Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Defense


  • This topic is locked This topic is locked
8 replies to this topic

#1 TheCallipalegic

TheCallipalegic

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 15 January 2010 - 12:40 AM

My computer was originally infected with the malware defense virus. I was eventually able to remove the majority of the infected files and rootkeys manually. I have McAfee Anti-virus and have recently downloaded Spybot search and destroy, however, my computer is still unable to run either of these programs. Another problem I have been having is I am often redirected from google searches and periodically I recieve a Windows Explorer error message. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:23 AM, on 1/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe

--
End of file - 1655 bytes




BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:54 AM

Posted 20 January 2010 - 04:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:54 AM

Posted 25 January 2010 - 08:55 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:54 AM

Posted 29 January 2010 - 08:18 AM

Hi,

topic reopened, please post your logs.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 TheCallipalegic

TheCallipalegic
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 30 January 2010 - 02:19 AM

Here is the OTL text:

OTL logfile created on: 1/26/2010 5:08:32 AM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Users\Administrator\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.71 Gb Total Space | 155.45 Gb Free Space | 66.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 640.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
Drive I: | 658.78 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: DCN62SK1
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/26 05:07:44 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
PRC - [2010/01/06 20:42:37 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/30 06:57:08 | 00,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/06/22 18:45:12 | 00,199,616 | ---- | M] (Vuze Inc.) -- C:\Program Files\Vuze\Azureus.exe
PRC - [2009/04/11 01:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/30 16:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 00,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/02/27 01:04:06 | 00,252,952 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/09/29 07:07:00 | 00,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/09/29 07:07:00 | 00,067,904 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2008/09/29 07:07:00 | 00,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2008/09/29 07:07:00 | 00,019,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2008/03/14 03:00:00 | 00,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/03/14 03:00:00 | 00,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/01/20 21:23:48 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/20 21:21:41 | 00,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mobsync.exe


========== Modules (SafeList) ==========

MOD - [2010/01/26 05:07:44 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
MOD - [2009/04/11 01:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/06 20:35:17 | 00,321,320 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/12/21 16:26:46 | 00,075,064 | ---- | M] () [Disabled | Stopped] -- C:\Windows\System32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/24 20:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/28 18:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/04/27 05:58:04 | 00,254,042 | ---- | M] (IDT, Inc.) [Disabled | Stopped] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\stacsv.exe -- (STacSV)
SRV - [2009/04/27 05:57:44 | 00,081,920 | ---- | M] (Andrea Electronics Corporation) [Disabled | Stopped] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\AEstSrv.exe -- (AESTFilters)
SRV - [2009/03/30 16:28:36 | 01,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/01/26 15:31:10 | 01,153,368 | ---- | M] (Safer Networking Ltd.) [Disabled | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/09/29 07:07:00 | 00,143,088 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2008/09/29 07:07:00 | 00,067,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2008/09/29 07:07:00 | 00,062,800 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2008/09/29 07:07:00 | 00,019,456 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2008/06/03 14:28:50 | 00,386,328 | ---- | M] (Dell Inc.) [Disabled | Stopped] -- c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe -- (buttonsvc32)
SRV - [2008/03/14 03:00:00 | 00,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2008/01/20 21:21:41 | 00,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/07/11 08:33:28 | 00,069,632 | R--- | M] (MicroVision Development, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007/05/31 09:21:24 | 00,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 09:21:18 | 00,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006/11/02 07:34:14 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/12/09 17:12:47 | 00,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/04/28 01:20:40 | 00,329,752 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2009/04/27 05:58:22 | 00,398,848 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2009/04/15 21:58:22 | 00,032,808 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV - [2009/04/10 23:42:52 | 00,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2009/04/10 23:38:59 | 00,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\usbccid.sys -- (USBCCID)
DRV - [2009/04/03 07:25:50 | 00,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/03/30 03:28:44 | 00,133,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA001Ufd.sys -- (OA001Ufd)
DRV - [2009/03/30 03:28:42 | 00,280,096 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA001Vid.sys -- (OA001Vid)
DRV - [2009/02/27 01:04:26 | 00,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2009/02/27 01:03:50 | 04,568,064 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/02/23 01:59:20 | 00,224,384 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1y6032.sys -- (e1yexpress) Intel®
DRV - [2009/02/23 00:51:20 | 00,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/09/29 07:07:00 | 00,340,592 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/09/29 07:07:00 | 00,090,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/09/29 07:07:00 | 00,074,648 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/09/29 07:07:00 | 00,064,432 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2008/09/29 07:07:00 | 00,062,704 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/09/29 07:07:00 | 00,042,424 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/08/07 01:42:46 | 03,662,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®
DRV - [2008/01/20 21:21:35 | 00,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 21:21:35 | 00,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 21:21:34 | 00,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 21:21:34 | 00,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 21:21:34 | 00,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 21:21:33 | 01,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 21:21:33 | 00,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 21:21:33 | 00,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2008/01/20 21:21:33 | 00,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 21:21:32 | 00,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 21:21:32 | 00,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 21:21:32 | 00,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 21:21:31 | 00,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 21:21:31 | 00,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 21:21:31 | 00,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 21:21:31 | 00,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 21:21:30 | 00,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 21:21:29 | 00,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 21:21:29 | 00,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 21:21:29 | 00,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 21:21:28 | 00,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 21:21:27 | 00,179,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2008/01/20 21:21:09 | 00,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 21:21:09 | 00,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 21:21:09 | 00,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/02 04:32:56 | 00,024,104 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2007/10/23 21:40:30 | 00,209,408 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ianvstor.sys -- (iaNvStor) Intel®
DRV - [2007/09/07 04:13:46 | 00,097,632 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2007/07/26 02:00:00 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/07/24 01:42:12 | 00,045,056 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/07/23 14:05:20 | 00,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 14:04:58 | 00,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 14:04:56 | 00,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 14:04:56 | 00,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 14:04:54 | 00,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 14:04:52 | 00,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 14:04:52 | 00,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 14:04:50 | 00,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 13:55:44 | 00,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 13:49:44 | 00,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 13:49:44 | 00,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 13:43:42 | 00,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\Windows\System32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/07/18 02:46:06 | 00,042,496 | ---- | M] (REDC) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/07/18 02:46:06 | 00,037,376 | ---- | M] (REDC) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/02 04:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:19 | 00,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 00,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:03 | 00,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 00,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 03:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:36:43 | 02,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 01:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4232576375-3541886404-682328106-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-4232576375-3541886404-682328106-500\S-1-5-21-4232576375-3541886404-682328106-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {E9A1DEE0-C623-4439-8932-001E7D17607D}:2.1.0.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 20:42:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 20:42:39 | 00,000,000 | ---D | M]

