  • This topic is locked
16 replies to this topic

#1 wolfetundra

  • Members
  • 21 posts

Posted 24 February 2010 - 06:03 AM

I'm not sure how to explain this except for the title. When I click a link that takes me away from the domain the link was on, the browser loads a redirect page. Sometimes it's slow enough for me to catch it. The links aren't malicious in the sense that there's nothing detectable being downloaded. Some of the redirects are hxxp://adservices10.enhance.com, hxxp://414300.coolberg.com, hxxp://click.eurekster.com, hxxp://searchresults.target.net to name a few. These rotate out on each click.

Below is my HJT log. I'm not sure what I'm looking for or what to remove.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:42 AM, on 2/24/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\StopSign\OnAccess\onaccess.exe
C:\PROGRA~1\StopSign\POPUPB~1\sspopupblockerctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\WebcamMax\wcmmon.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\wamp\wampmanager.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\DllHost.exe
C:\RMS\wrapper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\RMS\jre\bin\java.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\StopSign\Firewall\FWService.exe
c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
c:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe
C:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\StopSign\POPUPB~1\sspopupblocker.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\StopSign\OnAccess\onaccess.exe" -erk
O4 - HKLM\..\Run: [StopSignPopupBlocker] C:\PROGRA~1\StopSign\POPUPB~1\sspopupblockerctrl.exe /Startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [WebcammaxMoniter] "C:\Program Files\WebcamMax\wcmmon.exe" -a
O4 - Startup: Ray Multimedia Server.lnk = ?
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: start WampServer.lnk = C:\wamp\wampmanager.exe
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\StopSign\POPUPB~1\sspopupblocker.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\StopSign\POPUPB~1\sspopupblocker.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9331A99-5103-43EB-A02F-9417AC06471D}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\StopSign\Firewall\FWService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: RMS (Red5) - Unknown owner - C:\RMS\wrapper.exe
O23 - Service: StopSign Firewall Security Center Provider (ssfwmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6451 bytes

Edited by Orange Blossom, 24 February 2010 - 06:54 PM.
Deactivate links. ~ OB



#2 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home

Posted 26 February 2010 - 08:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!
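The OTL.txt produced by the steps above is what the rest of the thread works from. As an added example (not code from this thread, from OTL, or from BleepingComputer), here is a small Python parser for OTL's timestamped entry lines that sorts them into the buckets a helper reads first: running code with no publisher string, items created inside the scan window with no publisher, and registry entries whose target OTL could not find. The sample lines are copied from the log posted later in this thread; the bucket rules and the 30-day window are my assumptions, not anything OTL defines.

```python
import re
from datetime import datetime, timedelta

# Timestamped OTL entries share one shape (kind, publisher, state and service are optional):
#   KIND - [yyyy/mm/dd hh:mm:ss | size | attrs | C or M] (publisher) [state] -- path -- (service) description
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<flag>[CM])\] "
    r"(?:\((?P<publisher>[^()]*)\) )?"
    r"(?:\[(?P<state>[^\]]*)\] )?"
    r"-- (?P<path>.+?)"
    r"(?: -- \((?P<service>[^()]*)\).*)?$"
)

# Strings OTL prints when a registry entry points at something that no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error")


def parse_entry(line):
    """Parse one timestamped OTL entry; return None for any other report line."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["stamp"] = datetime.strptime(entry["stamp"], "%Y/%m/%d %H:%M:%S")
    entry["size"] = int(entry["size"].replace(",", ""))
    entry["publisher"] = (entry["publisher"] or "").strip()
    return entry


def triage(lines, scan_time, window_days=30):
    """Sort report lines into the buckets a helper reads first (bucket rules are my assumption)."""
    cutoff = scan_time - timedelta(days=window_days)
    buckets = {"no_publisher": [], "recent_unknown": [], "orphans": []}
    for line in lines:
        line = line.strip()
        # Registry entries whose target is gone: leftovers of uninstalled or deleted software.
        if any(marker in line for marker in ORPHAN_MARKERS):
            buckets["orphans"].append(line)
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        # Code that is actually running (process, service, driver) with no publisher string:
        # nothing on the line says who shipped it, so it is checked first.
        if entry["kind"] in ("PRC", "SRV", "DRV") and not entry["publisher"]:
            buckets["no_publisher"].append(entry["path"])
        # Files or folders created inside the scan window, again with no publisher.
        if entry["flag"] == "C" and not entry["publisher"] and entry["stamp"] >= cutoff:
            buckets["recent_unknown"].append(entry["path"])
    return buckets


# Sample input: the scan time and a handful of lines copied from the OTL log posted in this thread.
SAMPLE_SCAN_TIME = datetime(2010, 3, 4, 10, 40, 47)
SAMPLE_LINES = [
    r"PRC - [2010/03/04 10:40:27 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wolfe\Desktop\OTL.exe",
    r"SRV - [2010/03/02 19:28:09 | 002,462,256 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3648.dll -- (Akamai)",
    r"DRV - [2008/12/26 12:56:04 | 000,017,792 | ---- | M] (Avnex) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vcsvad.sys -- (VCSVADHWSer) Avnex Virtual Audio Device (WDM)",
    r"[2010/03/01 19:48:59 | 000,000,000 | ---D | C] -- C:\gyoyo",
    r"[2010/02/19 16:41:21 | 000,080,880 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise.exe",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LINES, SAMPLE_SCAN_TIME).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

A flagged line is a starting point for a lookup of the file, not a verdict; plenty of legitimate software ships without a publisher string.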

 



#3 wolfetundra

  • Topic Starter
  • Members
  • 21 posts

Posted 04 March 2010 - 01:46 PM

OTL.txt

OTL logfile created on: 3/4/2010 10:40:47 AM - Run 1
OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\Wolfe\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 111.00 Mb Available Physical Memory | 12.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 46.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.00 Gb Free Space | 69.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: Wolfe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/04 10:40:27 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wolfe\Desktop\OTL.exe
PRC - [2010/02/17 23:46:15 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/30 10:36:23 | 000,263,504 | ---- | M] (eAcceleration Corp) -- C:\Program Files\eAcceleration\Framework\eac_productsvc.exe
PRC - [2009/09/25 03:23:20 | 000,449,024 | ---- | M] () -- C:\Program Files\WebcamMax\wcmmon.exe
PRC - [2009/09/04 06:42:00 | 001,033,568 | R--- | M] (eAcceleration Corp) -- C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
PRC - [2009/08/05 10:41:41 | 000,324,952 | ---- | M] (eAcceleration Corp) -- C:\Program Files\StopSign\Firewall\FWService.exe
PRC - [2009/08/05 09:54:42 | 000,113,920 | ---- | M] (eAcceleration Corp) -- C:\Program Files\eAcceleration\Framework\eac_svc.exe
PRC - [2009/07/22 13:14:28 | 000,255,328 | ---- | M] (eAcceleration Corp) -- C:\Program Files\StopSign\OnAccess\onaccess.exe
PRC - [2009/06/09 17:40:00 | 000,107,976 | ---- | M] (eAcceleration Corp ) -- C:\Program Files\StopSign\PopupBlocker\sspopupblockerctrl.exe
PRC - [2009/05/15 12:35:07 | 000,447,824 | ---- | M] (eAcceleration Corp) -- C:\Program Files\eAcceleration\Station\station_bk.exe
PRC - [2009/03/16 13:29:28 | 006,562,432 | ---- | M] () -- c:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe
PRC - [2008/12/10 01:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) -- C:\wamp\bin\apache\Apache2.2.11\bin\httpd.exe
PRC - [2008/12/10 01:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) -- c:\wamp\bin\apache\Apache2.2.11\bin\httpd.exe
PRC - [2008/08/17 08:40:50 | 000,217,088 | ---- | M] () -- C:\RMS\wrapper.exe
PRC - [2007/12/11 11:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2007/09/24 08:30:28 | 000,135,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\RMS\jre\bin\java.exe
PRC - [2007/06/13 02:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/18 18:07:00 | 001,152,512 | ---- | M] (Aestan Software) -- C:\wamp\wampmanager.exe
PRC - [2006/06/30 18:56:08 | 000,065,536 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2002/10/11 14:32:30 | 000,065,536 | ---- | M] () -- C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
PRC - [2000/08/18 11:08:58 | 008,550,400 | ---- | M] (Macromedia, Inc.) -- C:\Program Files\Macromedia\Flash 5\Flash.exe


========== Modules (SafeList) ==========

MOD - [2010/03/04 10:40:27 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wolfe\Desktop\OTL.exe
MOD - [2006/08/25 07:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/02 19:28:09 | 002,462,256 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3648.dll -- (Akamai)
SRV - [2009/09/30 10:36:23 | 000,263,504 | ---- | M] (eAcceleration Corp) [Auto | Running] -- C:\Program Files\eAcceleration\Framework\eac_productsvc.exe -- (eac_productsvc)
SRV - [2009/08/05 10:41:41 | 000,324,952 | ---- | M] (eAcceleration Corp) [Auto | Running] -- C:\Program Files\StopSign\Firewall\FWService.exe -- (FWService)
SRV - [2009/08/05 09:54:42 | 000,113,920 | ---- | M] (eAcceleration Corp) [Auto | Running] -- C:\Program Files\eAcceleration\Framework\eac_svc.exe -- (sstsmonsvc)
SRV - [2009/08/05 09:54:42 | 000,113,920 | ---- | M] (eAcceleration Corp) [Auto | Running] -- C:\Program Files\eAcceleration\Framework\eac_svc.exe -- (ssfwmonsvc)
SRV - [2009/08/05 09:54:42 | 000,113,920 | ---- | M] (eAcceleration Corp) [Auto | Running] -- C:\Program Files\eAcceleration\Framework\eac_svc.exe -- (eac_notifysvc)
SRV - [2009/03/16 13:29:28 | 006,562,432 | ---- | M] () [On_Demand | Running] -- c:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe -- (wampmysqld)
SRV - [2008/12/10 01:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) [On_Demand | Running] -- c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe -- (wampapache)
SRV - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/17 08:40:50 | 000,217,088 | ---- | M] () [Auto | Running] -- C:\RMS\wrapper.exe -- (Red5)
SRV - [2007/12/11 11:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/06/30 18:56:08 | 000,065,536 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)


========== Driver Services (SafeList) ==========

DRV - [2009/08/06 22:42:36 | 001,053,056 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CAMTHWDM.sys -- (CAMTHWDM)
DRV - [2009/08/05 10:41:47 | 000,109,536 | ---- | M] (eAcceleration Corp) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\fwcore.sys -- (fwcore)
DRV - [2009/04/06 13:19:46 | 000,023,064 | ---- | M] (Screaming Bee LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ScreamingBAudio.sys -- (SCREAMINGBDRIVER)
DRV - [2008/12/26 12:56:04 | 000,017,792 | ---- | M] (Avnex) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vcsvad.sys -- (VCSVADHWSer) Avnex Virtual Audio Device (WDM)
DRV - [2008/05/20 17:53:00 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/02/25 12:29:00 | 006,867,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/01/29 12:37:48 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/01/29 12:37:46 | 000,054,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/01/25 20:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvgts.sys -- (nvgts)
DRV - [2008/01/07 16:54:50 | 001,202,560 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2007/10/02 04:06:40 | 000,451,968 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2007/04/21 06:15:42 | 000,009,344 | ---- | M] (Hajo Krabbenhöft) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tenCapture.sys -- (tenCapture)
DRV - [2007/01/19 04:07:03 | 000,013,184 | ---- | M] (Xponaut) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xpntwbd.sys -- (Xponaut_WBD) Xponaut WaveBridge Device (WDM)
DRV - [2005/10/12 12:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2005/01/07 17:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 11:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 11:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 11:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 11:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 11:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 11:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 11:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 11:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 11:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 11:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 11:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 11:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 11:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 11:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 11:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/03 15:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 15:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2002/10/01 14:43:32 | 000,119,798 | ---- | M] (SP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SPCA561.SYS -- (CA561) ICatch (VI)
DRV - [2001/08/17 04:10:58 | 000,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3392028434-1750007579-270867441-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-3392028434-1750007579-270867441-1007\S-1-5-21-3392028434-1750007579-270867441-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-i3752"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-i3752"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.63
FF - prefs.js..keyword.URL: ""


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/24 02:36:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/19 19:32:06 | 000,000,000 | ---D | M]

[2010/01/11 00:52:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wolfe\Application Data\Mozilla\Extensions
[2010/03/02 16:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\extensions
[2010/01/18 18:53:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}(2)
[2010/01/12 04:40:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\extensions\{8ea9957e-2953-402f-80e0-bceb5f169d6f}
[2010/02/13 03:56:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/02/10 19:50:15 | 000,002,424 | ---- | M] () -- C:\Documents and Settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\searchplugins\askcom.xml
[2010/01/23 17:25:41 | 000,001,201 | ---- | M] () -- C:\Documents and Settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\searchplugins\winamp-search.xml
[2010/03/01 07:59:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 11:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\Program Files\StopSign\PopupBlocker\sspopupblocker.dll (eAcceleration Corp )
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKU\S-1-5-21-3392028434-1750007579-270867441-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OnAccess] C:\Program Files\StopSign\OnAccess\onaccess.exe (eAcceleration Corp)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SoftwareStation] C:\Program Files\eAcceleration\Station\station.exe (eAcceleration Corp)
O4 - HKLM..\Run: [StopSignPopupBlocker] C:\Program Files\StopSign\PopupBlocker\sspopupblockerctrl.exe (eAcceleration Corp )
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WebcammaxMoniter] C:\Program Files\WebcamMax\wcmmon.exe ()
O4 - HKLM..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe (eAcceleration Corp)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\start WampServer.lnk = C:\wamp\wampmanager.exe (Aestan Software)
O4 - Startup: C:\Documents and Settings\Wolfe\Start Menu\Programs\Startup\Ray Multimedia Server.lnk = C:\RMS\start_service.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3392028434-1750007579-270867441-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\Program Files\StopSign\PopupBlocker\sspopupblocker.dll (eAcceleration Corp )
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {42DD0873-5FA9-465D-90DE-0826020416A5} - C:\Program Files\StopSign\OnAccess\onaccess_hk32.dll (eAcceleration Corp)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 16:38:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c1016ab2-fe27-11de-91e7-98fe3944e59d}\Shell - "" = AutoRun
O33 - MountPoints2\{c1016ab2-fe27-11de-91e7-98fe3944e59d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c1016ab2-fe27-11de-91e7-98fe3944e59d}\Shell\AutoRun\command - "" = F:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/04 10:40:25 | 000,552,960 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Wolfe\Desktop\OTL.exe
[2010/03/01 19:48:59 | 000,000,000 | ---D | C] -- C:\gyoyo
[2010/02/26 17:54:46 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Wolfe\UserData
[2010/02/24 04:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DirectX
[2010/02/24 03:54:06 | 000,000,000 | ---D | C] -- C:\AeriaGames
[2010/02/22 05:00:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\Songs
[2010/02/21 01:55:55 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2010/02/19 19:45:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2010/02/19 19:35:16 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player
[2010/02/19 18:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\Adobe CS4
[2010/02/19 18:31:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai
[2010/02/19 17:57:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Local Settings\Application Data\Macromedia
[2010/02/19 17:50:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Macromedia
[2010/02/19 17:50:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macromedia
[2010/02/19 17:43:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Wolfe\My Documents\Copy of My Pictures
[2010/02/19 16:41:21 | 000,080,880 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise.exe
[2010/02/19 04:03:49 | 000,000,000 | ---D | C] -- C:\ImageOutput
[2010/02/19 04:03:49 | 000,000,000 | ---D | C] -- C:\Program Files\Easy Graphic Converter
[2010/02/19 03:58:42 | 000,000,000 | ---D | C] -- C:\Multimedia Files
[2010/02/19 03:58:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft GIF Animator
[2010/02/19 03:47:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\makegif
[2010/02/18 06:35:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\FLASH
[2010/02/17 21:13:43 | 000,000,000 | ---D | C] -- C:\Program Files\Macromedia
[2010/02/17 21:12:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\Flash 4 Keygen
[2010/02/16 09:41:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/02/15 13:18:11 | 000,000,000 | ---D | C] -- C:\Program Files\FunWebProducts
[2010/02/15 00:07:12 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2010/02/15 00:07:12 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2010/02/15 00:07:12 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2010/02/15 00:07:11 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2010/02/15 00:07:11 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[2010/02/15 00:07:10 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2010/02/15 00:07:10 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2010/02/15 00:07:09 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2010/02/15 00:07:09 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2010/02/15 00:07:09 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2010/02/15 00:07:08 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2010/02/15 00:07:08 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2010/02/15 00:07:08 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2010/02/15 00:07:07 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2010/02/15 00:07:07 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2010/02/15 00:07:07 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2010/02/15 00:07:06 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2010/02/15 00:07:06 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2010/02/15 00:07:06 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2010/02/15 00:07:05 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2010/02/15 00:07:05 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2010/02/15 00:07:05 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2010/02/15 00:07:04 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2010/02/15 00:07:04 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2010/02/15 00:07:04 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2010/02/15 00:07:04 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2010/02/15 00:07:03 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2010/02/15 00:07:03 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2010/02/15 00:07:03 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2010/02/15 00:07:02 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2010/02/15 00:07:01 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2010/02/15 00:07:01 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2010/02/15 00:07:01 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2010/02/15 00:07:01 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2010/02/15 00:07:00 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2010/02/15 00:07:00 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2010/02/15 00:07:00 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2010/02/15 00:06:59 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2010/02/15 00:06:59 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2010/02/15 00:06:58 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2010/02/15 00:06:58 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2010/02/15 00:06:58 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2010/02/15 00:06:57 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2010/02/15 00:06:57 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2010/02/15 00:06:56 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2010/02/15 00:06:56 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2010/02/15 00:06:55 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2010/02/15 00:06:55 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2010/02/15 00:06:54 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2010/02/15 00:06:54 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2010/02/15 00:06:54 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2010/02/15 00:06:53 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2010/02/15 00:06:53 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2010/02/15 00:06:53 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2010/02/15 00:06:53 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2010/02/15 00:06:52 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2010/02/15 00:06:49 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2010/02/15 00:06:48 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2010/02/15 00:06:45 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2010/02/15 00:06:45 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2010/02/15 00:06:40 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2010/02/15 00:06:39 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2010/02/15 00:06:39 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2010/02/15 00:06:38 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2010/02/15 00:06:37 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2010/02/15 00:06:37 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2010/02/15 00:06:37 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2010/02/15 00:06:36 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2010/02/15 00:06:36 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2010/02/15 00:06:35 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2010/02/15 00:06:35 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2010/02/15 00:06:32 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2010/02/15 00:06:31 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2010/02/15 00:06:31 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2010/02/15 00:06:30 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2010/02/15 00:06:29 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2010/02/15 00:06:29 | 000,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2010/02/15 00:06:28 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2010/02/15 00:06:27 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2010/02/15 00:06:26 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2010/02/15 00:06:23 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2010/02/15 00:02:01 | 000,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2010/02/15 00:01:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\My Documents\Sparkplay Media
[2010/02/14 20:46:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/02/14 20:46:49 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/02/14 14:17:58 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/02/14 14:17:58 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/02/14 13:41:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\My Documents\My Received Files
[2010/02/14 13:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Tracing
[2010/02/14 13:38:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/02/14 13:37:59 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2010/02/14 13:37:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/02/14 13:35:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2010/02/14 12:22:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\Twilights' Vail
[2010/02/10 19:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WebcamMax
[2010/02/10 19:22:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Application Data\WebcamMax
[2010/02/10 19:14:29 | 000,000,000 | ---D | C] -- C:\Program Files\WebcamMax
[2010/02/09 17:11:40 | 000,000,000 | ---D | C] -- C:\Program Files\Image Grabber II
[2010/02/09 16:10:32 | 000,000,000 | ---D | C] -- C:\Program Files\Photobie
[2010/02/07 14:19:59 | 005,689,344 | ---- | C] (Gabest) -- C:\Documents and Settings\Wolfe\Desktop\mplayerc.exe
[2010/02/05 21:48:07 | 000,000,000 | ---D | C] -- C:\Program Files\CamStudio
[2010/02/05 19:56:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\My Documents\ScreenCapture
[2010/02/05 19:55:20 | 000,000,000 | ---D | C] -- C:\Program Files\ScreenPrint32 v3
[2010/02/05 19:55:09 | 000,249,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\Setup1.exe
[2010/02/05 19:55:01 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\ST6UNST.EXE
[2010/02/05 19:54:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\New Folder
[2010/02/05 15:16:33 | 000,000,000 | ---D | C] -- C:\Program Files\Desktop Screen Record 5
[2010/02/05 11:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Application Data\Media Player Classic
[2010/02/04 20:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\My Documents\FrostWire
[2010/02/04 20:24:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Application Data\FrostWire
[2010/02/04 20:24:13 | 000,000,000 | ---D | C] -- C:\Program Files\FrostWire
[2010/02/04 17:53:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Application Data\FileZilla
[2010/02/04 17:53:28 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2010/02/04 16:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Application Data\SmartFTP
[2010/02/04 16:04:20 | 000,000,000 | ---D | C] -- C:\Program Files\SmartFTP Client
[2010/02/04 16:03:57 | 000,000,000 | ---D | C] -- C:\Program Files\SmartFTP Client 4.0 Setup Files
[2010/02/04 15:41:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/02/04 15:41:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/04 15:41:16 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/02/04 15:41:16 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/04 15:41:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/04 15:41:16 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/04 15:41:15 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/04 15:40:07 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/02/04 15:39:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Application Data\Sun
[2010/02/04 14:31:12 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Digital Image 2006
[2010/02/04 13:52:05 | 000,368,139 | ---- | C] ( ) -- C:\Documents and Settings\Wolfe\Desktop\WatermarkImageSetup.exe
[2010/02/04 13:32:48 | 000,000,000 | ---D | C] -- C:\Program Files\Andromeda
[2010/02/04 12:45:12 | 000,000,000 | ---D | C] -- C:\Program Files\EasySector
[2010/02/04 12:28:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\My Documents\watermarked
[2010/02/04 12:20:20 | 000,000,000 | ---D | C] -- C:\Program Files\PMlabs
[2010/02/02 14:59:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wolfe\Desktop\GT Test
[2010/01/15 03:40:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/13 01:40:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/10 12:38:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ServiceTest
[2006/05/06 16:41:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/05/06 16:38:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/04 10:40:27 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wolfe\Desktop\OTL.exe
[2010/03/04 10:33:00 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/03/03 00:01:20 | 000,004,952 | ---- | M] () -- C:\grab00000.jpg
[2010/03/02 23:50:23 | 000,509,930 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/02 23:50:23 | 000,092,662 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/02 23:50:22 | 000,613,638 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/02 23:46:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 23:45:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/02 23:45:58 | 937,938,944 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/02 23:04:42 | 004,194,304 | ---- | M] () -- C:\Documents and Settings\Wolfe\NTUSER.DAT
[2010/02/28 17:34:49 | 000,000,058 | ---- | M] () -- C:\Documents and Settings\Wolfe\Desktop\Manage Boards.URL
[2010/02/25 08:16:08 | 000,164,864 | ---- | M] () -- C:\Documents and Settings\Wolfe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/24 04:00:11 | 000,001,594 | ---- | M] () -- C:\Documents and Settings\Wolfe\Desktop\Play Grand Fantasia.lnk
[2010/02/24 03:27:21 | 000,146,887 | ---- | M] () -- C:\Documents and Settings\Wolfe\Desktop\GrandFantasia_Install_20091202_csd.exe
[2010/02/17 21:15:08 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/17 12:33:15 | 000,200,144 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/16 18:06:23 | 000,104,626 | ---- | M] () -- C:\Documents and Settings\Wolfe\Desktop\eversave pasta recipes.pdf
[2010/02/14 13:38:58 | 000,050,880 | ---- | M] () -- C:\Documents and Settings\Wolfe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/12 22:45:56 | 000,029,524 | ---- | M] () -- C:\Documents and Settings\Wolfe\Desktop\dontlaugh.jpg
[2010/02/09 08:32:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/06 01:45:14 | 000,001,093 | ---- | M] () -- C:\Documents and Settings\Wolfe\Desktop\stickam.html
[2010/02/05 19:55:09 | 000,249,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Setup1.exe
[2010/02/05 19:55:01 | 000,073,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ST6UNST.EXE
[2010/02/05 19:54:24 | 000,000,303 | ---- | M] () -- C:\WINDOWS\ST6UNST.000
[2010/02/04 15:40:32 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/04 15:40:32 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/04 15:40:31 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/04 15:40:31 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/04 15:40:30 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/02/04 14:54:19 | 000,000,442 | ---- | M] () -- C:\Documents and Settings\Wolfe\Desktop\Shortcut to gt.lnk
[2010/02/04 13:32:37 | 000,000,073 | ---- | M] () -- C:\default.wmi
[2010/02/04 13:31:54 | 000,000,083 | ---- | M] () -- C:\WatermarkImage.ini
[2010/02/04 12:38:37 | 000,001,409 | ---- | M] () -- C:\Documents and Settings\Wolfe\My Documents\Big.wpf
[2010/02/04 10:01:14 | 000,528,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2010/02/04 10:01:14 | 000,238,936 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2010/02/04 10:01:14 | 000,074,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2010/02/04 10:01:14 | 000,022,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/01 10:17:44 | 000,001,594 | ---- | C] () -- C:\Documents and Settings\Wolfe\Desktop\Play Grand Fantasia.lnk
[2010/02/28 17:34:49 | 000,000,058 | ---- | C] () -- C:\Documents and Settings\Wolfe\Desktop\Manage Boards.URL
[2010/02/24 03:27:20 | 000,146,887 | ---- | C] () -- C:\Documents and Settings\Wolfe\Desktop\GrandFantasia_Install_20091202_csd.exe
[2010/02/16 18:06:23 | 000,104,626 | ---- | C] () -- C:\Documents and Settings\Wolfe\Desktop\eversave pasta recipes.pdf
[2010/02/12 22:45:56 | 000,029,524 | ---- | C] () -- C:\Documents and Settings\Wolfe\Desktop\dontlaugh.jpg
[2010/02/10 19:14:58 | 001,053,056 | ---- | C] () -- C:\WINDOWS\System32\drivers\CAMTHWDM.sys
[2010/02/09 08:32:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/07 16:31:20 | 000,004,952 | ---- | C] () -- C:\grab00000.jpg
[2010/02/06 01:15:30 | 000,001,093 | ---- | C] () -- C:\Documents and Settings\Wolfe\Desktop\stickam.html
[2010/02/05 19:54:24 | 000,000,303 | ---- | C] () -- C:\WINDOWS\ST6UNST.000
[2010/02/04 14:54:19 | 000,000,442 | ---- | C] () -- C:\Documents and Settings\Wolfe\Desktop\Shortcut to gt.lnk
[2010/02/04 13:32:37 | 000,000,073 | ---- | C] () -- C:\default.wmi
[2010/02/04 13:31:54 | 000,000,083 | ---- | C] () -- C:\WatermarkImage.ini
[2010/02/04 12:38:37 | 000,001,409 | ---- | C] () -- C:\Documents and Settings\Wolfe\My Documents\Big.wpf
[2010/01/27 16:42:02 | 000,014,385 | ---- | C] () -- C:\WINDOWS\Tw561a.ini
[2010/01/27 16:42:02 | 000,000,180 | ---- | C] () -- C:\WINDOWS\ap561.ini
[2010/01/27 16:42:02 | 000,000,081 | ---- | C] () -- C:\WINDOWS\Setup8a.ini
[2010/01/15 04:58:27 | 000,000,170 | ---- | C] () -- C:\WINDOWS\VPersonality.INI
[2010/01/14 09:23:19 | 008,673,792 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/01/13 01:53:37 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/01/11 03:35:21 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/01/10 13:48:20 | 000,164,864 | ---- | C] () -- C:\Documents and Settings\Wolfe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/25 12:29:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/02/25 12:29:00 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/02/25 12:29:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/02/25 12:29:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/02/25 12:29:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/30 22:01:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/06 16:24:27 | 000,000,431 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/05/06 16:24:27 | 000,000,358 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
< End of report >

Extras.txt

OTL Extras logfile created on: 3/4/2010 10:40:47 AM - Run 1
OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\Wolfe\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 111.00 Mb Available Physical Memory | 12.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 46.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.00 Gb Free Space | 69.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: Wolfe
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3392028434-1750007579-270867441-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = 80:TCP:*:Enabled:wamp
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1043:TCP" = 1043:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\wamp\bin\apache\Apache2.2.11\bin\httpd.exe" = C:\wamp\bin\apache\Apache2.2.11\bin\httpd.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Program Files\Emerald Viewer\SLVoice.exe" = C:\Program Files\Emerald Viewer\SLVoice.exe:*:Enabled:SLVoice -- ()
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\SmartFTP Client\SmartFTP.exe" = C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 4.0 -- (SmartSoft Ltd.)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\SasCam_free\SasCam_free.exe" = C:\Program Files\SasCam_free\SasCam_free.exe:*:Disabled:SasCam Video Server -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{204D48C5-6231-4955-83EC-623DCB437FD9}_is1" = Emerald Viewer 1.23.5.1101
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A6829EF-0791-4FDD-9382-C690DD0821B9}" = Adobe Flash Player 10 ActiveX
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{49F09453-8205-48CF-ADE6-29CE6B509669}" = SmartFTP Client
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4C93C363-414E-11D4-9756-00C04F8EEB39}" = Macromedia Flash 5
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{5D95AD35-368F-47D5-B63A-A082DDF00116}" = Microsoft Digital Image Standard 2006 Editor
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{691F4068-81BF-49E3-B32E-FE3E16400112}" = Microsoft Digital Image Standard 2006 Library
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{885A63EA-382B-4DD4-A755-14809B8557D6}" = Macromedia Flash Player 8
"{8AD2CC46-F48D-4b79-B21C-39CE163CA3CB}}_is1" = WinWAP for Windows 4.2
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C34FAEF3-4241-4C4E-9CFF-7BBD8BCEABE7}" = WebEx Support Manager for Internet Explorer
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{EB5F211D-85D5-44C4-BB15-1207C77EF430}" = Visual C++ 8.0 Runtime Setup Package
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EED50C97-C79E-4149-BD82-7C5A22437708}" = Adobe Setup
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}" = ICatch (VI) PC Camera
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_a68eec966ce913ddaa63251dc82ed31" = Adobe Flash CS4 Professional
"Agere Systems Soft Modem" = Agere Systems PCI-SV92EX Soft Modem
"Akamai" = Akamai NetSession Interface
"Audacity_is1" = Audacity 1.2.6
"AV Voice Changer Software DIAMOND 6.0" = AV Voice Changer Software DIAMOND 6.0
"Avimator" = Avimator (remove only)
"Batch Photo Watermarker_is1" = Batch Photo Watermarker 3.3
"Ca561 PC Camera" = ICatch (VI) PC Camera
"CamStudio" = CamStudio
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"EaccelSetup" = StopSign Internet Security
"Easy Graphic Converter 1.2_is1" = Easy Graphic Converter 1.2
"FileZilla Client" = FileZilla Client 3.3.1
"FrostWire" = FrostWire 4.18.6
"GIF Animator" = Microsoft GIF Animator
"Grand Fantasia" = Grand Fantasia
"HijackThis" = HijackThis 2.0.2
"Image Grabber II" = Image Grabber II
"jZip" = jZip
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.6.1 (Standard)
"Macromedia Flash 4" = Macromedia Flash 4
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"OpenMetaverse" = OpenMetaverse 0.7.0 (build 20533)
"PictureItPrem_v11" = Microsoft Digital Image Standard 2006
"RMS" = RMS (remove only)
"SmartFTP Client 4.0 Setup Files" = SmartFTP Client 4.0 Setup Files (remove only)
"ST6UNST #1" = ScreenPrint32 v3.5
"WampServer 2_is1" = WampServer 2.0
"Watermark Image_is1" = Watermark Image software version 1.1.0.0
"waterMark V2" = waterMark V2
"WebcamMax" = WebcamMax
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3392028434-1750007579-270867441-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Sparkplayer (Beta)" = Sparkplayer (Beta)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/15/2010 4:04:43 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spark.exe, version 0.8.4.0, faulting module libplayer.dll,
version 0.0.0.0, fault address 0x00017a3d.

Error - 2/17/2010 3:26:28 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3642, faulting module
npswf32.dll, version 10.0.42.34, fault address 0x0013cb08.

Error - 2/18/2010 3:45:35 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3642, faulting module
unknown, version 0.0.0.0, fault address 0x01011e96.

Error - 2/19/2010 3:30:15 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x00f51d54.

Error - 2/19/2010 3:30:29 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 2/19/2010 9:50:56 PM | Computer Name = HOME | Source = MsiInstaller | ID = 11904
Description = Product: Macromedia Flash Player 8 -- Error 1904.Module C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
failed to register. HRESULT -2147220473. Contact your support personnel.

Error - 2/19/2010 9:51:30 PM | Computer Name = HOME | Source = MsiInstaller | ID = 11719
Description = Product: Macromedia Flash 8 -- Error 1719.The Windows Installer Service
could not be accessed. This can occur if you are running Windows in safe mode,
or if the Windows Installer is not correctly installed. Contact your support personnel
for assistance.

Error - 2/19/2010 9:51:36 PM | Computer Name = HOME | Source = MsiInstaller | ID = 11719
Description = Product: Macromedia Flash 8 -- Error 1719.The Windows Installer Service
could not be accessed. This can occur if you are running Windows in safe mode,
or if the Windows Installer is not correctly installed. Contact your support personnel
for assistance.

Error - 2/21/2010 2:51:11 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x02571d54.

Error - 2/24/2010 6:36:13 AM | Computer Name = HOME | Source = MsiInstaller | ID = 11905
Description = Product: Ask Toolbar -- Error 1905.Module C:\Program Files\Ask.com\GenericAskToolbar.dll
failed to unregister. HRESULT -2147220472. Contact your support personnel.

[ System Events ]
Error - 2/28/2010 2:12:23 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 2/28/2010 3:06:05 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 2/28/2010 3:06:44 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/1/2010 1:27:17 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 3/1/2010 12:07:16 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/1/2010 8:27:24 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 3/1/2010 8:31:53 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 3/3/2010 3:05:36 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 3/3/2010 3:46:18 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2

Error - 3/3/2010 3:46:57 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).


< End of report >


#4 myrti (Sillyberry; Malware Study Hall Admin; 33,770 posts)

Posted 05 March 2010 - 12:37 PM

Hi,

please run a scan with GMER (gmer.net):
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 wolfetundra (Topic Starter; Members; 21 posts)

Posted 06 March 2010 - 01:53 PM

Here is my gmer doc

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-06 10:52:18
Windows 5.1.2600 Service Pack 2
Running: wohh6c2z.exe; Driver: C:\DOCUME~1\Wolfe\LOCALS~1\Temp\pxtdipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\nvgts.sys entry point in ".rsrc" section [0xF71BC000]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5FCE360, 0x30AF87, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F706E52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F706E52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F706E52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F706E52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F706E52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F706E52A] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \Driver\Tcpip \Device\Tcp fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \Driver\Tcpip \Device\Udp fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
AttachedDevice \Driver\Tcpip \Device\RawIp fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}@iahmfobjlldgbonohl 0x69 0x61 0x6A 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}@habopncoakeoekkh 0x69 0x61 0x6A 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}@fahmglaklfkb 0x67 0x61 0x63 0x64 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvgts.sys suspicious modification

---- EOF - GMER 1.0.15 ----
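As an added example (not code from GMER, and not from any post in this thread), the script below reads a GMER log of the shape posted above and produces the triage a helper does by eye: it collapses the 27 IAT lines into one fact per hooking module (here fwcore.sys, which GMER attributes to the StopSign firewall), and pulls out the indicators that carry weight: a driver whose entry point sits in its .rsrc section, the same driver reported as a suspicious modification, and registry values with random-looking names under Shell Extensions\Approved. The embedded log excerpt is constructed to mirror the posted log; the severity labels, the reading of GMER's Registry section as hidden entries, and the random-name heuristic are this example's assumptions, not GMER output.

```python
"""Triage a GMER log: group IAT hooks by the module that set them and surface the
indicators a helper reads first. Added example for this thread, not GMER's code;
the excerpt is constructed to mirror the posted log, and the severity labels and
the random-name heuristic are this example's assumptions."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\nvgts.sys entry point in ".rsrc" section [0xF71BC000]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5FCE360, 0x30AF87, 0xE8000020]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F706E262] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F706E2B8] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F706E500] fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp fwcore.sys (StopSign Firewall Filter Driver/eAcceleration Corp)
---- Registry - GMER 1.0.15 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}@iahmfobjlldgbonohl 0x69 0x61 0x6A 0x68 ...
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\nvgts.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
CODE_RE = re.compile(r"^(\.\w+)\s+(.+?\.(?:sys|dll|exe))\s+(.+?)\s+\[")
IAT_RE = re.compile(r"^IAT (.+?)\[([^!\]]+)!([^\]]+)\] \[([0-9A-Fa-f]+)\] (\S+)(?: \((.*)\))?$")
DEV_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+)(?: \((.*)\))?$")
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

def parse_sections(text):
    """Split the log into {section name: [non-empty lines]}."""
    sections, current = defaultdict(list), "Header"
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line:
            sections[current].append(line)
    return dict(sections)

def hook_summary(sections):
    """Group IAT hooks by hooking module: the 27 lines from one firewall driver are one fact."""
    hooks = defaultdict(lambda: {"publisher": None, "victims": set(), "apis": set()})
    for m in filter(None, map(IAT_RE.match, sections.get("Kernel IAT/EAT", []))):
        victim, module, func, _addr, hooker, publisher = m.groups()
        entry = hooks[hooker.lower()]
        entry["publisher"] = publisher
        entry["victims"].add(victim.rsplit("\\", 1)[-1].lower())
        entry["apis"].add(f"{module}!{func}")
    return dict(hooks)

def looks_random(name):
    """Assumed heuristic: long, all-lowercase alphabetic value names are rarely human-chosen."""
    return name.isalpha() and name.islower() and len(name) >= 10

def analyse(text):
    """Return [(severity, message)] with the strongest indicators first."""
    sections, findings, patched = parse_sections(text), [], set()
    for m in filter(None, map(CODE_RE.match, sections.get("Kernel code sections", []))):
        _section, path, what = m.groups()
        if 'entry point in ".rsrc"' in what:
            # no compiler emits DriverEntry inside the resource section: the file on
            # disk was patched, and the Files section names the same driver
            patched.add(path.rsplit("\\", 1)[-1].lower())
            findings.append(("HIGH", f"{path}: entry point inside the resource section"))
        elif "writeable" in what:
            findings.append(("LOW", f"{path}: {what} (common on video drivers; verify the hash)"))
    for hooker, h in hook_summary(sections).items():
        findings.append(("INFO" if h["publisher"] else "MEDIUM",
                         f"{hooker} hooks {len(h['apis'])} imports in {len(h['victims'])} drivers "
                         f"(publisher: {h['publisher'] or 'none reported'})"))
    for m in filter(None, map(DEV_RE.match, sections.get("Devices", []))):
        _driver, device, module, publisher = m.groups()
        findings.append(("INFO" if publisher else "MEDIUM",
                         f"{module} attached to {device} (publisher: {publisher or 'none reported'})"))
    for line in sections.get("Registry", []):
        # GMER lists here keys/values its raw hive read sees but the registry API does not
        key, _, tail = line[len("Reg "):].partition("@")
        value, _, data = tail.partition(" ")
        msg = f"hidden registry entry {key}"
        if value:  # value data is printed as hex bytes; decode the visible ones
            shown = bytes(int(t, 16) for t in data.split() if t.startswith("0x"))
            msg += f" @{value} = {shown.decode('latin-1')!r}"
            msg += " (random-looking value name)" if looks_random(value) else ""
        findings.append(("MEDIUM", msg))
    for line in sections.get("Files", []):
        if line.endswith(" suspicious modification"):
            path = line[len("File "):-len(" suspicious modification")]
            tag = ", entry point also in .rsrc" if path.rsplit("\\", 1)[-1].lower() in patched else ""
            findings.append(("HIGH", f"{path}: suspicious modification{tag}"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])

if __name__ == "__main__":
    for sev, msg in analyse(SAMPLE_LOG):
        print(f"[{sev:6}] {msg}")
```

Run it directly to print the triage for the embedded excerpt, or pass the text of a saved gmer.log to analyse(). The "section is writeable" line for nv4_mini.sys is deliberately ranked LOW: GMER reports it on legitimate NVIDIA drivers too, and on its own it says little. What a helper weighs is the .rsrc entry point and the "suspicious modification" report on the same file, plus the hidden value names under Shell Extensions\Approved whose data decodes to more random letters. The IAT hooks and the attached devices all trace to fwcore.sys with a publisher string, which is what a software firewall looks like in GMER; they are listed, not flagged.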


#6 myrti (Sillyberry; Malware Study Hall Admin; 33,770 posts)

Posted 06 March 2010 - 03:29 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#7 wolfetundra (Topic Starter; Members; 21 posts)

Posted 06 March 2010 - 04:11 PM

I ran the cleaner. Below is the log.

ComboFix 10-03-06.01 - Wolfe 03/06/2010 13:02:20.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.472 [GMT -8:00]
Running from: c:\documents and settings\Wolfe\Desktop\ComboFix.exe
AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\recycler\S-1-5-21-4127911293-3960565976-3041084174-1003
c:\windows\msa.exe
c:\windows\system32\Ijl11.dll
c:\windows\system32\spool\prtprocs\w32x86\000013ea.tmp
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-05 20:16 . 2010-03-05 20:16 -------- d-----w- C:\gmer
2010-02-27 01:54 . 2010-02-27 01:54 -------- d-s---w- c:\documents and settings\Wolfe\UserData
2010-02-24 12:09 . 2010-02-24 12:09 -------- d-----w- c:\program files\Common Files\DirectX
2010-02-24 11:54 . 2010-02-24 11:54 -------- d-----w- C:\AeriaGames
2010-02-21 09:55 . 2010-02-21 09:55 -------- d-----w- c:\program files\Audacity
2010-02-20 03:45 . 2010-02-20 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-02-20 03:35 . 2010-02-20 03:35 -------- d-----w- c:\program files\Adobe Media Player
2010-02-20 02:31 . 2010-03-06 21:08 -------- d-----w- c:\program files\Common Files\Akamai
2010-02-20 02:27 . 2010-02-20 02:27 1923880 ----a-w- c:\documents and settings\Wolfe\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-02-20 01:57 . 2010-02-20 02:03 -------- d-----w- c:\documents and settings\Wolfe\Local Settings\Application Data\Macromedia
2010-02-20 01:50 . 2010-02-20 01:50 45056 ----a-r- c:\documents and settings\Wolfe\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2010-02-20 01:50 . 2010-02-20 06:26 -------- d-----w- c:\program files\Common Files\Macromedia
2010-02-20 00:41 . 2000-08-11 05:23 80880 ----a-w- c:\windows\unvise.exe
2010-02-19 12:03 . 2010-02-19 12:03 -------- d-----w- c:\program files\Easy Graphic Converter
2010-02-19 12:03 . 2010-02-19 12:03 -------- d-----w- C:\ImageOutput
2010-02-19 11:58 . 2010-02-19 11:58 -------- d-----w- C:\Multimedia Files
2010-02-19 11:58 . 2010-02-19 11:58 -------- d-----w- c:\program files\Microsoft GIF Animator
2010-02-18 05:13 . 2010-02-20 06:30 -------- d-----w- c:\program files\Macromedia
2010-02-16 17:41 . 2010-02-16 17:41 -------- d-----w- c:\windows\Sun
2010-02-15 08:06 . 2008-03-06 00:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2010-02-15 08:02 . 2010-02-15 08:05 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-15 04:46 . 2010-02-15 04:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-15 04:46 . 2010-02-15 04:47 -------- d-----w- c:\program files\DivX
2010-02-14 22:17 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-14 22:17 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-14 21:39 . 2010-02-14 21:39 -------- d-----w- c:\documents and settings\Wolfe\Tracing
2010-02-14 21:37 . 2010-02-14 21:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-14 21:37 . 2010-02-14 21:38 -------- d-----w- c:\program files\Windows Live
2010-02-14 21:35 . 2010-02-14 21:35 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-11 03:29 . 2010-02-11 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WebcamMax
2010-02-11 03:22 . 2010-02-11 03:29 -------- d-----w- c:\documents and settings\Wolfe\Application Data\WebcamMax
2010-02-11 03:14 . 2009-08-07 06:42 1053056 ----a-w- c:\windows\system32\drivers\CAMTHWDM.sys
2010-02-11 03:14 . 2010-02-11 03:41 -------- d-----w- c:\program files\WebcamMax
2010-02-10 01:11 . 2010-02-10 01:11 -------- d-----w- c:\program files\Image Grabber II
2010-02-10 00:10 . 2010-02-10 09:16 -------- d-----w- c:\program files\Photobie
2010-02-09 16:32 . 2010-02-09 16:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-06 05:48 . 2010-02-08 12:35 -------- d-----w- c:\program files\CamStudio
2010-02-06 03:55 . 2010-02-06 03:55 -------- d-----w- c:\program files\ScreenPrint32 v3
2010-02-06 03:55 . 2010-02-06 03:55 249856 ------w- c:\windows\Setup1.exe
2010-02-06 03:55 . 2010-02-06 03:55 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-05 23:16 . 2010-02-07 19:28 -------- d-----w- c:\program files\Desktop Screen Record 5
2010-02-05 19:04 . 2010-02-05 19:04 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Media Player Classic
2010-02-05 04:38 . 2010-02-05 04:38 0 ----a-w- c:\documents and settings\Wolfe\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-02-05 04:24 . 2010-02-18 08:32 -------- d-----w- c:\documents and settings\Wolfe\Application Data\FrostWire
2010-02-05 04:24 . 2010-02-05 04:24 -------- d-----w- c:\program files\FrostWire
2010-02-05 01:53 . 2010-02-05 02:54 -------- d-----w- c:\documents and settings\Wolfe\Application Data\FileZilla
2010-02-05 01:53 . 2010-02-05 01:53 -------- d-----w- c:\program files\FileZilla FTP Client
2010-02-05 00:05 . 2010-02-05 00:05 -------- d-----w- c:\documents and settings\Wolfe\Application Data\SmartFTP
2010-02-05 00:04 . 2010-02-05 00:04 -------- d-----w- c:\program files\SmartFTP Client
2010-02-05 00:03 . 2010-02-05 00:03 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2010-02-04 23:41 . 2010-02-04 23:41 503808 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62ffe056-n\msvcp71.dll
2010-02-04 23:41 . 2010-02-04 23:41 499712 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62ffe056-n\jmc.dll
2010-02-04 23:41 . 2010-02-04 23:41 348160 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62ffe056-n\msvcr71.dll
2010-02-04 23:41 . 2010-02-04 23:41 61440 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5b82b5aa-n\decora-sse.dll
2010-02-04 23:41 . 2010-02-04 23:41 12800 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5b82b5aa-n\decora-d3d.dll
2010-02-04 23:41 . 2010-02-04 23:41 -------- d-----w- c:\program files\Common Files\Java
2010-02-04 23:41 . 2010-02-04 23:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-04 23:40 . 2010-02-04 23:40 -------- d-----w- c:\program files\Java
2010-02-04 22:31 . 2010-02-04 22:35 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-02-04 21:32 . 2010-02-04 21:32 -------- d-----w- c:\program files\Andromeda

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 01:50 . 2010-01-16 12:51 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-20 06:09 . 2010-01-10 21:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 21:38 . 2010-01-10 20:37 50880 ----a-w- c:\documents and settings\Wolfe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 03:31 . 2010-01-16 07:54 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Skype
2010-02-09 03:03 . 2010-01-16 07:57 -------- d-----w- c:\documents and settings\Wolfe\Application Data\skypePM
2010-02-04 20:45 . 2010-02-04 20:45 -------- d-----w- c:\program files\EasySector
2010-02-04 20:20 . 2010-02-04 20:20 -------- d-----w- c:\program files\PMlabs
2010-02-04 18:01 . 2010-02-15 08:07 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 18:01 . 2010-02-15 08:07 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 18:01 . 2010-02-15 08:07 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 18:01 . 2010-02-15 08:07 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-01 06:12 . 2010-02-01 06:12 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Blender Foundation
2010-02-01 05:30 . 2010-01-29 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-02-01 05:23 . 2010-02-01 05:23 -------- d-----w- c:\program files\Google
2010-01-29 06:51 . 2010-01-29 06:50 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Yahoo!
2010-01-29 06:50 . 2010-01-29 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-29 06:50 . 2010-01-29 06:47 -------- d-----w- c:\program files\Yahoo!
2010-01-28 00:57 . 2010-01-21 18:00 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-28 00:41 . 2010-01-10 21:50 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-21 22:16 . 2010-01-21 15:21 -------- d-----w- c:\program files\AV Vcs 4.0 DIAMOND
2010-01-21 20:20 . 2010-01-20 16:23 -------- d-----w- c:\program files\Emerald Viewer
2010-01-21 14:29 . 2010-01-15 17:12 -------- d-----w- c:\program files\Screaming Bee
2010-01-21 14:25 . 2010-01-21 14:25 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Avnex
2010-01-20 17:13 . 2010-01-15 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee
2010-01-20 16:23 . 2010-01-19 03:23 -------- d-----w- c:\program files\Emerald Viewer2
2010-01-20 16:05 . 2010-01-14 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2010-01-20 16:03 . 2010-01-10 20:38 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Western Digital
2010-01-20 09:25 . 2010-01-19 08:39 -------- d-----w- c:\program files\QAvimator
2010-01-19 16:05 . 2010-01-19 16:05 -------- d-----w- c:\program files\OpenMetaverse
2010-01-19 08:36 . 2010-01-19 08:36 -------- d-----w- c:\program files\Avimator
2010-01-17 11:45 . 2010-01-17 11:45 -------- d-----w- c:\program files\MSBuild
2010-01-17 11:44 . 2010-01-17 11:44 -------- d-----w- c:\program files\Reference Assemblies
2010-01-17 01:55 . 2010-01-15 09:37 -------- d-----w- c:\documents and settings\Wolfe\Application Data\SecondLife
2010-01-16 08:13 . 2010-01-16 07:53 -------- d-----r- c:\program files\Skype
2010-01-16 07:57 . 2010-01-16 07:57 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-16 07:53 . 2010-01-16 07:53 -------- d-----w- c:\program files\Common Files\Skype
2010-01-16 07:53 . 2010-01-16 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-15 15:23 . 2010-01-15 12:02 -------- d-----w- c:\documents and settings\Wolfe\Application Data\GetRightToGo
2010-01-14 17:42 . 2010-01-14 17:25 -------- d-----w- c:\program files\Linksys
2010-01-14 17:24 . 2010-01-14 17:24 -------- d-----w- c:\program files\Pure Networks
2010-01-14 17:23 . 2010-01-14 17:23 8673792 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-01-14 17:21 . 2010-01-14 17:21 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2010-01-14 12:49 . 2010-01-14 12:48 -------- d-----w- c:\program files\jZip
2010-01-14 11:04 . 2010-01-14 10:59 -------- d-----w- c:\program files\hMailServer
2010-01-14 11:02 . 2010-01-14 11:02 -------- d-----w- c:\program files\MSXML 6.0
2010-01-14 10:59 . 2010-01-14 10:59 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-01-14 10:59 . 2010-01-14 10:59 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-01-14 01:54 . 2010-01-11 08:39 -------- d-----w- c:\program files\Common Files\eAcceleration
2010-01-14 01:54 . 2010-01-11 08:39 -------- d-----w- c:\program files\StopSign
2010-01-13 09:53 . 2010-01-13 09:53 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-12 12:51 . 2010-01-12 08:38 -------- d-----w- c:\documents and settings\Wolfe\Application Data\AdobeUM
2010-01-12 12:46 . 2010-01-12 12:46 -------- d-----w- c:\program files\Winwap Technologies
2010-01-12 08:40 . 2010-01-12 08:40 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Leadertech
2010-01-12 08:38 . 2010-01-12 08:38 -------- d-----w- c:\documents and settings\Wolfe\Application Data\AdobeAUM
2010-01-11 08:58 . 2010-01-11 08:58 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-11 08:52 . 2010-01-11 08:52 0 ----a-w- c:\windows\nsreg.dat
2010-01-11 08:48 . 2010-01-11 08:40 -------- d-----w- c:\documents and settings\Wolfe\Application Data\eAcceleration
2010-01-11 08:40 . 2010-01-11 08:39 -------- d-----w- c:\program files\eAcceleration
2010-01-11 08:39 . 2010-01-11 08:39 -------- d-----w- c:\program files\Acceleration Software
2010-01-11 08:39 . 2010-01-11 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\eAcceleration
2010-01-10 21:50 . 2010-01-10 21:50 -------- d-----w- c:\program files\Realtek
2010-01-10 21:50 . 2010-01-10 21:50 315392 ----a-w- c:\windows\HideWin.exe
2010-01-10 20:38 . 2010-01-10 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-01-10 20:27 . 2010-01-10 20:27 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2009-12-12 14:15 . 2010-01-13 09:53 178176 ----a-w- c:\windows\system32\unrar.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"nwiz"="nwiz.exe" [2008-02-25 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"webscan"="c:\program files\Acceleration Software\Anti-Virus\stopsignav.exe" [2009-09-04 1033568]
"SoftwareStation"="c:\program files\eAcceleration\Station\station.exe" [2009-05-15 177488]
"OnAccess"="c:\program files\StopSign\OnAccess\onaccess.exe" [2009-07-22 255328]
"StopSignPopupBlocker"="c:\progra~1\StopSign\POPUPB~1\sspopupblockerctrl.exe" [2009-06-10 107976]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"WebcammaxMoniter"="c:\program files\WebcamMax\wcmmon.exe" [2009-09-25 449024]

c:\documents and settings\Wolfe\Start Menu\Programs\Startup\
Ray Multimedia Server.lnk - c:\rms\start_service.exe [2009-5-18 49416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2010-1-27 65536]
start WampServer.lnk - c:\wamp\wampmanager.exe [2010-1-11 1152512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42DD0873-5FA9-465D-90DE-0826020416A5}"= "c:\program files\StopSign\OnAccess\onaccess_hk32.dll" [2009-07-22 165216]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Emerald Viewer\\SLVoice.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"2989:TCP"= 2989:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [1/13/2010 5:54 PM 109536]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2010 12:23 PM 14336]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2/10/2010 7:14 PM 1053056]
R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [1/11/2010 12:39 AM 113920]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe [1/11/2010 12:39 AM 263504]
R2 FWService;FWService;c:\program files\StopSign\Firewall\FWService.exe -Service --> c:\program files\StopSign\Firewall\FWService.exe -Service [?]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [1/11/2010 12:39 AM 113920]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [1/11/2010 12:39 AM 113920]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [1/15/2010 4:04 AM 17792]
S2 Red5;RMS;c:\rms\wrapper.exe -s c:\rms\conf\wrapper.conf --> c:\rms\wrapper.exe -s c:\rms\conf\wrapper.conf [?]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/10/2010 12:24 PM 69692]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]
S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [4/21/2007 6:15 AM 9344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - pxtdipow

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: {B9331A99-5103-43EB-A02F-9417AC06471D} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL -
FF - plugin: c:\documents and settings\Wolfe\My Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 13:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvgts.sys >>UNKNOWN [0x84BBB8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf756bfc3
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf720a7b4
\Driver\iaStor -> IASTOR.SYS @ 0xf722eb58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3392028434-1750007579-270867441-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iahmfobjlldgbonohl"=hex:69,61,6a,68,63,67,6e,65,70,6d,6f,69,6e,6e,63,61,61,6a,
00,00
"habopncoakeoekkh"=hex:69,61,6a,68,63,67,6e,65,70,6d,6f,69,6e,6e,63,61,61,6a,
00,00
"fahmglaklfkb"=hex:67,61,63,64,63,6b,65,66,65,61,62,6a,67,63,00,00
.
Completion time: 2010-03-06 13:09:48
ComboFix-quarantined-files.txt 2010-03-06 21:09

Pre-Run: 109,166,051,328 bytes free
Post-Run: 109,526,753,280 bytes free

- - End Of File - - 26F12AF3A9F497557CDEDAF7EE630F9E


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home
  • Local time:09:09 AM

Posted 06 March 2010 - 05:00 PM

Hi,

It seems ComboFix did not see the infection; please run TDSSKiller next:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive; please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 wolfetundra

wolfetundra
  • Topic Starter

  • Members
  • 21 posts
  • Local time:02:09 AM

Posted 06 March 2010 - 05:15 PM

14:14:23:312 2992 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
14:14:23:312 2992 ================================================================================
14:14:23:312 2992 SystemInfo:

14:14:23:312 2992 OS Version: 5.1.2600 ServicePack: 2.0
14:14:23:312 2992 Product type: Workstation
14:14:23:312 2992 ComputerName: HOME
14:14:23:312 2992 UserName: Wolfe
14:14:23:312 2992 Windows directory: C:\WINDOWS
14:14:23:312 2992 Processor architecture: Intel x86
14:14:23:312 2992 Number of processors: 1
14:14:23:312 2992 Page size: 0x1000
14:14:23:312 2992 Boot type: Normal boot
14:14:23:312 2992 ================================================================================
14:14:23:359 2992 UnloadDriverW: NtUnloadDriver error 2
14:14:23:359 2992 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:14:23:625 2992 Initialize success
14:14:23:625 2992
14:14:23:625 2992 Scanning Services ...
14:14:23:625 2992 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:14:23:625 2992 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:14:23:625 2992 wfopen_ex: Trying to KLMD file open
14:14:23:625 2992 wfopen_ex: File opened ok (Flags 2)
14:14:23:625 2992 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:14:23:625 2992 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:14:23:625 2992 wfopen_ex: Trying to KLMD file open
14:14:23:625 2992 wfopen_ex: File opened ok (Flags 2)
14:14:23:843 2992 GetAdvancedServicesInfo: Raw services enum returned 339 services
14:14:23:859 2992 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:14:23:859 2992 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:14:23:859 2992
14:14:23:859 2992 Scanning Kernel memory ...
14:14:23:859 2992 Devices to scan: 4
14:14:23:859 2992
14:14:23:859 2992 Driver Name: Disk
14:14:23:859 2992 IRP_MJ_CREATE : F756DC30
14:14:23:859 2992 IRP_MJ_CREATE_NAMED_PIPE : 804F3538
14:14:23:859 2992 IRP_MJ_CLOSE : F756DC30
14:14:23:859 2992 IRP_MJ_READ : F7567D9B
14:14:23:859 2992 IRP_MJ_WRITE : F7567D9B
14:14:23:859 2992 IRP_MJ_QUERY_INFORMATION : 804F3538
14:14:23:859 2992 IRP_MJ_SET_INFORMATION : 804F3538
14:14:23:859 2992 IRP_MJ_QUERY_EA : 804F3538
14:14:23:859 2992 IRP_MJ_SET_EA : 804F3538
14:14:23:859 2992 IRP_MJ_FLUSH_BUFFERS : F7568366
14:14:23:859 2992 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3538
14:14:23:859 2992 IRP_MJ_SET_VOLUME_INFORMATION : 804F3538
14:14:23:859 2992 IRP_MJ_DIRECTORY_CONTROL : 804F3538
14:14:23:859 2992 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3538
14:14:23:859 2992 IRP_MJ_DEVICE_CONTROL : F756844D
14:14:23:859 2992 IRP_MJ_INTERNAL_DEVICE_CONTROL : F756BFC3
14:14:23:859 2992 IRP_MJ_SHUTDOWN : F7568366
14:14:23:859 2992 IRP_MJ_LOCK_CONTROL : 804F3538
14:14:23:859 2992 IRP_MJ_CLEANUP : 804F3538
14:14:23:859 2992 IRP_MJ_CREATE_MAILSLOT : 804F3538
14:14:23:859 2992 IRP_MJ_QUERY_SECURITY : 804F3538
14:14:23:859 2992 IRP_MJ_SET_SECURITY : 804F3538
14:14:23:859 2992 IRP_MJ_POWER : F7569EF3
14:14:23:859 2992 IRP_MJ_SYSTEM_CONTROL : F756EA24
14:14:23:859 2992 IRP_MJ_DEVICE_CHANGE : 804F3538
14:14:23:859 2992 IRP_MJ_QUERY_QUOTA : 804F3538
14:14:23:859 2992 IRP_MJ_SET_QUOTA : 804F3538
14:14:23:906 2992 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
14:14:23:906 2992 sion
14:14:23:906 2992 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:14:23:906 2992
14:14:23:906 2992 Driver Name: USBSTOR
14:14:23:906 2992 IRP_MJ_CREATE : EC83A218
14:14:23:906 2992 IRP_MJ_CREATE_NAMED_PIPE : 804F3538
14:14:23:906 2992 IRP_MJ_CLOSE : EC83A218
14:14:23:906 2992 IRP_MJ_READ : EC83A23C
14:14:23:906 2992 IRP_MJ_WRITE : EC83A23C
14:14:23:906 2992 IRP_MJ_QUERY_INFORMATION : 804F3538
14:14:23:906 2992 IRP_MJ_SET_INFORMATION : 804F3538
14:14:23:906 2992 IRP_MJ_QUERY_EA : 804F3538
14:14:23:906 2992 IRP_MJ_SET_EA : 804F3538
14:14:23:906 2992 IRP_MJ_FLUSH_BUFFERS : 804F3538
14:14:23:906 2992 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3538
14:14:23:906 2992 IRP_MJ_SET_VOLUME_INFORMATION : 804F3538
14:14:23:906 2992 IRP_MJ_DIRECTORY_CONTROL : 804F3538
14:14:23:906 2992 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3538
14:14:23:906 2992 IRP_MJ_DEVICE_CONTROL : EC83A180
14:14:23:906 2992 IRP_MJ_INTERNAL_DEVICE_CONTROL : EC8359E6
14:14:23:906 2992 IRP_MJ_SHUTDOWN : 804F3538
14:14:23:906 2992 IRP_MJ_LOCK_CONTROL : 804F3538
14:14:23:906 2992 IRP_MJ_CLEANUP : 804F3538
14:14:23:906 2992 IRP_MJ_CREATE_MAILSLOT : 804F3538
14:14:23:906 2992 IRP_MJ_QUERY_SECURITY : 804F3538
14:14:23:906 2992 IRP_MJ_SET_SECURITY : 804F3538
14:14:23:906 2992 IRP_MJ_POWER : EC8395F0
14:14:23:906 2992 IRP_MJ_SYSTEM_CONTROL : EC837A6E
14:14:23:906 2992 IRP_MJ_DEVICE_CHANGE : 804F3538
14:14:23:906 2992 IRP_MJ_QUERY_QUOTA : 804F3538
14:14:23:906 2992 IRP_MJ_SET_QUOTA : 804F3538
14:14:23:921 2992 siohd: 0
14:14:23:921 2992 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
14:14:23:921 2992
14:14:23:921 2992 Driver Name: Disk
14:14:23:921 2992 IRP_MJ_CREATE : F756DC30
14:14:23:921 2992 IRP_MJ_CREATE_NAMED_PIPE : 804F3538
14:14:23:921 2992 IRP_MJ_CLOSE : F756DC30
14:14:23:921 2992 IRP_MJ_READ : F7567D9B
14:14:23:921 2992 IRP_MJ_WRITE : F7567D9B
14:14:23:921 2992 IRP_MJ_QUERY_INFORMATION : 804F3538
14:14:23:921 2992 IRP_MJ_SET_INFORMATION : 804F3538
14:14:23:921 2992 IRP_MJ_QUERY_EA : 804F3538
14:14:23:921 2992 IRP_MJ_SET_EA : 804F3538
14:14:23:921 2992 IRP_MJ_FLUSH_BUFFERS : F7568366
14:14:23:921 2992 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3538
14:14:23:921 2992 IRP_MJ_SET_VOLUME_INFORMATION : 804F3538
14:14:23:921 2992 IRP_MJ_DIRECTORY_CONTROL : 804F3538
14:14:23:921 2992 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3538
14:14:23:921 2992 IRP_MJ_DEVICE_CONTROL : F756844D
14:14:23:921 2992 IRP_MJ_INTERNAL_DEVICE_CONTROL : F756BFC3
14:14:23:921 2992 IRP_MJ_SHUTDOWN : F7568366
14:14:23:921 2992 IRP_MJ_LOCK_CONTROL : 804F3538
14:14:23:921 2992 IRP_MJ_CLEANUP : 804F3538
14:14:23:921 2992 IRP_MJ_CREATE_MAILSLOT : 804F3538
14:14:23:921 2992 IRP_MJ_QUERY_SECURITY : 804F3538
14:14:23:921 2992 IRP_MJ_SET_SECURITY : 804F3538
14:14:23:921 2992 IRP_MJ_POWER : F7569EF3
14:14:23:921 2992 IRP_MJ_SYSTEM_CONTROL : F756EA24
14:14:23:921 2992 IRP_MJ_DEVICE_CHANGE : 804F3538
14:14:23:921 2992 IRP_MJ_QUERY_QUOTA : 804F3538
14:14:23:921 2992 IRP_MJ_SET_QUOTA : 804F3538
14:14:23:921 2992 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
14:14:23:921 2992 sion
14:14:23:921 2992 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:14:23:921 2992
14:14:23:921 2992 Driver Name: nvgts
14:14:23:921 2992 IRP_MJ_CREATE : F71B2552
14:14:23:921 2992 IRP_MJ_CREATE_NAMED_PIPE : F71B2552
14:14:23:921 2992 IRP_MJ_CLOSE : F71B2552
14:14:23:921 2992 IRP_MJ_READ : F71B2552
14:14:23:921 2992 IRP_MJ_WRITE : F71B2552
14:14:23:921 2992 IRP_MJ_QUERY_INFORMATION : F71B2552
14:14:23:921 2992 IRP_MJ_SET_INFORMATION : F71B2552
14:14:23:921 2992 IRP_MJ_QUERY_EA : F71B2552
14:14:23:921 2992 IRP_MJ_SET_EA : F71B2552
14:14:23:921 2992 IRP_MJ_FLUSH_BUFFERS : F71B2552
14:14:23:921 2992 IRP_MJ_QUERY_VOLUME_INFORMATION : F71B2552
14:14:23:921 2992 IRP_MJ_SET_VOLUME_INFORMATION : F71B2552
14:14:23:921 2992 IRP_MJ_DIRECTORY_CONTROL : F71B2552
14:14:23:921 2992 IRP_MJ_FILE_SYSTEM_CONTROL : F71B2552
14:14:23:921 2992 IRP_MJ_DEVICE_CONTROL : F71B2552
14:14:23:921 2992 IRP_MJ_INTERNAL_DEVICE_CONTROL : F71B2552
14:14:23:921 2992 IRP_MJ_SHUTDOWN : F71B2552
14:14:23:921 2992 IRP_MJ_LOCK_CONTROL : F71B2552
14:14:23:921 2992 IRP_MJ_CLEANUP : F71B2552
14:14:23:921 2992 IRP_MJ_CREATE_MAILSLOT : F71B2552
14:14:23:921 2992 IRP_MJ_QUERY_SECURITY : F71B2552
14:14:23:921 2992 IRP_MJ_SET_SECURITY : F71B2552
14:14:23:921 2992 IRP_MJ_POWER : F71B2552
14:14:23:921 2992 IRP_MJ_SYSTEM_CONTROL : F71B2552
14:14:23:921 2992 IRP_MJ_DEVICE_CHANGE : F71B2552
14:14:23:921 2992 IRP_MJ_QUERY_QUOTA : F71B2552
14:14:23:921 2992 IRP_MJ_SET_QUOTA : F71B2552
14:14:23:984 2992 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
14:14:23:984 2992 TDL3_IrpHookDetect: New IrpHandler addr: 84BBB8C8
14:14:23:984 2992 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
14:14:23:984 2992 Driver "nvgts" Irp handler infected by TDSS rootkit ... 14:14:23:984 2992 cured
14:14:23:984 2992 siohd: 0
14:14:23:984 2992 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: Infected
14:14:23:984 2992 File C:\WINDOWS\system32\DRIVERS\nvgts.sys infected by TDSS rootkit ... 14:14:23:984 2992 Processing driver file: C:\WINDOWS\system32\DRIVERS\nvgts.sys
14:14:23:984 2992 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
14:14:24:171 2992 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
14:14:24:218 2992 !fdfb7
14:14:24:265 2992 !vfvi8
14:14:24:265 2992 !vdf6
14:14:24:312 2992 !ttfc3 1784
14:14:24:312 2992 cure failed
14:14:24:312 2992
14:14:24:312 2992 Completed
14:14:24:312 2992
14:14:24:312 2992 Results:
14:14:24:312 2992 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
14:14:24:312 2992 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:14:24:312 2992 File objects infected / cured / cured on reboot: 1 / 0 / 0
14:14:24:312 2992
14:14:24:328 2992 KLMD(ARK) unloaded successfully
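
Added example (editor's addition; not code from this thread, from TDSSKiller or from Kaspersky): a small Python triage script that reads a TDSSKiller 2.x text log like the one posted above. Per driver it collects the IRP handler table, any TDL3_IrpHookDetect lines, the Verdict line and whether the cure failed, then uses the Results counters to decide whether the driver file on disk still needs replacing, which is the situation the log above reports (memory object cured, file object not). The line format is assumed from the posted log only, and the embedded sample is constructed and abbreviated from it.

```python
"""Triage helper for TDSSKiller 2.x text logs (added example; not TDSSKiller's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, abbreviated from the format of the log posted in the thread.
SAMPLE_LOG = r"""
14:14:23:859 2992 Scanning Kernel memory ...
14:14:23:859 2992
14:14:23:859 2992 Driver Name: Disk
14:14:23:859 2992 IRP_MJ_CREATE : F756DC30
14:14:23:859 2992 IRP_MJ_READ : F7567D9B
14:14:23:906 2992 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
14:14:23:921 2992 Driver Name: nvgts
14:14:23:921 2992 IRP_MJ_CREATE : F71B2552
14:14:23:921 2992 IRP_MJ_READ : F71B2552
14:14:23:984 2992 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
14:14:23:984 2992 TDL3_IrpHookDetect: New IrpHandler addr: 84BBB8C8
14:14:23:984 2992 Driver "nvgts" Irp handler infected by TDSS rootkit ... 14:14:23:984 2992 cured
14:14:23:984 2992 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: Infected
14:14:24:312 2992 cure failed
14:14:24:312 2992 Results:
14:14:24:312 2992 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
14:14:24:312 2992 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:14:24:312 2992 File objects infected / cured / cured on reboot: 1 / 0 / 0
"""

# Every line starts with "hh:mm:ss:ms pid"; the rest is the message (may be empty).
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\w+)$")
RESULT_RE = re.compile(r"^(\w+) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


@dataclass
class DriverReport:
    name: str
    irp_handlers: Dict[str, str] = field(default_factory=dict)
    hook_notes: List[str] = field(default_factory=list)  # TDL3_IrpHookDetect lines
    memory_infected: bool = False  # in-memory IRP hook reported (and usually cured)
    path: Optional[str] = None
    verdict: Optional[str] = None
    cure_failed: bool = False  # on-disk cure of the driver file did not succeed


@dataclass
class ScanSummary:
    drivers: List[DriverReport] = field(default_factory=list)
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)

    def infected(self) -> List[DriverReport]:
        return [d for d in self.drivers if d.verdict and d.verdict.lower() != "clean"]

    def needs_followup(self) -> bool:
        # Memory hook cured but file object not cured (1 / 1 / 0 vs 1 / 0 / 0 in the
        # thread): the driver on disk still needs replacing, the scan alone is no fix.
        infected, cured, on_reboot = self.results.get("File", (0, 0, 0))
        return infected > cured + on_reboot or any(d.cure_failed for d in self.infected())


def parse_tdsskiller_log(text: str) -> ScanSummary:
    """Group IRP, hook and verdict lines under the most recent 'Driver Name:' line."""
    summary = ScanSummary()
    current: Optional[DriverReport] = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        if (dm := DRIVER_RE.match(msg)):
            current = DriverReport(name=dm.group(1))
            summary.drivers.append(current)
        elif (rm := RESULT_RE.match(msg)):
            summary.results[rm.group(1)] = tuple(int(x) for x in rm.group(2, 3, 4))
        elif current is None:
            continue
        elif (im := IRP_RE.match(msg)):
            current.irp_handlers[im.group(1)] = im.group(2).upper()
        elif (vm := VERDICT_RE.match(msg)):
            current.path, current.verdict = vm.group(1), vm.group(2)
        elif msg.startswith("TDL3_IrpHookDetect:"):
            current.hook_notes.append(msg)
        elif "Irp handler infected" in msg:
            current.memory_infected = True
        elif msg == "cure failed":
            current.cure_failed = True
    return summary


def triage_lines(summary: ScanSummary) -> List[str]:
    """One finding per non-clean driver, then the follow-up decision."""
    lines = [f"{d.name}: {d.path} verdict={d.verdict} memory_hook={d.memory_infected} "
             f"file_cure_failed={d.cure_failed} hook_notes={len(d.hook_notes)}"
             for d in summary.infected()]
    lines.append("follow-up required: driver file still infected on disk"
                 if summary.needs_followup() else "no follow-up required")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_lines(parse_tdsskiller_log(SAMPLE_LOG))))
```

The point of the Results check is the one the thread turns on: a memory cure with a failed file cure means the hooked driver will be re-infected from disk at the next boot, so the next step has to deal with the file itself rather than re-running the scan. Note that every IRP_MJ entry of a driver pointing at one address is not by itself evidence of anything; many legitimate drivers use a single dispatch routine, so the script keys off TDSSKiller's own hook and verdict lines instead.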


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home
  • Local time:09:09 AM

Posted 06 March 2010 - 05:25 PM

Hi,

You definitely have a very special and very attached infection there. But we're not out of ideas yet.

Please run the following search to look for replacements:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box:
    CODE
    :filefind
    nvgts.sys
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#11 wolfetundra

wolfetundra
  • Topic Starter

  • Members
  • 21 posts
  • Local time:02:09 AM

Posted 06 March 2010 - 05:32 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:27 on 06/03/2010 by Wolfe (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvgts.sys"
C:\WINDOWS\system32\drivers\nvgts.sys --a--- 132096 bytes [04:01 26/01/2008] [04:01 26/01/2008] A117466B0ACB13288DEEE4F2E936E67F

-=End Of File=-

Thank you for all your help. I hope we can get rid of this without having to format.

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home
  • Local time:09:09 AM

Posted 06 March 2010 - 05:53 PM

Hi,

Do you have a Windows CD?

Could you please run the following batch:
Open Notepad and copy/paste the code box below into a new text file.
CODE
@echo off
rem Keep a copy of the driver TDSSKiller flagged, in the root of C:
copy C:\WINDOWS\system32\drivers\nvgts.sys C:\nvgt.sys.bak
rem List the root of C: into a text file next to this script, then open it
dir C:\ >tmp.log
tmp.log
  • Save the file as query.bat by choosing "Save as type: All Files", and save it to your Desktop.
  • Locate "query.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#13 wolfetundra

wolfetundra
  • Topic Starter

  • Members
  • 21 posts
  • Local time:02:09 AM

Posted 06 March 2010 - 05:59 PM

I do have a Windows disk.

Volume in drive C has no label.
Volume Serial Number is 7C4C-65A8

Directory of C:\

01/18/2010 07:12 PM <DIR> 8bbafdb139299b2564afac79
01/14/2010 03:00 AM <DIR> aa9099925595e3d47b451e
02/24/2010 03:54 AM <DIR> AeriaGames
05/06/2006 04:38 PM 0 AUTOEXEC.BAT
01/21/2010 06:30 AM <DIR> AV_LOGS
01/10/2010 12:27 PM 201 Boot.bak
08/03/2004 11:00 PM 260,272 cmldr
03/06/2010 01:09 PM 20,911 ComboFix.txt
05/06/2006 04:38 PM 0 CONFIG.SYS
02/04/2010 01:32 PM 73 default.wmi
01/10/2010 12:35 PM <DIR> Documents and Settings
01/15/2010 06:31 AM 0 fftoutput.txt
03/05/2010 12:16 PM <DIR> gmer
03/06/2010 08:21 AM 13,168 grab00000.jpg
02/24/2010 03:02 AM <DIR> HJT
02/19/2010 04:03 AM <DIR> ImageOutput
02/19/2010 03:58 AM <DIR> Multimedia Files
01/25/2008 08:01 PM 132,096 nvgt.sys.bak
03/06/2010 01:07 PM <DIR> Program Files
03/06/2010 01:09 PM <DIR> Qoobox
01/10/2010 12:31 PM 2 REQUEST_OEMRESET_ENDUSER
01/14/2010 03:56 AM <DIR> RMS
01/10/2010 12:35 PM <DIR> SYSPREP
03/06/2010 02:14 PM 21,752 TDSSKiller.2.2.7.1_06.03.2010_14.14.23_log.txt
03/06/2010 02:14 PM 21,486 TDSSKiller.txt
01/23/2010 06:48 PM <DIR> vcs5BGEffects
01/21/2010 10:02 AM <DIR> vcs5core
01/13/2010 05:48 PM <DIR> wamp
02/04/2010 01:31 PM 83 WatermarkImage.ini
03/06/2010 01:08 PM <DIR> WINDOWS
13 File(s) 470,044 bytes
17 Dir(s) 109,491,380,224 bytes free


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • Gender:Female
  • Location:At home
  • Local time:09:09 AM

Posted 06 March 2010 - 06:24 PM

Hi,

please run the following script:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
FCopy::
C:\nvgt.sys.bak | C:\windows\system32\drivers\nvgts.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Let me know if you see any improvements after running combofix.

regards myrti

Edited by myrti, 06 March 2010 - 06:53 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#15 wolfetundra

wolfetundra
  • Topic Starter

  • Members
  • 21 posts
  • Local time:02:09 AM

Posted 06 March 2010 - 06:49 PM

Below is my log after completing the steps you provided. I need to go help a friend with his computer lol. I will return shortly and hopefully the problem is resolved.

ComboFix 10-03-06.03 - Wolfe 03/06/2010 15:34:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.553 [GMT -8:00]
Running from: c:\documents and settings\Wolfe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wolfe\Desktop\CFScript.txt
AV: StopSign Antivirus *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall *enabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}
.

((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-05 20:16 . 2010-03-05 20:16 -------- d-----w- C:\gmer
2010-02-27 01:54 . 2010-02-27 01:54 -------- d-s---w- c:\documents and settings\Wolfe\UserData
2010-02-24 12:09 . 2010-02-24 12:09 -------- d-----w- c:\program files\Common Files\DirectX
2010-02-24 11:54 . 2010-02-24 11:54 -------- d-----w- C:\AeriaGames
2010-02-21 09:55 . 2010-02-21 09:55 -------- d-----w- c:\program files\Audacity
2010-02-20 03:45 . 2010-02-20 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-02-20 03:35 . 2010-02-20 03:35 -------- d-----w- c:\program files\Adobe Media Player
2010-02-20 02:31 . 2010-03-06 23:41 -------- d-----w- c:\program files\Common Files\Akamai
2010-02-20 02:27 . 2010-02-20 02:27 1923880 ----a-w- c:\documents and settings\Wolfe\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-02-20 01:57 . 2010-02-20 02:03 -------- d-----w- c:\documents and settings\Wolfe\Local Settings\Application Data\Macromedia
2010-02-20 01:50 . 2010-02-20 01:50 45056 ----a-r- c:\documents and settings\Wolfe\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2010-02-20 01:50 . 2010-02-20 06:26 -------- d-----w- c:\program files\Common Files\Macromedia
2010-02-20 00:41 . 2000-08-11 05:23 80880 ----a-w- c:\windows\unvise.exe
2010-02-19 12:03 . 2010-02-19 12:03 -------- d-----w- c:\program files\Easy Graphic Converter
2010-02-19 12:03 . 2010-02-19 12:03 -------- d-----w- C:\ImageOutput
2010-02-19 11:58 . 2010-02-19 11:58 -------- d-----w- C:\Multimedia Files
2010-02-19 11:58 . 2010-02-19 11:58 -------- d-----w- c:\program files\Microsoft GIF Animator
2010-02-18 05:13 . 2010-02-20 06:30 -------- d-----w- c:\program files\Macromedia
2010-02-16 17:41 . 2010-02-16 17:41 -------- d-----w- c:\windows\Sun
2010-02-15 08:06 . 2008-03-06 00:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2010-02-15 08:02 . 2010-02-15 08:05 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-15 04:46 . 2010-02-15 04:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-15 04:46 . 2010-02-15 04:47 -------- d-----w- c:\program files\DivX
2010-02-14 22:17 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-14 22:17 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-14 21:39 . 2010-02-14 21:39 -------- d-----w- c:\documents and settings\Wolfe\Tracing
2010-02-14 21:37 . 2010-02-14 21:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-14 21:37 . 2010-02-14 21:38 -------- d-----w- c:\program files\Windows Live
2010-02-14 21:35 . 2010-02-14 21:35 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-11 03:29 . 2010-02-11 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WebcamMax
2010-02-11 03:22 . 2010-02-11 03:29 -------- d-----w- c:\documents and settings\Wolfe\Application Data\WebcamMax
2010-02-11 03:14 . 2009-08-07 06:42 1053056 ----a-w- c:\windows\system32\drivers\CAMTHWDM.sys
2010-02-11 03:14 . 2010-02-11 03:41 -------- d-----w- c:\program files\WebcamMax
2010-02-10 01:11 . 2010-02-10 01:11 -------- d-----w- c:\program files\Image Grabber II
2010-02-10 00:10 . 2010-02-10 09:16 -------- d-----w- c:\program files\Photobie
2010-02-09 16:32 . 2010-02-09 16:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-06 05:48 . 2010-02-08 12:35 -------- d-----w- c:\program files\CamStudio
2010-02-06 03:55 . 2010-02-06 03:55 -------- d-----w- c:\program files\ScreenPrint32 v3
2010-02-06 03:55 . 2010-02-06 03:55 249856 ------w- c:\windows\Setup1.exe
2010-02-06 03:55 . 2010-02-06 03:55 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-02-05 23:16 . 2010-02-07 19:28 -------- d-----w- c:\program files\Desktop Screen Record 5
2010-02-05 19:04 . 2010-02-05 19:04 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Media Player Classic
2010-02-05 04:38 . 2010-02-05 04:38 0 ----a-w- c:\documents and settings\Wolfe\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-02-05 04:24 . 2010-02-18 08:32 -------- d-----w- c:\documents and settings\Wolfe\Application Data\FrostWire
2010-02-05 04:24 . 2010-02-05 04:24 -------- d-----w- c:\program files\FrostWire
2010-02-05 01:53 . 2010-02-05 02:54 -------- d-----w- c:\documents and settings\Wolfe\Application Data\FileZilla
2010-02-05 01:53 . 2010-02-05 01:53 -------- d-----w- c:\program files\FileZilla FTP Client
2010-02-05 00:05 . 2010-02-05 00:05 -------- d-----w- c:\documents and settings\Wolfe\Application Data\SmartFTP
2010-02-05 00:04 . 2010-02-05 00:04 -------- d-----w- c:\program files\SmartFTP Client
2010-02-05 00:03 . 2010-02-05 00:03 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 22:14 . 2010-03-06 22:14 0 ----a-w- c:\windows\system32\drivers\tsk2A8.tmp
2010-03-06 22:14 . 2010-03-06 22:14 0 ----a-w- c:\windows\system32\drivers\tsk2A6.tmp
2010-02-24 01:50 . 2010-01-16 12:51 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-20 06:09 . 2010-01-10 21:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 21:38 . 2010-01-10 20:37 50880 ----a-w- c:\documents and settings\Wolfe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-09 03:31 . 2010-01-16 07:54 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Skype
2010-02-09 03:03 . 2010-01-16 07:57 -------- d-----w- c:\documents and settings\Wolfe\Application Data\skypePM
2010-02-04 23:41 . 2010-02-04 23:41 503808 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62ffe056-n\msvcp71.dll
2010-02-04 23:41 . 2010-02-04 23:41 499712 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62ffe056-n\jmc.dll
2010-02-04 23:41 . 2010-02-04 23:41 348160 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62ffe056-n\msvcr71.dll
2010-02-04 23:41 . 2010-02-04 23:41 61440 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5b82b5aa-n\decora-sse.dll
2010-02-04 23:41 . 2010-02-04 23:41 12800 ----a-w- c:\documents and settings\Wolfe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5b82b5aa-n\decora-d3d.dll
2010-02-04 23:41 . 2010-02-04 23:41 -------- d-----w- c:\program files\Common Files\Java
2010-02-04 23:40 . 2010-02-04 23:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-04 23:40 . 2010-02-04 23:40 -------- d-----w- c:\program files\Java
2010-02-04 22:35 . 2010-02-04 22:31 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-02-04 21:32 . 2010-02-04 21:32 -------- d-----w- c:\program files\Andromeda
2010-02-04 20:45 . 2010-02-04 20:45 -------- d-----w- c:\program files\EasySector
2010-02-04 20:20 . 2010-02-04 20:20 -------- d-----w- c:\program files\PMlabs
2010-02-04 18:01 . 2010-02-15 08:07 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 18:01 . 2010-02-15 08:07 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 18:01 . 2010-02-15 08:07 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 18:01 . 2010-02-15 08:07 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-01 06:12 . 2010-02-01 06:12 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Blender Foundation
2010-02-01 05:30 . 2010-01-29 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-02-01 05:23 . 2010-02-01 05:23 -------- d-----w- c:\program files\Google
2010-01-29 06:51 . 2010-01-29 06:50 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Yahoo!
2010-01-29 06:50 . 2010-01-29 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-29 06:50 . 2010-01-29 06:47 -------- d-----w- c:\program files\Yahoo!
2010-01-28 00:57 . 2010-01-21 18:00 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2010-01-28 00:41 . 2010-01-10 21:50 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-21 22:16 . 2010-01-21 15:21 -------- d-----w- c:\program files\AV Vcs 4.0 DIAMOND
2010-01-21 20:20 . 2010-01-20 16:23 -------- d-----w- c:\program files\Emerald Viewer
2010-01-21 14:29 . 2010-01-15 17:12 -------- d-----w- c:\program files\Screaming Bee
2010-01-21 14:25 . 2010-01-21 14:25 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Avnex
2010-01-20 17:13 . 2010-01-15 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee
2010-01-20 16:23 . 2010-01-19 03:23 -------- d-----w- c:\program files\Emerald Viewer2
2010-01-20 16:05 . 2010-01-14 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2010-01-20 16:03 . 2010-01-10 20:38 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Western Digital
2010-01-20 09:25 . 2010-01-19 08:39 -------- d-----w- c:\program files\QAvimator
2010-01-19 16:05 . 2010-01-19 16:05 -------- d-----w- c:\program files\OpenMetaverse
2010-01-19 08:36 . 2010-01-19 08:36 -------- d-----w- c:\program files\Avimator
2010-01-17 11:45 . 2010-01-17 11:45 -------- d-----w- c:\program files\MSBuild
2010-01-17 11:44 . 2010-01-17 11:44 -------- d-----w- c:\program files\Reference Assemblies
2010-01-17 01:55 . 2010-01-15 09:37 -------- d-----w- c:\documents and settings\Wolfe\Application Data\SecondLife
2010-01-16 08:13 . 2010-01-16 07:53 -------- d-----r- c:\program files\Skype
2010-01-16 07:57 . 2010-01-16 07:57 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-16 07:53 . 2010-01-16 07:53 -------- d-----w- c:\program files\Common Files\Skype
2010-01-16 07:53 . 2010-01-16 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-15 15:23 . 2010-01-15 12:02 -------- d-----w- c:\documents and settings\Wolfe\Application Data\GetRightToGo
2010-01-14 17:42 . 2010-01-14 17:25 -------- d-----w- c:\program files\Linksys
2010-01-14 17:24 . 2010-01-14 17:24 -------- d-----w- c:\program files\Pure Networks
2010-01-14 17:23 . 2010-01-14 17:23 8673792 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2010-01-14 17:21 . 2010-01-14 17:21 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2010-01-14 12:49 . 2010-01-14 12:48 -------- d-----w- c:\program files\jZip
2010-01-14 11:04 . 2010-01-14 10:59 -------- d-----w- c:\program files\hMailServer
2010-01-14 11:02 . 2010-01-14 11:02 -------- d-----w- c:\program files\MSXML 6.0
2010-01-14 10:59 . 2010-01-14 10:59 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-01-14 10:59 . 2010-01-14 10:59 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-01-14 01:54 . 2010-01-11 08:39 -------- d-----w- c:\program files\Common Files\eAcceleration
2010-01-14 01:54 . 2010-01-11 08:39 -------- d-----w- c:\program files\StopSign
2010-01-13 09:53 . 2010-01-13 09:53 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-12 12:51 . 2010-01-12 08:38 -------- d-----w- c:\documents and settings\Wolfe\Application Data\AdobeUM
2010-01-12 12:46 . 2010-01-12 12:46 -------- d-----w- c:\program files\Winwap Technologies
2010-01-12 08:40 . 2010-01-12 08:40 -------- d-----w- c:\documents and settings\Wolfe\Application Data\Leadertech
2010-01-12 08:38 . 2010-01-12 08:38 -------- d-----w- c:\documents and settings\Wolfe\Application Data\AdobeAUM
2010-01-11 08:58 . 2010-01-11 08:58 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-11 08:52 . 2010-01-11 08:52 0 ----a-w- c:\windows\nsreg.dat
2010-01-11 08:48 . 2010-01-11 08:40 -------- d-----w- c:\documents and settings\Wolfe\Application Data\eAcceleration
2010-01-11 08:40 . 2010-01-11 08:39 -------- d-----w- c:\program files\eAcceleration
2010-01-11 08:39 . 2010-01-11 08:39 -------- d-----w- c:\program files\Acceleration Software
2010-01-11 08:39 . 2010-01-11 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\eAcceleration
2010-01-10 21:50 . 2010-01-10 21:50 -------- d-----w- c:\program files\Realtek
2010-01-10 21:50 . 2010-01-10 21:50 315392 ----a-w- c:\windows\HideWin.exe
2010-01-10 20:38 . 2010-01-10 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-01-10 20:27 . 2010-01-10 20:27 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2009-12-12 14:15 . 2010-01-13 09:53 178176 ----a-w- c:\windows\system32\unrar.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"nwiz"="nwiz.exe" [2008-02-25 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"webscan"="c:\program files\Acceleration Software\Anti-Virus\stopsignav.exe" [2009-09-04 1033568]
"SoftwareStation"="c:\program files\eAcceleration\Station\station.exe" [2009-05-15 177488]
"OnAccess"="c:\program files\StopSign\OnAccess\onaccess.exe" [2009-07-22 255328]
"StopSignPopupBlocker"="c:\progra~1\StopSign\POPUPB~1\sspopupblockerctrl.exe" [2009-06-10 107976]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"WebcammaxMoniter"="c:\program files\WebcamMax\wcmmon.exe" [2009-09-25 449024]

c:\documents and settings\Wolfe\Start Menu\Programs\Startup\
Ray Multimedia Server.lnk - c:\rms\start_service.exe [2009-5-18 49416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\Twain_32\CA561A\SnapDetect.exe [2010-1-27 65536]
start WampServer.lnk - c:\wamp\wampmanager.exe [2010-1-11 1152512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42DD0873-5FA9-465D-90DE-0826020416A5}"= "c:\program files\StopSign\OnAccess\onaccess_hk32.dll" [2009-07-22 165216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\Userinit.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Emerald Viewer\\SLVoice.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Wolfe\\Desktop\\NetDraft\\idraft.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1031:TCP"= 1031:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [1/13/2010 5:54 PM 109536]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2010 12:23 PM 14336]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2/10/2010 7:14 PM 1053056]
R2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [1/11/2010 12:39 AM 113920]
R2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe [1/11/2010 12:39 AM 263504]
R2 FWService;FWService;c:\program files\StopSign\Firewall\FWService.exe -Service --> c:\program files\StopSign\Firewall\FWService.exe -Service [?]
R2 Red5;RMS;c:\rms\wrapper.exe -s c:\rms\conf\wrapper.conf --> c:\rms\wrapper.exe -s c:\rms\conf\wrapper.conf [?]
R2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [1/11/2010 12:39 AM 113920]
R2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\EACCEL~1\FRAMEW~1\eac_svc.exe [1/11/2010 12:39 AM 113920]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [1/15/2010 4:04 AM 17792]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/10/2010 12:24 PM 69692]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]
S3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [4/21/2007 6:15 AM 9344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: {B9331A99-5103-43EB-A02F-9417AC06471D} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Wolfe\Application Data\Mozilla\Firefox\Profiles\19w829dm.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL -
FF - plugin: c:\documents and settings\Wolfe\My Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: browser.sessionstore.resume_from_crash - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvgts.sys >>UNKNOWN [0x84C0E8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf756bfc3
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf720a7b4
\Driver\iaStor -> IASTOR.SYS @ 0xf722eb58
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3392028434-1750007579-270867441-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F5CE514-DAD4-A5B2-6FCA-1E00A233F342}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iahmfobjlldgbonohl"=hex:69,61,6a,68,63,67,6e,65,70,6d,6f,69,6e,6e,63,61,61,6a,
00,00
"habopncoakeoekkh"=hex:69,61,6a,68,63,67,6e,65,70,6d,6f,69,6e,6e,63,61,61,6a,
00,00
"fahmglaklfkb"=hex:67,61,63,64,63,6b,65,66,65,61,62,6a,67,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3864)
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\StopSign\OnAccess\onaccess_hk32.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\progra~1\StopSign\POPUPB~1\sspopupblocker.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\rms\wrapper.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\rms\jre\bin\java.exe
c:\program files\StopSign\Firewall\FWService.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\DllHost.exe
c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
c:\wamp\bin\mysql\mysql5.1.33\bin\mysqld.exe
c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
.
**************************************************************************
.
Completion time: 2010-03-06 15:47:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 23:47
ComboFix2.txt 2010-03-06 21:09

Pre-Run: 109,471,326,208 bytes free
Post-Run: 109,438,095,360 bytes free

- - End Of File - - 3C577D3F65D3E04D3BD5B141373501BB
