
Can't update any antivirus programs / Possible Rootkit


  • This topic is locked
31 replies to this topic

#1 srs2004


Posted 07 January 2010 - 02:26 AM

I'm having a problem updating any antivirus programs. It says no network connection is available, but surfing the net and downloading stuff are fine.
I'm currently using Trend Internet Security 2009, and tried others with no luck. I even reinstalled all of them one by one, but I still can't update.
I also tried Malwarebytes' Anti-Malware, but after the scan, it's still the same.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Raymond Enriquez at 15:13:28.57 on Fri 01/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.63.1033.18.3062.2247 [GMT 8:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Raymond Enriquez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256631826640
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://jeg.dipmap.com:8080/cab/OCXChecker_8320.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {CC59193D-C3BC-4A5D-A369-6776F9249880} = 58.69.254.72,58.69.254.137
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2010-1-8 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2010-1-8 5248]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-4 235344]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-5 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-1-5 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-1-5 677128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-4 19160]
R4 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
R4 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]

=============== Created Last 30 ================

2010-01-08 04:48:44 5248 ----a-w- c:\windows\system32\drivers\d347prt.sys
2010-01-08 04:48:44 155136 ----a-w- c:\windows\system32\drivers\d347bus.sys
2010-01-08 04:48:42 0 d-----w- c:\program files\D-Tools
2010-01-08 04:48:29 0 d-----w- c:\windows\Downloaded Installations
2010-01-08 03:54:48 0 d-----w- c:\program files\ThreatFire
2010-01-07 12:03:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Age of Empires 3
2010-01-06 19:36:20 0 d-----w- c:\windows\RegisteredPackages
2010-01-06 19:32:53 0 d-----w- c:\program files\Microsoft Games
2010-01-05 20:06:39 2162 ----a-w- c:\windows\system32\tmp.reg
2010-01-05 16:45:40 0 d-----w- c:\program files\TrendMicro
2010-01-05 09:19:44 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-05 09:19:44 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-05 09:19:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2010-01-05 09:19:02 0 d-----w- c:\program files\Trend Micro
2010-01-05 09:17:30 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-05 09:16:15 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-05 09:16:15 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-05 09:16:15 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-01-05 09:15:04 661808 ----a-w- c:\windows\system32\UfWSC.cpl
2010-01-05 09:15:00 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-04 14:35:54 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-04 14:35:49 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-04 14:35:49 0 d-----w- c:\docume~1\raymon~1\applic~1\SUPERAntiSpyware.com
2010-01-04 13:59:50 0 d-----w- c:\windows\pss
2010-01-04 12:15:48 0 d-----w- c:\docume~1\raymon~1\applic~1\Malwarebytes
2010-01-04 12:15:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 12:15:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 12:15:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 12:15:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-04 12:01:38 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-04 12:01:38 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-04 12:01:38 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-04 12:01:38 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-04 12:01:38 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-04 12:01:22 0 d-----w- c:\docume~1\raymon~1\applic~1\Simply Super Software
2010-01-04 11:35:12 0 d-sha-r- C:\cmdcons
2010-01-04 11:33:52 98816 ----a-w- c:\windows\sed.exe
2010-01-04 11:33:52 77312 ----a-w- c:\windows\MBR.exe
2010-01-04 11:33:52 261632 ----a-w- c:\windows\PEV.exe
2010-01-04 11:33:52 161792 ----a-w- c:\windows\SWREG.exe
2010-01-04 10:16:50 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 09:04:01 0 d-----w- c:\program files\Half-Life 2 Ultimate Edition 7
2009-12-31 16:20:38 0 d-----w- c:\program files\YouTube Downloader
2009-12-30 15:31:54 284 ----a-w- c:\windows\GvSaveImage.ini
2009-12-30 15:31:54 165 ----a-w- c:\windows\GeoLan.ini
2009-12-30 15:31:48 0 d-----w- c:\program files\GeoOCX
2009-12-28 11:49:54 0 d-----w- c:\program files\Makena
2009-12-22 20:46:16 0 d-----w- c:\windows\system32\Adobe
2009-12-18 23:40:12 983 ----a-w- c:\windows\eReg.dat
2009-12-11 09:18:24 0 d-----w- c:\program files\ImTOO

==================== Find3M ====================

2009-12-14 12:02:42 28072 ----a-w- c:\windows\fonts\theresignhead_1.ttf
2009-12-14 12:02:42 24904 ----a-w- c:\windows\fonts\theresigntext_2.ttf
2009-12-14 12:02:42 24732 ----a-w- c:\windows\fonts\therechat.ttf
2009-12-14 12:02:42 24584 ----a-w- c:\windows\fonts\nockc___.ttf
2009-12-14 12:02:42 24356 ----a-w- c:\windows\fonts\theresigntext_1.ttf
2009-12-14 12:02:42 23208 ----a-w- c:\windows\fonts\theresignhead_3.ttf
2009-12-14 12:02:42 22436 ----a-w- c:\windows\fonts\theresignhead_2.ttf
2009-11-20 20:32:14 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-20 20:32:14 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-20 20:32:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-20 20:32:14 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 20:32:14 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-20 20:32:10 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-19 21:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-11 12:23:44 393216 ----a-w- c:\windows\system32\GXJPG.dll
2009-11-06 10:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 18:05:36 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 18:05:34 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-10-30 15:36:22 1179648 ----a-w- c:\windows\system32\GXAVCD.dll
2009-10-30 15:36:22 1179648 ----a-w- c:\windows\system32\GXAVC.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 18:49:34 1122304 ----a-w- c:\windows\system32\GXAMP4D.dll
2009-10-28 18:49:34 1122304 ----a-w- c:\windows\system32\GXAMP4.dll
2009-10-27 09:37:24 68953 ----a-w- c:\windows\hpoins05.dat
2009-10-27 08:26:55 2275840 ----a-w- c:\windows\system32\TUKernel.exe
2009-10-26 18:19:17 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-26 18:19:15 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-26 17:28:39 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-26 10:50:00 610304 ----a-w- c:\windows\system32\GeoCodecD.dll
2009-10-26 10:50:00 610304 ----a-w- c:\windows\system32\GeoCodec.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 19:43:42 778240 ----a-w- c:\windows\system32\GX264D.dll
2009-10-12 19:43:42 778240 ----a-w- c:\windows\system32\GX264.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 15:13:45.26 ===============


#2 srs2004


Posted 09 January 2010 - 09:34 AM

anyone please? =(


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple-post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 10 January 2010 - 08:43 AM.


#3 myrti


Posted 14 January 2010 - 09:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 srs2004


Posted 14 January 2010 - 09:01 PM

Hi myrti, thanks for your response...
The problem was I can't update any antivirus that I've installed on my computer (Trend Micro Internet Security 2009, Norton Antivirus, etc.). I first thought that my program was only corrupted, then I tried reinstalling my antivirus, but it's still the same... So I searched Google to find out what's happening on my computer and found out that there is a virus/rootkit similar to my situation, except that I can't still browse the antivirus websites (Trend, Norton, Kaspersky)..

Here's my OTL.txt:

OTL logfile created on: 1/15/2010 9:41:49 AM - Run 1
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Raymond Enriquez\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00003409 | Country: Republic of the Philippines | Language: ENP | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
22.00 Gb Paging File | 22.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 156.25 Gb Total Space | 103.07 Gb Free Space | 65.96% Space Free | Partition Type: NTFS
Drive D: | 141.83 Gb Total Space | 51.96 Gb Free Space | 36.64% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SRS
Current User Name: Raymond Enriquez
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/15 09:41:08 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raymond Enriquez\Desktop\OTL.exe
PRC - [2010/01/05 17:14:47 | 00,341,256 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2009/12/30 22:55:18 | 00,235,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2009/11/21 04:32:14 | 00,154,216 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2009/10/27 02:19:17 | 00,604,488 | ---- | M] (TuneUp Software) -- C:\WINDOWS\system32\TUProgSt.exe
PRC - [2009/10/21 08:50:12 | 00,995,528 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
PRC - [2009/10/21 08:50:10 | 00,711,248 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
PRC - [2009/10/11 12:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/09/04 08:51:40 | 00,677,128 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
PRC - [2009/03/08 22:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2007/06/13 18:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/08 10:56:32 | 00,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2007/06/08 10:56:31 | 00,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2004/09/29 20:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (SafeList) ==========

MOD - [2010/01/15 09:41:08 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raymond Enriquez\Desktop\OTL.exe
MOD - [2006/08/25 23:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/05 17:14:47 | 00,341,256 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2009/12/30 22:55:18 | 00,235,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/11/21 04:32:14 | 00,154,216 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (nvsvc)
SRV - [2009/10/27 02:19:17 | 00,604,488 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc)
SRV - [2009/10/27 02:19:15 | 00,361,288 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009/10/21 08:50:10 | 00,711,248 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2009/09/04 08:51:40 | 00,677,128 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2009/07/15 19:48:20 | 00,029,000 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2009/06/02 18:10:08 | 00,637,952 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/08/03 12:51:18 | 00,382,248 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2007/06/08 10:56:31 | 00,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2005/04/04 08:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/09/29 20:14:36 | 00,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/12/31 20:00:00 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/01/05 17:15:00 | 00,080,400 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009/12/30 22:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/11/21 10:34:54 | 10,235,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/05/22 16:02:26 | 00,225,296 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2009/05/22 16:00:40 | 00,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2009/05/22 15:45:58 | 01,220,120 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vsapint.sys -- (vsapint)
DRV - [2009/05/07 15:04:50 | 00,157,712 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/04/29 04:20:06 | 00,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2009/04/03 07:08:54 | 00,050,192 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2009/04/03 07:08:52 | 00,050,192 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2009/02/09 16:37:56 | 00,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/02/09 16:37:48 | 00,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/02/09 16:37:46 | 00,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/02/09 16:37:46 | 00,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/08/26 18:26:12 | 00,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/11/13 18:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/08 10:59:05 | 00,254,872 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/06/08 10:56:32 | 01,184,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/06/08 10:56:29 | 00,054,272 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2007/03/13 21:05:30 | 00,044,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2005/01/08 01:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/12/15 00:36:52 | 00,051,120 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2004/12/15 00:36:52 | 00,021,744 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2004/12/15 00:36:52 | 00,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2004/08/22 16:31:48 | 00,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
DRV - [2004/08/22 16:31:10 | 00,155,136 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)
DRV - [2004/08/04 07:08:44 | 00,025,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser.sys -- (usbser)
DRV - [2002/12/31 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/10/27 16:33:18 | 00,000,000 | ---D | M]


O1 HOSTS File: (768 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1256631826640 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} http://jeg.dipmap.com:8080/cab/OCXChecker_8320.cab (OCXDownloadChecker Control)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/15 09:40:58 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Raymond Enriquez\Desktop\OTL.exe
[2010/01/15 00:30:19 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Raymond Enriquez\Recent
[2010/01/12 17:19:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Enriquez\My Documents\My Albums
[2010/01/10 22:50:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Enriquez\Application Data\Nero
[2010/01/10 22:46:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\Ahead
[2010/01/10 22:45:21 | 00,000,000 | ---D | C] -- C:\Program Files\Nero
[2010/01/10 22:45:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nero
[2010/01/10 22:45:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2010/01/08 15:11:50 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Raymond Enriquez\Desktop\RootRepeal.exe
[2010/01/08 12:48:44 | 00,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2010/01/08 12:48:44 | 00,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2010/01/08 12:48:42 | 00,000,000 | ---D | C] -- C:\Program Files\D-Tools
[2010/01/08 12:48:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010/01/07 20:03:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Enriquez\My Documents\My Games
[2010/01/07 20:03:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2010/01/07 03:36:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\RegisteredPackages
[2010/01/07 03:35:48 | 00,052,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\msdv.sys
[2010/01/07 03:35:48 | 00,052,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msdv.sys
[2010/01/07 03:35:48 | 00,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdaplgin.ax
[2010/01/07 03:35:48 | 00,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bdaplgin.ax
[2010/01/07 03:35:48 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mpe.sys
[2010/01/07 03:35:48 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mpe.sys
[2010/01/07 03:35:48 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksolay.ax
[2010/01/07 03:35:48 | 00,011,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bdasup.sys
[2010/01/07 03:35:48 | 00,011,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bdasup.sys
[2010/01/07 03:35:45 | 00,046,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dxdllreg.exe
[2010/01/07 03:35:44 | 00,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pid.dll
[2010/01/07 03:32:53 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Games
[2010/01/06 04:07:42 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/06 00:45:40 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/06 00:39:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/01/05 17:19:44 | 00,050,192 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2010/01/05 17:19:44 | 00,050,192 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2010/01/05 17:19:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2010/01/05 17:19:02 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/05 17:17:30 | 00,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/01/05 17:16:15 | 01,220,120 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\vsapint.sys
[2010/01/05 17:16:15 | 00,225,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmxpflt.sys
[2010/01/05 17:16:15 | 00,036,368 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmpreflt.sys
[2010/01/05 17:15:04 | 00,661,808 | ---- | C] (trend_company_name) -- C:\WINDOWS\System32\UfWSC.cpl
[2010/01/05 17:15:00 | 00,080,400 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/01/04 22:35:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/04 22:35:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Enriquez\Application Data\SUPERAntiSpyware.com
[2010/01/04 22:35:49 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/04 21:59:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/01/04 20:15:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Enriquez\Application Data\Malwarebytes
[2010/01/04 20:15:44 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/04 20:15:42 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/04 20:15:42 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/04 20:15:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/04 20:01:38 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2010/01/04 20:01:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Enriquez\Application Data\Simply Super Software
[2010/01/04 19:35:12 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/04 19:33:52 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/04 19:33:52 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/04 19:33:52 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/04 19:33:52 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/04 19:33:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/04 18:16:50 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/01 00:20:38 | 00,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2009/12/30 23:31:48 | 00,000,000 | ---D | C] -- C:\Program Files\GeoOCX
[2009/12/23 04:46:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/10/27 16:38:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/27 11:03:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/10/27 02:37:57 | 00,028,759 | ---- | C] ( ) -- C:\WINDOWS\GV_AccessIni_Memory.dll
[2009/10/27 01:31:00 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/10/27 01:31:00 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/15 09:41:08 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raymond Enriquez\Desktop\OTL.exe
[2010/01/15 09:23:20 | 00,272,470 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/01/15 09:23:19 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/15 09:23:06 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/15 09:23:03 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/15 00:30:24 | 04,456,448 | -H-- | M] () -- C:\Documents and Settings\Raymond Enriquez\NTUSER.DAT
[2010/01/15 00:30:24 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Raymond Enriquez\ntuser.ini
[2010/01/11 18:13:34 | 00,521,444 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/11 18:13:34 | 00,441,458 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/11 18:13:34 | 00,071,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/11 14:04:10 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/11 11:07:13 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/11 10:50:21 | 00,000,284 | ---- | M] () -- C:\WINDOWS\GvSaveImage.ini
[2010/01/11 10:50:21 | 00,000,165 | ---- | M] () -- C:\WINDOWS\GeoLan.ini
[2010/01/11 00:45:35 | 04,844,026 | -H-- | M] () -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\IconCache.db
[2010/01/11 00:33:12 | 00,008,585 | ---- | M] () -- C:\Documents and Settings\Raymond Enriquez\My Documents\Audio1.nra
[2010/01/10 22:49:44 | 00,002,253 | ---- | M] () -- C:\Documents and Settings\Raymond Enriquez\Desktop\Nero Burning ROM.lnk
[2010/01/08 15:11:53 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Raymond Enriquez\Desktop\RootRepeal.exe
[2010/01/08 14:56:59 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Raymond Enriquez\Desktop\dds.scr
[2010/01/08 12:52:04 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\housecall.guid.cache
[2010/01/08 12:48:43 | 00,000,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools.lnk
[2010/01/07 03:50:15 | 00,001,809 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Age of Empires III - The Asian Dynasties.lnk
[2010/01/07 03:45:36 | 00,001,809 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Age of Empires III - The WarChiefs.lnk
[2010/01/07 03:36:46 | 00,001,802 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Age of Empires III.lnk
[2010/01/06 04:13:36 | 00,000,768 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/01/06 04:10:05 | 00,002,162 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/01/06 03:46:40 | 00,000,193 | -HS- | M] () -- C:\boot.ini
[2010/01/06 00:35:49 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/05 17:19:32 | 00,000,803 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trend Micro Internet Security.lnk
[2010/01/05 17:15:04 | 00,661,808 | ---- | M] (trend_company_name) -- C:\WINDOWS\System32\UfWSC.cpl
[2010/01/05 17:15:00 | 00,080,400 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/01/04 22:01:45 | 00,000,658 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/04 20:15:47 | 00,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/04 19:44:44 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS.TRB
[2010/01/01 00:10:42 | 00,000,569 | ---- | M] () -- C:\WINDOWS\ULEAD32.INI
[2009/12/30 22:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 22:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/20 23:45:07 | 00,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/19 23:31:33 | 00,066,096 | ---- | M] () -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/19 17:28:25 | 00,000,983 | ---- | M] () -- C:\WINDOWS\eReg.dat
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/12 10:42:13 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/11 00:17:09 | 00,008,585 | ---- | C] () -- C:\Documents and Settings\Raymond Enriquez\My Documents\Audio1.nra
[2010/01/10 22:49:44 | 00,002,253 | ---- | C] () -- C:\Documents and Settings\Raymond Enriquez\Desktop\Nero Burning ROM.lnk
[2010/01/08 14:56:50 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Raymond Enriquez\Desktop\dds.scr
[2010/01/08 12:52:04 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\housecall.guid.cache
[2010/01/08 12:48:43 | 00,000,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools.lnk
[2010/01/07 03:50:15 | 00,001,809 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Age of Empires III - The Asian Dynasties.lnk
[2010/01/07 03:45:36 | 00,001,809 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Age of Empires III - The WarChiefs.lnk
[2010/01/07 03:36:46 | 00,001,802 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Age of Empires III.lnk
[2010/01/07 03:35:49 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/01/07 03:35:49 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\dllcache\psisdecd.dll
[2010/01/07 03:35:49 | 00,030,208 | ---- | C] () -- C:\WINDOWS\System32\psisrndr.ax
[2010/01/07 03:35:49 | 00,030,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\psisrndr.ax
[2010/01/07 03:35:48 | 00,052,224 | ---- | C] () -- C:\WINDOWS\System32\msdvbnp.ax
[2010/01/07 03:35:48 | 00,052,224 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdvbnp.ax
[2010/01/06 04:06:39 | 00,002,162 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/01/05 17:19:32 | 00,000,803 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trend Micro Internet Security.lnk
[2010/01/04 20:15:47 | 00,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/04 20:01:38 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/01/04 20:01:38 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/01/04 20:01:38 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/01/04 20:01:38 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/01/04 19:33:52 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/04 19:33:52 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/04 19:33:52 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/04 19:33:52 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/04 19:33:52 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/30 23:31:54 | 00,000,284 | ---- | C] () -- C:\WINDOWS\GvSaveImage.ini
[2009/12/30 23:31:54 | 00,000,165 | ---- | C] () -- C:\WINDOWS\GeoLan.ini
[2009/12/19 07:40:12 | 00,000,983 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2009/12/05 04:53:58 | 00,683,112 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/06 18:58:04 | 00,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/11/02 06:16:18 | 00,000,036 | -H-- | C] () -- C:\Documents and Settings\Raymond Enriquez\Application Data\swk.ini
[2009/10/30 21:15:21 | 00,000,139 | ---- | C] () -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\fusioncache.dat
[2009/10/29 21:01:51 | 00,000,569 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2009/10/27 17:24:16 | 00,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/10/27 06:54:11 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\Raymond Enriquez\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/27 02:37:57 | 00,253,952 | ---- | C] () -- C:\WINDOWS\JxIni.dll
[2009/10/27 02:37:57 | 00,213,065 | ---- | C] () -- C:\WINDOWS\GV_GeoPTZini.dll
[2009/10/27 02:37:57 | 00,139,264 | ---- | C] () -- C:\WINDOWS\GeoEditAVIDll.dll
[2009/10/27 01:37:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/28 03:04:44 | 00,557,003 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2009/08/28 03:04:32 | 00,811,835 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2009/08/28 03:03:52 | 04,456,201 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2009/08/26 02:07:36 | 00,328,334 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2009/08/26 01:38:04 | 00,425,040 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2009/08/26 00:56:56 | 00,829,781 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/08/26 00:37:02 | 00,146,098 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2009/06/03 01:15:44 | 00,113,152 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2009/06/03 01:15:18 | 00,146,944 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2009/06/03 01:15:04 | 00,183,296 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2009/06/03 01:14:56 | 00,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2009/06/03 01:14:30 | 00,486,400 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2009/06/03 01:13:58 | 00,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2009/06/03 01:13:50 | 00,142,848 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2009/06/03 01:11:26 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2009/06/03 01:11:16 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/01/11 06:17:32 | 00,163,840 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2009/01/11 06:16:56 | 00,148,480 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2009/01/11 06:16:50 | 00,108,032 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2009/01/11 06:16:14 | 00,141,312 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2009/01/11 06:15:54 | 00,120,832 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2009/01/11 06:15:44 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2009/01/11 06:15:32 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2009/01/11 06:15:28 | 00,246,784 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2009/01/11 06:15:12 | 00,097,280 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2009/01/11 06:14:08 | 00,079,360 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2009/01/11 06:14:06 | 00,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2008/12/04 06:11:50 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/11/07 00:37:32 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/07 00:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/10/07 17:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 17:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 17:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2007/10/13 17:30:20 | 00,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2007/07/11 01:10:12 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2004/08/22 17:04:56 | 00,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2002/12/31 20:00:00 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/17 08:00:00 | 00,007,420 | ---- | C] () -- C:\WINDOWS\UA000011.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >

Here's my EXTRAS.txt:

Extras logfile created on: 1/15/2010 9:41:49 AM - Run 1
OTL by OldTimer - Version 3.1.24.1 Folder = C:\Documents and Settings\Raymond Enriquez\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00003409 | Country: Republic of the Philippines | Language: ENP | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
22.00 Gb Paging File | 22.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 156.25 Gb Total Space | 103.07 Gb Free Space | 65.96% Space Free | Partition Type: NTFS
Drive D: | 141.83 Gb Total Space | 51.96 Gb Free Space | 36.64% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SRS
Current User Name: Raymond Enriquez
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:Torrent -- (BitTorrent, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs -- (Ensemble Studios)
"C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.3
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3D39E775-DDDA-4327-B747-0BDC5F191331}" = Nokia PC Suite
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40E12A55-C504-4223-AFAC-7672DBF1ACDE}" = Trend Micro Internet Security
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{52D02A2B-03D2-4E34-A358-DC5D951FD296}" = Nokia Connectivity Cable Driver
"{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}" = Nero 8
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}" = MarketResearch
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Codec_264" = GeoVision H264
"Codec_amp4" = GeoVision MPEG4 ASP
"Codec_AVC" = GeoVision MPEG4 AVC
"Codec_jpeg" = GeoVision JPEG
"Codec_mp2" = GeoVision MPEG2
"E8A6D621B6D3FC5D43C68C549D959DE76EEF5D84" = Windows Driver Package - Nokia Modem (06/01/2009 4.1)
"F779F5541ABD99C95C03B0FD5E3C058B22DA0FF7" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
"FrostWire" = FrostWire 4.18.3
"GeoADPCM" = GeoVision ADPCM
"GEOXCodec" = GeoVision MPEG4
"HECI" = Intel® Management Engine Interface
"HP Photo & Imaging" = HP Image Zone 4.7
"HPExtendedCapabilities" = HP Extended Capabilities 4.7
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImTOO MPEG Encoder" = ImTOO MPEG Encoder
"InstallShield_{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"InstallShield_{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Media Player - Codec Pack" = Media Player Codec Pack 3.8.0
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia PC Suite" = Nokia PC Suite
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Ulead Photo Express 3.0 SE" = Ulead Photo Express 3.0 SE
"uTorrent" = µTorrent
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/25/2009 3:39:12 PM | Computer Name = SRS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x000000b4.

Error - 11/27/2009 5:53:00 AM | Computer Name = SRS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00000039.

Error - 11/27/2009 7:17:29 AM | Computer Name = SRS | Source = Application Hang | ID = 1002
Description = Hanging application Tropico 3 Trainer +18.exe, version 1.0.0.0, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/28/2009 8:34:52 AM | Computer Name = SRS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x0000009f.

Error - 12/1/2009 7:12:10 AM | Computer Name = SRS | Source = Application Hang | ID = 1002
Description = Hanging application left4dead2.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/1/2009 5:51:52 PM | Computer Name = SRS | Source = Application Error | ID = 1000
Description = Faulting application left4dead2.exe, version 0.0.0.0, faulting module
tier0.dll, version 0.0.0.0, fault address 0x000057c5.

Error - 12/1/2009 6:06:52 PM | Computer Name = SRS | Source = Application Hang | ID = 1002
Description = Hanging application left4dead2.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/4/2009 4:36:57 PM | Computer Name = SRS | Source = Application Error | ID = 1000
Description = Faulting application gtaiv.exe, version 1.0.4.0, faulting module gtaiv.exe,
version 1.0.4.0, fault address 0x000538d6.

Error - 12/4/2009 4:39:41 PM | Computer Name = SRS | Source = Application Error | ID = 1000
Description = Faulting application gtaiv.exe, version 1.0.4.0, faulting module gtaiv.exe,
version 1.0.4.0, fault address 0x000538d6.

Error - 12/4/2009 4:40:07 PM | Computer Name = SRS | Source = Application Error | ID = 1001
Description = Fault bucket 1327534158.

[ System Events ]
Error - 1/7/2010 11:02:57 PM | Computer Name = SRS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi

Error - 1/7/2010 11:04:26 PM | Computer Name = SRS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/7/2010 11:04:33 PM | Computer Name = SRS | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/7/2010 11:30:45 PM | Computer Name = SRS | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 1/9/2010 10:48:32 AM | Computer Name = SRS | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/10/2010 12:33:52 PM | Computer Name = SRS | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/10/2010 12:33:58 PM | Computer Name = SRS | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 1/11/2010 10:39:25 PM | Computer Name = SRS | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/11/2010 5:23:52 AM | Computer Name = SRS | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/13/2010 5:23:53 AM | Computer Name = SRS | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

[ TuneUp Events ]
Error - 1/10/2010 10:40:19 AM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-10 22:40:19', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1352',0)

Error - 1/10/2010 7:13:11 PM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-11 07:13:11', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1876',0)

Error - 1/11/2010 10:37:27 PM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-12 10:37:27', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1920',0)

Error - 1/11/2010 5:22:46 AM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-11 17:22:46', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','556',0)

Error - 1/11/2010 9:24:34 PM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-12 09:24:34', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1884',0)

Error - 1/12/2010 1:38:27 AM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-12 13:38:27', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1884',0)

Error - 1/12/2010 11:42:43 PM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-13 11:42:43', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1956',0)

Error - 1/13/2010 3:04:50 AM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-13 15:04:50', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1940',0)

Error - 1/14/2010 3:19:52 AM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-14 15:19:52', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1900',0)

Error - 1/14/2010 9:23:17 PM | Computer Name = SRS | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2010-01-15 09:23:17', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbamservice.exe','1944',0)


< End of report >
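
The TuneUp Program Statistics entries above deserve a second look from a security standpoint. The tool builds its INSERT by splicing the process path into the SQL text, and the apostrophe in "Malwarebytes' Anti-Malware" terminates the string literal early; the resulting message, near "anti": syntax error, has SQLite's form. Any process whose path an attacker chooses can therefore inject SQL into that statistics database. The following is an added example, not part of the thread and not TuneUp's code; it reproduces the failure in an in-memory SQLite table with an assumed column schema, shows a constructed path that rewrites the stored row instead of merely breaking the statement, and contrasts both with a parameterised insert:

```python
import sqlite3

# Constructed reproduction of the TuneUp Program Statistics errors in the log above.
# The recorded executable path contains an apostrophe, which the tool splices
# straight into its INSERT statement.
EXE_PATH = r"\device\harddiskvolume1\program files\malwarebytes' anti-malware\mbamservice.exe"
STARTED = "2010-01-10 22:40:19"


def make_db():
    """In-memory table with the columns the log shows (column types are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ActiveApps (Started TEXT, Exe TEXT, ProcID TEXT, Resumed INTEGER)"
    )
    return conn


def insert_unsafe(conn, started, exe, pid):
    """String-built INSERT, mirroring the statement text quoted in the log."""
    sql = (
        "INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) "
        f"VALUES ('{started}', '{exe}','{pid}',0)"
    )
    conn.execute(sql)


def insert_safe(conn, started, exe, pid):
    """Parameterised INSERT: the path is bound as data and never parsed as SQL."""
    conn.execute(
        "INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES (?, ?, ?, 0)",
        (started, exe, str(pid)),
    )


def reproduce():
    """Return (error raised by the unsafe insert, rows stored by the safe insert)."""
    conn = make_db()
    try:
        insert_unsafe(conn, STARTED, EXE_PATH, 1352)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)  # the same text TuneUp logged: near "anti": syntax error
    insert_safe(conn, STARTED, EXE_PATH, 1352)
    rows = conn.execute("SELECT Exe, ProcID FROM ActiveApps").fetchall()
    return error, rows


def tampered_row():
    """A constructed path that does not merely break the statement but rewrites it."""
    conn = make_db()
    # Closes the string literal early, supplies its own ProcID and Resumed values,
    # and comments out the columns the tool meant to write.
    crafted = "c:\\tools\\x.exe', '999', 1) -- "
    insert_unsafe(conn, STARTED, crafted, 1352)
    return conn.execute("SELECT Exe, ProcID, Resumed FROM ActiveApps").fetchone()


if __name__ == "__main__":
    err, rows = reproduce()
    print("unsafe insert failed with:", err)
    print("safe insert stored:", rows)
    print("tampered row:", tampered_row())
```

The unsafe path fails loudly here only because the apostrophe happens to produce invalid SQL; the tampered case shows the quieter outcome, where the statement stays valid and the stored record is under the control of whoever named the executable.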

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:55 AM

Posted 14 January 2010 - 09:09 PM

Hi,

Please run DeFogger: download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

And afterwards run gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 srs2004

srs2004
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:55 PM

Posted 14 January 2010 - 09:48 PM

I can't run GMER from either normal or safe mode. It gets stuck at the beginning of the scan. After that, the computer gets really slow and has a hard time restarting. I posted a screenshot of the problem.




#7 myrti


Posted 14 January 2010 - 10:15 PM

Hi,

This happens sometimes. Please provide logs from mbr.exe and RootRepeal instead:

Rootrepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double-click RootRepeal on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

mbr:

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti



#8 srs2004


Posted 14 January 2010 - 10:38 PM

Here it is. RootRepeal:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/15 11:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xB7EE5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB43D6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85CC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB307A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Raymond Enriquez\Desktop\error.JPG
Status: Invisible to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "d347bus.sys" at address 0xb7f8e818

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x88f09dc0

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xb7f82a20

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x88f092c0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x88f09580

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x88f0ac20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x88f0a340

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x88f0a600

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xb7f832a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "d347bus.sys" at address 0xb7f8e910

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x88f0adc0

#: 119 Function Name: NtOpenKey
Status: Hooked by "d347bus.sys" at address 0xb7f8e794

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88f09840

#: 160 Function Name: NtQueryKey
Status: Hooked by "d347bus.sys" at address 0xb7f832c8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "d347bus.sys" at address 0xb7f8e866

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "d347bus.sys" at address 0xb7f8e0b0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x88f0a080

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x88f09b00

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x88f0aa80

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x892ab810 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x8a2925f8 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89b80c40 Size: 11

Object: Hidden Code [Driver: 00, IRP_MJ_READ]
Process: System Address: 0x8a0bcea8 Size: 11

Object: Hidden Code [Driver: Msfsȅఈ䵃慖, IRP_MJ_READ]
Process: System Address: 0x8a217ea8 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a288b20 Size: 11

Object: Hidden Code [Driver: CdfsЅఐ卆浩, IRP_MJ_READ]
Process: System Address: 0x8a38a7a0 Size: 11

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x88f0b420

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x88f0b240

==EOF==

MBR:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A233860]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a233860
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

Edited by srs2004, 14 January 2010 - 10:41 PM.
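
Two of the logs in the post above corroborate each other, and that correlation is what a reader should take from them: RootRepeal reports every IRP_MJ_* dispatch entry of the atapi driver redirected to 0x8a233860, an address it cannot attribute to any driver it lists, and mbr.exe independently reports `\Driver\atapi -> 0x8a233860` with an `>>UNKNOWN [0x8A233860]<<` module in the disk I/O call chain. The SSDT hooks attributed to `<unknown>` (NtCreateProcess, NtLoadDriver, NtWriteVirtualMemory and others) have the same property: no loaded driver owns the handler, unlike the d347bus.sys hooks, which belong to a CD-emulation bus driver and are the reason DeFogger was requested first. The script below is an added example, not part of the thread and not code from either tool's author; it parses excerpts of the two outputs (the line formats are taken from the text shown above) and flags hooks that no driver claims, plus drivers whose dispatch address matches the one mbr.exe found:

```python
import re
from collections import defaultdict

# Excerpts of the RootRepeal report and the mbr.exe output posted above, trimmed
# to a few representative entries so the script runs offline.
ROOTREPEAL = """\
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "d347bus.sys" at address 0xb7f8e818

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x88f09dc0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x88f092c0

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a233860 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a2336a0 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x892ab810 Size: 11
"""

MBR_OUTPUT = """\
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A233860]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\atapi -> 0x8a233860
Warning: possible MBR rootkit infection !
"""

# Line shapes as they appear in the posted logs.
SSDT_RE = re.compile(
    r'#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]+)" at address (0x[0-9a-f]+)',
    re.I)
IRP_RE = re.compile(
    r'Object: Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\]\nProcess: \w+ Address: (0x[0-9a-f]+)',
    re.I)
MBR_RE = re.compile(r'^(\\Driver\\\S+) -> (0x[0-9a-f]+)', re.I | re.M)


def parse_ssdt(report):
    """(index, syscall, hooking module, handler address) for each hooked SSDT entry."""
    return [(int(n), fn, mod, int(addr, 16)) for n, fn, mod, addr in SSDT_RE.findall(report)]


def parse_irp_hooks(report):
    """driver name -> set of addresses its IRP dispatch entries were redirected to."""
    hooks = defaultdict(set)
    for drv, _irp, addr in IRP_RE.findall(report):
        hooks[drv].add(int(addr, 16))
    return dict(hooks)


def parse_mbr(output):
    """lower-cased '\\driver\\name' -> hook address reported by mbr.exe."""
    return {drv.lower(): int(addr, 16) for drv, addr in MBR_RE.findall(output)}


def triage(report, output):
    """Human-readable findings: orphan SSDT hooks, then hooked drivers with mbr.exe cross-check."""
    findings = []
    unknown = [fn for _, fn, mod, _ in parse_ssdt(report) if mod == "<unknown>"]
    if unknown:
        findings.append(
            f"{len(unknown)} SSDT entries hooked by code not attributable to a loaded driver: "
            + ", ".join(unknown))
    mbr = parse_mbr(output)
    for drv, addrs in parse_irp_hooks(report).items():
        corroborated = mbr.get(f"\\driver\\{drv.lower()}") in addrs
        findings.append(
            f"{drv}: IRP dispatch redirected to "
            + ", ".join(hex(a) for a in sorted(addrs))
            + (" (same address reported by mbr.exe)" if corroborated else ""))
    return findings


if __name__ == "__main__":
    for line in triage(ROOTREPEAL, MBR_OUTPUT):
        print("-", line)
```

Run against the full RootRepeal.txt and mbr.log files instead of the embedded excerpts by reading them from disk; the regexes tolerate the garbled driver names RootRepeal printed for some entries, since they match anything up to the comma. The value of the cross-check is that a single tool can be fooled, while two tools using different techniques agreeing on one address in atapi's dispatch table is hard to explain away.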


#9 myrti


Posted 14 January 2010 - 10:45 PM

Hi,

it seems you ran fixmbr before. Do you recall when this was? Did you run any other tools recently?

Please run a new scan:
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti



#10 srs2004


Posted 14 January 2010 - 10:52 PM

I just did it today, two times; the first test was incomplete because I forgot to put everything in the command and accidentally hit the Enter button. Before posting on this forum, I had already tried running ComboFix and Malwarebytes Anti-Malware within the last week.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A233860]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a233860
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

Edited by srs2004, 14 January 2010 - 10:54 PM.


#11 myrti


Posted 15 January 2010 - 03:48 PM

Hi,

can you please provide the log from ComboFix when you first ran it?

regards myrti



#12 srs2004


Posted 15 January 2010 - 11:59 PM

Here's the log from my ComboFix:

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-04 14:05 . 2009-12-11 18:05 3613560 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Simply Super Software\Trojan Remover\gbt5.exe
2010-01-04 12:15 . 2010-01-04 12:15 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Malwarebytes
2010-01-04 12:15 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 12:15 . 2010-01-04 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 12:15 . 2010-01-04 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-04 12:15 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 12:01 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-04 12:01 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-04 12:01 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-04 12:01 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-04 12:01 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-04 12:01 . 2010-01-04 12:01 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Simply Super Software
2010-01-04 10:16 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 09:04 . 2010-01-04 09:18 -------- d-----w- c:\program files\Half-Life 2 Ultimate Edition 7
2009-12-31 16:20 . 2009-12-31 16:20 -------- d-----w- c:\program files\YouTube Downloader
2009-12-30 15:31 . 2009-12-30 15:31 -------- d-----w- c:\program files\GeoOCX
2009-12-28 11:49 . 2009-12-28 11:49 -------- d-----w- c:\program files\Makena
2009-12-22 20:46 . 2009-12-23 11:34 -------- d-----w- c:\windows\system32\Adobe
2009-12-18 23:40 . 2009-12-19 09:28 983 ----a-w- c:\windows\eReg.dat
2009-12-11 09:21 . 2009-12-11 09:21 -------- d-----w- c:\documents and settings\Raymond Enriquez\Local Settings\Application Data\WMTools Downloaded Files
2009-12-11 09:18 . 2009-12-11 09:18 -------- d-----w- c:\program files\ImTOO
2009-12-08 22:26 . 2009-12-08 22:26 -------- d-----w- c:\windows\system32\v8300
2009-12-08 22:26 . 2009-12-08 22:26 -------- d-----w- c:\windows\system32\v8320
2009-12-08 22:25 . 2009-08-04 19:09 311296 ----a-w- c:\windows\VISCA.dll
2009-12-08 22:25 . 2009-06-19 19:13 275456 ----a-w- c:\windows\PTZRUI.dll
2009-12-08 22:25 . 2009-12-08 22:25 -------- d-----w- c:\windows\GeoOCX
2009-12-08 14:51 . 2009-12-08 15:00 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Winamp
2009-12-08 14:51 . 2009-12-08 14:52 -------- d-----w- c:\program files\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 10:12 . 2010-01-04 14:35 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\SUPERAntiSpyware.com
2010-01-05 10:12 . 2010-01-04 14:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-05 10:12 . 2009-11-03 13:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-05 10:09 . 2009-10-26 19:02 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\uTorrent
2010-01-05 09:29 . 2010-01-05 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-05 09:19 . 2010-01-05 09:19 -------- d-----w- c:\program files\Trend Micro
2010-01-05 09:15 . 2010-01-05 09:15 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-04 14:35 . 2010-01-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-04 14:11 . 2009-10-26 17:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 14:06 . 2009-11-25 08:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 15:31 . 2009-10-26 17:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-19 15:31 . 2009-10-26 17:48 66096 ----a-w- c:\documents and settings\Raymond Enriquez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-10 17:43 . 2009-12-04 20:53 683112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-04 21:01 . 2009-12-04 19:55 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-12-04 20:35 . 2009-12-04 20:35 -------- d--h--r- c:\documents and settings\Raymond Enriquez\Application Data\SecuROM
2009-11-28 22:00 . 2009-11-28 22:00 -------- d-----w- c:\program files\Illu
2009-11-27 11:11 . 2009-11-27 11:08 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Tropico 3
2009-11-25 19:19 . 2009-10-27 08:37 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Nokia
2009-11-25 09:19 . 2009-11-20 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-25 08:57 . 2009-11-25 08:57 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Apple Computer
2009-11-25 08:57 . 2009-11-25 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-25 08:56 . 2009-11-18 23:49 -------- d-----w- c:\program files\Common Files\Apple
2009-11-24 09:40 . 2009-10-26 22:44 -------- d-----w- c:\program files\Java
2009-11-24 09:39 . 2009-11-24 09:39 152576 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 09:39 . 2009-11-24 09:39 79488 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-23 18:01 . 2009-11-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-21 16:11 . 2009-11-19 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Test Drive Unlimited
2009-11-20 20:32 . 2009-11-20 20:32 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-20 20:32 . 2009-11-20 20:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-20 20:32 . 2009-11-20 20:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-20 20:32 . 2009-11-20 20:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 20:32 . 2009-11-20 20:32 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-20 20:32 . 2009-11-20 20:32 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-20 13:51 . 2009-11-20 13:51 -------- d-----w- c:\program files\QuickTime
2009-11-20 00:16 . 2009-10-27 09:00 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\FrostWire
2009-11-19 23:28 . 2009-11-19 23:28 0 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-11-19 21:42 . 2009-11-17 19:43 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-18 23:49 . 2009-11-18 23:49 -------- d-----w- c:\program files\Apple Software Update
2009-11-18 23:49 . 2009-11-18 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-17 20:40 . 2009-11-17 19:44 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-11 12:23 . 2009-10-26 18:37 393216 ----a-w- c:\windows\system32\GXJPG.dll
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 18:05 . 2009-11-02 18:05 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 18:05 . 2009-11-02 18:05 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-10-30 15:36 . 2009-10-26 18:37 1179648 ----a-w- c:\windows\system32\GXAVCD.dll
2009-10-30 15:36 . 2009-10-26 18:37 1179648 ----a-w- c:\windows\system32\GXAVC.dll
2009-10-30 13:15 . 2009-10-30 13:15 139 ----a-w- c:\documents and settings\Raymond Enriquez\Local Settings\Application Data\fusioncache.dat
2009-10-29 07:45 . 2002-12-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 23:46 . 2009-10-26 17:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-28 18:49 . 2009-10-26 18:37 1122304 ----a-w- c:\windows\system32\GXAMP4D.dll
2009-10-28 18:49 . 2009-10-26 18:37 1122304 ----a-w- c:\windows\system32\GXAMP4.dll
2009-10-27 09:37 . 2009-10-27 09:24 68953 ----a-w- c:\windows\hpoins05.dat
2009-10-27 08:32 . 2009-10-27 08:32 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-10-27 08:32 . 2009-10-27 08:32 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-10-27 08:32 . 2009-10-27 08:32 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-10-27 08:32 . 2009-10-27 08:32 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-10-27 08:31 . 2009-10-27 08:32 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng.exe
2009-10-27 08:26 . 2009-10-27 08:26 2275840 ----a-w- c:\windows\system32\TUKernel.exe
2009-10-27 07:41 . 2009-10-27 07:41 152576 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-26 22:26 . 2009-10-26 22:26 5535232 ----a-w- c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe
2009-10-26 21:55 . 2009-10-26 21:54 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-26 18:19 . 2009-10-26 18:19 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-26 18:19 . 2009-10-26 18:19 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-26 17:28 . 2009-10-26 17:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-26 10:50 . 2009-10-26 18:37 610304 ----a-w- c:\windows\system32\GeoCodecD.dll
2009-10-26 10:50 . 2009-10-26 18:37 610304 ----a-w- c:\windows\system32\GeoCodec.dll
2009-10-21 05:38 . 2002-12-31 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2002-12-31 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2002-12-31 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-12-31 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 19:43 . 2009-10-26 18:37 778240 ----a-w- c:\windows\system32\GX264D.dll
2009-10-12 19:43 . 2009-10-26 18:37 778240 ----a-w- c:\windows\system32\GX264.dll
2009-10-12 13:38 . 2002-12-31 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-12-31 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 04:17 . 2009-10-27 07:42 411368 ----a-w- c:\windows\system32\deploytk.dll
.

------- Sigcheck -------

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\termsrv.dll
[-] 2002-12-31 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2007-06-08 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-30 429392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Half-Life 2 Ultimate Edition 7\\Engine3\\hl2.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [10/26/2009 6:07 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [10/26/2009 6:07 PM 5248]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/4/2010 12:15 PM 235344]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/5/2010 9:19 AM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [1/5/2010 9:16 AM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/5/2010 9:19 AM 677128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/4/2010 12:15 PM 19160]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {CC59193D-C3BC-4A5D-A369-6776F9249880} = 58.69.254.72,58.69.254.137
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://jeg.dipmap.com:8080/cab/OCXChecker_8320.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 16:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A20FA50]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cfc3
\Driver\ACPI -> ACPI.sys @ 0xb7f59cb8
\Driver\atapi -> 0x8a20fa50
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DC-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7dccba0
PacketIndicateHandler -> NDIS.sys @ 0xb7dd9b21
SendHandler -> NDIS.sys @ 0xb7db787b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-838170752-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:2b,4b,df,d6,33,f1,76,06,c2,e2,0f,1a,3f,34,ff,6a,73,09,6b,50,30,
72,9d,08,a2,db,54,82,15,61,ec,7f,1f,ec,4c,da,25,bb,d6,2d,37,c7,cc,90,af,60,\
"rkeysecu"=hex:f8,30,80,98,6d,08,94,c2,f1,a9,65,7c,88,de,1b,93
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4080)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WgaTray.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\HPZipm12.exe
c:\windows\sttray.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\STacSV.exe
c:\windows\System32\TUProgSt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-05 16:39:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 16:39
ComboFix2.txt 2010-01-04 13:45

Pre-Run: 104,327,647,232 bytes free
Post-Run: 104,390,070,272 bytes free

- - End Of File - - ADA4F213F9813B37BFBEBE3B92934027

Log of my HIJACKTHIS:

Scan saved at 4:45:57 PM, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1256631826640
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://jeg.dipmap.com:8080/cab/OCXChecker_8320.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC59193D-C3BC-4A5D-A369-6776F9249880}: NameServer = 58.69.254.72,58.69.254.137
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 5683 bytes

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:55 AM

Posted 16 January 2010 - 06:19 AM

Hi,

please delete the copy of ComboFix you have downloaded and get a new one:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#14 srs2004

srs2004
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:04:55 PM

Posted 16 January 2010 - 08:04 AM

Here's the recent combofix.log.....

ComboFix 10-01-15.05 - Raymond Enriquez 01/16/2010 20:53:36.5.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.63.1033.18.3062.2653 [GMT 8:00]
Running from: c:\documents and settings\Raymond Enriquez\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-10 14:50 . 2010-01-10 14:50 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Nero
2010-01-10 14:46 . 2010-01-10 14:46 -------- d-----w- c:\documents and settings\Raymond Enriquez\Local Settings\Application Data\Ahead
2010-01-10 14:45 . 2010-01-10 14:45 -------- d-----w- c:\program files\Common Files\Nero
2010-01-10 14:45 . 2010-01-10 14:45 -------- d-----w- c:\program files\Nero
2010-01-10 14:45 . 2010-01-10 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-08 04:48 . 2004-08-22 08:31 5248 ----a-w- c:\windows\system32\drivers\d347prt.sys
2010-01-08 04:48 . 2004-08-22 08:31 155136 ----a-w- c:\windows\system32\drivers\d347bus.sys
2010-01-08 04:48 . 2010-01-08 04:48 -------- d-----w- c:\program files\D-Tools
2010-01-08 04:48 . 2010-01-08 04:48 -------- d-----w- c:\windows\Downloaded Installations
2010-01-07 12:03 . 2010-01-07 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3
2010-01-06 19:35 . 2004-07-09 04:26 354816 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-01-06 19:35 . 2004-07-09 04:26 354816 ----a-w- c:\windows\system32\psisdecd.dll
2010-01-06 19:35 . 2004-07-09 04:26 52096 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-01-06 19:35 . 2004-07-09 04:26 52096 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-01-06 19:35 . 2004-07-09 04:26 15104 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-01-06 19:35 . 2004-07-09 04:26 15104 ----a-w- c:\windows\system32\drivers\mpe.sys
2010-01-06 19:35 . 2004-07-09 04:26 11392 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2010-01-06 19:35 . 2004-07-09 04:26 11392 ----a-w- c:\windows\system32\drivers\bdasup.sys
2010-01-06 19:35 . 2002-12-12 00:14 46592 ----a-w- c:\windows\system32\dxdllreg.exe
2010-01-06 19:35 . 2002-08-29 03:41 31744 -c--a-w- c:\windows\system32\dllcache\pid.dll
2010-01-06 19:32 . 2010-01-06 19:32 -------- d-----w- c:\program files\Microsoft Games
2010-01-05 16:45 . 2010-01-05 16:45 -------- d-----w- c:\program files\TrendMicro
2010-01-05 09:19 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-01-05 09:19 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-01-05 09:19 . 2010-01-05 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2010-01-05 09:19 . 2010-01-05 09:19 -------- d-----w- c:\program files\Trend Micro
2010-01-05 09:17 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-01-05 09:16 . 2009-05-22 08:02 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-01-05 09:16 . 2009-05-22 08:00 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-01-05 09:16 . 2009-05-22 07:45 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-01-05 09:15 . 2010-01-05 09:15 80400 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-01-04 14:35 . 2010-01-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-04 14:35 . 2010-01-05 10:12 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\SUPERAntiSpyware.com
2010-01-04 14:35 . 2010-01-05 10:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-04 14:05 . 2009-12-11 18:05 3613560 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Simply Super Software\Trojan Remover\gbt5.exe
2010-01-04 12:15 . 2010-01-04 12:15 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Malwarebytes
2010-01-04 12:15 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 12:15 . 2010-01-04 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 12:15 . 2010-01-04 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-04 12:15 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 12:01 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-04 12:01 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-04 12:01 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-04 12:01 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-04 12:01 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-04 12:01 . 2010-01-04 12:01 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Simply Super Software
2010-01-04 10:16 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-31 16:20 . 2009-12-31 16:20 -------- d-----w- c:\program files\YouTube Downloader
2009-12-30 15:31 . 2009-12-30 15:31 -------- d-----w- c:\program files\GeoOCX
2009-12-22 20:46 . 2009-12-23 11:34 -------- d-----w- c:\windows\system32\Adobe
2009-12-18 23:40 . 2009-12-19 09:28 983 ----a-w- c:\windows\eReg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 11:53 . 2009-10-27 09:00 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\FrostWire
2010-01-06 19:51 . 2009-10-26 17:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-06 19:16 . 2009-10-26 19:02 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\uTorrent
2010-01-05 10:12 . 2009-11-03 13:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-04 14:06 . 2009-11-25 08:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 15:31 . 2009-10-26 17:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-19 15:31 . 2009-10-26 17:48 66096 ----a-w- c:\documents and settings\Raymond Enriquez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-11 09:18 . 2009-12-11 09:18 -------- d-----w- c:\program files\ImTOO
2009-12-10 17:43 . 2009-12-04 20:53 683112 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-08 15:00 . 2009-12-08 14:51 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Winamp
2009-12-08 14:52 . 2009-12-08 14:51 -------- d-----w- c:\program files\Winamp
2009-12-04 21:01 . 2009-12-04 19:55 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-12-04 20:35 . 2009-12-04 20:35 -------- d--h--r- c:\documents and settings\Raymond Enriquez\Application Data\SecuROM
2009-11-28 22:00 . 2009-11-28 22:00 -------- d-----w- c:\program files\Illu
2009-11-27 11:11 . 2009-11-27 11:08 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Tropico 3
2009-11-25 19:19 . 2009-10-27 08:37 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Nokia
2009-11-25 09:19 . 2009-11-20 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-25 08:57 . 2009-11-25 08:57 -------- d-----w- c:\documents and settings\Raymond Enriquez\Application Data\Apple Computer
2009-11-25 08:57 . 2009-11-25 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-25 08:56 . 2009-11-18 23:49 -------- d-----w- c:\program files\Common Files\Apple
2009-11-24 09:40 . 2009-10-26 22:44 -------- d-----w- c:\program files\Java
2009-11-24 09:39 . 2009-11-24 09:39 152576 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 09:39 . 2009-11-24 09:39 79488 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-23 18:01 . 2009-11-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-21 16:11 . 2009-11-19 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Test Drive Unlimited
2009-11-20 20:32 . 2009-11-20 20:32 278120 ----a-w- c:\windows\system32\nvmccs.dll
2009-11-20 20:32 . 2009-11-20 20:32 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2009-11-20 20:32 . 2009-11-20 20:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2009-11-20 20:32 . 2009-11-20 20:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 20:32 . 2009-11-20 20:32 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-20 20:32 . 2009-11-20 20:32 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-11-20 13:51 . 2009-11-20 13:51 -------- d-----w- c:\program files\QuickTime
2009-11-19 23:28 . 2009-11-19 23:28 0 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-11-19 21:42 . 2009-11-17 19:43 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-11-18 23:49 . 2009-11-18 23:49 -------- d-----w- c:\program files\Apple Software Update
2009-11-18 23:49 . 2009-11-18 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-17 20:40 . 2009-11-17 19:44 -------- d-----w- c:\program files\AGEIA Technologies
2009-11-11 12:23 . 2009-10-26 18:37 393216 ----a-w- c:\windows\system32\GXJPG.dll
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 18:05 . 2009-11-02 18:05 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 18:05 . 2009-11-02 18:05 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-10-30 15:36 . 2009-10-26 18:37 1179648 ----a-w- c:\windows\system32\GXAVCD.dll
2009-10-30 15:36 . 2009-10-26 18:37 1179648 ----a-w- c:\windows\system32\GXAVC.dll
2009-10-30 13:15 . 2009-10-30 13:15 139 ----a-w- c:\documents and settings\Raymond Enriquez\Local Settings\Application Data\fusioncache.dat
2009-10-29 07:45 . 2002-12-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 23:46 . 2009-10-26 17:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-28 18:49 . 2009-10-26 18:37 1122304 ----a-w- c:\windows\system32\GXAMP4D.dll
2009-10-28 18:49 . 2009-10-26 18:37 1122304 ----a-w- c:\windows\system32\GXAMP4.dll
2009-10-27 09:37 . 2009-10-27 09:24 68953 ----a-w- c:\windows\hpoins05.dat
2009-10-27 08:32 . 2009-10-27 08:32 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-10-27 08:32 . 2009-10-27 08:32 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-10-27 08:32 . 2009-10-27 08:32 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-10-27 08:32 . 2009-10-27 08:32 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-10-27 08:31 . 2009-10-27 08:32 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng.exe
2009-10-27 08:26 . 2009-10-27 08:26 2275840 ----a-w- c:\windows\system32\TUKernel.exe
2009-10-27 07:41 . 2009-10-27 07:41 152576 ----a-w- c:\documents and settings\Raymond Enriquez\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-26 22:26 . 2009-10-26 22:26 5535232 ----a-w- c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe
2009-10-26 21:55 . 2009-10-26 21:54 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-26 18:19 . 2009-10-26 18:19 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-26 18:19 . 2009-10-26 18:19 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-26 17:28 . 2009-10-26 17:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-26 10:50 . 2009-10-26 18:37 610304 ----a-w- c:\windows\system32\GeoCodecD.dll
2009-10-26 10:50 . 2009-10-26 18:37 610304 ----a-w- c:\windows\system32\GeoCodec.dll
2009-10-21 05:38 . 2002-12-31 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2002-12-31 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2002-12-31 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

------- Sigcheck -------

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\termsrv.dll
[-] 2002-12-31 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2007-06-08 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [1/8/2010 12:48 PM 155136]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/4/2010 8:15 PM 235344]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/5/2010 5:19 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [1/5/2010 5:16 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/5/2010 5:19 PM 677128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/4/2010 8:15 PM 19160]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [1/8/2010 12:48 PM 5248]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {CC59193D-C3BC-4A5D-A369-6776F9249880} = 58.69.254.72,58.69.254.137
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://jeg.dipmap.com:8080/cab/OCXChecker_8320.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 21:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A22AB40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cfc3
\Driver\ACPI -> ACPI.sys @ 0xb7f59cb8
\Driver\atapi -> 0x8a22ab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DC-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7de4ba0
PacketIndicateHandler -> NDIS.sys @ 0xb7df1b21
SendHandler -> NDIS.sys @ 0xb7dcf87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-838170752-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:2b,4b,df,d6,33,f1,76,06,c2,e2,0f,1a,3f,34,ff,6a,73,09,6b,50,30,
72,9d,08,a2,db,54,82,15,61,ec,7f,1f,ec,4c,da,25,bb,d6,2d,37,c7,cc,90,af,60,\
"rkeysecu"=hex:f8,30,80,98,6d,08,94,c2,f1,a9,65,7c,88,de,1b,93
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(912)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\STacSV.exe
c:\windows\System32\TUProgSt.exe
c:\windows\system32\wscntfy.exe
c:\windows\sttray.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-01-16 21:02:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 13:02

Pre-Run: 109,825,318,912 bytes free
Post-Run: 109,937,676,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 5DDAE2B3635F366A0519C25CEF99928F
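The Gmer MBR-detector block in the log above is the part of this ComboFix output that actually points at the rootkit: `\Driver\atapi` is hooked to a bare address inside the module Gmer could not name (`>>UNKNOWN [0x8A22AB40]<<`), while the other hooks resolve into legitimate drivers. As an added illustration that is not part of this thread or of Gmer itself, the Python below triages a constructed copy of those lines in the same format and flags driver hooks that resolve to no named module or into the region labelled UNKNOWN; the sample text and function names are my own.

```python
import re

# Constructed sample in the format of Gmer's "Stealth MBR rootkit" section
# (addresses are illustrative; only the driver-object hook lines are triaged).
SAMPLE = """\
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A22AB40]<<
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xb810cfc3
\\Driver\\ACPI -> ACPI.sys @ 0xb7f59cb8
\\Driver\\atapi -> 0x8a22ab40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# "\Driver\<name> -> [<module> @ ]<hex address>"; the module part is optional,
# which is exactly the case that matters: a hook with no module behind it.
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+->\s+(?:(\S+)\s+@\s+)?(0x[0-9a-fA-F]+)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def triage(text: str) -> dict:
    """Summarise one Gmer MBR-detector section for a defender reading the log."""
    unknown = {int(a, 16) for a in UNKNOWN_RE.findall(text)}
    suspicious, warning, mbr_ok = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            driver, module, addr = m.group(1), m.group(2), int(m.group(3), 16)
            # Suspicious: the hook target is not attributed to any module, or it
            # lands on the address Gmer itself reported as UNKNOWN. A hook that
            # resolves into a named driver is not proof of cleanliness, only lower priority.
            if module is None or addr in unknown:
                suspicious.append((driver, hex(addr)))
        elif line.startswith("Warning:"):
            warning = True
        elif line == "user & kernel MBR OK":
            mbr_ok = True
    return {
        "unknown_modules": sorted(hex(a) for a in unknown),
        "suspicious_hooks": suspicious,
        "warning": warning,
        "mbr_ok": mbr_ok,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that "user & kernel MBR OK" and "hidden files: 0" from catchme do not clear the machine: the hook into an unnamed module is the finding, which is why the helper moves to a TDSS-specific tool.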

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 16 January 2010 - 10:09 AM

Hi

ComboFix does not seem to see the infection; please run TDSSKiller instead:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