[2009/08/12 21:49:56 | 00,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions
[2010/01/26 04:16:00 | 00,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\kui144my.default\extensions
[2010/01/08 18:25:48 | 00,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\kui144my.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009/08/15 00:38:05 | 00,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\kui144my.default\extensions\DTToolbar@toolbarnet.com
[2010/01/26 04:16:00 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/14 23:53:53 | 00,000,734 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-4232576375-3541886404-682328106-500\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-21-4232576375-3541886404-682328106-500\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O4 - HKU\S-1-5-21-4232576375-3541886404-682328106-500..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O7 - HKU\S-1-5-21-4232576375-3541886404-682328106-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2000/09/20 15:55:56 | 00,827,392 | R--- | M] () - G:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [2000/07/06 15:04:48 | 00,000,135 | R--- | M] () - G:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2001/08/13 16:05:24 | 01,572,864 | R--- | M] () - I:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2001/07/25 17:36:12 | 00,000,135 | R--- | M] () - I:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{3860c8ad-895d-11de-b609-0024e8c23133}\Shell - "" = AutoRun
O33 - MountPoints2\{3860c8ad-895d-11de-b609-0024e8c23133}\Shell\AutoRun\command - "" = G:\AUTORUN.EXE -- [2000/09/20 15:55:56 | 00,827,392 | R--- | M] ()
O33 - MountPoints2\{3860c8ad-895d-11de-b609-0024e8c23133}\Shell\readit\command - "" = notepad readme.doc
O33 - MountPoints2\{b14d8ba9-00df-11df-ba4c-c6d3a437aeb1}\Shell - "" = AutoRun
O33 - MountPoints2\{b14d8ba9-00df-11df-ba4c-c6d3a437aeb1}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d684ddb7-89b9-11de-82dd-0024e8c23133}\Shell - "" = AutoRun
O33 - MountPoints2\{d684ddb7-89b9-11de-82dd-0024e8c23133}\Shell\AutoRun\command - "" = I:\Autorun.exe -- [2001/08/13 16:05:24 | 01,572,864 | R--- | M] ()
O33 - MountPoints2\{d684ddb7-89b9-11de-82dd-0024e8c23133}\Shell\readit\command - "" = notepad readme.doc
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/26 05:07:44 | 00,548,352 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2010/01/22 05:33:56 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/01/22 05:33:56 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/01/22 05:33:56 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/01/22 05:33:56 | 00,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/01/22 05:33:56 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/01/22 05:33:56 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/01/22 05:33:56 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/01/22 05:33:56 | 00,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/01/22 05:33:56 | 00,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/01/22 05:33:56 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/01/22 05:33:56 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/01/22 05:33:56 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/01/22 05:33:56 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/01/22 05:33:56 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/01/16 16:38:41 | 00,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\WinRAR
[2010/01/16 16:38:10 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/01/14 23:44:45 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/14 04:32:46 | 00,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/01/14 03:52:31 | 00,000,000 | ---D | C] -- C:\Windows\pss
[2010/01/14 03:39:36 | 00,056,816 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2010/01/14 03:18:39 | 00,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2010/01/14 03:18:39 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2010/01/14 03:18:39 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2010/01/14 03:18:39 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\corpol.dll
[2010/01/14 03:18:38 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2010/01/14 03:18:38 | 00,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2010/01/14 03:18:38 | 00,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2010/01/14 03:18:38 | 00,208,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WinFXDocObj.exe
[2010/01/14 03:18:38 | 00,193,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2010/01/14 03:18:38 | 00,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2010/01/14 03:18:38 | 00,125,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2010/01/14 03:18:38 | 00,094,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2010/01/14 03:18:38 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2010/01/14 03:18:38 | 00,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/01/14 03:18:38 | 00,034,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2010/01/14 03:18:37 | 00,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/01/14 03:18:37 | 00,445,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2010/01/14 03:18:37 | 00,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/01/14 03:18:37 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\advpack.dll
[2010/01/14 03:18:37 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2010/01/14 03:18:37 | 00,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2010/01/14 03:18:36 | 03,698,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2010/01/14 03:18:36 | 00,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/01/14 03:18:36 | 00,169,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2010/01/14 03:18:36 | 00,109,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PDMSetup.exe
[2010/01/14 03:18:36 | 00,107,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2010/01/14 03:18:36 | 00,107,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2010/01/14 03:18:36 | 00,103,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetDepNx.exe
[2010/01/14 03:18:18 | 00,233,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DreamScene.dll
[2010/01/14 03:18:11 | 03,851,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_39.dll
[2010/01/14 03:17:50 | 00,000,000 | ---D | C] -- C:\Program Files\BitLocker
[2010/01/14 03:17:29 | 01,171,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SecureKeyBackupCPL.dll
[2010/01/14 03:17:18 | 00,675,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gpprefcl.dll
[2010/01/14 03:16:10 | 00,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2010/01/14 03:15:48 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/01/14 02:59:15 | 00,000,000 | ---D | C] -- C:\Windows\System32\vmm32
[2010/01/13 09:49:13 | 00,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010/01/13 09:49:13 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/01/12 06:50:46 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/01/12 06:50:46 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/01/10 02:34:28 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/01/10 02:23:17 | 00,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Threat Expert
[2010/01/10 02:20:05 | 00,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/01/08 22:07:42 | 00,000,000 | ---D | C] -- C:\Users\Administrator\Documents\Azureus Downloads
[2010/01/08 21:27:43 | 00,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2010/01/08 21:27:43 | 00,000,000 | ---D | C] -- C:\ProgramData\Norton
[2010/01/08 21:27:42 | 00,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010/01/08 18:26:14 | 00,000,000 | ---D | C] -- C:\ProgramData\Azureus
[2010/01/08 18:26:11 | 00,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Azureus
[2010/01/08 18:25:49 | 00,000,000 | ---D | C] -- C:\Program Files\Vuze
[2010/01/08 18:25:48 | 00,000,000 | ---D | C] -- C:\Program Files\AskBarDis
[2009/12/29 15:16:13 | 00,000,000 | ---D | C] -- C:\Impressions Games

