
Infected with Rootkit (H8SRT and TDSS)


  • This topic is locked
15 replies to this topic

#1 Malleus Maleficarum

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:20 PM

Posted 07 January 2010 - 11:07 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/284476/infected-with-rootkit-h8srtdsys-redirecting-search-engines/ ~ OB

Fake warnings are being displayed sometimes. "Symantec auto protect is disabled."
Occasional search engine redirects. A handful of different sites.
Two weeks ago I had the malware, "Malware Defense." This was obviously when all this started :|
I also believe that I'm infected with a Trojan that keeps downloading this nonsense onto my computer.
Help would be greatly appreciated. I will return the favor.


DDS LOG

DDS (Ver_09-12-01.01) - NTFSx86
Run by Keith at 21:35:07.25 on Thu 01/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.736 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Keith\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234503021218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234712277734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\h9zbmgz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\keith\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\keith\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\keith\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-1-4 1858144]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100107.006\naveng.sys [2010-1-7 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100107.006\navex15.sys [2010-1-7 1323568]
S3 cpuz130;cpuz130;\??\c:\docume~1\keith\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\keith\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2010-01-07 21:19:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:18:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 21:12:22 0 d--h--w- c:\windows\PIF
2010-01-07 00:44:21 400384 ------w- c:\windows\system32\drivers\alcxsens.sys
2010-01-07 00:44:18 1048 ------w- c:\windows\system32\drivers\alcxinit.dat
2010-01-06 23:54:50 44 ----a-w- c:\windows\system32\msssc.dll
2010-01-06 23:54:33 0 d-----w- C:\swsetup
2010-01-06 19:05:55 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-01-06 15:10:36 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-06 14:54:26 4122368 ----a-r- c:\windows\system32\drivers\ALCXWDM.SYS
2010-01-06 14:54:03 0 d-----w- c:\program files\Realtek AC97
2010-01-06 14:53:59 6964736 ----a-w- c:\windows\system32\RTLCPL.EXE
2010-01-06 14:53:59 141016 ----a-w- c:\windows\system32\ALSNDMGR.WAV
2010-01-06 14:53:56 65024 ----a-w- c:\windows\SOUNDMAN.EXE
2010-01-06 14:53:56 155648 ----a-w- c:\windows\system32\RTLCPAPI.dll
2010-01-06 14:53:56 14250496 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2010-01-06 14:53:55 217088 ----a-w- c:\windows\Alcrmv.exe
2010-01-06 14:53:55 208896 ------w- c:\windows\alcupd.exe
2010-01-06 00:35:51 0 d-----w- c:\program files\Bonjour
2010-01-05 20:03:39 0 d-----w- c:\windows\system32\NtmsData
2010-01-05 18:23:41 0 dc-h--w- c:\windows\ie8
2010-01-05 17:55:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-05 15:35:09 0 d-----w- c:\program files\ESET
2010-01-05 05:11:21 0 d-----w- C:\ISeeYouXP
2010-01-05 05:11:05 0 d-----w- c:\program files\CCleaner
2010-01-05 05:08:53 0 d-----w- c:\program files\a-squared HiJackFree
2010-01-05 03:25:03 0 d-----w- c:\windows\SxsCaPendDel
2010-01-05 03:05:45 0 d-----w- c:\program files\a-squared Free
2010-01-05 01:09:02 136 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-01-05 01:08:34 2136 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-05 00:48:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-01-05 00:46:59 0 d-----w- c:\program files\common files\iS3
2010-01-05 00:46:59 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-01-04 22:27:34 0 d-----w- c:\docume~1\keith\applic~1\runic games
2010-01-04 22:20:00 0 d-----w- c:\program files\Runic Games
2010-01-03 22:12:20 0 d-----w- c:\program files\common files\DivX Shared
2009-12-31 15:32:11 0 d-sh--w- c:\documents and settings\keith\PrivacIE
2009-12-31 15:29:50 0 d-sh--w- c:\documents and settings\keith\IETldCache
2009-12-31 07:00:04 0 d-----w- c:\windows\ie8updates
2009-12-31 06:54:39 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-31 06:54:39 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-31 06:54:14 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-29 23:00:17 0 d-----w- c:\program files\Lame for Audacity
2009-12-23 15:25:16 0 d-----w- c:\docume~1\keith\applic~1\Malwarebytes
2009-12-23 15:21:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-23 15:21:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 08:35:42 246 ----a-w- c:\windows\system32\srcr.dat
2009-12-22 18:51:39 27672 ----a-w- c:\windows\system32\drivers\Entech.sys
2009-12-22 18:51:39 0 d-----w- c:\windows\system32\Futuremark
2009-12-22 18:51:39 0 d-----w- c:\program files\common files\Futuremark Shared
2009-12-09 03:42:08 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-01-05 17:55:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 21:35:48.82 ===============

Edited by Orange Blossom, 08 January 2010 - 10:20 AM.




#2 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 14 January 2010 - 03:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


#3 Malleus Maleficarum
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:20 PM

Posted 16 January 2010 - 09:23 PM

Hey myrti. Thanks for responding to my cry for help. My problems/symptoms seem to keep changing. My Symantec seems to pick up some things and clean them, and not pick up the things that are causing the problems. I lost my audio, and my computer gets really slow at some random times, even when nothing's running. I think I lost my audio because I uninstalled this program called SoundMAX. It must have deleted my audio driver and sound mixer when it uninstalled. The problem is I can't reinstall the driver I need. The computer will just reboot. Symantec every 6 hours or so finds two trojans with the name H8STRD.

OTL:
OTL logfile created on: 1/16/2010 8:07:21 PM - Run 1
OTL by OldTimer - Version 3.1.25.1 Folder = C:\Documents and Settings\Keith\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 37.66 Gb Free Space | 50.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KEITHPC
Current User Name: Keith
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/15 20:30:30 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe
PRC - [2010/01/05 11:55:08 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/01/05 11:55:08 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/01 16:03:14 | 01,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/09 13:09:24 | 00,606,720 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/09/27 20:33:44 | 00,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/09/27 20:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 20:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/07/19 19:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 19:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/07/19 19:26:04 | 00,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/04/11 17:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2005/09/20 09:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/09/20 09:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe


========== Modules (SafeList) ==========

MOD - [2010/01/15 20:30:30 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Viewpoint Manager Service)
SRV - [2010/01/05 11:55:08 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/01 16:03:14 | 01,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2009/09/23 16:53:58 | 00,651,720 | ---- | M] (Macrovision Europe Ltd.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/09/27 20:33:38 | 00,116,464 | ---- | M] (symantec) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 20:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 20:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/02 16:36:33 | 02,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 16:03:02 | 00,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 19:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 19:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 17:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2005/10/28 06:41:52 | 00,491,520 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\dlcccoms.exe -- (dlcc_device)
SRV - [2003/03/09 20:31:02 | 00,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/12/14 08:59:54 | 01,323,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100116.005\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/12/14 08:59:54 | 00,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100116.005\NAVENG.SYS -- (NAVENG)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/08/27 02:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/27 02:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/11/06 10:37:28 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/09/24 10:40:22 | 04,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/20 11:05:02 | 00,027,672 | ---- | M] (EnTech Taiwan) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Entech.sys -- (ENTECH)
DRV - [2006/09/18 17:55:28 | 00,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 14:41:20 | 00,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 14:41:20 | 00,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/07 16:02:26 | 00,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 16:02:22 | 00,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/04/11 17:13:34 | 00,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/03/01 20:30:54 | 00,618,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2005/09/20 10:00:54 | 01,302,332 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/05/06 14:42:26 | 01,339,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2005/05/06 14:40:50 | 00,047,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2005/05/06 14:40:20 | 00,036,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2005/02/11 22:46:22 | 00,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/02/10 15:49:14 | 00,154,112 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2003/03/09 20:31:02 | 00,021,456 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 20:31:02 | 00,016,080 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 20:31:00 | 00,051,024 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 18:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
IE - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\S-1-5-21-1409082233-1960408961-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\S-1-5-21-1409082233-1960408961-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 17:32:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 17:32:16 | 00,000,000 | ---D | M]

[2009/03/04 12:30:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Extensions
[2009/03/04 12:30:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/01/16 16:03:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\h9zbmgz2.default\extensions
[2009/12/15 18:17:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Keith\Application Data\Mozilla\Firefox\Profiles\h9zbmgz2.default\extensions\personas@christopher.beard
[2010/01/16 16:03:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/23 12:10:39 | 00,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2007/04/16 11:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: (291839 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10050 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [nltide_3] C:\WINDOWS\System32\advpack.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1409082233-1960408961-1417001333-1004\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1234503021218 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1234712277734 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Keith\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 22:33:11 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/15 20:30:30 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe
[2010/01/07 21:37:13 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Keith\Desktop\RootRepeal.exe
[2010/01/07 15:19:01 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 15:18:58 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/07 15:12:22 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/01/06 18:44:21 | 00,400,384 | ---- | C] (Sensaura) -- C:\WINDOWS\System32\drivers\alcxsens.sys
[2010/01/06 17:54:33 | 00,000,000 | ---D | C] -- C:\swsetup
[2010/01/06 13:05:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/01/06 09:10:36 | 00,016,904 | ---- | C] (Kaspersky Lab, Parshin Yury) -- C:\WINDOWS\System32\drivers\KLMD.sys
[2010/01/06 08:54:26 | 04,122,368 | R--- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS
[2010/01/06 08:54:03 | 00,000,000 | ---D | C] -- C:\Program Files\Realtek AC97
[2010/01/06 08:53:56 | 14,250,496 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\ALSNDMGR.CPL
[2010/01/06 08:53:56 | 00,065,024 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
[2010/01/06 08:53:55 | 00,208,896 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\alcupd.exe
[2010/01/05 18:35:51 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/01/05 14:03:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/01/05 12:23:41 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/01/05 11:55:36 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/05 11:55:36 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/05 11:55:36 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/05 11:55:36 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/01/05 09:35:09 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/01/04 23:15:40 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Keith\Recent
[2010/01/04 23:11:21 | 00,000,000 | ---D | C] -- C:\ISeeYouXP
[2010/01/04 23:11:05 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/01/04 23:08:53 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared HiJackFree
[2010/01/04 21:25:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2010/01/04 21:05:45 | 03,995,456 | ---- | C] (Emsi Software GmbH) -- C:\Documents and Settings\Keith\Desktop\a2free.exe
[2010/01/04 21:05:45 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/01/04 21:05:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\My Documents\a-squared Free
[2010/01/04 18:48:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/01/04 18:46:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/01/04 18:46:59 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/01/04 18:43:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2010/01/04 18:43:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2010/01/04 16:27:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\runic games
[2010/01/04 16:20:00 | 00,000,000 | ---D | C] -- C:\Program Files\Runic Games
[2010/01/04 16:20:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Runic
[2010/01/03 21:08:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Local Settings\Application Data\Threat Expert
[2010/01/03 21:02:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/03 20:19:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Local Settings\Application Data\Deployment
[2010/01/03 16:12:20 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/01/01 22:33:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\My Documents\My Fragments
[2009/12/31 09:32:11 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Keith\PrivacIE
[2009/12/31 09:29:50 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Keith\IETldCache
[2009/12/31 01:00:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/12/31 00:16:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Desktop\Pictures
[2009/12/29 17:00:17 | 00,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2009/12/29 16:56:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\My Documents\lame-398-2
[2009/12/23 09:25:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Keith\Application Data\Malwarebytes
[2009/12/23 09:21:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/23 09:21:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/22 12:51:39 | 00,027,672 | ---- | C] (EnTech Taiwan) -- C:\WINDOWS\System32\drivers\Entech.sys
[2009/12/22 12:51:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Futuremark Shared
[2009/12/22 12:51:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Futuremark
[2009/08/04 10:59:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/07/23 02:00:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/03/13 09:39:26 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/02/25 21:08:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/19 19:24:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/02/14 13:17:27 | 00,638,976 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpmui.dll
[2009/02/14 13:17:25 | 01,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccusb1.dll
[2009/02/14 13:17:25 | 00,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcclmpm.dll
[2009/02/14 13:17:25 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomm.dll
[2009/02/14 13:17:25 | 00,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpplc.dll
[2009/02/14 13:17:24 | 00,774,144 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcchbn3.dll
[2009/02/14 13:17:24 | 00,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomc.dll
[2009/02/14 13:17:24 | 00,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccprox.dll
[2009/02/14 13:17:23 | 01,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccserv.dll
[2009/02/12 22:33:09 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\Keith\My Documents\*.tmp files -> C:\Documents and Settings\Keith\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/16 19:05:36 | 00,099,463 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\native.png
[2010/01/16 19:05:35 | 08,126,464 | -H-- | M] () -- C:\Documents and Settings\Keith\NTUSER.DAT
[2010/01/15 20:30:30 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keith\Desktop\OTL.exe
[2010/01/13 21:08:04 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/12 18:21:59 | 00,020,523 | ---- | M] () -- C:\Documents and Settings\Keith\My Documents\AP Euro Ch.22 packet.docx
[2010/01/12 15:47:56 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/12 15:32:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/12 15:31:56 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/12 15:30:57 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Keith\ntuser.ini
[2010/01/12 15:30:50 | 04,302,826 | -H-- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\IconCache.db
[2010/01/12 15:25:00 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/10 20:54:32 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/10 17:14:56 | 00,010,096 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Ads.docx
[2010/01/10 17:14:41 | 00,002,515 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Microsoft Office Word 2007.lnk
[2010/01/10 02:09:00 | 00,000,354 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/01/08 11:09:37 | 00,002,193 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2010/01/07 21:37:19 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\settings.dat
[2010/01/07 21:37:14 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Keith\Desktop\RootRepeal.exe
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/07 15:19:04 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 17:54:50 | 00,000,044 | ---- | M] () -- C:\WINDOWS\System32\msssc.dll
[2010/01/06 17:32:20 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/01/06 09:10:36 | 00,016,904 | ---- | M] (Kaspersky Lab, Parshin Yury) -- C:\WINDOWS\System32\drivers\KLMD.sys
[2010/01/05 18:30:54 | 00,066,928 | ---- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/01/05 14:14:38 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\nwrogtud.exe
[2010/01/05 14:09:03 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\dds.scr
[2010/01/05 13:54:13 | 00,000,688 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/05 13:54:13 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/05 13:54:13 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2010/01/05 11:55:08 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/05 11:55:08 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/05 11:55:08 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/05 11:55:08 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/01/05 11:55:07 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/05 06:39:38 | 00,019,019 | ---- | M] () -- C:\Documents and Settings\Keith\My Documents\Swamp Nurse draft.docx
[2010/01/05 06:33:46 | 00,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/01/04 23:17:11 | 00,064,188 | ---- | M] () -- C:\Documents and Settings\Keith\My Documents\cc_20100104_231655.reg
[2010/01/04 20:03:12 | 00,002,136 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/01/04 19:09:02 | 00,000,136 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2010/01/03 21:58:51 | 00,002,549 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Microsoft Office Excel 2007.lnk
[2010/01/03 21:58:51 | 00,002,539 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Microsoft Office PowerPoint 2007.lnk
[2010/01/03 16:43:01 | 00,087,552 | ---- | M] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/03 16:13:35 | 00,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2010/01/02 14:09:12 | 03,995,456 | ---- | M] (Emsi Software GmbH) -- C:\Documents and Settings\Keith\Desktop\a2free.exe
[2009/12/29 15:20:20 | 00,010,524 | ---- | M] () -- C:\Documents and Settings\Keith\Desktop\Stufffffff.docx
[2009/12/28 10:08:05 | 00,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2009/12/23 02:34:41 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\Keith\My Documents\*.tmp files -> C:\Documents and Settings\Keith\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/16 19:05:35 | 00,099,463 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\native.png
[2010/01/12 18:21:58 | 00,020,523 | ---- | C] () -- C:\Documents and Settings\Keith\My Documents\AP Euro Ch.22 packet.docx
[2010/01/10 17:14:55 | 00,010,096 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\Ads.docx
[2010/01/07 21:37:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\settings.dat
[2010/01/07 15:19:04 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/06 18:44:18 | 00,001,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat
[2010/01/06 17:54:50 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2010/01/06 08:53:59 | 06,964,736 | ---- | C] () -- C:\WINDOWS\System32\RTLCPL.EXE
[2010/01/06 08:53:59 | 00,141,016 | ---- | C] () -- C:\WINDOWS\System32\ALSNDMGR.WAV
[2010/01/06 08:53:56 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2010/01/06 08:53:55 | 00,217,088 | ---- | C] () -- C:\WINDOWS\Alcrmv.exe
[2010/01/06 08:47:54 | 00,000,354 | ---- | C] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/01/05 14:14:37 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\nwrogtud.exe
[2010/01/05 14:08:57 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\dds.scr
[2010/01/05 11:53:34 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/01/05 03:00:44 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/01/04 23:16:59 | 00,064,188 | ---- | C] () -- C:\Documents and Settings\Keith\My Documents\cc_20100104_231655.reg
[2010/01/04 19:09:02 | 00,000,136 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2010/01/04 19:08:34 | 00,002,136 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/01/03 22:23:12 | 00,019,019 | ---- | C] () -- C:\Documents and Settings\Keith\My Documents\Swamp Nurse draft.docx
[2010/01/03 16:13:35 | 00,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2009/12/29 15:20:20 | 00,010,524 | ---- | C] () -- C:\Documents and Settings\Keith\Desktop\Stufffffff.docx
[2009/12/23 02:34:41 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009/08/29 11:27:54 | 00,000,228 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/07/21 10:19:44 | 00,002,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/07/20 20:28:49 | 00,139,152 | ---- | C] () -- C:\Documents and Settings\Keith\Application Data\PnkBstrK.sys
[2009/03/02 19:54:02 | 00,087,552 | ---- | C] () -- C:\Documents and Settings\Keith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/19 18:51:26 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/02/14 13:17:27 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2009/02/14 13:17:27 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2009/02/14 13:17:26 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2009/02/14 13:17:22 | 00,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2009/02/14 13:17:22 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2009/02/14 13:17:22 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2009/02/14 13:17:19 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2009/02/14 13:17:19 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2009/02/14 13:17:18 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2009/02/14 10:58:59 | 00,002,528 | ---- | C] () -- C:\WINDOWS\FCIC.INI
[2009/02/13 09:35:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/02/12 23:05:13 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/01/22 02:24:50 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2005/04/01 11:44:16 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcccnv4.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


EXTRAS:
OTL Extras logfile created on: 1/16/2010 8:07:21 PM - Run 1
OTL by OldTimer - Version 3.1.25.1 Folder = C:\Documents and Settings\Keith\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 37.66 Gb Free Space | 50.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KEITHPC
Current User Name: Keith
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1409082233-1960408961-1417001333-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"57307:TCP" = 57307:TCP:*:Enabled:Pando Media Booster
"57307:UDP" = 57307:UDP:*:Enabled:Pando Media Booster
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"57307:TCP" = 57307:TCP:*:Enabled:Pando Media Booster
"57307:UDP" = 57307:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- File not found
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe" = C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe:LocalSubNet:Enabled:Ad-Aware -- File not found
"C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe" = C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe:*:Enabled:artpschd -- File not found
"C:\Documents and Settings\Keith\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" = C:\Documents and Settings\Keith\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe:*:Enabled:Main program for Octoshape client -- (Octoshape ApS)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Disabled:Blizzard Launcher -- File not found
"C:\Program Files\World of Warcraft Public Test\Launcher.exe" = C:\Program Files\World of Warcraft Public Test\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- File not found
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- File not found
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe -- File not found
"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe -- File not found
"C:\Nexon\Combat Arms\NMService.exe" = C:\Nexon\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core -- File not found
"C:\Program Files\Steam\steamapps\keiththornton_hotmail\counter-strike\hl.exe" = C:\Program Files\Steam\steamapps\keiththornton_hotmail\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{5B35C417-2649-11D6-83D1-0050FC01225C}" = FirstClass® Client
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{82DFB852-9594-4668-9C66-28BB6E94BCB2}" = hp psc 2100 series
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}_920" = Adobe Acrobat 9.2.0 - CPSID_50026
"{AC76BA86-1033-F400-7760-000000000004}{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCA37CD2-7BA4-4A5A-8979-B64EA712F4CB}" = TortoiseSVN 1.6.2.16344 (32 bit)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_6" = AIM 6
"a-squared Free_is1" = a-squared Free 4.5
"a-squared HiJackFree_is1" = a-squared HiJackFree 3.1
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.9 (Unicode)
"CCleaner" = CCleaner
"Dell Photo AIO Printer 924" = Dell Photo AIO Printer 924
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"HP PSC 2100 Series" = HP Photo and Imaging 2.0 - hp psc 2100 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel® PRO Network Adapters and Drivers
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1409082233-1960408961-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320
"Move Media Player" = Move Media Player
"Octoshape Streaming Services" = Octoshape Streaming Services
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/8/2010 1:56:50 PM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: EICAR Test String in File: C:\Documents
and Settings\Keith\Desktop\fakevirus.exe by: Auto-Protect scan. Action: Cleaned
by Deletion. Action Description:

Error - 1/8/2010 1:56:50 PM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: EICAR Test String in File: C:\Documents and Settings\Keith\Desktop\fakevirus.exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Error - 1/8/2010 1:56:50 PM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: EICAR Test String in File: C:\Documents
and Settings\Keith\Desktop\fakevirus.exe by: Auto-Protect scan. Action: Cleaned
by Deletion. Action Description:

Error - 1/11/2010 1:57:31 AM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Process Action Taken: Blocked Actor
Process: C:\WINDOWS\system32\taskmgr.exe (PID 3948) Time: Sunday, January 10, 2010
11:57:31 PM

Error - 1/11/2010 11:23:48 AM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Trojan.Vundo in File: Unavailable by: Invalid
: (15) scan. Action: Delete failed. Action Description: The file was left unchanged.



Error - 1/11/2010 11:23:52 AM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Trojan.Vundo in File: Unavailable by: Invalid
: (15) scan. Action: Delete failed : Leave Alone failed. Action Description:


Error - 1/11/2010 11:24:24 AM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\DoScan.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\WINDOWS\system32\taskmgr.exe (PID 4060) Time: Monday, January 11, 2010 9:24:24
AM

Error - 1/11/2010 11:24:39 AM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Process Action Taken: Blocked Actor
Process: C:\WINDOWS\system32\taskmgr.exe (PID 4060) Time: Monday, January 11, 2010
9:24:39 AM

Error - 1/11/2010 9:26:28 PM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Process Action Taken: Blocked Actor
Process: C:\WINDOWS\system32\taskmgr.exe (PID 4060) Time: Monday, January 11, 2010
7:26:28 PM

Error - 1/11/2010 9:26:45 PM | Computer Name = KEITHPC | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\Rtvscan.exe Event Info: Terminate Process Action Taken: Blocked Actor
Process: C:\WINDOWS\system32\taskmgr.exe (PID 4060) Time: Monday, January 11, 2010
7:26:45 PM

[ System Events ]
Error - 1/6/2010 3:23:42 PM | Computer Name = KEITHPC | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 af6a946d, parameter3
f78d6a74, parameter4 f78d6770.

Error - 1/6/2010 3:23:44 PM | Computer Name = KEITHPC | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 b081a46d, parameter3
f78d2a74, parameter4 f78d2770.

Error - 1/6/2010 3:30:23 PM | Computer Name = KEITHPC | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error
2147749155 (0x80040D23).

Error - 1/6/2010 8:02:52 PM | Computer Name = KEITHPC | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 b058546d, parameter3
f78c2a74, parameter4 f78c2770.

Error - 1/6/2010 8:03:07 PM | Computer Name = KEITHPC | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 afdd546d, parameter3
f78cea74, parameter4 f78ce770.

Error - 1/6/2010 8:31:51 PM | Computer Name = KEITHPC | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 aff7546d, parameter3
f78cea74, parameter4 f78ce770.

Error - 1/6/2010 8:56:53 PM | Computer Name = KEITHPC | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 b038746d, parameter3
f78c6a74, parameter4 f78c6770.

Error - 1/7/2010 6:36:24 PM | Computer Name = KEITHPC | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 b004846d, parameter3
f78c6a74, parameter4 f78c6770.

Error - 1/11/2010 9:26:39 PM | Computer Name = KEITHPC | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 1/14/2010 5:33:39 PM | Computer Name = KEITHPC | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
DONNYLAPTOP that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{4F1E5527-58E0-48. The master browser is stopping or an election is
being forced.


< End of report >


Thank you for taking your time to help me.

#4 myrti


Posted 16 January 2010 - 09:33 PM

Hi,

please provide a log from gmer as well:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 Malleus Maleficarum


Posted 17 January 2010 - 01:07 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 10:10:45
Windows 5.1.2600 Service Pack 3
Running: nwrogtud.exe; Driver: C:\DOCUME~1\Keith\LOCALS~1\Temp\fxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT 8963AD18 ZwAlertResumeThread
SSDT 8963AE90 ZwAlertThread
SSDT 8970A8C8 ZwAllocateVirtualMemory
SSDT 89819948 ZwConnectPort
SSDT 89633BB0 ZwCreateMutant
SSDT 8965E8E8 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB1E92350]
SSDT 8963BBA0 ZwFreeVirtualMemory
SSDT 896340E8 ZwImpersonateAnonymousToken
SSDT 8963ABA0 ZwImpersonateThread
SSDT 8980C190 ZwMapViewOfSection
SSDT 89633A38 ZwOpenEvent
SSDT 8963BD10 ZwOpenProcessToken
SSDT 8963B6F8 ZwOpenThreadToken
SSDT 89720DD8 ZwQueryValueKey
SSDT 8963C9F0 ZwResumeThread
SSDT 8963B560 ZwSetContextThread
SSDT 8963B880 ZwSetInformationProcess
SSDT 8963B3C8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB1E92580]
SSDT 89633960 ZwSuspendProcess
SSDT 8963A008 ZwSuspendThread
SSDT 8963BE90 ZwTerminateProcess
SSDT 8963B240 ZwTerminateThread
SSDT 8963BA18 ZwUnmapViewOfSection
SSDT 89709F30 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 120 804E277C 4 Bytes CALL 65D78D69
.text ntoskrnl.exe!_abnormal_termination + 151 804E27AD 3 Bytes JMP D8195863
.text ntoskrnl.exe!_abnormal_termination + 1B0 804E280C 4 Bytes CALL D4D78B51
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77AA720]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[236] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\a-squared Free\a2service.exe[1068] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\sysaudio \Device\sysaudio B153D0F7

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----


#6 myrti


Posted 17 January 2010 - 01:28 PM

Hi,

please run ComboFix next:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What happens when you try to reinstall the sound driver? What error message do you get?

regards myrti



#7 Malleus Maleficarum


Posted 17 January 2010 - 08:02 PM

ComboFix 10-01-16.04 - Keith 01/17/2010 18:49:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.834 [GMT -6:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-08 21:09 . 2010-01-08 10:50 780288 ----a-w- c:\documents and settings\Keith\Application Data\Octoshape\Octoshape Streaming Services\pmv306a-1001080-0-libOctoshapeClient.dll
2010-01-08 17:57 . 2010-01-08 17:57 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-01-08 16:10 . 2010-01-08 16:10 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 03:37 . 2010-01-08 03:37 0 ----a-w- c:\windows\system32\settings.dat
2010-01-07 21:19 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:18 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 21:12 . 2010-01-07 21:12 -------- d--h--w- c:\windows\PIF
2010-01-07 03:08 . 2010-01-07 03:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-07 02:00 . 2010-01-07 02:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-07 00:44 . 2004-02-25 01:08 400384 ------w- c:\windows\system32\drivers\alcxsens.sys
2010-01-07 00:44 . 2004-03-05 11:30 1048 ------w- c:\windows\system32\drivers\alcxinit.dat
2010-01-06 23:54 . 2010-01-06 23:54 -------- d-----w- C:\swsetup
2010-01-06 19:05 . 2010-01-06 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-01-06 15:10 . 2010-01-06 15:10 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-06 14:54 . 2008-09-24 16:40 4122368 ----a-r- c:\windows\system32\drivers\ALCXWDM.SYS
2010-01-06 14:54 . 2010-01-06 14:57 -------- d-----w- c:\program files\Realtek AC97
2010-01-06 14:53 . 2004-03-20 09:28 6964736 ----a-w- c:\windows\system32\RTLCPL.EXE
2010-01-06 14:53 . 2004-02-27 06:53 65024 ----a-w- c:\windows\SOUNDMAN.EXE
2010-01-06 14:53 . 2004-02-10 05:18 155648 ----a-w- c:\windows\system32\RTLCPAPI.dll
2010-01-06 14:53 . 2006-07-31 17:27 217088 ----a-w- c:\windows\Alcrmv.exe
2010-01-06 14:53 . 2004-02-28 08:14 208896 ------w- c:\windows\alcupd.exe
2010-01-06 00:35 . 2010-01-06 00:35 -------- d-----w- c:\program files\Bonjour
2010-01-05 20:03 . 2010-01-05 20:06 -------- d-----w- c:\windows\system32\NtmsData
2010-01-05 18:23 . 2010-01-05 18:24 -------- dc-h--w- c:\windows\ie8
2010-01-05 17:54 . 2010-01-05 17:54 152576 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-05 17:54 . 2010-01-05 17:54 79488 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 15:35 . 2010-01-05 15:35 -------- d-----w- c:\program files\ESET
2010-01-05 05:11 . 2010-01-05 05:11 -------- d-----w- C:\ISeeYouXP
2010-01-05 05:11 . 2010-01-05 05:11 -------- d-----w- c:\program files\CCleaner
2010-01-05 05:08 . 2010-01-05 05:09 -------- d-----w- c:\program files\a-squared HiJackFree
2010-01-05 03:25 . 2010-01-05 12:33 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-05 03:05 . 2010-01-06 02:31 -------- d-----w- c:\program files\a-squared Free
2010-01-05 00:48 . 2010-01-05 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-05 00:46 . 2010-01-05 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-01-05 00:46 . 2010-01-05 00:46 -------- d-----w- c:\program files\Common Files\iS3
2010-01-05 00:43 . 2010-01-05 00:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2010-01-04 22:27 . 2010-01-04 22:38 -------- d-----w- c:\documents and settings\Keith\Application Data\runic games
2010-01-04 22:20 . 2010-01-04 22:38 -------- d-----w- c:\program files\Runic Games
2010-01-04 03:08 . 2010-01-04 03:08 -------- d-----w- c:\documents and settings\Keith\Local Settings\Application Data\Threat Expert
2010-01-04 03:02 . 2010-01-05 03:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-04 02:19 . 2010-01-04 02:25 -------- d-----w- c:\documents and settings\Keith\Local Settings\Application Data\Deployment
2010-01-03 22:12 . 2010-01-03 22:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-03 21:44 . 2010-01-03 21:44 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-31 15:32 . 2009-12-31 15:32 -------- d-sh--w- c:\documents and settings\Keith\PrivacIE
2009-12-31 15:32 . 2009-12-31 15:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-31 15:29 . 2009-12-31 15:29 -------- d-sh--w- c:\documents and settings\Keith\IETldCache
2009-12-31 07:00 . 2010-01-06 09:00 -------- d-----w- c:\windows\ie8updates
2009-12-31 06:54 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-31 06:54 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-31 06:54 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-29 23:00 . 2009-12-29 23:00 -------- d-----w- c:\program files\Lame for Audacity
2009-12-23 15:25 . 2010-01-07 21:19 -------- d-----w- c:\documents and settings\Keith\Application Data\Malwarebytes
2009-12-23 15:21 . 2010-01-07 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-23 15:21 . 2010-01-08 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 18:51 . 2009-12-22 18:51 -------- d-----w- c:\windows\system32\Futuremark
2009-12-22 18:51 . 2009-12-22 18:51 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-12-22 18:51 . 2007-08-20 17:05 27672 ----a-w- c:\windows\system32\drivers\Entech.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 00:45 . 2009-02-13 15:25 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-12 21:26 . 2009-02-13 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-10 15:14 . 2009-02-14 16:26 -------- d-----w- c:\program files\Steam
2010-01-09 16:02 . 2009-02-14 16:25 -------- d-----w- c:\documents and settings\Keith\Application Data\uTorrent
2010-01-06 14:53 . 2009-02-13 05:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-06 00:53 . 2009-09-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-06 00:30 . 2009-02-17 12:18 66928 ----a-w- c:\documents and settings\Keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 17:55 . 2009-03-03 04:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 17:51 . 2009-03-07 20:31 -------- d-----w- c:\program files\DivX
2010-01-05 17:50 . 2009-02-15 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-05 05:38 . 2009-02-13 14:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-05 02:03 . 2010-01-05 01:08 2136 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-05 01:09 . 2010-01-05 01:09 136 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-01-04 02:41 . 2009-03-04 18:30 -------- d-----w- c:\documents and settings\Keith\Application Data\LimeWire
2010-01-04 01:02 . 2009-09-23 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-03 21:45 . 2009-09-23 21:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-02 04:57 . 2009-11-11 19:27 -------- d-----w- c:\documents and settings\Keith\Application Data\Audacity
2009-12-31 06:50 . 2009-03-03 04:05 -------- d-----w- c:\program files\Java
2009-11-25 03:42 . 2009-11-25 03:39 -------- d-----w- c:\program files\iTunes
2009-11-25 03:39 . 2009-11-25 03:39 -------- d-----w- c:\program files\iPod
2009-11-25 03:39 . 2009-02-14 16:38 -------- d-----w- c:\program files\Common Files\Apple
2009-11-25 03:32 . 2009-11-25 03:31 -------- d-----w- c:\program files\QuickTime
2009-11-25 03:24 . 2009-11-25 03:24 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2008-04-14 10:41 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2009-09-23 21:43 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:45 . 2008-04-14 10:42 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-24 13:15 . 2009-08-14 07:16 126970 ----a-w- c:\documents and settings\Keith\Application Data\Move Networks\uninstall.exe
2009-10-24 13:15 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Keith\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-24 13:15 . 2009-10-24 13:15 1407680 ----a-w- c:\documents and settings\Keith\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-21 05:38 . 2008-04-14 10:42 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 10:41 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 05:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

------- Sigcheck -------


[-] 2008-08-15 . 9835B339826E0B5423F3CCF5DC774756 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 04:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 09:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-07-09 20:07 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SavRoam"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Keith\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\keiththornton_hotmail\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57307:TCP"= 57307:TCP:Pando Media Booster
"57307:UDP"= 57307:UDP:Pando Media Booster

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [1/4/2010 9:05 PM 1858144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 7:04 PM 102448]
S3 cpuz130;cpuz130;\??\c:\docume~1\Keith\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Keith\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - fxtdqpow
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-10-08 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4251643939.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\h9zbmgz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Keith\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Keith\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Keith\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
MSConfigStartUp-SoundMAXPnP - c:\program files\Analog Devices\Core\smax4pnp.exe
AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - c:\documents and settings\Keith\Local Settings\Application Data\{EE3F443B-183B-4764-9F63-0CB18736ED34}\NBCDirectInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-17 18:58:09
ComboFix-quarantined-files.txt 2010-01-18 00:57

Pre-Run: 40,557,842,432 bytes free
Post-Run: 40,716,689,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 00426343D27B5B904050D531B3CE34F8


I don't even get an error message. The driver I try to install is Realtek AC97 Audio. Right when it's about to finish installing, the computer will just reboot. I tried to system restore, and the system restore will work until the computer reboots and Windows will say that the system restore could not be completed. It doesn't give a reason.

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 17 January 2010 - 08:34 PM

Hi,

please run TFC:
Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

And the following script with ComboFix:
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
MIA::
c:\windows\System32\wscntfy.exe
Driver::
cpuz130


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Do you see a blue screen flash when you reboot during the reinstall of your audio driver? Do you have your Windows CD close by? We may need it.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


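The CFScript above was written by hand from two lines of the posted log: the Sigcheck entry reporting wscntfy.exe as missing, and the cpuz130 driver whose image sits in a user's Temp folder and could not be found. As an added example (not part of this thread and not ComboFix's own code), the script below extracts those findings from a ComboFix log excerpt and emits the equivalent MIA::/Driver:: script; the regexes, the "under a Temp folder" rule and the findings layout are this example's own assumptions, and the sample log lines are excerpted from the log posted above.

```python
import re
from typing import Dict, List

# Excerpt of the ComboFix log posted above: the Sigcheck block, the service
# list and the in-memory drivers block (only these lines are needed here).
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2008-08-15 . 9835B339826E0B5423F3CCF5DC774756 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [1/4/2010 9:05 PM 1858144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 7:04 PM 102448]
S3 cpuz130;cpuz130;\??\c:\docume~1\Keith\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Keith\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - fxtdqpow
"""

# Sigcheck line for a system file ComboFix could not find on disk.
MISSING_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \.\.\. is missing !!\s*$", re.I | re.M)
# Service/driver line: "<start> <name>;<display>;<image>[ --> <resolved>] [<info>]".
# '<info>' is a timestamp and size when the file exists, or '?' when it does not.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]\s*$",
    re.M,
)
# Driver present in memory but without a registry entry.
DEREG_RE = re.compile(r"^\*Deregistered\* - (?P<name>\S+)\s*$", re.M)
# Assumption used here: a driver whose image lives under any Temp folder is
# not something a legitimate install leaves behind.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)


def analyze_log(text: str) -> Dict[str, List[str]]:
    """Collect the log lines a helper would act on, keyed by finding type."""
    findings: Dict[str, List[str]] = {
        "missing": [],       # Sigcheck: system file absent        -> MIA::
        "temp_drivers": [],  # service image under a Temp folder    -> Driver::
        "unresolved": [],    # image file not found ('[?]'), review by hand
        "deregistered": [],  # in memory, no registry entry, review by hand
    }
    for m in MISSING_RE.finditer(text):
        findings["missing"].append(m.group("path"))
    for m in SERVICE_RE.finditer(text):
        path = m.group("resolved") or m.group("image")
        if TEMP_DIR_RE.search(path):
            findings["temp_drivers"].append(m.group("name"))
        if m.group("info").strip() == "?":
            findings["unresolved"].append(m.group("name"))
    for m in DEREG_RE.finditer(text):
        findings["deregistered"].append(m.group("name"))
    return findings


def build_cfscript(findings: Dict[str, List[str]]) -> str:
    """Emit the MIA:: and Driver:: sections in the layout the helper used."""
    lines: List[str] = []
    if findings["missing"]:
        lines.append("MIA::")
        lines.extend(findings["missing"])
    if findings["temp_drivers"]:
        lines.append("Driver::")
        lines.extend(findings["temp_drivers"])
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    print(build_cfscript(found), end="")
    # Items that need a human decision rather than an automatic script line.
    print("# unresolved:", ", ".join(found["unresolved"]))
    print("# deregistered:", ", ".join(found["deregistered"]))
```

The unresolved and deregistered lists are printed as comments only: the Viewpoint service is merely uninstalled, while the deregistered fxtdqpow driver is what the helper would look at next, so neither belongs in the script automatically.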

#9 Malleus Maleficarum

Malleus Maleficarum
  • Topic Starter

  • Members
  • 19 posts
  • Local time:12:20 PM

Posted 18 January 2010 - 09:23 AM

ComboFix 10-01-17.02 - Keith 01/18/2010 8:02.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.963 [GMT -6:00]
Running from: c:\documents and settings\Keith\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Keith\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-08 21:09 . 2010-01-08 10:50 780288 ----a-w- c:\documents and settings\Keith\Application Data\Octoshape\Octoshape Streaming Services\pmv306a-1001080-0-libOctoshapeClient.dll
2010-01-08 17:57 . 2010-01-08 17:57 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-01-08 16:10 . 2010-01-08 16:10 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 03:37 . 2010-01-08 03:37 0 ----a-w- c:\windows\system32\settings.dat
2010-01-07 21:19 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:18 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 21:12 . 2010-01-07 21:12 -------- d--h--w- c:\windows\PIF
2010-01-07 03:08 . 2010-01-07 03:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-07 02:00 . 2010-01-07 02:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-07 00:44 . 2004-02-25 01:08 400384 ------w- c:\windows\system32\drivers\alcxsens.sys
2010-01-07 00:44 . 2004-03-05 11:30 1048 ------w- c:\windows\system32\drivers\alcxinit.dat
2010-01-06 23:54 . 2010-01-06 23:54 -------- d-----w- C:\swsetup
2010-01-06 19:05 . 2010-01-06 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-01-06 15:10 . 2010-01-06 15:10 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2010-01-06 14:54 . 2008-09-24 16:40 4122368 ----a-r- c:\windows\system32\drivers\ALCXWDM.SYS
2010-01-06 14:54 . 2010-01-06 14:57 -------- d-----w- c:\program files\Realtek AC97
2010-01-06 14:53 . 2004-03-20 09:28 6964736 ----a-w- c:\windows\system32\RTLCPL.EXE
2010-01-06 14:53 . 2004-02-27 06:53 65024 ----a-w- c:\windows\SOUNDMAN.EXE
2010-01-06 14:53 . 2004-02-10 05:18 155648 ----a-w- c:\windows\system32\RTLCPAPI.dll
2010-01-06 14:53 . 2006-07-31 17:27 217088 ----a-w- c:\windows\Alcrmv.exe
2010-01-06 14:53 . 2004-02-28 08:14 208896 ------w- c:\windows\alcupd.exe
2010-01-06 00:35 . 2010-01-06 00:35 -------- d-----w- c:\program files\Bonjour
2010-01-05 20:03 . 2010-01-05 20:06 -------- d-----w- c:\windows\system32\NtmsData
2010-01-05 18:23 . 2010-01-05 18:24 -------- dc-h--w- c:\windows\ie8
2010-01-05 17:54 . 2010-01-05 17:54 152576 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-05 17:54 . 2010-01-05 17:54 79488 ----a-w- c:\documents and settings\Keith\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 15:35 . 2010-01-05 15:35 -------- d-----w- c:\program files\ESET
2010-01-05 05:11 . 2010-01-05 05:11 -------- d-----w- C:\ISeeYouXP
2010-01-05 05:11 . 2010-01-05 05:11 -------- d-----w- c:\program files\CCleaner
2010-01-05 05:08 . 2010-01-05 05:09 -------- d-----w- c:\program files\a-squared HiJackFree
2010-01-05 03:25 . 2010-01-05 12:33 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-05 03:05 . 2010-01-06 02:31 -------- d-----w- c:\program files\a-squared Free
2010-01-05 00:48 . 2010-01-05 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-05 00:46 . 2010-01-05 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-01-05 00:46 . 2010-01-05 00:46 -------- d-----w- c:\program files\Common Files\iS3
2010-01-05 00:43 . 2010-01-05 00:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2010-01-04 22:27 . 2010-01-04 22:38 -------- d-----w- c:\documents and settings\Keith\Application Data\runic games
2010-01-04 22:20 . 2010-01-04 22:38 -------- d-----w- c:\program files\Runic Games
2010-01-04 03:08 . 2010-01-04 03:08 -------- d-----w- c:\documents and settings\Keith\Local Settings\Application Data\Threat Expert
2010-01-04 03:02 . 2010-01-05 03:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-04 02:19 . 2010-01-04 02:25 -------- d-----w- c:\documents and settings\Keith\Local Settings\Application Data\Deployment
2010-01-03 22:12 . 2010-01-03 22:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-03 21:44 . 2010-01-03 21:44 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-31 15:32 . 2009-12-31 15:32 -------- d-sh--w- c:\documents and settings\Keith\PrivacIE
2009-12-31 15:32 . 2009-12-31 15:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-31 15:29 . 2009-12-31 15:29 -------- d-sh--w- c:\documents and settings\Keith\IETldCache
2009-12-31 07:00 . 2010-01-06 09:00 -------- d-----w- c:\windows\ie8updates
2009-12-31 06:54 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-31 06:54 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-31 06:54 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-29 23:00 . 2009-12-29 23:00 -------- d-----w- c:\program files\Lame for Audacity
2009-12-23 15:25 . 2010-01-07 21:19 -------- d-----w- c:\documents and settings\Keith\Application Data\Malwarebytes
2009-12-23 15:21 . 2010-01-07 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-23 15:21 . 2010-01-08 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 18:51 . 2009-12-22 18:51 -------- d-----w- c:\windows\system32\Futuremark
2009-12-22 18:51 . 2009-12-22 18:51 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-12-22 18:51 . 2007-08-20 17:05 27672 ----a-w- c:\windows\system32\drivers\Entech.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 14:01 . 2009-02-13 15:25 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-12 21:26 . 2009-02-13 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-10 15:14 . 2009-02-14 16:26 -------- d-----w- c:\program files\Steam
2010-01-09 16:02 . 2009-02-14 16:25 -------- d-----w- c:\documents and settings\Keith\Application Data\uTorrent
2010-01-06 14:53 . 2009-02-13 05:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-06 00:53 . 2009-09-23 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-06 00:30 . 2009-02-17 12:18 66928 ----a-w- c:\documents and settings\Keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-05 17:55 . 2009-03-03 04:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 17:51 . 2009-03-07 20:31 -------- d-----w- c:\program files\DivX
2010-01-05 17:50 . 2009-02-15 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-05 05:38 . 2009-02-13 14:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-05 02:03 . 2010-01-05 01:08 2136 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-05 01:09 . 2010-01-05 01:09 136 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-01-04 02:41 . 2009-03-04 18:30 -------- d-----w- c:\documents and settings\Keith\Application Data\LimeWire
2010-01-04 01:02 . 2009-09-23 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-03 21:45 . 2009-09-23 21:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-02 04:57 . 2009-11-11 19:27 -------- d-----w- c:\documents and settings\Keith\Application Data\Audacity
2009-12-31 06:50 . 2009-03-03 04:05 -------- d-----w- c:\program files\Java
2009-11-25 03:42 . 2009-11-25 03:39 -------- d-----w- c:\program files\iTunes
2009-11-25 03:39 . 2009-11-25 03:39 -------- d-----w- c:\program files\iPod
2009-11-25 03:39 . 2009-02-14 16:38 -------- d-----w- c:\program files\Common Files\Apple
2009-11-25 03:32 . 2009-11-25 03:31 -------- d-----w- c:\program files\QuickTime
2009-11-25 03:24 . 2009-11-25 03:24 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2008-04-14 10:41 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2009-09-23 21:43 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:45 . 2008-04-14 10:42 916480 ------w- c:\windows\system32\wininet.dll
2009-10-24 13:15 . 2009-08-14 07:16 126970 ----a-w- c:\documents and settings\Keith\Application Data\Move Networks\uninstall.exe
2009-10-24 13:15 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Keith\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-24 13:15 . 2009-10-24 13:15 1407680 ----a-w- c:\documents and settings\Keith\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-21 05:38 . 2008-04-14 10:42 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 10:41 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 05:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

------- Sigcheck -------


[-] 2008-08-15 . 9835B339826E0B5423F3CCF5DC774756 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-01-18_00.54.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-18 13:51 . 2010-01-18 13:51 16384 c:\windows\Temp\Perflib_Perfdata_1a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-05 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 04:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 09:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-07-09 20:07 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SavRoam"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Keith\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Steam\\steamapps\\keiththornton_hotmail\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57307:TCP"= 57307:TCP:Pando Media Booster
"57307:UDP"= 57307:UDP:Pando Media Booster

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [1/4/2010 9:05 PM 1858144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 7:04 PM 102448]
S3 cpuz130;cpuz130;\??\c:\docume~1\Keith\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Keith\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-10-08 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4251643939.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Keith\Application Data\Mozilla\Firefox\Profiles\h9zbmgz2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Keith\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Keith\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Keith\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 08:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-18 08:14:53
ComboFix-quarantined-files.txt 2010-01-18 14:14
ComboFix2.txt 2010-01-18 00:58

Pre-Run: 40,845,221,888 bytes free
Post-Run: 40,807,923,712 bytes free

- - End Of File - - 38C381D014616F62ADDF9E51E601E2C4

The computer just clicks off, no blue screen. It's instant. And I don't have my Windows CD. :( Stuff is lost in this house like you wouldn't believe haha.

#10 myrti


Posted 19 January 2010 - 09:52 AM

Hi,

Have you tried reinstalling SoundMAX to fix your audio problem?

Please run SystemLook to check for possible replacements of wscntfy.exe:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box
    CODE
    :filefind
    wscntfy.*
  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#11 Malleus Maleficarum


Posted 19 January 2010 - 06:43 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:30 on 19/01/2010 by Keith (Administrator - Elevation successful)

========== filefind ==========

Searching for "wscntfy.*"
No files found.

-=End Of File=-

I solved the sound problem. :)

Edited by Malleus Maleficarum, 19 January 2010 - 11:36 PM.


#12 myrti


Posted 20 January 2010 - 02:06 PM

Hi,

Is there a possibility you could borrow a CD for Windows XP Professional from a friend?

regards myrti


#13 Malleus Maleficarum


Posted 20 January 2010 - 02:41 PM

No one that I know of even has Windows XP. Lol.

#14 Malleus Maleficarum


Posted 22 January 2010 - 05:58 PM

Pretty soon I am going to get a new computer. So this topic can be closed now. The computer is much faster than it used to be. Thanks for the help myrti. Appreciate it.

#15 myrti


Posted 23 January 2010 - 11:04 AM

Hi,

Before you leave, please remove the programs we used:

Please do the following to clean up your PC:
  1. Delete the tools used during the disinfection:
  2. Uninstall ComboFix.exe and all backups of the files it deleted
    • Click START, then RUN
    • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTC from the following mirror and save it to your desktop:
    • Double-click on
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  3. If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read the following advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • antivirus software
      It is imperative that you update your antivirus software on a regular basis. If you do not update your antivirus software, it will not be able to catch the latest threats.
    • an anti-spyware program
      Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPS hosts file
      A tutorial for the MVPS hosts file can be found here. If you would like automatic updates, you might want to take a look at the HostsMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the tutorial on the hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing. :(
Some more links you might find of interest:

Have a nice day,
myrti