Available Physical Memory | 60.79% Memory free
2.26 Gb Paging File | 1.98 Gb Available in Paging File | 87.61% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 51.51 Gb Free Space | 27.65% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 5.49 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive J: | 5.56 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: DESK1
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.reg [@ = regfile] -- regedit.exe "%1"

[HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [open] -- regedit.exe "%1"
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"7518:TCP" = 7518:TCP:*:Enabled:BitComet 7518 TCP
"7518:UDP" = 7518:UDP:*:Enabled:BitComet 7518 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Piolet\Piolet.exe" = C:\Program Files\Piolet\Piolet.exe:*:Enabled:Piolet -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{2FEA102C-F535-4513-009B-57B165013C18}" = Tiger Woods PGA TOUR 08
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{5C1DA723-24FC-48AD-93BA-925695C3EF26}" = Logitech Gaming Software
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
"{7694E0B1-2332-448B-9235-929F84B41E3F}" = Active@ ISO Burner
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9FA93155-472F-4778-87A8-95244FD1535D}" = OLYMPUS Master 2
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3BC1DBD-64D6-4EBC-0091-24C811662D40}" = Madden NFL 08
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D42B6F90-1084-4C9B-AF28-958926E6E32E}" = LP_Flash
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2B5A2A7-2DF9-4361-8BD5-362714528B51}" = NHL® 09
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"7-Zip" = 7-Zip 4.65
"Across Lite 2.0" = Across Lite 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems PCI-SV92PP Soft Modem
"Any Video Converter Professional_is1" = Any Video Converter Professional 2.7.3
"ATT-HSI" = ATT-HSI
"ATT-SST" = AT&T Self Support Tool
"CCleaner" = CCleaner
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"EADM" = EA Download Manager
"EndItAll_is1" = EndItAll 2.0
"HP Photo & Imaging" = HP Image Zone 4.7
"ie8" = Windows Internet Explorer 8
"LimeWire" = LimeWire 5.3.6
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"Magic Video Converter_is1" = Magic Video Converter Trial Version (English) 8.0.2.18
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"Security Task Manager" = Security Task Manager 1.7h
"Turkey Dance 2" = Turkey Dance 2
"ULTIMATER" = Microsoft Office Ultimate 2007 Subscription
"uTorrent" = µTorrent
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XP Codec Pack" = XP Codec Pack
"Yahoo! Mail" = AT&T Yahoo! Internet Mail
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{4B35F00C-E63D-40DC-9839-DF15A33EAC46}" = Grand Theft Auto Vice City
"G2GPoker" = G2GPoker
"Move Media Player" = Move Media Player
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/1/2009 7:38:26 PM | Computer Name = DESK1 | Source = Application Error | ID = 1000
Description = Faulting application superantispyware.exe, version 4.31.0.1000, faulting
module superantispyware.exe, version 4.31.0.1000, fault address 0x000a2c45.

Error - 12/1/2009 7:40:48 PM | Computer Name = DESK1 | Source = Application Error | ID = 1000
Description = Faulting application mrt.exe, version 0.0.0.0, faulting module , version
0.0.0.0, fault address 0x00000000.

Error - 12/1/2009 7:41:01 PM | Computer Name = DESK1 | Source = Application Error | ID = 1000
Description = Faulting application superantispyware.exe, version 4.31.0.1000, faulting
module superantispyware.exe, version 4.31.0.1000, fault address 0x000a2c45.

Error - 12/1/2009 8:39:25 PM | Computer Name = DESK1 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module kernel32.dll,
version 5.1.2600.5781, fault address 0x00039ac5.

Error - 12/1/2009 8:41:03 PM | Computer Name = DESK1 | Source = Application Error | ID = 1004
Description = Faulting application csrss.exe, version 0.0.0.0, faulting module kernel32.dll,
version 5.1.2600.5781, fault address 0x00039ac5.

Error - 12/1/2009 9:10:33 PM | Computer Name = DESK1 | Source = MsiInstaller | ID = 1013
Description = Product: Kaspersky Anti-Virus 2010 -- You must restart your computer
before proceeding with the installation.

Error - 12/1/2009 10:16:22 PM | Computer Name = DESK1 | Source = MBAMService | ID = 131073
Description =

Error - 12/2/2009 1:05:21 AM | Computer Name = DESK1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10c.ocx, version 10.0.32.18, fault address 0x000c7e05.

Error - 12/2/2009 6:42:53 PM | Computer Name = DESK1 | Source = MBAMService | ID = 131073
Description =

Error - 12/2/2009 7:01:57 PM | Computer Name = DESK1 | Source = Windows Product Activation | ID = 1010
Description = The Windows license was restored due to a system error. You might
need to reactivate your Windows product.

[ OSession Events ]
Error - 9/24/2009 3:41:18 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 18
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:41:29 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:41:45 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:41:52 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:42:02 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:42:08 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:42:18 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:42:23 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/24/2009 3:42:29 PM | Computer Name = DESK1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/2/2009 5:27:09 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7034
Description = The Terminal Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/2/2009 5:29:53 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7000
Description = The McciCMService service failed to start due to the following error:
%%2

Error - 12/2/2009 5:29:53 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7023
Description = The SSHNAS service terminated with the following error: %%126

Error - 12/2/2009 5:29:53 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%2

Error - 12/2/2009 5:29:53 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 12/2/2009 5:29:53 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 12/2/2009 6:44:02 PM | Computer Name = DESK1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/2/2009 7:03:30 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7000
Description = The McciCMService service failed to start due to the following error:
%%2

Error - 12/2/2009 7:03:30 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7023
Description = The SSHNAS service terminated with the following error: %%126

Error - 12/2/2009 7:03:30 PM | Computer Name = DESK1 | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error:
%%2


< End of report >



OTL logfile created on: 12/2/2009 5:05:35 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.48 Mb Total Physical Memory | 582.70 Mb Available Physical Memory | 60.79% Memory free
2.26 Gb Paging File | 1.98 Gb Available in Paging File | 87.61% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 51.51 Gb Free Space | 27.65% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 5.49 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive J: | 5.56 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: DESK1
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/02 17:04:36 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/08/26 19:02:24 | 00,014,336 | ---- | M] (Agere Systems) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/05/09 14:50:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (SafeList) ==========

MOD - [2009/12/02 17:04:36 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2008/04/14 04:42:02 | 00,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (WSearch)
SRV - File not found -- -- (McciCMService)
SRV - [2008/11/20 13:18:52 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/26 19:02:24 | 00,014,336 | ---- | M] (Agere Systems) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/05/09 14:50:00 | 00,131,139 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/05/15 10:23:39 | 00,721,904 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/02/24 17:42:14 | 00,116,736 | ---- | M] (MagicISO, Inc.) -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009/02/11 12:40:40 | 05,028,352 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/11/20 13:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/10/29 20:43:44 | 01,204,128 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/07/28 16:26:30 | 00,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/07/28 16:26:30 | 00,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 21:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/04/16 20:46:00 | 00,033,792 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/05/09 14:50:00 | 03,535,680 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/03/03 13:31:04 | 00,013,056 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/03 13:31:02 | 00,034,176 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/12/12 16:27:00 | 00,019,072 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/04/12 18:21:32 | 00,022,240 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2005/04/12 18:21:28 | 00,010,144 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2005/04/12 18:21:28 | 00,005,600 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2005/04/12 18:21:26 | 00,045,504 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2004/12/14 10:07:44 | 00,051,120 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2004/12/14 10:07:44 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2004/12/14 10:07:44 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\S-1-5-21-1060284298-152049171-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1060284298-152049171-682003330-1007\S-1-5-21-1060284298-152049171-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


[2009/09/30 08:55:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2009/09/23 08:18:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No CLSID value found.
O3 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [bojudoboh] C:\WINDOWS\System32\yubihimo.DLL File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe (OLYMPUS IMAGING CORP.)
O4 - HKLM..\Run: [winupdate86.exe] C:\WINDOWS\System32\winupdate86.exe File not found
O4 - HKU\.DEFAULT..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [_nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\perosaro.dll) - C:\WINDOWS\System32\perosaro.dll File not found
O20 - AppInit_DLLs: (jihizeda.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\yubihimo.dll) - C:\WINDOWS\System32\yubihimo.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1060284298-152049171-682003330-1007 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\__c0021906: DllName - C:\WINDOWS\system32\__c0021906.dat - C:\WINDOWS\System32\__c0021906.dat File not found
O20 - Winlogon\Notify\__c0047FA7: DllName - C:\WINDOWS\system32\__c0047FA7.dat - C:\WINDOWS\System32\__c0047FA7.dat File not found
O20 - Winlogon\Notify\__c005EF1F: DllName - C:\WINDOWS\system32\__c005EF1F.dat - C:\WINDOWS\System32\__c005EF1F.dat File not found
O20 - Winlogon\Notify\__c0068F3E: DllName - C:\WINDOWS\system32\__c0068F3E.dat - C:\WINDOWS\System32\__c0068F3E.dat File not found
O20 - Winlogon\Notify\__c006E754: DllName - C:\WINDOWS\system32\__c006E754.dat - C:\WINDOWS\System32\__c006E754.dat File not found
O20 - Winlogon\Notify\__c0077D40: DllName - C:\WINDOWS\system32\__c0077D40.dat - C:\WINDOWS\System32\__c0077D40.dat File not found
O20 - Winlogon\Notify\__c00A5FF8: DllName - C:\WINDOWS\system32\__c00A5FF8.dat - C:\WINDOWS\System32\__c00A5FF8.dat File not found
O20 - Winlogon\Notify\__c00B3A1E: DllName - C:\WINDOWS\system32\__c00B3A1E.dat - C:\WINDOWS\System32\__c00B3A1E.dat File not found
O20 - Winlogon\Notify\__c00CF67: DllName - C:\WINDOWS\system32\__c00CF67.dat - C:\WINDOWS\System32\__c00CF67.dat File not found
O20 - Winlogon\Notify\__c00E3BEC: DllName - C:\WINDOWS\system32\__c00E3BEC.dat - C:\WINDOWS\System32\__c00E3BEC.dat File not found
O20 - Winlogon\Notify\__c00F7E40: DllName - C:\WINDOWS\system32\__c00F7E40.dat - C:\WINDOWS\System32\__c00F7E40.dat File not found
O21 - SSODL: bevoyofod - {b37a4d94-d395-4497-be18-4c50dc144d57} - CLSID or File not found.
O21 - SSODL: fewolipid - {1ffa3e5a-616d-4a97-a081-5d9647bdea9c} - CLSID or File not found.
O21 - SSODL: nusuremah - {3ac43900-3bfa-476a-8808-ebe6ce18e8f8} - C:\WINDOWS\System32\yubihimo.dll File not found
O22 - SharedTaskScheduler: {1ffa3e5a-616d-4a97-a081-5d9647bdea9c} - mujuzedij - Reg Error: Key error. File not found
O22 - SharedTaskScheduler: {3ac43900-3bfa-476a-8808-ebe6ce18e8f8} - kupuhivus - C:\WINDOWS\System32\yubihimo.dll File not found
O22 - SharedTaskScheduler: {b37a4d94-d395-4497-be18-4c50dc144d57} - mujuzedij - Reg Error: Key error. File not found
O22 - SharedTaskScheduler: {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - jkshf8a3rudbfa873fudfhbdugf87whjdb - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/08 17:59:05 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/10/14 02:23:09 | 00,054,544 | R--- | M] (Electronic Arts) - I:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2009/09/21 13:58:33 | 00,000,049 | R--- | M] () - I:\Autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2009/04/29 20:57:32 | 00,054,544 | R--- | M] (Electronic Arts) - J:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2008/10/21 17:48:37 | 00,000,045 | R--- | M] () - J:\Autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/02 17:04:25 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2009/12/02 16:38:44 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/02 16:38:43 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 16:38:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/02 15:11:47 | 04,045,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\zztoy.exe
[2009/12/02 10:17:31 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\User\Desktop\RootRepeal.exe
[2009/12/01 20:14:40 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-MalwareBAD!!!
[2009/12/01 19:31:17 | 00,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/12/01 19:15:30 | 00,019,472 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klmouflt.sys
[2009/12/01 19:15:27 | 00,036,880 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klbg.sys
[2009/12/01 19:14:29 | 00,032,272 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klim5.sys
[2009/12/01 18:36:51 | 00,000,000 | ---D | C] -- C:\Program Files\EndItAll
[2009/12/01 18:27:01 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\User\Recent
[2009/12/01 18:13:05 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/12/01 02:08:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot
[2009/12/01 00:05:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2009/11/30 18:52:46 | 00,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2009/11/30 13:46:43 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2009/11/28 11:00:05 | 00,000,000 | ---D | C] -- C:\Program Files\XP Codec Pack
[2009/11/25 18:05:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Any Video Converter Professional
[2009/11/25 17:11:22 | 00,202,072 | R--- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2009/11/25 17:10:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\Cache
[2009/11/25 17:10:11 | 00,000,000 | ---D | C] -- C:\Program Files\Coupons
[2009/11/19 16:07:22 | 00,000,000 | ---D | C] -- C:\Program Files\Electronic Arts
[2009/11/19 16:07:21 | 00,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2009/11/11 22:14:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\turkeythanksgiving_3113666 dir
[2009/11/08 11:49:05 | 00,229,376 | R--- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\System32\hpovst08.dll
[2009/11/08 11:24:09 | 00,069,632 | ---- | C] (HP) -- C:\WINDOWS\System32\HPZipm12.exe
[2009/11/04 11:56:42 | 00,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/11/03 17:34:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Electronic Arts
[2009/11/02 22:59:38 | 00,038,400 | ---- | C] (Digital Workshop) -- C:\WINDOWS\DWUninst.exe
[2004/11/24 12:25:52 | 00,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/02 17:04:36 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2009/12/02 17:03:31 | 00,000,658 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/02 17:03:31 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/12/02 17:03:31 | 00,000,000 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2009/12/02 17:03:15 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2009/12/02 17:02:37 | 00,000,274 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2009/12/02 17:02:37 | 00,000,238 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2009/12/02 17:02:27 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rusojonu
[2009/12/02 17:02:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/02 17:01:57 | 00,002,126 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/02 17:01:56 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/02 16:57:07 | 06,291,456 | ---- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2009/12/02 16:57:07 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2009/12/02 16:56:51 | 00,000,020 | ---- | M] () -- C:\Documents and Settings\User\defogger_reenable
[2009/12/02 16:38:47 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/02 15:31:22 | 06,391,438 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2009/12/02 15:11:53 | 04,045,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\zztoy.exe
[2009/12/02 13:44:31 | 00,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A248D751-AC8E-4739-BF89-F4C84EE3E10B}.job
[2009/12/02 13:30:46 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\User\Desktop\dds.pif
[2009/12/02 11:55:57 | 00,002,713 | -HS- | M] () -- C:\WINDOWS\System32\yakiyayi.dll
[2009/12/02 10:20:34 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2009/12/02 10:17:32 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\User\Desktop\RootRepeal.exe
[2009/12/01 23:55:49 | 00,092,672 | -HS- | M] () -- C:\WINDOWS\System32\jutepeso.dll
[2009/12/01 23:55:49 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\gimuhohe.dll
[2009/12/01 21:49:36 | 00,001,486 | ---- | M] () -- C:\Documents and Settings\User\Desktop\MagicISO.lnk
[2009/12/01 19:01:01 | 00,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/12/01 18:36:52 | 00,000,630 | ---- | M] () -- C:\Documents and Settings\User\Desktop\EndItAll.lnk
[2009/12/01 18:13:05 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\User\Desktop\CCleaner.lnk
[2009/12/01 11:55:39 | 00,062,464 | -HS- | M] () -- C:\WINDOWS\System32\rarunuku.dll
[2009/12/01 11:55:39 | 00,053,760 | -HS- | M] () -- C:\WINDOWS\System32\palozora.dll
[2009/12/01 11:21:34 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2009/11/30 21:11:38 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/11/29 17:16:58 | 00,128,512 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/25 17:11:22 | 00,202,072 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2009/11/19 17:06:44 | 00,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EA Download Manager.lnk
[2009/11/19 16:39:19 | 00,001,883 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 World Adventures.lnk
[2009/11/19 16:19:15 | 00,001,723 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3.lnk
[2009/11/19 16:16:27 | 00,068,824 | ---- | M] () -- C:\WINDOWS\CouponPrinter.ocx
[2009/11/14 09:33:47 | 00,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/13 15:57:13 | 00,069,232 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/11 19:10:35 | 00,001,488 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Shutdown.lnk
[2009/11/10 07:06:02 | 00,001,292 | ---- | M] () -- C:\msclgmis.inf
[2009/11/09 10:37:08 | 00,000,074 | ---- | M] () -- C:\WINDOWS\control.ini
[2009/11/08 11:57:30 | 00,068,877 | ---- | M] () -- C:\WINDOWS\hpoins05.dat.temp
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/02 17:03:15 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\NvApps.xml
[2009/12/02 17:01:57 | 00,002,126 | ---- | C] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/02 16:56:45 | 00,000,020 | ---- | C] () -- C:\Documents and Settings\User\defogger_reenable
[2009/12/02 16:38:47 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/02 13:30:20 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\User\Desktop\dds.pif
[2009/12/02 11:55:57 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\yakiyayi.dll
[2009/12/02 10:16:01 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2009/12/01 23:55:49 | 00,092,672 | -HS- | C] () -- C:\WINDOWS\System32\jutepeso.dll
[2009/12/01 23:55:49 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\gimuhohe.dll
[2009/12/01 18:36:52 | 00,000,630 | ---- | C] () -- C:\Documents and Settings\User\Desktop\EndItAll.lnk
[2009/12/01 18:13:05 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\User\Desktop\CCleaner.lnk
[2009/12/01 11:55:39 | 00,062,464 | -HS- | C] () -- C:\WINDOWS\System32\rarunuku.dll
[2009/12/01 11:55:39 | 00,053,760 | -HS- | C] () -- C:\WINDOWS\System32\palozora.dll
[2009/12/01 11:21:34 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2009/11/30 13:51:34 | 00,000,274 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2009/11/30 13:51:27 | 00,000,238 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2009/11/28 11:00:12 | 00,421,888 | ---- | C] () -- C:\WINDOWS\System32\ac3filter.acm
[2009/11/19 16:39:18 | 00,001,883 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 World Adventures.lnk
[2009/11/19 16:20:45 | 00,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EA Download Manager.lnk
[2009/11/19 16:19:15 | 00,001,723 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3.lnk
[2009/11/11 19:09:13 | 00,001,488 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Shutdown.lnk
[2009/11/09 22:21:03 | 00,068,824 | ---- | C] () -- C:\WINDOWS\CouponPrinter.ocx
[2009/11/08 11:56:40 | 00,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2009/11/02 22:59:38 | 00,276,044 | ---- | C] () -- C:\WINDOWS\System32\Turkey Dance 2.scr
[2009/09/02 11:55:55 | 00,025,600 | -HS- | C] () -- C:\WINDOWS\System32\ravezula.dll
[2009/09/02 11:55:54 | 00,045,568 | -HS- | C] () -- C:\WINDOWS\System32\yejenujo.dll
[2009/09/02 11:55:54 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\yemopego.dll
[2009/09/01 23:55:41 | 00,006,144 | -HS- | C] () -- C:\WINDOWS\System32\dovukipo.dll
[2009/09/01 23:55:41 | 00,003,072 | -HS- | C] () -- C:\WINDOWS\System32\gimujuri.dll
[2009/09/01 23:55:40 | 00,045,056 | -HS- | C] () -- C:\WINDOWS\System32\lelimafu.dll
[2009/09/01 11:55:43 | 00,053,760 | -HS- | C] () -- C:\WINDOWS\System32\matiberi.dll
[2009/09/01 11:55:43 | 00,053,760 | -HS- | C] () -- C:\WINDOWS\System32\dukovolo.dll
[2009/09/01 11:55:28 | 00,010,240 | -HS- | C] () -- C:\WINDOWS\System32\vinomisu.dll
[2009/09/01 11:55:26 | 00,032,768 | -HS- | C] () -- C:\WINDOWS\System32\wayebomi.dll
[2009/09/01 11:55:25 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\peyeduli.dll
[2009/08/30 13:52:05 | 00,045,056 | -HS- | C] () -- C:\WINDOWS\System32\yafodini.dll
[2009/08/30 13:52:05 | 00,019,456 | -HS- | C] () -- C:\WINDOWS\System32\zefukava.dll
[2009/08/28 14:42:36 | 00,226,816 | ---- | C] () -- C:\WINDOWS\System32\taskdlg.dll
[2009/08/28 14:13:50 | 00,226,816 | ---- | C] () -- C:\WINDOWS\System32\iasrgwiz.dll
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/05/27 10:46:11 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/05/13 07:10:18 | 00,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/05/03 14:16:01 | 00,000,122 | ---- | C] () -- C:\WINDOWS\kaillera.ini
[2009/05/02 15:24:04 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/05/02 12:52:14 | 00,128,512 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/21 12:19:06 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/04/21 10:23:26 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/19 15:00:35 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
[2009/04/19 14:22:24 | 00,010,201 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/12/19 08:15:58 | 04,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 10:41:18 | 00,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 10:22:58 | 00,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 10:22:48 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 10:17:34 | 00,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 09:59:54 | 00,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/11 04:27:02 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/04/14 04:41:58 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\System32\calc.dll
[2007/09/27 09:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/05/09 14:50:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/05/09 14:50:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/05/09 14:50:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/05/09 14:50:00 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/05/09 14:50:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/05/09 14:50:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/05/09 14:50:00 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004/10/03 10:50:54 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:52B72A7C
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\User\Desktop\dds.scr:SummaryInformation
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B132D3E
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D79367EB
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AFFC859A
< End of report >

Edited by acentx76, 02 December 2009 - 06:41 PM.


#4 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 December 2009 - 08:22 PM

Please don't edit the post, because I don't get notified when you edit it and I might miss your post or the edited part. Thanks.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so it is suggested that they be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p (LimeWire, uTorrent, etc...) active download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • I see in the log that Coupon Printer for Windows is installed on your computer.
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "Start" on the taskbar and then click on the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be populated; this may take a bit of time.
    If it exists, uninstall the following by clicking on the entry and selecting "Remove":

    Coupon Printer for Windows

  • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      Comment:
      start to process
      
      Drivers to delete:
      H8SRTd.sys
      
      Files to delete:
      C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
      C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
      C:\WINDOWS\System32\rusojonu
      C:\WINDOWS\System32\yakiyayi.dll
      C:\WINDOWS\System32\jutepeso.dll
      C:\WINDOWS\System32\gimuhohe.dll
      C:\WINDOWS\System32\rarunuku.dll
      C:\WINDOWS\System32\palozora.dll
      C:\WINDOWS\CouponPrinter.ocx
      C:\WINDOWS\System32\gimujuri.dll
      C:\WINDOWS\System32\lelimafu.dll
      C:\WINDOWS\System32\matiberi.dll
      C:\WINDOWS\System32\dukovolo.dll
      C:\WINDOWS\System32\vinomisu.dll
      C:\WINDOWS\System32\wayebomi.dll
      C:\WINDOWS\System32\peyeduli.dll
      C:\WINDOWS\System32\yafodini.dll
      C:\WINDOWS\System32\zefukava.dll
      C:\WINDOWS\system32\h8srtcfg.dat
      C:\WINDOWS\system32\H8SRToexpaigakd.dll
      C:\WINDOWS\system32\H8SRTpwasvsvunk.dll
      C:\WINDOWS\system32\H8SRTqjnqrhomxg.dat
      C:\WINDOWS\system32\H8SRTyuowrquvjw.dll
      C:\WINDOWS\Temp\H8SRTf519.tmp
      C:\WINDOWS\Temp\H8SRT14c6.tmp
      C:\WINDOWS\Temp\H8SRT9df5.tmp
      C:\WINDOWS\system32\drivers\H8SRTynmwmxaido.sys
      I:\Autorun.exe
      I:\Autorun.inf
      J:\Autorun.exe
      J:\Autorun.inf
      
      Folders to delete:
      C:\Program Files\Coupons
    • In the Avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.
  • Please open OTL.
    • Copy the text in the code box and paste it into the Custom Scans/Fixes section:

      :Services
      H8SRTd.sys
      :files
      C:\Program Files\Coupons
      C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
      C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
      C:\WINDOWS\System32\rusojonu
      C:\WINDOWS\System32\yakiyayi.dll
      C:\WINDOWS\System32\jutepeso.dll
      C:\WINDOWS\System32\gimuhohe.dll
      C:\WINDOWS\System32\rarunuku.dll
      C:\WINDOWS\System32\palozora.dll
      C:\WINDOWS\CouponPrinter.ocx
      C:\WINDOWS\System32\gimujuri.dll
      C:\WINDOWS\System32\lelimafu.dll
      C:\WINDOWS\System32\matiberi.dll
      C:\WINDOWS\System32\dukovolo.dll
      C:\WINDOWS\System32\vinomisu.dll
      C:\WINDOWS\System32\wayebomi.dll
      C:\WINDOWS\System32\peyeduli.dll
      C:\WINDOWS\System32\yafodini.dll
      C:\WINDOWS\System32\zefukava.dll
      C:\WINDOWS\system32\h8srtcfg.dat
      C:\WINDOWS\system32\H8SRToexpaigakd.dll
      C:\WINDOWS\system32\H8SRTpwasvsvunk.dll
      C:\WINDOWS\system32\H8SRTqjnqrhomxg.dat
      C:\WINDOWS\system32\H8SRTyuowrquvjw.dll
      C:\WINDOWS\Temp\H8SRTf519.tmp
      C:\WINDOWS\Temp\H8SRT14c6.tmp
      C:\WINDOWS\Temp\H8SRT9df5.tmp
      C:\WINDOWS\system32\drivers\H8SRTynmwmxaido.sys
      I:\Autorun.exe
      I:\Autorun.inf
      J:\Autorun.exe
      J:\Autorun.inf
      
      :otl
      O3 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
      O3 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No CLSID value found.
      O3 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
      O4 - HKLM..\Run: [bojudoboh] C:\WINDOWS\System32\yubihimo.DLL File not found
      O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
      O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
      O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O20 - AppInit_DLLs: (c:\windows\system32\perosaro.dll) - C:\WINDOWS\System32\perosaro.dll File not found
      O20 - AppInit_DLLs: (jihizeda.dll) - File not found
      O20 - AppInit_DLLs: (c:\windows\system32\yubihimo.dll) - C:\WINDOWS\System32\yubihimo.dll File not found
      O20 - Winlogon\Notify\__c0021906: DllName - C:\WINDOWS\system32\__c0021906.dat - C:\WINDOWS\System32\__c0021906.dat File not found
      O20 - Winlogon\Notify\__c0047FA7: DllName - C:\WINDOWS\system32\__c0047FA7.dat - C:\WINDOWS\System32\__c0047FA7.dat File not found
      O20 - Winlogon\Notify\__c005EF1F: DllName - C:\WINDOWS\system32\__c005EF1F.dat - C:\WINDOWS\System32\__c005EF1F.dat File not found
      O20 - Winlogon\Notify\__c0068F3E: DllName - C:\WINDOWS\system32\__c0068F3E.dat - C:\WINDOWS\System32\__c0068F3E.dat File not found
      O20 - Winlogon\Notify\__c006E754: DllName - C:\WINDOWS\system32\__c006E754.dat - C:\WINDOWS\System32\__c006E754.dat File not found
      O20 - Winlogon\Notify\__c0077D40: DllName - C:\WINDOWS\system32\__c0077D40.dat - C:\WINDOWS\System32\__c0077D40.dat File not found
      O20 - Winlogon\Notify\__c00A5FF8: DllName - C:\WINDOWS\system32\__c00A5FF8.dat - C:\WINDOWS\System32\__c00A5FF8.dat File not found
      O20 - Winlogon\Notify\__c00B3A1E: DllName - C:\WINDOWS\system32\__c00B3A1E.dat - C:\WINDOWS\System32\__c00B3A1E.dat File not found
      O20 - Winlogon\Notify\__c00CF67: DllName - C:\WINDOWS\system32\__c00CF67.dat - C:\WINDOWS\System32\__c00CF67.dat File not found
      O20 - Winlogon\Notify\__c00E3BEC: DllName - C:\WINDOWS\system32\__c00E3BEC.dat - C:\WINDOWS\System32\__c00E3BEC.dat File not found
      O20 - Winlogon\Notify\__c00F7E40: DllName - C:\WINDOWS\system32\__c00F7E40.dat - C:\WINDOWS\System32\__c00F7E40.dat File not found
      O21 - SSODL: bevoyofod - {b37a4d94-d395-4497-be18-4c50dc144d57} - CLSID or File not found.
      O21 - SSODL: fewolipid - {1ffa3e5a-616d-4a97-a081-5d9647bdea9c} - CLSID or File not found.
      O21 - SSODL: nusuremah - {3ac43900-3bfa-476a-8808-ebe6ce18e8f8} - C:\WINDOWS\System32\yubihimo.dll File not found
      O22 - SharedTaskScheduler: {1ffa3e5a-616d-4a97-a081-5d9647bdea9c} - mujuzedij - Reg Error: Key error. File not found
      O22 - SharedTaskScheduler: {3ac43900-3bfa-476a-8808-ebe6ce18e8f8} - kupuhivus - C:\WINDOWS\System32\yubihimo.dll File not found
      O22 - SharedTaskScheduler: {b37a4d94-d395-4497-be18-4c50dc144d57} - mujuzedij - Reg Error: Key error. File not found
      O22 - SharedTaskScheduler: {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - jkshf8a3rudbfa873fudfhbdugf87whjdb - Reg Error: Key error. File not found
    • Click the Run Fix button.
    • If the fix needs a reboot, please do it.
    • When it has finished, a log will open. Copy and paste the log into your reply.
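An added example, not part of this thread and not code from OTL or The Avenger: a small Python triage script that pulls out of an OTL log the same kinds of indicators the fix list above was built from: hidden+system DLLs with throwaway names dropped into System32, files carrying the H8SRT prefix used in the fix script, autostart hooks (O4/O20/O21/O22) whose target file no longer exists, and the O6/O7 policy values that match the symptoms reported in the opening post. The sample lines are copied from the log and fix posted in this thread; the "eight lowercase letters plus .dll" name rule is a heuristic derived from the names in this log, not a signature, so everything it flags still needs a human look before it goes into a deletion list.

```python
import json
import re
from collections import Counter

# Constructed sample: lines copied from the OTL log and the OTL fix posted in
# this thread. A real run would read the complete OTL.txt instead.
SAMPLE_OTL_LOG = r"""
[2009/12/02 17:01:57 | 00,002,126 | ---- | C] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/02 11:55:57 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\yakiyayi.dll
[2009/12/01 23:55:49 | 00,092,672 | -HS- | C] () -- C:\WINDOWS\System32\jutepeso.dll
[2009/12/01 23:55:49 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\gimuhohe.dll
[2009/12/01 11:55:39 | 00,062,464 | -HS- | C] () -- C:\WINDOWS\System32\rarunuku.dll
[2009/11/28 11:00:12 | 00,421,888 | ---- | C] () -- C:\WINDOWS\System32\ac3filter.acm
[2009/05/02 15:24:04 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
O4 - HKLM..\Run: [bojudoboh] C:\WINDOWS\System32\yubihimo.DLL File not found
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O20 - AppInit_DLLs: (c:\windows\system32\perosaro.dll) - C:\WINDOWS\System32\perosaro.dll File not found
O20 - Winlogon\Notify\__c0021906: DllName - C:\WINDOWS\system32\__c0021906.dat - C:\WINDOWS\System32\__c0021906.dat File not found
O21 - SSODL: nusuremah - {3ac43900-3bfa-476a-8808-ebe6ce18e8f8} - C:\WINDOWS\System32\yubihimo.dll File not found
"""

# OTL file entry: [date time | size | attrs | M or C] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [MC]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Heuristic taken from the names in this log: eight lowercase letters + .dll.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)
# Autostart hooks OTL reports as O4/O20/O21/O22 whose target is gone.
ORPHAN_RE = re.compile(r"^O(?:4|20|21|22) - .*File not found\.?$")
# O6/O7 policy lines: ...\policies\<key>: <name> = <value>
POLICY_RE = re.compile(r"^O[67] - .*\\policies\\(?P<key>\w+): (?P<name>\w+) = (?P<val>\d+)$")
# Restrictions that explain the symptoms reported; DisableRegistryTools is the
# standard policy name for a blocked regedit and is not in this log excerpt.
RESTRICTIONS = {"DisableTaskMgr", "NoFolderOptions", "NoSetActiveDesktop",
                "NoActiveDesktopChanges", "DisableRegistryTools"}


def triage(log_text: str) -> dict:
    """Collect the indicators a helper would turn into a fix list."""
    hidden_dlls, orphans, policies = [], [], []
    drop_times = Counter()          # HH:MM of each flagged drop, to spot a cadence
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            folder, _, name = path.rpartition("\\")
            attrs = m.group("attrs")
            in_system32 = folder.lower().endswith("\\system32")
            if "H" in attrs and "S" in attrs and in_system32 and RANDOM_DLL_RE.match(name):
                hidden_dlls.append(path)
                drop_times[m.group("ts")[11:16]] += 1
            elif name.upper().startswith("H8SRT"):   # prefix used in the fix script
                hidden_dlls.append(path)
            continue
        if ORPHAN_RE.match(line):
            orphans.append(line)
            continue
        pm = POLICY_RE.match(line)
        if pm and pm.group("name") in RESTRICTIONS and pm.group("val") != "0":
            policies.append(f"{pm.group('key')}\\{pm.group('name')}")
    return {"hidden_dlls": hidden_dlls, "orphaned_autostarts": orphans,
            "policy_restrictions": policies, "drop_times": dict(drop_times)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_OTL_LOG), indent=2))
```

The drop_times count is there because, in the full log above, the hidden DLLs were created at 11:55 and 23:55 on successive days (1 and 2 December, 1 and 2 September). A twelve-hour cadence like that points at a scheduled dropper and is worth comparing with the two .job files under C:\WINDOWS\tasks that the fix list also removes.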


#5 acentx76
  • Topic Starter
  • Members
  • 25 posts

Posted 02 December 2009 - 08:42 PM

Sorry, my friend; I won't edit the post after posting again. I think we are making some progress. When I ran the first fix and the computer rebooted I didn't get that message that said I was infected with worm.win32.skynet. Here are the 2 logs you requested, and I didn't have any active downloads to delete. Trust me, I'm not going to touch anything, especially any p2p things, until we get this fixed :(


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTynmwmxaido.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "H8SRTd.sys" deleted successfully.
File "C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job" deleted successfully.
File "C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job" deleted successfully.
File "C:\WINDOWS\System32\rusojonu" deleted successfully.
File "C:\WINDOWS\System32\yakiyayi.dll" deleted successfully.
File "C:\WINDOWS\System32\jutepeso.dll" deleted successfully.
File "C:\WINDOWS\System32\gimuhohe.dll" deleted successfully.
File "C:\WINDOWS\System32\rarunuku.dll" deleted successfully.
File "C:\WINDOWS\System32\palozora.dll" deleted successfully.

Error: file "C:\WINDOWS\CouponPrinter.ocx" not found!
Deletion of file "C:\WINDOWS\CouponPrinter.ocx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\System32\gimujuri.dll" deleted successfully.
File "C:\WINDOWS\System32\lelimafu.dll" deleted successfully.
File "C:\WINDOWS\System32\matiberi.dll" deleted successfully.
File "C:\WINDOWS\System32\dukovolo.dll" deleted successfully.
File "C:\WINDOWS\System32\vinomisu.dll" deleted successfully.
File "C:\WINDOWS\System32\wayebomi.dll" deleted successfully.
File "C:\WINDOWS\System32\peyeduli.dll" deleted successfully.
File "C:\WINDOWS\System32\yafodini.dll" deleted successfully.
File "C:\WINDOWS\System32\zefukava.dll" deleted successfully.
File "C:\WINDOWS\system32\h8srtcfg.dat" deleted successfully.
File "C:\WINDOWS\system32\H8SRToexpaigakd.dll" deleted successfully.
File "C:\WINDOWS\system32\H8SRTpwasvsvunk.dll" deleted successfully.
File "C:\WINDOWS\system32\H8SRTqjnqrhomxg.dat" deleted successfully.
File "C:\WINDOWS\system32\H8SRTyuowrquvjw.dll" deleted successfully.
File "C:\WINDOWS\Temp\H8SRTf519.tmp" deleted successfully.
File "C:\WINDOWS\Temp\H8SRT14c6.tmp" deleted successfully.
File "C:\WINDOWS\Temp\H8SRT9df5.tmp" deleted successfully.
File "C:\WINDOWS\system32\drivers\H8SRTynmwmxaido.sys" deleted successfully.

Error: could not open file "I:\Autorun.exe"
Deletion of file "I:\Autorun.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "I:\Autorun.inf"
Deletion of file "I:\Autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "J:\Autorun.exe"
Deletion of file "J:\Autorun.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "J:\Autorun.inf"
Deletion of file "J:\Autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: folder "C:\Program Files\Coupons" not found!
Deletion of folder "C:\Program Files\Coupons" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



========== SERVICES/DRIVERS ==========
No service named H8SRTd.sys was found to stop!
Unable to stop service H8SRTd.sys!
========== FILES ==========
File\Folder C:\Program Files\Coupons not found.
File\Folder C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job not found.
File\Folder C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job not found.
File\Folder C:\WINDOWS\System32\rusojonu not found.
File\Folder C:\WINDOWS\System32\yakiyayi.dll not found.
File\Folder C:\WINDOWS\System32\jutepeso.dll not found.
File\Folder C:\WINDOWS\System32\gimuhohe.dll not found.
File\Folder C:\WINDOWS\System32\rarunuku.dll not found.
File\Folder C:\WINDOWS\System32\palozora.dll not found.
File\Folder C:\WINDOWS\CouponPrinter.ocx not found.
File\Folder C:\WINDOWS\System32\gimujuri.dll not found.
File\Folder C:\WINDOWS\System32\lelimafu.dll not found.
File\Folder C:\WINDOWS\System32\matiberi.dll not found.
File\Folder C:\WINDOWS\System32\dukovolo.dll not found.
File\Folder C:\WINDOWS\System32\vinomisu.dll not found.
File\Folder C:\WINDOWS\System32\wayebomi.dll not found.
File\Folder C:\WINDOWS\System32\peyeduli.dll not found.
File\Folder C:\WINDOWS\System32\yafodini.dll not found.
File\Folder C:\WINDOWS\System32\zefukava.dll not found.
File\Folder C:\WINDOWS\system32\h8srtcfg.dat not found.
File\Folder C:\WINDOWS\system32\H8SRToexpaigakd.dll not found.
File\Folder C:\WINDOWS\system32\H8SRTpwasvsvunk.dll not found.
File\Folder C:\WINDOWS\system32\H8SRTqjnqrhomxg.dat not found.
File\Folder C:\WINDOWS\system32\H8SRTyuowrquvjw.dll not found.
File\Folder C:\WINDOWS\Temp\H8SRTf519.tmp not found.
File\Folder C:\WINDOWS\Temp\H8SRT14c6.tmp not found.
File\Folder C:\WINDOWS\Temp\H8SRT9df5.tmp not found.
File\Folder C:\WINDOWS\system32\drivers\H8SRTynmwmxaido.sys not found.
File\Folder I:\Autorun.exe not found.
File\Folder I:\Autorun.inf not found.
File\Folder J:\Autorun.exe not found.
File\Folder J:\Autorun.inf not found.
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}\ not found.
Registry value HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\bojudoboh deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSetActiveDesktop deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\perosaro.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:jihizeda.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\yubihimo.dll deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0021906\ deleted successfully.
Invalid CLSID key: __c0021906
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0047FA7\ deleted successfully.
Invalid CLSID key: __c0047FA7
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c005EF1F\ deleted successfully.
Invalid CLSID key: __c005EF1F
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0068F3E\ deleted successfully.
Invalid CLSID key: __c0068F3E
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c006E754\ deleted successfully.
Invalid CLSID key: __c006E754
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0077D40\ deleted successfully.
Invalid CLSID key: __c0077D40
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00A5FF8\ deleted successfully.
Invalid CLSID key: __c00A5FF8
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00B3A1E\ deleted successfully.
Invalid CLSID key: __c00B3A1E
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00CF67\ deleted successfully.
Invalid CLSID key: __c00CF67
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00E3BEC\ deleted successfully.
Invalid CLSID key: __c00E3BEC
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00F7E40\ deleted successfully.
Invalid CLSID key: __c00F7E40
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\bevoyofod deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b37a4d94-d395-4497-be18-4c50dc144d57}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\fewolipid deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ffa3e5a-616d-4a97-a081-5d9647bdea9c}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\nusuremah deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ac43900-3bfa-476a-8808-ebe6ce18e8f8}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{1ffa3e5a-616d-4a97-a081-5d9647bdea9c} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1ffa3e5a-616d-4a97-a081-5d9647bdea9c}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{3ac43900-3bfa-476a-8808-ebe6ce18e8f8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ac43900-3bfa-476a-8808-ebe6ce18e8f8}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{b37a4d94-d395-4497-be18-4c50dc144d57} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b37a4d94-d395-4497-be18-4c50dc144d57}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{B45A4B16-23F2-41AD-F4E4-00AAC39C0004} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B45A4B16-23F2-41AD-F4E4-00AAC39C0004}\ not found.

OTL by OldTimer - Version 3.1.11.4 log created on 12022009_193701
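An added example, not from the thread and not code from The Avenger: a Python check that reconciles an Avenger script against the log it produced, so that every requested deletion is accounted for before moving on. Outcomes are split into deleted, absent (the STATUS_OBJECT_NAME_NOT_FOUND and STATUS_OBJECT_PATH_NOT_FOUND results seen in the log above, which only mean the object was already gone or the drive letter does not exist) and anything else, which would point at a file that is still locked or protected. The script and log excerpts are abbreviated copies of the ones posted above, except the STATUS_ACCESS_DENIED failure for zefukava.dll, which is constructed to exercise the "needs attention" path and did not happen on this machine.

```python
import json
import re

# Abbreviated copy of the Avenger script posted in this thread.
SAMPLE_SCRIPT = r"""
Comment:
start to process

Drivers to delete:
H8SRTd.sys

Files to delete:
C:\WINDOWS\System32\yakiyayi.dll
C:\WINDOWS\CouponPrinter.ocx
C:\WINDOWS\system32\drivers\H8SRTynmwmxaido.sys
I:\Autorun.inf
C:\WINDOWS\System32\zefukava.dll

Folders to delete:
C:\Program Files\Coupons
"""

# Abbreviated copy of the Avenger log posted in this thread, plus one
# constructed access-denied failure (zefukava.dll) that did not occur here.
SAMPLE_LOG = r"""
Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTynmwmxaido.sys
Start Type: 4 (Disabled)

Driver "H8SRTd.sys" deleted successfully.
File "C:\WINDOWS\System32\yakiyayi.dll" deleted successfully.

Error: file "C:\WINDOWS\CouponPrinter.ocx" not found!
Deletion of file "C:\WINDOWS\CouponPrinter.ocx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\H8SRTynmwmxaido.sys" deleted successfully.

Error: could not open file "I:\Autorun.inf"
Deletion of file "I:\Autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\System32\zefukava.dll"
Deletion of file "C:\WINDOWS\System32\zefukava.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error: folder "C:\Program Files\Coupons" not found!
Deletion of folder "C:\Program Files\Coupons" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
"""

SECTION_RE = re.compile(r"^(Drivers|Files|Folders) to delete:$")
OK_RE = re.compile(r'^(?:Driver|File|Folder) "(?P<item>[^"]+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?:driver|file|folder) "(?P<item>[^"]+)" failed!$')
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9a-fA-F]{8}) \((?P<name>\w+)\)$")
HIDDEN_RE = re.compile(r'^Hidden driver "(?P<item>[^"]+)" found!$')

# Failures that only mean the object was already gone or the drive is absent.
ABSENT = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}


def parse_script(script_text: str) -> list:
    """Items the script asked Avenger to delete, in script order."""
    wanted, in_delete = [], False
    for line in script_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):                     # section header (Comment:, ... to delete:)
            in_delete = bool(SECTION_RE.match(line))
            continue
        if in_delete:
            wanted.append(line)
    return wanted


def parse_log(log_text: str):
    """Map each item Avenger reported on (lower-cased, paths are case-insensitive) to its outcome."""
    outcome, hidden, pending = {}, [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := HIDDEN_RE.match(line):
            hidden.append(m.group("item"))
        elif m := OK_RE.match(line):
            outcome[m.group("item").lower()] = "deleted"
        elif m := FAIL_RE.match(line):
            pending = m.group("item").lower()
            outcome[pending] = "failed"            # refined by the following Status: line
        elif (m := STATUS_RE.match(line)) and pending:
            name = m.group("name")
            outcome[pending] = "absent" if name in ABSENT else f"failed:{name}"
            pending = None
    return outcome, hidden


def reconcile(script_text: str, log_text: str) -> dict:
    """Classify every requested item; anything not deleted or absent needs a look."""
    outcome, hidden = parse_log(log_text)
    report = {item: outcome.get(item.lower(), "unreported") for item in parse_script(script_text)}
    attention = [item for item, result in report.items() if result not in ("deleted", "absent")]
    return {"report": report, "hidden_drivers": hidden, "needs_attention": attention}


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_SCRIPT, SAMPLE_LOG), indent=2))
```

An item that comes back "unreported" means the log never mentioned it, which usually indicates the script was edited between paste and execute; a "failed:..." result other than the two not-found statuses means the object is still there and still protected, and the rootkit component guarding it has to be dealt with first.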

#6 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 December 2009 - 08:50 PM

Well done. :(

Please download Malwarebytes' Anti-Malware from one of these locations:
malwarebytes.org
majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#7 acentx76
  • Topic Starter
  • Members
  • 25 posts

Posted 02 December 2009 - 09:13 PM

SUCCESS!! It actually worked. When I went to get the log I looked in quarantine and the files were still there. Can I delete them? Task manager works!! I can change my background again!! System restore is still disabled by group domain, though, but we have made a lot of progress; we still have a few things left. I'm not changing anything, just seeing what I can and can't do.



Malwarebytes' Anti-Malware 1.41
Database version: 3283
Windows 5.1.2600 Service Pack 3

12/2/2009 8:05:26 PM
mbam-log-2009-12-02 (20-05-26).txt

Scan type: Quick Scan
Objects scanned: 136061
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 2
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Nvchost (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{af075c58-0954-49cb-b653-24bcc41cdf17}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{af075c58-0954-49cb-b653-24bcc41cdf17}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tazodavi.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dovukipo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mikasova.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yejenujo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yemopego.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\H8SRT72cf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\305.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\305.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\306.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\306.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\307.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\307.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\308.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\308.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\309.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\309.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\310.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\310.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\311.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\311.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\312.music4.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\312.music4.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.DESK1\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chelsea.DESK1\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\calc.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.DESK1\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chelsea.DESK1\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Chelsea.DESK1\Local Settings\Temp\pskfo83wijf89uwuhal8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\H8SRT72df.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
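
The Malwarebytes log above is worth more than a pass/fail glance: the "Registry Data Items" section shows the resolver on both control sets pointed at an outside address and Security Center notifications switched off, and the "lowsec" folder is flagged as stolen data. The following triage script is an added example, not part of this thread and not Malwarebytes' own tooling; the log line format (`item (Detection.Name) -> [Data: v | Bad: (v) Good: (v) ->] action`) is inferred from the lines pasted above. The sample log embedded in the script is constructed from a few of those lines, plus one constructed "Delete on reboot." entry to show how a not-yet-removed item is reported.

```python
"""Triage helper for Malwarebytes-style removal logs (added example, assumed format)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional


class Finding:
    """One logged item. `data` holds the hijacked value for registry data items."""

    def __init__(self, section: str, item: str, detection: str,
                 action: str, data: Optional[str] = None) -> None:
        self.section = section
        self.item = item
        self.detection = detection
        self.action = action
        self.data = data


SECTION_RE = re.compile(r"^(?P<name>.+?) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
# Either "Data: <value> -> <action>" or "Bad: (<v>) Good: (<v>) -> <action>".
VALUE_RE = re.compile(
    r"^(?:Data: (?P<data>\S+)|Bad: \((?P<bad>[^)]*)\) Good: \([^)]*\)) -> (?P<action>.+)$")

# Constructed sample: lines copied from the thread's log plus one constructed
# "Delete on reboot." entry (the real tool reports deferred deletions this way).
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{af075c58-0954-49cb-b653-24bcc41cdf17}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yejenujo.dll (Trojan.Vundo) -> Delete on reboot.
"""


def parse_log(text: str) -> List[Finding]:
    """Parse the log into Finding objects, tracking the current section header."""
    findings: List[Finding] = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # not a finding line (e.g. a tool banner)
        rest = entry.group("rest")
        value = VALUE_RE.match(rest)
        if value:
            data = value.group("data") if value.group("data") is not None else value.group("bad")
            action = value.group("action")
        else:
            data, action = None, rest
        findings.append(Finding(section, entry.group("item"), entry.group("detection"), action, data))
    return findings


def is_public_ip(value: str) -> bool:
    """True only for a syntactically valid, globally routable address."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def triage(findings: List[Finding]) -> Dict[str, object]:
    """Summarise what was found and raise flags a responder should act on."""
    flags: List[str] = []
    for f in findings:
        key = f.item.lower()
        name = f.item.rsplit("\\", 1)[-1]
        if key.endswith("\\nameserver") and f.data and is_public_ip(f.data):
            flags.append(f"DNS resolver hijacked to {f.data}: {f.item}")
        elif "\\security center\\" in key:
            flags.append(f"Security Center tampering: {name}={f.data}")
        elif "\\policies\\" in key:
            flags.append(f"Policy restriction set by malware: {name}={f.data}")
        elif "\\currentversion\\run\\" in key or "\\programs\\startup\\" in key:
            flags.append(f"Persistence entry: {f.item}")
        elif f.detection.lower().startswith("stolen"):
            flags.append(f"Stolen-data cache found, treat credentials as compromised: {f.item}")
    return {
        "by_section": Counter(f.section for f in findings),
        "detections": sorted({f.detection for f in findings}),
        "flags": flags,
        "not_removed": [f for f in findings
                        if not f.action.startswith("Quarantined and deleted successfully")],
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    for flag in report["flags"]:
        print("FLAG:", flag)
    for f in report["not_removed"]:
        print("PENDING:", f.item, "->", f.action)
```

The DNS check deliberately ignores private and loopback addresses so that a home router resolver is not reported; any public resolver written into a per-interface `NameServer` value by malware is exactly the case the log above records, and it is the reason a machine can "still redirect" after the files themselves are gone.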

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:15 PM

Posted 03 December 2009 - 02:15 AM

Great. It is fine that you are giving feedback on what is working well and what is not functioning.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Removal Instructions
  • You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. Besides the paid antivirus programs there are also some free antivirus programs.
    Please tell me if you have a paid antivirus; otherwise I'm going to recommend a good free antivirus in the next post.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#9 acentx76

acentx76
  • Topic Starter

  • Members
  • 25 posts
  • Local time:01:15 PM

Posted 03 December 2009 - 11:34 AM

Went ahead and reinstalled my McAfee Security Center (I know it's not the best, but I get it free from my internet provider). Success!! I now have the system restore ability. I did lose all my earlier restore points though, but I guess that's OK. One thing that is still happening that I know of is when I use my Google search on my browser it seems to take me to a site called uniqsearch8 or other sites. How do I delete add-ons, or can I just disable them?


ComboFix 09-12-02.08 - User 12/03/2009 10:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.573 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\windows\system32\wbem\snmp
2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\windows\system32\xircom
2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\program files\microsoft frontpage
2009-12-03 08:02 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-03 08:01 . 2009-12-03 08:02 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-03 08:01 . 2009-12-03 08:01 -------- d-----w- c:\program files\McAfee.com
2009-12-03 07:22 . 2009-09-30 18:11 288096 ----a-r- c:\documents and settings\User\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-12-03 07:21 . 2009-12-03 07:21 -------- d-----w- c:\documents and settings\User\Application Data\McAfee
2009-12-03 07:20 . 2009-12-03 07:20 -------- dc----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-12-03 07:18 . 2009-11-04 22:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-03 07:18 . 2009-11-04 22:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-03 07:18 . 2009-11-04 22:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-03 07:17 . 2009-12-03 08:03 -------- d-----w- c:\program files\McAfee
2009-12-03 06:28 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-03 06:23 . 2009-12-03 08:04 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-03 06:12 . 2009-12-03 06:13 -------- dc-h--w- c:\windows\ie8
2009-12-03 01:52 . 2009-12-03 01:52 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-12-03 01:37 . 2009-12-03 01:37 -------- dc----w- C:\_OTL
2009-12-02 22:38 . 2009-12-02 22:38 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 08:08 . 2009-12-03 08:03 -------- d-----w- c:\windows\system32\CatRoot
2009-12-01 07:52 . 2009-12-01 07:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-01 06:05 . 2009-12-03 06:01 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-01 00:54 . 2009-12-01 00:54 69232 -c--a-w- c:\documents and settings\Administrator.DESK1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-01 00:53 . 2009-12-01 00:53 -------- dc----w- c:\documents and settings\Administrator.DESK1\Application Data\Windows Search
2009-12-01 00:53 . 2009-12-01 00:53 -------- dc----w- c:\documents and settings\Administrator.DESK1\Application Data\AT&T
2009-12-01 00:52 . 2009-12-01 00:52 -------- dcsh--w- c:\documents and settings\Administrator.DESK1\IETldCache
2009-12-01 00:29 . 2009-12-01 00:29 907 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F942F94A19C0F79468FD2B85E5E8677B.dll
2009-11-28 17:00 . 2009-11-28 17:00 -------- d-----w- c:\program files\XP Codec Pack
2009-11-25 23:10 . 2009-11-25 23:10 -------- d-----w- c:\windows\Cache
2009-11-19 22:07 . 2009-11-19 22:33 -------- d-----w- c:\program files\Electronic Arts
2009-11-19 22:07 . 2009-11-19 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-12 21:55 . 2009-11-12 21:55 -------- d-----w- c:\documents and settings\Chelsea.DESK1\Local Settings\Application Data\Microsoft Help
2009-11-12 04:14 . 2009-11-20 17:59 -------- d-----w- c:\windows\system32\turkeythanksgiving_3113666 dir
2009-11-08 17:56 . 2004-12-14 16:07 19696 ------w- c:\windows\hpomdl05.dat
2009-11-08 17:49 . 2004-12-14 16:07 229376 ----a-r- c:\windows\system32\hpovst08.dll
2009-11-08 17:24 . 2004-09-29 18:14 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-04 03:51 . 2009-11-04 03:51 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 07:24 . 2009-09-13 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 22:41 . 2009-09-09 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-02 03:49 . 2009-05-30 05:21 -------- d-----w- c:\program files\MagicISO
2009-12-02 03:06 . 2009-04-21 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-01 01:32 . 2009-09-09 04:21 -------- d-----w- c:\program files\Security Task Manager
2009-11-30 22:23 . 2009-06-27 23:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-30 19:44 . 2009-10-07 21:11 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-11-29 23:14 . 2009-04-28 17:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-27 05:44 . 2009-09-05 00:14 -------- d-----w- c:\program files\G2GPoker
2009-11-26 00:37 . 2009-10-17 14:08 -------- d-----w- c:\program files\Magic Video Converter
2009-11-22 03:57 . 2009-04-30 02:42 -------- d-----w- c:\documents and settings\User\Application Data\Move Networks
2009-11-20 17:59 . 2009-06-17 18:39 -------- d-----w- c:\program files\Uniquely Texas Screensaver
2009-11-20 17:56 . 2009-04-21 18:22 -------- d-----w- c:\program files\EA SPORTS
2009-11-19 22:22 . 2009-10-30 01:26 -------- dc----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-19 02:46 . 2009-09-23 14:17 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire
2009-11-13 21:57 . 2009-04-19 21:00 69232 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 22:01 . 2009-05-28 16:51 69232 ----a-w- c:\documents and settings\Chelsea.DESK1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 04:06 . 2009-10-20 16:47 -------- d-----w- c:\program files\Freeze.com
2009-11-08 17:35 . 2009-04-19 20:23 -------- d-----w- c:\program files\HP
2009-11-08 16:42 . 2009-08-16 19:30 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2009-11-01 00:16 . 2009-07-01 16:06 143976 ----a-w- c:\documents and settings\User\Application Data\Move Networks\uninstall.exe
2009-11-01 00:16 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\User\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-01 00:16 . 2009-11-01 00:16 1794456 ----a-w- c:\documents and settings\User\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-31 22:43 . 2009-10-31 22:43 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-10-29 15:34 . 2009-04-21 16:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-26 06:32 . 2009-10-26 06:32 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-10-26 06:32 . 2009-10-26 06:32 -------- d-----w- c:\program files\Microsoft WSE
2009-10-25 16:09 . 2009-09-23 14:17 -------- d-----w- c:\program files\LimeWire
2009-10-23 19:23 . 2009-10-07 22:54 -------- d-----w- c:\documents and settings\Chelsea.DESK1\Application Data\uTorrent
2009-10-23 03:13 . 2009-10-23 02:28 -------- d-----w- c:\documents and settings\User\Application Data\Any Video Converter Professional
2009-10-23 02:29 . 2009-10-23 02:28 -------- d-----w- c:\program files\Any Video Converter Professional
2009-10-23 01:46 . 2009-05-03 20:07 -------- d-----w- c:\program files\DivX
2009-10-23 01:45 . 2009-05-03 20:07 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-22 22:46 . 2009-10-22 22:46 -------- d-----w- c:\documents and settings\Chelsea.DESK1\Application Data\Yahoo!
2009-10-20 16:54 . 2009-10-20 16:54 59992 -c--a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-19 19:00 . 2009-10-19 05:52 697792 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-19 15:19 . 2009-10-19 15:19 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield Installation Information
2009-10-19 15:19 . 2009-10-19 15:19 -------- d-----w- c:\program files\Rockstar Games
2009-10-19 15:19 . 2009-10-19 15:21 344064 ----a-w- c:\documents and settings\User\Application Data\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\_setup.dll
2009-10-18 00:22 . 2009-10-18 00:22 -------- d-----w- c:\program files\OLYMPUS
2009-10-18 00:22 . 2009-10-18 00:22 -------- d-----w- c:\program files\MSXML 4.0
2009-10-16 01:48 . 2009-10-16 01:45 -------- d-----w- c:\documents and settings\User\Application Data\QuitCounter
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\User\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-12 00:31 . 2009-10-12 00:23 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-12 00:31 . 2009-10-12 00:23 -------- d-----w- c:\program files\AVS4YOU
2009-10-12 00:24 . 2009-10-12 00:24 -------- dc----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-12 00:24 . 2009-10-12 00:24 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-10-11 10:17 . 2009-06-09 21:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 18:45 . 2009-10-08 18:45 -------- d-----w- c:\program files\7-Zip
2009-10-07 21:12 . 2009-10-07 21:12 -------- d-----w- c:\program files\uTorrent
2009-09-29 16:09 . 2009-09-29 16:09 126970 ----a-w- c:\documents and settings\Chelsea.DESK1\Application Data\Move Networks\uninstall.exe
2009-09-29 16:09 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Chelsea.DESK1\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-25 17:07 . 2009-09-25 16:44 116 ----a-w- c:\documents and settings\User\udpcrawl.tmp
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-20 03:49 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\User\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-20 03:49 . 2009-09-20 03:49 1407680 ----a-w- c:\documents and settings\User\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-09-11 14:18 . 2008-04-14 10:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:47 . 2009-09-10 16:47 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4EA42A62D9304AC4784BF238120661FF.dll
2009-09-10 16:47 . 2009-09-10 16:47 75 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1F9ACB2AC6655084791DF7CD39837632.dll
2009-09-09 15:04 . 2009-12-01 00:50 38208 -c--a-w- c:\documents and settings\Administrator.DESK1\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-09 15:04 . 2009-08-26 13:36 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-04 21:03 . 2008-04-14 10:42 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 16:41 . 2009-09-04 16:41 3584 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-09-02 17:55 . 2009-09-02 17:55 25600 --sha-w- c:\windows\system32\ravezula.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys

[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2001-08-23 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\kbdclass.sys

[-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

[-] 2001-08-23 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-04-14 10:41 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll

[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\system32\ntoskrnl.exe
[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[-] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[-] 2008-04-14 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2001-02-20 19:09 . D36A33C21EEED5A6C1DAECB7C80A1909 . 8192 . . [1.00.2409.7 built by: Lab06_N] . . c:\windows\system32\CTFMON.EXE

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll

[-] 2001-08-23 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-14 04:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-14 10:41 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

[-] 2008-04-14 10:42 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[-] 2009-08-04 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\system32\ntkrnlpa.exe
[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-04-14 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe

[-] 2008-04-14 10:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-10-31 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-10-31 54576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7518:TCP"= 7518:TCP:BitComet 7518 TCP
"7518:UDP"= 7518:UDP:BitComet 7518 UDP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/2/2009 3:24 PM 721904]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/3/2009 2:03 AM 203280]
S2 0108051259827324mcinstcleanup;McAfee Application Installer Cleanup (0108051259827324);c:\docume~1\User\LOCALS~1\Temp\010805~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\User\LOCALS~1\Temp\010805~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-03 18:22]

2009-12-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-03 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {AF075C58-0954-49CB-B653-24BCC41CDF17} = 193.104.110.38,4.2.2.1,192.168.1.254
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
AddRemove-NVIDIA Drivers - c:\windows\system32\nvunrm.exe UninstallGUI
AddRemove-Turkey Dance 2 - c:\windows\DWUninst.exe Turkey Dance 2
AddRemove-{7694E0B1-2332-448B-9235-929F84B41E3F} - c:\program files\InstallShield Installation Information\{7694E0B1-2332-448B-9235-929F84B41E3F}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 10:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spuq.sys >>UNKNOWN [0x8658E938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75d1f28
\Driver\ACPI -> ACPI.sys @ 0xf732bcb8
\Driver\atapi -> atapi.sys @ 0xf72c0b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf71c8bb0
PacketIndicateHandler -> NDIS.sys @ 0xf71d5a21
SendHandler -> NDIS.sys @ 0xf71b387b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:61,43,ad,15,db,6c,63,87,20,27,26,e0,47,78,2a,d8,dd,cf,89,33,4d,a4,62,
e7,c3,16,82,00,e4,d8,36,21,8a,35,26,3d,f0,00,8f,f1,2c,b5,db,bd,38,ea,bb,5e,\
"??"=hex:2d,aa,84,f3,de,e9,13,a2,fe,42,18,a0,1c,dc,b0,e6

[HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\Software\SecuROM\License information*]
"datasecu"=hex:fd,22,da,1f,bf,83,eb,04,c7,a3,ce,81,f8,ee,b0,1f,f2,03,11,a7,b7,
17,1e,f1,75,37,c2,a6,ad,90,3d,28,77,ea,9b,03,f8,4c,3c,be,35,60,57,7e,cd,45,\
"rkeysecu"=hex:a2,01,4f,54,e6,fe,40,0a,6b,bd,5d,e9,6e,15,6c,ae

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2DCA86A8-FA32-61F7-D04B-E2CED10B4513}\InProcServer32*]
"jahhpjmifbfmflflakkf"=hex:6a,61,6b,68,62,6d,6b,69,64,65,66,66,6b,6b,65,61,62,
66,6b,6b,00,00
"iahhfkoiojlbdjidln"=hex:6a,61,6b,68,62,6d,6b,69,64,65,66,66,6b,6b,65,61,62,66,
6b,6b,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-12-03 10:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 16:20

Pre-Run: 54,963,499,008 bytes free
Post-Run: 55,318,720,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - BED57324F927F1841CF5E741DE68C248

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 December 2009 - 03:22 PM

Do you happen to have access to another computer with Windows XP SP3? What we need is to copy atapi.sys from a clean computer to the infected one.

#11 acentx76

acentx76
  • Topic Starter

  • Members
  • 25 posts

Posted 03 December 2009 - 03:56 PM

No, I don't. What is that file, and is there another way to get it?

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 December 2009 - 05:19 PM

It is a file patched by a new rootkit. We are going to find a good copy on your computer.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sy*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#13 acentx76

acentx76
  • Topic Starter

  • Members
  • 25 posts

Posted 03 December 2009 - 05:24 PM

Here's the log.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:22 on 03/12/2009 by User (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sy*"
C:\cmdcons\ATAPI.SY_ --a--c 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\W0ZS6YS4\atapi.sys[1].htm --a--- 9123 bytes [22:13 03/12/2009] [22:13 03/12/2009] 5DB18448D160415BCF208D95081DC513
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:10 14/04/2008] [05:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 December 2009 - 05:36 PM

  • Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    @echo off
    rem Keep a backup of the current (suspect) driver before anything is replaced
    md c:\atapiback
    copy /y C:\WINDOWS\system32\drivers\atapi.sys c:\atapiback
    rem Expand the compressed Recovery Console copy to C:\atapi.sys for inspection
    expand C:\cmdcons\ATAPI.SY_ c:\atapi.sys
    rem Remove this batch file once it has run
    del %0
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate and double-click dirlook.bat on the desktop.
    • A window flashes. It is normal.
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Folder::
    c:\program files\Freeze.com
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2DCA86A8-FA32-61F7-D04B-E2CED10B4513}\InProcServer32*]
    ReglockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2DCA86A8-FA32-61F7-D04B-E2CED10B4513}]
    Registry::
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2DCA86A8-FA32-61F7-D04B-E2CED10B4513}]
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore

    Save this as CFScript.txt, in the same location as ComboFix.exe.


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


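An added illustration, not part of this thread and not code from SystemLook, ComboFix or their authors: before a driver is backed up and overwritten, the check a helper makes is that the copies found are compared like with like and that the hash of the live file agrees between two independent tools. The Python below parses the SystemLook filefind hits from post #13 and ComboFix Sigcheck lines of the kind shown in the log above, classifies each hit so that the cabinet-compressed ATAPI.SY_ or the cached atapi.sys[1].htm page is not mistaken for a driver, and cross-checks MD5 and size for every path both tools reported. The line-format regular expressions are assumptions inferred from the lines on this page, and the sample input is those same lines copied inline.

```python
import hashlib
import re

# Constructed sample input: the SystemLook ":filefind" hits and two ComboFix
# Sigcheck lines, copied from the logs posted in this thread.
SYSTEMLOOK_OUTPUT = r"""
Searching for "atapi.sy*"
C:\cmdcons\ATAPI.SY_ --a--c 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\W0ZS6YS4\atapi.sys[1].htm --a--- 9123 bytes [22:13 03/12/2009] [22:13 03/12/2009] 5DB18448D160415BCF208D95081DC513
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:10 14/04/2008] [05:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
"""

SIGCHECK_OUTPUT = r"""
[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
[-] 2008-04-14 04:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
"""

# Line formats are assumptions inferred from the lines above, not documented grammars.
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def _parse(text, regex):
    records = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:  # header and blank lines simply do not match and are skipped
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def parse_systemlook(text):
    """Records for each SystemLook filefind hit: path, attrs, size, mtime, ctime, md5."""
    return _parse(text, SYSTEMLOOK_RE)


def parse_sigcheck(text):
    """Records for each ComboFix Sigcheck line: flag, date, md5, size, version, path."""
    return _parse(text, SIGCHECK_RE)


def classify_copy(record):
    """Decide what a filefind hit actually is, so hashes are only compared like with like."""
    name = record["path"].rsplit("\\", 1)[-1].lower()
    if name.endswith("_"):
        return "compressed"    # cabinet-compressed copy (ATAPI.SY_): expand it before hashing
    if not name.endswith(".sys"):
        return "not-a-driver"  # e.g. a browser-cache page that merely has atapi.sys in its name
    return "driver"


def cross_check(systemlook_records, sigcheck_records):
    """For every path both tools reported, say whether their MD5 and size agree.

    Two independent tools agreeing on the live driver's hash is the sanity
    check to make before that file is backed up and replaced.
    """
    by_path = {r["path"].lower(): r for r in sigcheck_records}
    verdicts = {}
    for rec in systemlook_records:
        key = rec["path"].lower()
        other = by_path.get(key)
        if other is None:
            continue
        same = rec["md5"] == other["md5"] and rec["size"] == other["size"]
        verdicts[key] = "consistent" if same else "mismatch"
    return verdicts


def md5_hex(data):
    """Upper-case MD5 hex digest, the form both logs use."""
    return hashlib.md5(data).hexdigest().upper()


def file_md5(path):
    """MD5 of a file on disk, read in chunks so a large file need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def matches_record(data, record):
    """True if a file's bytes have exactly the size and MD5 a log record claims."""
    return len(data) == record["size"] and md5_hex(data) == record["md5"]


if __name__ == "__main__":
    hits = parse_systemlook(SYSTEMLOOK_OUTPUT)
    for hit in hits:
        print(f"{classify_copy(hit):13} {hit['size']:>6}  {hit['md5']}  {hit['path']}")
    for path, verdict in cross_check(hits, parse_sigcheck(SIGCHECK_OUTPUT)).items():
        print(f"{verdict}: {path}")
```

The `matches_record` check is the one to run on the expanded C:\atapi.sys once a trusted (MD5, size) pair for that exact build is available; as the later log in this thread shows, the expanded copy is a 95360-byte file dated 2004-08-04, a different build from the 96512-byte driver dated 2008-04-14, so the two hashes are not expected to match each other.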
#15 acentx76

acentx76
  • Topic Starter

  • Members
  • 25 posts

Posted 03 December 2009 - 06:05 PM

Here's the log.



ComboFix 09-12-03.02 - User 12/03/2009 16:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.566 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Freeze.com

c:\windows\system32\hid.dll . . . is infected!!

c:\windows\system32\midimap.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-03 22:48 . 2009-12-03 22:48 -------- dc----w- C:\atapiback
2009-12-03 22:48 . 2004-08-04 04:59 95360 -c--a-w- C:\atapi.sys
2009-12-03 18:50 . 2009-12-03 18:50 -------- d-----w- c:\program files\Java
2009-12-03 18:49 . 2009-12-03 18:49 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\windows\system32\wbem\snmp
2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\windows\system32\xircom
2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\program files\microsoft frontpage
2009-12-03 08:02 . 2009-07-16 18:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-03 08:01 . 2009-12-03 08:02 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-03 08:01 . 2009-12-03 08:01 -------- d-----w- c:\program files\McAfee.com
2009-12-03 07:22 . 2009-09-30 18:11 288096 ----a-r- c:\documents and settings\User\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-12-03 07:21 . 2009-12-03 07:21 -------- d-----w- c:\documents and settings\User\Application Data\McAfee
2009-12-03 07:20 . 2009-12-03 07:20 -------- dc----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-12-03 07:18 . 2009-11-04 22:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-03 07:18 . 2009-11-04 22:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-03 07:18 . 2009-11-04 22:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-03 07:17 . 2009-12-03 08:03 -------- d-----w- c:\program files\McAfee
2009-12-03 06:28 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-03 06:23 . 2009-12-03 08:04 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-03 06:12 . 2009-12-03 06:13 -------- dc-h--w- c:\windows\ie8
2009-12-03 01:52 . 2009-12-03 01:52 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-12-01 08:08 . 2009-12-03 08:03 -------- d-----w- c:\windows\system32\CatRoot
2009-12-01 07:52 . 2009-12-01 07:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-01 00:54 . 2009-12-01 00:54 69232 -c--a-w- c:\documents and settings\Administrator.DESK1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-01 00:53 . 2009-12-01 00:53 -------- dc----w- c:\documents and settings\Administrator.DESK1\Application Data\Windows Search
2009-12-01 00:53 . 2009-12-01 00:53 -------- dc----w- c:\documents and settings\Administrator.DESK1\Application Data\AT&T
2009-12-01 00:52 . 2009-12-01 00:52 -------- dcsh--w- c:\documents and settings\Administrator.DESK1\IETldCache
2009-12-01 00:29 . 2009-12-01 00:29 907 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F942F94A19C0F79468FD2B85E5E8677B.dll
2009-11-28 17:00 . 2009-11-28 17:00 -------- d-----w- c:\program files\XP Codec Pack
2009-11-25 23:10 . 2009-11-25 23:10 -------- d-----w- c:\windows\Cache
2009-11-19 22:07 . 2009-11-19 22:33 -------- d-----w- c:\program files\Electronic Arts
2009-11-19 22:07 . 2009-11-19 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-12 21:55 . 2009-11-12 21:55 -------- d-----w- c:\documents and settings\Chelsea.DESK1\Local Settings\Application Data\Microsoft Help
2009-11-12 04:14 . 2009-11-20 17:59 -------- d-----w- c:\windows\system32\turkeythanksgiving_3113666 dir
2009-11-08 17:56 . 2004-12-14 16:07 19696 ------w- c:\windows\hpomdl05.dat
2009-11-08 17:49 . 2004-12-14 16:07 229376 ----a-r- c:\windows\system32\hpovst08.dll
2009-11-08 17:24 . 2004-09-29 18:14 69632 ----a-w- c:\windows\system32\HPZipm12.exe
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-04 03:51 . 2009-12-03 18:49 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 18:50 . 2009-06-09 21:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-03 17:32 . 2009-10-31 22:43 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-12-03 07:24 . 2009-09-13 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 22:41 . 2009-09-09 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-02 03:49 . 2009-05-30 05:21 -------- d-----w- c:\program files\MagicISO
2009-12-01 01:32 . 2009-09-09 04:21 -------- d-----w- c:\program files\Security Task Manager
2009-11-30 22:23 . 2009-06-27 23:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-30 19:44 . 2009-10-07 21:11 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2009-11-29 23:14 . 2009-04-28 17:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-27 05:44 . 2009-09-05 00:14 -------- d-----w- c:\program files\G2GPoker
2009-11-26 00:37 . 2009-10-17 14:08 -------- d-----w- c:\program files\Magic Video Converter
2009-11-22 03:57 . 2009-04-30 02:42 -------- d-----w- c:\documents and settings\User\Application Data\Move Networks
2009-11-20 17:59 . 2009-06-17 18:39 -------- d-----w- c:\program files\Uniquely Texas Screensaver
2009-11-20 17:56 . 2009-04-21 18:22 -------- d-----w- c:\program files\EA SPORTS
2009-11-19 22:22 . 2009-10-30 01:26 -------- dc----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-11-19 02:46 . 2009-09-23 14:17 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire
2009-11-13 21:57 . 2009-04-19 21:00 69232 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 22:01 . 2009-05-28 16:51 69232 ----a-w- c:\documents and settings\Chelsea.DESK1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-08 17:35 . 2009-04-19 20:23 -------- d-----w- c:\program files\HP
2009-11-08 16:42 . 2009-08-16 19:30 -------- d-----w- c:\documents and settings\User\Application Data\HpUpdate
2009-11-01 00:16 . 2009-07-01 16:06 143976 ----a-w- c:\documents and settings\User\Application Data\Move Networks\uninstall.exe
2009-11-01 00:16 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\User\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-01 00:16 . 2009-11-01 00:16 1794456 ----a-w- c:\documents and settings\User\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-10-29 15:34 . 2009-04-21 16:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-26 06:32 . 2009-10-26 06:32 10134 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-10-26 06:32 . 2009-10-26 06:32 -------- d-----w- c:\program files\Microsoft WSE
2009-10-25 16:09 . 2009-09-23 14:17 -------- d-----w- c:\program files\LimeWire
2009-10-23 19:23 . 2009-10-07 22:54 -------- d-----w- c:\documents and settings\Chelsea.DESK1\Application Data\uTorrent
2009-10-23 03:13 . 2009-10-23 02:28 -------- d-----w- c:\documents and settings\User\Application Data\Any Video Converter Professional
2009-10-23 02:29 . 2009-10-23 02:28 -------- d-----w- c:\program files\Any Video Converter Professional
2009-10-23 01:46 . 2009-05-03 20:07 -------- d-----w- c:\program files\DivX
2009-10-23 01:45 . 2009-05-03 20:07 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-22 22:46 . 2009-10-22 22:46 -------- d-----w- c:\documents and settings\Chelsea.DESK1\Application Data\Yahoo!
2009-10-19 19:00 . 2009-10-19 05:52 697792 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-19 15:19 . 2009-10-19 15:19 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield Installation Information
2009-10-19 15:19 . 2009-10-19 15:19 -------- d-----w- c:\program files\Rockstar Games
2009-10-19 15:19 . 2009-10-19 15:21 344064 ----a-w- c:\documents and settings\User\Application Data\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\_setup.dll
2009-10-18 00:22 . 2009-10-18 00:22 -------- d-----w- c:\program files\OLYMPUS
2009-10-18 00:22 . 2009-10-18 00:22 -------- d-----w- c:\program files\MSXML 4.0
2009-10-16 01:48 . 2009-10-16 01:45 -------- d-----w- c:\documents and settings\User\Application Data\QuitCounter
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\User\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-12 00:31 . 2009-10-12 00:23 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-12 00:31 . 2009-10-12 00:23 -------- d-----w- c:\program files\AVS4YOU
2009-10-12 00:24 . 2009-10-12 00:24 -------- dc----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-12 00:24 . 2009-10-12 00:24 -------- d-----w- c:\documents and settings\User\Application Data\AVS4YOU
2009-10-08 18:45 . 2009-10-08 18:45 -------- d-----w- c:\program files\7-Zip
2009-10-07 21:12 . 2009-10-07 21:12 -------- d-----w- c:\program files\uTorrent
2009-09-29 16:09 . 2009-09-29 16:09 126970 ----a-w- c:\documents and settings\Chelsea.DESK1\Application Data\Move Networks\uninstall.exe
2009-09-29 16:09 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Chelsea.DESK1\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-25 17:07 . 2009-09-25 16:44 116 ----a-w- c:\documents and settings\User\udpcrawl.tmp
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-20 03:49 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\User\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-20 03:49 . 2009-09-20 03:49 1407680 ----a-w- c:\documents and settings\User\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-09-11 14:18 . 2008-04-14 10:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:47 . 2009-09-10 16:47 27 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4EA42A62D9304AC4784BF238120661FF.dll
2009-09-10 16:47 . 2009-09-10 16:47 75 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1F9ACB2AC6655084791DF7CD39837632.dll
2009-09-09 15:04 . 2009-12-01 00:50 38208 -c--a-w- c:\documents and settings\Administrator.DESK1\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-09 15:04 . 2009-08-26 13:36 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-02 17:55 . 2009-09-02 17:55 25600 --sha-w- c:\windows\system32\ravezula.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys

[-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2001-08-23 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
[-] 2008-04-14 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\kbdclass.sys

[-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

[-] 2001-08-23 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-04-14 10:41 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll

[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\system32\ntoskrnl.exe
[-] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[-] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[-] 2008-04-14 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2001-02-20 19:09 . D36A33C21EEED5A6C1DAECB7C80A1909 . 8192 . . [1.00.2409.7 built by: Lab06_N] . . c:\windows\system32\CTFMON.EXE

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll

[-] 2001-08-23 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-14 04:09 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-14 10:41 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\system32\mfc40u.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

[-] 2008-04-14 10:42 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

[-] 2009-08-04 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\system32\ntkrnlpa.exe
[-] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-04-14 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe

[-] 2008-04-14 10:42 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-12-03_16.17.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-03 22:52 . 2009-12-03 22:52 16384 c:\windows\Temp\Perflib_Perfdata_100.dat
+ 2009-12-03 18:19 . 2005-12-12 22:27 19072 c:\windows\system32\ReinstallBackups\0006\DriverFiles\PS2.sys
+ 2009-12-03 18:19 . 2008-04-14 05:48 52480 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\i8042prt.sys
- 2009-04-19 20:58 . 2005-12-12 22:27 19072 c:\windows\system32\drivers\PS2.sys
+ 2009-04-19 20:58 . 2005-12-12 23:27 19072 c:\windows\system32\drivers\PS2.sys
- 2008-04-14 05:48 . 2008-04-14 05:48 52480 c:\windows\system32\drivers\i8042prt.sys
+ 2008-04-14 05:48 . 2008-04-14 06:48 52480 c:\windows\system32\drivers\i8042prt.sys
+ 2009-04-28 18:15 . 2009-12-03 20:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-28 18:15 . 2009-12-03 12:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-03 16:22 . 2009-12-03 20:33 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-28 18:15 . 2009-12-03 12:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-03 18:43 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB976749-IE8\spmsg.dll
+ 2009-12-03 18:43 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB976749-IE8\spcustom.dll
+ 2009-12-03 18:43 . 2008-07-08 13:02 17272 c:\windows\ie8updates\KB971961-IE8\spmsg.dll
+ 2009-12-03 18:43 . 2008-07-08 13:02 26488 c:\windows\ie8updates\KB971961-IE8\spcustom.dll
+ 2008-04-14 10:41 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2008-04-14 10:41 . 2009-03-08 10:33 726528 c:\windows\system32\jscript.dll
+ 2009-12-03 18:50 . 2009-12-03 18:50 149280 c:\windows\system32\javaws.exe
+ 2009-12-03 18:50 . 2009-12-03 18:50 145184 c:\windows\system32\javaw.exe
+ 2009-12-03 18:50 . 2009-12-03 18:50 145184 c:\windows\system32\java.exe
+ 2009-03-08 10:33 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2009-03-08 10:33 . 2009-03-08 10:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-12-03 18:50 . 2009-12-03 18:50 537600 c:\windows\Installer\4d69a.msi
+ 2009-12-03 17:32 . 2009-12-03 17:32 472064 c:\windows\Installer\4a9578.msi
+ 2009-12-03 18:43 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\updspapi.dll
+ 2009-12-03 18:43 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB976749-IE8\update.exe
+ 2009-12-03 18:43 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-12-03 18:43 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2009-12-03 18:43 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst.exe
+ 2009-12-03 18:43 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\updspapi.dll
+ 2009-12-03 18:43 . 2008-07-08 13:02 755576 c:\windows\ie8updates\KB971961-IE8\update.exe
+ 2009-12-03 18:43 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-12-03 18:43 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-12-03 18:43 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst.exe
+ 2009-12-03 18:43 . 2009-03-08 10:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2009-12-03 17:32 . 2009-12-03 17:32 769024 c:\windows\Downloaded Installations\{6E57C195-FF3C-4651-A776-1E9185B1D0FE}\HP Product Detection.msi
+ 2008-04-14 10:42 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2009-03-08 10:41 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-12-03 18:43 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-10-31 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-10-31 54576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7518:TCP"= 7518:TCP:BitComet 7518 TCP
"7518:UDP"= 7518:UDP:BitComet 7518 UDP

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/3/2009 2:03 AM 203280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/2/2009 3:24 PM 721904]
S2 0108051259827324mcinstcleanup;McAfee Application Installer Cleanup (0108051259827324);c:\docume~1\User\LOCALS~1\Temp\010805~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\User\LOCALS~1\Temp\010805~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-03 18:22]

2009-12-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-03 18:22]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {AF075C58-0954-49CB-B653-24BCC41CDF17} = 193.104.110.38,4.2.2.1,192.168.1.254
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 17:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:61,43,ad,15,db,6c,63,87,20,27,26,e0,47,78,2a,d8,dd,cf,89,33,4d,a4,62,
e7,c3,16,82,00,e4,d8,36,21,8a,35,26,3d,f0,00,8f,f1,2c,b5,db,bd,38,ea,bb,5e,\
"??"=hex:2d,aa,84,f3,de,e9,13,a2,fe,42,18,a0,1c,dc,b0,e6

[HKEY_USERS\S-1-5-21-1060284298-152049171-682003330-1007\Software\SecuROM\License information*]
"datasecu"=hex:fd,22,da,1f,bf,83,eb,04,c7,a3,ce,81,f8,ee,b0,1f,f2,03,11,a7,b7,
17,1e,f1,75,37,c2,a6,ad,90,3d,28,77,ea,9b,03,f8,4c,3c,be,35,60,57,7e,cd,45,\
"rkeysecu"=hex:a2,01,4f,54,e6,fe,40,0a,6b,bd,5d,e9,6e,15,6c,ae
.
Completion time: 2009-12-03 17:02
ComboFix-quarantined-files.txt 2009-12-03 23:02
ComboFix2.txt 2009-12-03 16:20

Pre-Run: 54,939,197,440 bytes free
Post-Run: 55,015,129,088 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 4339A49FC60378E0675EEC2200AFE502
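The Reg Loading Points section of the log above records the settings a responder would want to pull out first: "EnableFirewall"= 0 under the standard firewall profile, "DisableMonitoring"=dword:00000001 for both McAfee products under Security Center, three peer-to-peer clients (LimeWire, uTorrent, BitComet) in the firewall exception and open-port lists. The script below is an added example, not part of the original post and not a ComboFix component; it parses a ComboFix registry dump into a small findings record so those items can be checked mechanically rather than by eye. The sample input is an excerpt copied from the log in this thread, and the ".reg"-style line format it expects is the one ComboFix prints in that section.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; the SAMPLE_LOG below is an excerpt copied
from the log posted above, not a fabricated system.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7518:TCP"= 7518:TCP:BitComet 7518 TCP
"7518:UDP"= 7518:UDP:BitComet 7518 UDP
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')


def parse_reg_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group '"name"=value' lines under the [key] header that precedes them."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def reg_int(value: str) -> int:
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    if value.lower().startswith("dword:"):
        return int(value.split(":", 1)[1], 16)
    return int(value.split()[0])


def triage(text: str) -> dict:
    """Extract firewall state, Security Center monitoring flags, exceptions and open ports."""
    findings = {
        "firewall_enabled": None,        # None if the profile key was not in the log
        "monitoring_disabled": [],       # Security Center products with DisableMonitoring=1
        "authorized_apps": [],           # firewall exceptions, .reg escaping undone
        "open_ports": [],                # (port, protocol, description)
    }
    for key, values in parse_reg_points(text).items():
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile"):
            for name, val in values:
                if name == "EnableFirewall":
                    findings["firewall_enabled"] = reg_int(val) != 0
        elif k.endswith("\\authorizedapplications\\list"):
            findings["authorized_apps"].extend(name.replace("\\\\", "\\") for name, _ in values)
        elif k.endswith("\\globallyopenports\\list"):
            for name, val in values:
                port, proto = name.split(":", 1)
                parts = val.split(":", 2)
                desc = parts[2] if len(parts) == 3 else val
                findings["open_ports"].append((int(port), proto, desc))
        elif "\\security center\\monitoring\\" in k:
            product = key.rsplit("\\", 1)[1]
            for name, val in values:
                if name == "DisableMonitoring" and reg_int(val) == 1:
                    findings["monitoring_disabled"].append(product)
    return findings


if __name__ == "__main__":
    for item, value in triage(SAMPLE_LOG).items():
        print(f"{item}: {value}")
```

Run against the full log the same function also sees the `[HKEY_CURRENT_USER\...\Run]` and `[HKEY_LOCAL_MACHINE\...\Run]` blocks, since they follow the same header-plus-quoted-name layout; extending `triage` to list autorun binaries is a one-branch change. The firewall exception and open-port lists are reported rather than judged: whether LimeWire, uTorrent and BitComet belong on this machine is a question for the owner, but "EnableFirewall"= 0 and both "DisableMonitoring" flags are settings that malware commonly changes and that the user did not report changing.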