========== Files - Modified Within 30 Days ==========

[2010/01/26 05:08:30 | 02,359,296 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT
[2010/01/26 05:07:44 | 00,548,352 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2010/01/26 04:13:05 | 00,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/01/26 04:13:05 | 00,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/01/26 04:06:57 | 00,694,964 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/01/26 04:06:57 | 00,598,588 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/01/26 04:06:57 | 00,102,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/01/25 05:49:28 | 00,000,039 | ---- | M] () -- C:\Users\Administrator\jagex_runescape_preferences.dat
[2010/01/25 05:21:28 | 00,000,069 | ---- | M] () -- C:\Users\Administrator\jagex_runescape_preferences2.dat
[2010/01/24 14:12:50 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/01/23 22:33:23 | 00,035,840 | ---- | M] () -- C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/23 03:03:34 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/01/23 03:03:08 | 37,076,78720 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/23 03:02:12 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/01/23 03:02:06 | 00,524,288 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
[2010/01/23 03:02:06 | 00,065,536 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2010/01/23 03:02:03 | 02,048,667 | -H-- | M] () -- C:\Users\Administrator\AppData\Local\IconCache.db
[2010/01/19 23:56:36 | 00,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/01/18 01:06:48 | 00,002,301 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010/01/14 23:53:53 | 00,000,734 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/01/14 23:44:45 | 00,001,874 | ---- | M] () -- C:\Users\Administrator\Desktop\HijackThis.lnk
[2010/01/14 11:12:06 | 00,181,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/01/14 05:36:48 | 00,003,072 | ---- | M] () -- C:\Windows\System32\umstartup.etl
[2010/01/14 05:00:34 | 00,001,905 | ---- | M] () -- C:\Windows\diagwrn.xml
[2010/01/14 05:00:34 | 00,001,905 | ---- | M] () -- C:\Windows\diagerr.xml
[2010/01/14 04:22:09 | 26,059,2208 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/01/10 21:38:01 | 00,000,008 | ---- | M] () -- C:\ProgramData\sysReserve.ini
[2010/01/10 03:25:07 | 00,368,280 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/01/08 18:28:43 | 00,001,633 | ---- | M] () -- C:\Users\Public\Desktop\Vuze.lnk
[2010/01/02 15:30:29 | 00,000,556 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.ics
[2010/01/02 01:33:32 | 00,594,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/01/02 01:33:32 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/01/02 01:32:51 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/01/02 01:32:46 | 01,469,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/01/02 01:32:33 | 00,164,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/01/02 01:32:33 | 00,109,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/01/02 01:32:33 | 00,071,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/01/02 01:32:32 | 00,184,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/01/02 01:32:32 | 00,055,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/01/02 01:32:26 | 00,387,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/01/01 23:57:00 | 00,133,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/01/01 23:56:50 | 00,173,056 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/01/01 23:56:14 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/01/01 23:55:54 | 01,638,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/12/29 15:21:31 | 00,000,128 | ---- | M] () -- C:\Windows\Sierra.ini

========== Files Created - No Company Name ==========

[2010/01/14 23:44:45 | 00,001,874 | ---- | C] () -- C:\Users\Administrator\Desktop\HijackThis.lnk
[2010/01/14 04:53:13 | 37,076,78720 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/14 04:45:02 | 00,001,905 | ---- | C] () -- C:\Windows\diagwrn.xml
[2010/01/14 04:45:02 | 00,001,905 | ---- | C] () -- C:\Windows\diagerr.xml
[2010/01/14 03:19:05 | 00,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2010/01/14 03:17:30 | 00,000,711 | ---- | C] () -- C:\Windows\System32\CPSOKBTasks.xml
[2010/01/10 02:34:25 | 26,059,2208 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/01/10 00:46:48 | 00,000,008 | ---- | C] () -- C:\ProgramData\sysReserve.ini
[2010/01/08 18:26:01 | 00,001,633 | ---- | C] () -- C:\Users\Public\Desktop\Vuze.lnk
[2009/12/29 15:21:31 | 00,000,128 | ---- | C] () -- C:\Windows\Sierra.ini
[2009/11/06 16:49:26 | 00,038,417 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\Comma Separated Values (Windows).ADR
[2009/10/14 15:25:02 | 00,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2009/10/14 14:01:36 | 00,197,120 | ---- | C] () -- C:\Windows\patchw32.dll
[2009/08/28 13:07:00 | 01,970,176 | ---- | C] () -- C:\Windows\System32\d3dx9.dll
[2009/08/20 21:42:15 | 00,035,840 | ---- | C] () -- C:\Users\Administrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/20 21:35:36 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/15 00:32:58 | 00,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/08/12 21:47:51 | 00,000,680 | ---- | C] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat
[2009/08/06 13:56:36 | 00,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2009/08/06 10:32:07 | 00,524,288 | -HS- | C] () -- C:\ProgramData\NTUser.dat{1fdcf77b-829e-11de-8129-00216a62571e}.TMContainer00000000000000000002.regtrans-ms
[2009/08/06 10:32:06 | 00,524,288 | -HS- | C] () -- C:\ProgramData\NTUser.dat{1fdcf77b-829e-11de-8129-00216a62571e}.TMContainer00000000000000000001.regtrans-ms
[2009/08/06 10:32:06 | 00,262,144 | ---- | C] () -- C:\ProgramData\NTUser.dat
[2009/08/06 10:32:06 | 00,065,536 | -HS- | C] () -- C:\ProgramData\NTUser.dat{1fdcf77b-829e-11de-8129-00216a62571e}.TM.blf
[2009/08/06 10:32:06 | 00,005,120 | -H-- | C] () -- C:\ProgramData\NTUser.dat.LOG1
[2009/08/06 10:32:06 | 00,000,000 | -H-- | C] () -- C:\ProgramData\NTUser.dat.LOG2
[2009/08/06 10:31:47 | 00,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2009/05/21 14:37:05 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2009/05/21 14:36:56 | 00,167,936 | ---- | C] () -- C:\Windows\System32\nvccoin.dll
[2009/05/21 14:36:30 | 00,876,544 | ---- | C] () -- C:\Windows\System32\TEACico2.dll
[2009/04/27 13:53:38 | 00,000,234 | ---- | C] () -- C:\Windows\wininit.ini
[2008/01/20 21:23:41 | 00,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2006/11/02 07:34:20 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 02:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >


And here is the Extras text file:

OTL Extras logfile created on: 1/26/2010 5:08:32 AM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Users\Administrator\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.71 Gb Total Space | 155.45 Gb Free Space | 66.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 640.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
Drive I: | 658.78 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: DCN62SK1
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4232576375-3541886404-682328106-500\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0364DBBB-8492-4D72-AF3F-CBE918EAC187}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{0DCA1DD0-A98B-43C4-B82C-93818D4D5223}" = lport=2869 | protocol=6 | dir=in | app=system |
"{0F5A2440-C378-434C-B035-58214A121C8C}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{102B8C83-ADDC-4349-9056-B395E41E9198}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{20E76F1C-C65E-4AAE-801B-781CF11F6311}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{43A30AD5-4B22-45D8-B208-C14FCE57C2F2}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{4D0761EA-1B70-406E-BBE2-7A8DACD9BF4A}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5089F654-5A9D-479F-8C13-2FF92274E05B}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5AD45002-BFFC-4A0E-933E-FCD31DF01FD2}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5C149BDD-E9DD-4D51-BD8A-425B4736D84D}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{5D0B8944-CA48-4DE8-9501-C09BEBE67377}" = lport=137 | protocol=17 | dir=in | app=system |
"{67F099B1-544C-4FF4-9FC8-7C9C23DD15AE}" = lport=2869 | protocol=6 | dir=in | app=system |
"{7E9503A7-BE54-4578-990C-4D822BA8CBDE}" = lport=445 | protocol=6 | dir=in | app=system |
"{82A1C909-D225-40D1-A5D8-19A7ABE94942}" = lport=139 | protocol=6 | dir=in | app=system |
"{87F3CF84-6B0B-4D46-8DE5-57F474FD85AE}" = rport=137 | protocol=17 | dir=out | app=system |
"{88E9E375-5289-479E-B2D5-4B6BD363ED3A}" = lport=138 | protocol=17 | dir=in | app=system |
"{8E8CC31F-8A7A-4AEF-A49B-38C83B7D3161}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9CE9A962-36D9-4663-86ED-A6E405A2FF14}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A30AE7C2-F897-408B-8815-7B48DBCC969E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{BB4B14C4-3554-4A56-B481-D5F08729BFB3}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{BE90A57A-C442-4074-A82E-1DF1F2420260}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{C191DBD1-0547-4689-86E6-C7797AE477B2}" = lport=10243 | protocol=6 | dir=in | app=system |
"{C2A878F1-C4B1-4EC9-8F9A-9D311F234D40}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{C88A6395-3235-44E2-BD7A-569A123486A7}" = rport=10243 | protocol=6 | dir=out | app=system |
"{CB39A3B5-D272-42C7-ADEF-D392834B587B}" = rport=138 | protocol=17 | dir=out | app=system |
"{D4A26279-A824-4B98-BEB9-7A7BA77536FB}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D72E1C3C-B299-4896-AA2A-36D3AB3A65B7}" = rport=445 | protocol=6 | dir=out | app=system |
"{E178AB4F-8457-4CD7-AD99-BE35F44CE7BE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F28FDCEB-0B99-4436-8828-F5757DFA3F00}" = rport=139 | protocol=6 | dir=out | app=system |
"{FE4092C1-AA53-4BDD-B701-DCE30D0819EA}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04B89723-3DD1-451A-932B-C4DCAA487D58}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{08727E61-AE92-49B9-A8A4-254928744C94}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{0CD7E029-C80A-4EDA-B039-F9867D2BF707}" = protocol=17 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{0CE79F13-3F13-4F00-B5CC-629908647C0B}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe |
"{1178EEDD-BDD6-4721-BD44-6220A1EEA15E}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{1886DF87-C948-4F31-9056-E70B7FA4B47F}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{1F58F633-3DC0-482D-B789-D55132A06821}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{20079FEC-CAD1-4CDE-B27F-915E741FE937}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{28F3E915-2B7C-4EEC-A3AD-E485D451361F}" = protocol=6 | dir=out | app=system |
"{2EC46091-0AD2-4487-BEFD-D3B935C455FE}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{30AA4DF5-4071-470F-964C-C77399705528}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{37C1192E-3B17-4ACA-B484-7A71CDCB41CD}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{37C94472-DE80-40A7-9B61-D9F082D01DF8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{416EBB65-A01D-46BC-AE9D-2CD3974F9DA8}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{47FB5154-9D6C-4C78-8B07-2D2E37D5763F}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{4C5E4F3A-EF52-4E03-9AF8-5061D08EE1CB}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{52F407E9-00A6-42BD-B15B-E703DB656FCD}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5393E29E-AC50-4C2C-988F-04BA122E591F}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{53AE1F93-0B40-42F8-95D1-CC470DA082DC}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5A634E74-20BA-474C-9C58-82E5D97C9B18}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{5DA60015-7B2E-400F-864F-8B34F34F0617}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{61044B2D-0261-44F8-8DF8-46FA487A8844}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{6EC1E2A9-6382-499B-8116-0A4A65861760}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6F87FA7D-90FE-47AF-9A1D-A1C9A36BC6DF}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{702FB7AE-07B2-4BC9-8FA4-F998B2C8E251}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{718F483D-F592-4EB1-8D3B-8E43D2656B99}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{777E8088-91B4-480C-9388-18D3152D984B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{7E8DBEB0-3228-497D-A434-76364A6102E5}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{89EFE0EA-9CFB-4F47-ACFA-FD1AB859E50C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{8B3A49AD-81A1-4585-9303-03C1C50DD486}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{8F5B0F69-2882-4E46-995E-51E2F01C9D13}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{95BCE130-811B-4007-9770-3755B816617E}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{AD66BF4C-0E13-4129-97A1-A2B9246E940F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{AEDBD2C3-4400-4E18-8D58-9A5B4CAF490C}" = protocol=6 | dir=in | app=c:\program files\mcafee\common framework\frameworkservice.exe |
"{AFFF280C-8FAE-4B76-8A9C-2DFCEAD4BAE8}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{BA765687-3C21-42EB-ADB4-1395649A14C2}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{BF69C786-0283-457C-A586-47F708340B91}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{C314C897-4E14-426B-90E1-D3E0BFF3B1E2}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D3CFD538-4361-4425-9B4E-2A150C6C1E54}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{D65000E4-7CD3-43D8-939D-FEBAF6F0EA85}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\powerdvd.exe |
"{DFFFDE67-8FBA-4BDB-97FE-7E5E44A8D1DF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E2BD869C-EA75-4140-B3D8-F1040C3E0AA8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F1B5BF3A-4667-4281-B0F7-2F82E92B51AF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{F87A3AC3-DB7F-4F49-98E3-E97040CC3560}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{F8D53A62-27C0-46E1-923A-2CC85D67D359}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"TCP Query User{2C55B352-6122-43FA-9375-5BE30D309984}C:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe |
"TCP Query User{7A143815-5A3C-4A33-B3BF-BB3206FFEDC8}C:\program files\vuze\azureus.exe" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"TCP Query User{C906395D-A531-4035-959B-4A8793E5BAD5}C:\westwood\ra2\game.exe" = protocol=6 | dir=in | app=c:\westwood\ra2\game.exe |
"TCP Query User{F3322C13-622C-4D0D-AE5B-31B379FFF10F}C:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe |
"UDP Query User{258EE8C6-EC87-478C-BCF2-6013F8733E36}C:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe |
"UDP Query User{54EC5A58-AE4E-47B4-9986-785855328932}C:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\thecallipalegic\counter-strike source\hl2.exe |
"UDP Query User{63798E02-97BB-4CF7-9FB9-D6D6355B33D3}C:\program files\vuze\azureus.exe" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |
"UDP Query User{D32CE17A-4BCC-43B5-AB78-774492A55848}C:\westwood\ra2\game.exe" = protocol=17 | dir=in | app=c:\westwood\ra2\game.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{04010300-6D72-4D54-8686-91D884A27B5C}" = Cisco Clean Access Agent
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2220CF3A-EBD6-4070-94D0-0C7337B537A7}" = All Day Battery Life Configuration
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{821DABD6-26F2-49E5-AE55-40A589ADBE6D}" = Pharaoh and Cleopatra
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon® 3
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A10D9B03-AABB-47D7-8A30-2FEA97E70BC7}" = Quake Live Mozilla Plugin
"{A1261462-A2EF-4FAB-9513-48EBEFC9A76E}" = Dell Button Service
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{EA926717-CE5A-4CB4-AB21-9E6E9565A458}" = RCT3 Soaked
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"8461-7759-5462-8226" = Vuze
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ask Toolbar_is1" = Ask Toolbar
"Cheat Engine 5.5_is1" = Cheat Engine 5.5
"Creative OA001" = Integrated Webcam Driver (1.06.03.0309)
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"Dell Webcam Central" = Dell Webcam Central
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"PROR" = Microsoft Office Professional 2007
"PunkBusterSvc" = PunkBuster Services
"Red Alert 2" = Command & Conquer Red Alert 2
"Steam App 211" = Source SDK
"Steam App 218" = Source SDK Base - Orange Box
"Steam App 240" = Counter-Strike: Source
"TVWiz" = Intel® TV Wizard
"UltSounds" = Windows Sound Schemes
"UltSounds2" = Ultimate Extras sounds from Microsoft® Tinker™
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yuri's Revenge" = Command && Conquer Red Alert 2 - Yuri's Revenge

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/14/2010 1:53:13 AM | Computer Name = DCN62SK1 | Source = System Restore | ID = 8193
Description =

Error - 1/14/2010 1:54:07 AM | Computer Name = DCN62SK1 | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 1/14/2010 1:54:09 AM | Computer Name = DCN62SK1 | Source = SPP | ID = 16387
Description =

Error - 1/14/2010 1:54:09 AM | Computer Name = DCN62SK1 | Source = System Restore | ID = 8193
Description =

Error - 1/14/2010 1:54:30 AM | Computer Name = DCN62SK1 | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 1/14/2010 1:54:32 AM | Computer Name = DCN62SK1 | Source = SPP | ID = 16387
Description =

Error - 1/14/2010 1:54:32 AM | Computer Name = DCN62SK1 | Source = System Restore | ID = 8193
Description =

Error - 1/14/2010 3:39:33 AM | Computer Name = DCN62SK1 | Source = WinMgmt | ID = 10
Description =

Error - 1/14/2010 3:48:51 AM | Computer Name = DCN62SK1 | Source = WinMgmt | ID = 10
Description =

Error - 1/14/2010 3:50:32 AM | Computer Name = DCN62SK1 | Source = Application Error | ID = 1000
Description = Faulting application SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19,
faulting module SpybotSD.exe, version 1.6.2.46, time stamp 0x2a425e19, exception
code 0x80000003, fault offset 0x002e5bb0, process id 0x1760, application start time
0x01ca94ee3eb2efc3.

[ Media Center Events ]
Error - 8/12/2009 10:55:54 PM | Computer Name = DCN62SK1 | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

Error - 10/7/2009 9:40:33 PM | Computer Name = DCN62SK1 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 10/11/2009 11:24:23 PM | Computer Name = DCN62SK1 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 10/27/2009 1:47:02 PM | Computer Name = DCN62SK1 | Source = Microsoft-Windows-Servicing | ID = 4385
Description =

Error - 10/28/2009 3:00:16 AM | Computer Name = DCN62SK1 | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.1.8
with the system having network hardware address 00-23-32-11-17-79. Network operations
on this system may be disrupted as a result.

Error - 10/29/2009 3:16:12 AM | Computer Name = DCN62SK1 | Source = Service Control Manager | ID = 7034
Description =

Error - 10/29/2009 5:14:57 AM | Computer Name = DCN62SK1 | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

Error - 11/1/2009 3:44:46 AM | Computer Name = DCN62SK1 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.10 for the Network Card with network
address 00216A62571E has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 11/2/2009 11:24:15 AM | Computer Name = DCN62SK1 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.9 for the Network Card with network
address 00216A62571E has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 11/5/2009 1:15:02 PM | Computer Name = DCN62SK1 | Source = Service Control Manager | ID = 7031
Description =

Error - 11/5/2009 8:14:09 PM | Computer Name = DCN62SK1 | Source = WPDMTPDriver | ID = 80836
Description =

Error - 11/6/2009 5:51:18 PM | Computer Name = DCN62SK1 | Source = bowser | ID = 8003
Description =

Error - 11/6/2009 11:56:45 PM | Computer Name = DCN62SK1 | Source = bowser | ID = 8003
Description =


< End of report >


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:54 AM

Posted 30 January 2010 - 10:26 AM

Hi,

please run a scan with gmer as well:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 TheCallipalegic

TheCallipalegic
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 30 January 2010 - 06:22 PM


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-30 18:18:58
Windows 6.0.6002 Service Pack 2
Running: xbhd8zf1.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\kwdyapow.sys


---- System - GMER 1.0.15 ----

INT 0x72 ? 878D2BF8
INT 0x72 ? 878D2BF8
INT 0x72 ? 878D2BF8
INT 0x72 ? 878D2BF8
INT 0x82 ? 878D2BF8
INT 0x82 ? 878D2BF8
INT 0x82 ? 878D2BF8
INT 0x92 ? 878D2BF8
INT 0x92 ? 878D2BF8
INT 0x92 ? 878D2BF8
INT 0x92 ? 878D2BF8
INT 0xB2 ? 85E65BF8

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8BF88FF8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8BF8900C]
Code 8B57B7E8 ZwEnumerateKey
Code 8B6A9EB8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8BF8904A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8BF89036]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8BF88FE4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8BF89022]
Code 8B678905 IofCallDriver
Code 8B6AA916 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 82444912 5 Bytes JMP 8B67890A
.text ntkrnlpa.exe!IofCompleteRequest 8244497F 5 Bytes JMP 8B6AA91B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 825AFEF5 5 Bytes JMP 8B6A9EBC
PAGE ntkrnlpa.exe!ZwCreateUserProcess 825C9B82 5 Bytes JMP 8BF89026 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 825F0D5D 5 Bytes JMP 8BF88FE8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 825FD0BA 5 Bytes JMP 8B57B7EC
PAGE ntkrnlpa.exe!NtSetInformationProcess 82614474 5 Bytes JMP 8BF8903A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 8269174B 5 Bytes JMP 8BF88FFC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82691796 7 Bytes JMP 8BF89010 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 82692253 5 Bytes JMP 8BF8904E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? System32\Drivers\spej.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FD5A41B 5 Bytes JMP 878D21D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[13892] WS2_32.dll!closesocket 7711330C 5 Bytes JMP 02BF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[13892] WS2_32.dll!connect 771140D9 5 Bytes JMP 02BE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[13892] WS2_32.dll!send 7711659B 5 Bytes JMP 02CD000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8068E6D6] \SystemRoot\System32\Drivers\spej.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8068E042] \SystemRoot\System32\Drivers\spej.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8068E800] \SystemRoot\System32\Drivers\spej.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8068E0C0] \SystemRoot\System32\Drivers\spej.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8068E13E] \SystemRoot\System32\Drivers\spej.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069DB90] \SystemRoot\System32\Drivers\spej.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85E671F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\fastfat \FatCdrom AD9671F8
Device \Driver\volmgr \Device\VolMgrControl 85E621F8
Device \Driver\usbuhci \Device\USBPDO-0 878D31F8
Device \Driver\usbuhci \Device\USBPDO-1 878D31F8
Device \Driver\PCI_PNP8045 \Device\00000052 spej.sys
Device \Driver\netbt \Device\NetBT_Tcpip_{4E2B17DE-F011-4693-AE2F-E1C6E4C832CE} 8B73A1F8
Device \Driver\usbuhci \Device\USBPDO-2 878D31F8
Device \Driver\usbehci \Device\USBPDO-3 878D41F8
Device \Driver\usbuhci \Device\USBPDO-4 878D31F8

AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 878D31F8
Device \Driver\usbuhci \Device\USBPDO-6 878D31F8
Device \Driver\volmgr \Device\HarddiskVolume1 85E621F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 878D41F8
Device \Driver\sptd \Device\1953704071 spej.sys
Device \Driver\volmgr \Device\HarddiskVolume2 85E621F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\iaStor \Device\Ide\iaStor0 [82B560B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [82B560B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [82B560B0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\netbt \Device\NetBt_Wins_Export 8B73A1F8
Device \Driver\Smb \Device\NetbiosSmb 8B73F1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{267C9DB5-F6F8-48EA-BE30-7BDA6D029E4F} 8B73A1F8
Device \Driver\iScsiPrt \Device\RaidPort0 879DE1F8

AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 878D31F8
Device \Driver\usbuhci \Device\USBFDO-1 878D31F8
Device \Driver\usbuhci \Device\USBFDO-2 878D31F8
Device \Driver\usbehci \Device\USBFDO-3 878D41F8
Device \Driver\usbuhci \Device\USBFDO-4 878D31F8
Device \Driver\usbuhci \Device\USBFDO-5 878D31F8
Device \Driver\usbuhci \Device\USBFDO-6 878D31F8
Device \Driver\usbehci \Device\USBFDO-7 878D41F8
Device \Driver\av7o7r3l \Device\Scsi\av7o7r3l1Port2Path0Target2Lun0 879971F8
Device \Driver\av7o7r3l \Device\Scsi\av7o7r3l1Port2Path0Target0Lun0 879971F8
Device \Driver\av7o7r3l \Device\Scsi\av7o7r3l1 879971F8
Device \Driver\av7o7r3l \Device\Scsi\av7o7r3l1Port2Path0Target1Lun0 879971F8
Device \FileSystem\fastfat \Fat AD9671F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\cdfs \Cdfs B08541F8

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\H8SRTeppuxwhdrf.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x1F 0x40 0x80 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3A 0xBD 0x3A 0xFF ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDA 0x6C 0xAC 0x97 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE6 0x8E 0xD4 0xC4 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x6C 0xD4 0xF8 0xDE ...
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x1F 0x40 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3A 0xBD 0x3A 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8D 0x7E 0x70 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE6 0x8E 0xD4 0xC4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x6C 0xD4 0xF8 0xDE ...
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet008\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet009\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuxwhdrf.sys
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTxpikpjwrqr.dll
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTpvryqflxpy.dat
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTjltqlxvifm.dll
Reg HKLM\SYSTEM\ControlSet010\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTxtxbemaptv.dll
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x1F 0x40 0x80 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3A 0xBD 0x3A 0xFF ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDA 0x6C 0xAC 0x97 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xE6 0x8E 0xD4 0xC4 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x6C 0xD4 0xF8 0xDE ...

---- Files - GMER 1.0.15 ----

File C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8D45F372-0DF3-11DF-B43C-0024E8C23133}.dat 3584 bytes
File C:\Users\Administrator\AppData\Local\Temp\H8SRTc190.tmp 679936 bytes executable
File C:\Users\Administrator\AppData\Local\Temp\h8srtmainqt.dll 10227 bytes
File C:\Windows\System32\drivers\H8SRTeppuxwhdrf.sys 40960 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\H8SRTjltqlxvifm.dll 36864 bytes executable
File C:\Windows\System32\h8srtkrl32mainweq.dll 1004 bytes
File C:\Windows\System32\H8SRTpvryqflxpy.dat 241 bytes
File C:\Windows\System32\H8SRTxpikpjwrqr.dll 23552 bytes executable
File C:\Windows\System32\H8SRTxtxbemaptv.dll 40960 bytes executable

---- EOF - GMER 1.0.15 ----


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:54 AM

Posted 05 February 2010 - 08:05 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:54 AM

Posted 20 February 2010 - 08:30 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users