
Win32/Patched.CH and Possibly Others


This topic is locked
13 replies to this topic

#1 trumanjunk

trumanjunk

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 25 February 2010 - 02:27 AM

Several days ago, I became infected with some spyware. It installed Security Essentials 2010. After removing it using Malwarebytes Anti-Malware in Safe Mode, I was unable to boot into Windows XP; only into Debugging Mode. It may have to do with some infected NTFS file since my C drive is NTFS format. Current issues are browser redirection, pop-ups, slow computer speed, frequent freezing and programs not always opening. After scanning the computer using GMER, AVG Free version 9 started to show that nvatabus.sys is infected with Win32/Patched.CH.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rick at 20:00:40.65 on Wed 02/24/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.325 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
svchost.exe
C:\Program Files\Wally\Wally.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Firefox\firefox.exe
C:\Users\Rick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [Wally] c:\program files\wally\Wally.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [UltimateServices] c:\windows\system32\ultsvcs.exe /startup
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\users\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254612117156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://na.webaccess.hp.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli fenefezu.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\rick\applic~1\mozilla\firefox\profiles\altmiiaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\users\rick\application data\mozilla\firefox\profiles\altmiiaw.default\extensions\downloadscontextmenu@bmproductions\components\contextmenu.dll
FF - plugin: c:\program files\firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\rick\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\rick\application data\mozilla\firefox\profiles\altmiiaw.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-21 64288]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2006-2-26 16640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-2 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-2 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-2 360584]
R1 SASDIFSV;SASDIFSV;c:\users\rick\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-21 9968]
R1 SASKUTIL;SASKUTIL;c:\users\rick\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-2-21 74480]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-1 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-1 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-4-6 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2009-10-29 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2009-10-29 10161]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-10-3 14424]
S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [2008-11-29 14494]
S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [2008-11-29 16680]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2009-10-29 27008]
S3 SASENUM;SASENUM;\??\c:\users\rick\locals~1\temp\sas_selfextract\sasenum.sys --> c:\users\rick\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================


==================== Find3M ====================

2010-02-22 04:20:30 79360 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-01-05 09:57:31 841216 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:57:27 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:57:26 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 07:58:29 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 21:16:22 11094 ----a-w- c:\users\rick\cc_20091227_131618.reg
2009-12-18 08:41:30 6339584 ----a-w- c:\windows\system32\setupapi.dll
2009-12-18 08:38:58 340448 ----a-w- c:\users\rick\cc_20091218_003852.reg
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 07:52:36 2189312 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-09 07:10:32 2066176 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:23:41 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:23:40 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:28:31 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:28:31 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:28:31 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:28:31 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:28:31 11264 ----a-w- c:\windows\system32\msrle32.dll
2008-01-22 03:51:13 121 ---ha-w- c:\program files\desktop.ini
2009-10-03 06:48:17 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-10-03 06:48:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-10-03 06:48:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009100220091003\index.dat
2009-10-03 06:48:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 20:02:26.78 ===============

Attached Files
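The "Pseudo HJT Report" section of the DDS log above is normally read by eye. The script below is an added example, not part of this thread and not code from the DDS tool or BleepingComputer; it automates three of the checks a log reader applies to lines of that shape: an LSA "Notification Packages" entry beyond the stock list, a Winlogon UIHost that is not the stock logon UI, and hosts-file entries that pin a name other than localhost to an address. The sample lines are constructed from the line shapes in the log above; the stock Windows XP defaults it compares against (scecli as the only LSA notification package, logonui.exe as UIHost) are the script's own assumptions. A hit means "review this entry", not "this is malware".

```python
"""Triage a DDS 'Pseudo HJT Report' block for tampering indicators.

Added example: not part of the forum thread, the DDS tool or BleepingComputer.
It flags entries a log reader would want to look at; a flag is not a verdict.
"""
from typing import Dict, List, Tuple

# Assumed stock Windows XP defaults (this script's assumption, not stated in the thread).
XP_DEFAULT_LSA_PACKAGES = {"scecli"}   # only LSA notification package on a clean XP box
XP_DEFAULT_UIHOST = "logonui.exe"      # Winlogon UIHost on a clean XP box

# Constructed sample built from the line shapes in the thread's DDS log.
SAMPLE_HJT = r"""
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UltimateServices] c:\windows\system32\ultsvcs.exe /startup
LSA: Notification Packages = scecli fenefezu.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
"""


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split DDS pseudo-HJT lines into (prefix, payload) pairs.

    DDS writes most entries as '<prefix>: <payload>' (e.g. 'LSA: ...', 'Hosts: ...').
    Lines without that shape are skipped rather than guessed at.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prefix, sep, payload = line.partition(": ")
        if sep:
            entries.append((prefix, payload))
    return entries


def _finding(check: str, value: str, why: str) -> Dict[str, str]:
    return {"check": check, "value": value, "why": why}


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry, in log order."""
    findings: List[Dict[str, str]] = []
    for prefix, payload in parse_hjt(text):
        if prefix == "LSA" and payload.startswith("Notification Packages ="):
            # Notification packages load into lsass.exe and are told about password
            # changes, so anything beyond the stock list deserves a look.
            packages = payload.split("=", 1)[1].split()
            for pkg in packages:
                if pkg.lower() not in XP_DEFAULT_LSA_PACKAGES:
                    findings.append(_finding(
                        "lsa_notification_package", pkg,
                        "non-default DLL registered as an LSA notification package"))
        elif prefix.endswith("Winlogon") and payload.lower().startswith("uihost="):
            # UIHost is the logon UI binary; a replaced one runs before any user logs on.
            host = payload.split("=", 1)[1].strip()
            basename = host.lower().rsplit("\\", 1)[-1]
            if basename != XP_DEFAULT_UIHOST:
                findings.append(_finding(
                    "winlogon_uihost", host,
                    "Winlogon UIHost points at something other than the stock logon UI"))
        elif prefix == "Hosts":
            # DDS lists hosts-file overrides; anything besides localhost is a redirect
            # that needs explaining (security sites pinned to 127.0.0.1 is a classic).
            parts = payload.split()
            if len(parts) >= 2 and parts[1].lower() != "localhost":
                findings.append(_finding(
                    "hosts_override", f"{parts[0]} {parts[1]}",
                    "hosts file overrides name resolution for a non-localhost name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f['check']}] {f['value']}: {f['why']}")
```

Run against the sample it reports the UIHost, the extra LSA package and the spywareinfo.com hosts entry, and nothing for the Run lines, which need a human to judge. Paste a real DDS section into `SAMPLE_HJT` (or read it from a file) to run the same checks on another log.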





#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:42 AM

Posted 27 February 2010 - 10:04 AM

Hello trumanjunk my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. The forum has been busy.

* Please stay with me until I declare that your computer is clean as most users don't reply anymore once they found out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.



Please give me some time to review your log. I will post the necessary instructions ASAP.

Thanks,
~Semp

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:42 AM

Posted 27 February 2010 - 12:11 PM

Hi trumanjunk,


I would like to discuss some issues before we begin...

First: Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent.exe).
These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."




Second: Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
*Registry tools can cause irreparable damage to your Operating System
*Registry tools can, as a result of the above, render your PC inoperable.

This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.

Cleaning the registry won't really improve system performance, even though there are a lot of orphaned keys.
IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry cleaners at your own risk. After all, a corrupted registry is a corrupted Windows.

Registry Cleaners and System Tweaking Tools



++++++++++++++++++++++++++


Now let's begin...


1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy




2. Please follow these steps on how to disable AVG Resident Shield:
  • Double-click the AVG system tray icon to open AVG.
  • In Overview section double click Resident Shield.
  • Uncheck Resident Shield Active.
  • Press Save Changes
  • Right-click the icon in the Notification Area to exit AVG.

Note: It is important to activate the resident shield immediately after running ComboFix.



3. Download Combofix from any of the links below but rename it to CFScan before saving it to your desktop.
Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double-click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



~Semp





#4 trumanjunk

trumanjunk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 27 February 2010 - 02:57 PM

ComboFix 10-02-26.01 - Rick 02/26/2010 9:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.740 [GMT -8:00]
Running from: c:\users\Rick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\\Rick\cc_20091218_003852.reg
c:\users\Rick\cc_20091218_003852.reg
c:\windows\system32\drivers\etc\lmhosts

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-26 06:19 . 2010-02-26 06:19 -------- d-----w- C:\NVIDIA nForce2 ATA Controller (v2.6)
2010-02-26 06:17 . 2009-08-11 21:18 52697 ----a-w- C:\nvatabus.sys
2010-02-26 06:17 . 2009-08-11 21:18 100736 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-02-26 04:59 . 2010-02-22 03:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-25 05:30 . 2010-02-25 05:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-25 05:30 . 2010-02-25 05:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-25 02:53 . 2010-02-25 02:53 -------- d-----w- c:\users\NetworkService\Local Settings\Application Data\Adobe
2010-02-23 08:24 . 2010-02-23 08:24 15758 ----a-w- c:\users\Rick\cc_20100223_002358.reg
2010-02-23 08:24 . 2010-02-23 08:24 15758 ----a-w- c:\users\\Rick\cc_20100223_002358.reg
2010-02-23 08:22 . 2010-02-23 08:22 -------- d-----w- c:\program files\CCleaner
2010-02-23 06:22 . 2010-02-23 06:22 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-22 03:30 . 2010-02-22 03:30 247120 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-22 03:30 . 2010-02-22 03:30 6330848 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-22 03:30 . 2010-02-22 03:30 329048 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-22 03:30 . 2010-02-22 03:30 94712 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-22 03:30 . 2010-02-22 03:30 17480 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-22 03:30 . 2010-02-22 03:30 961984 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-22 03:30 . 2010-02-22 03:30 835312 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-22 03:30 . 2010-02-22 03:30 842992 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-22 03:30 . 2010-02-22 03:30 1593320 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-22 03:30 . 2010-02-22 03:30 815184 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-22 03:30 . 2010-02-22 03:30 1229232 ----a-w- c:\users\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-22 03:29 . 2010-02-22 03:29 -------- dc-h--w- c:\users\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-22 03:29 . 2010-02-04 15:53 2954656 -c--a-w- c:\users\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-22 03:28 . 2010-02-22 03:31 -------- d-----w- c:\users\All Users\Application Data\Lavasoft
2010-02-22 03:28 . 2010-02-22 03:29 -------- d-----w- c:\program files\Lavasoft
2010-02-21 23:31 . 2010-02-21 23:31 5115824 ----a-w- c:\users\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-21 03:49 . 2010-02-23 08:29 -------- d-----w- c:\users\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 03:49 . 2010-02-21 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-21 02:48 . 2010-02-21 02:48 -------- d-----w- c:\users\All Users\Application Data\Malwarebytes
2010-02-20 21:12 . 2010-02-20 21:12 -------- d-----w- c:\users\Rick\Application Data\Malwarebytes
2010-02-20 21:12 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 21:12 . 2010-02-21 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 21:12 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 02:34 . 2010-02-19 02:34 -------- d-----w- c:\program files\QuickSFV
2010-02-18 23:52 . 2010-02-18 23:52 -------- d-----w- c:\program files\AutoHotkey
2010-02-18 23:52 . 2010-02-18 23:52 -------- d-----w- c:\windows\ShellNew
2010-02-18 22:01 . 2010-02-18 22:01 -------- d-----w- c:\users\Rick\Application Data\AVG9
2010-02-18 21:58 . 2010-02-18 21:58 -------- d-----w- c:\users\Rick\Application Data\Logitech
2010-02-18 21:58 . 2010-02-18 21:58 -------- d-----w- c:\users\Rick\Application Data\Leadertech
2010-02-18 21:58 . 2010-02-18 21:58 -------- d-----w- c:\users\All Users\Application Data\LogiShrd
2010-02-18 21:58 . 2009-06-17 16:55 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-02-18 21:58 . 2009-07-20 20:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-02-18 21:58 . 2009-07-20 20:26 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-02-18 21:58 . 2009-07-20 20:26 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-02-18 21:58 . 2009-07-20 20:26 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-02-18 21:58 . 2009-07-20 20:26 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-02-18 21:57 . 2010-02-18 21:57 -------- d-----w- c:\users\All Users\Application Data\Logitech
2010-02-18 21:46 . 2010-02-18 21:58 -------- d-----w- c:\program files\Common Files\Logishrd
2010-02-18 21:46 . 2010-02-18 21:46 -------- d-----w- c:\program files\Logitech
2010-02-18 21:42 . 2010-01-21 19:46 441168 ----a-w- c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
2010-02-18 21:38 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-02-18 21:38 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-02-14 02:17 . 2010-02-17 23:54 -------- d-----w- C:\BDRips
2010-02-13 19:49 . 2010-02-13 19:53 -------- d-----w- C:\TurboTax
2010-02-13 19:21 . 2010-02-13 19:21 -------- d-----w- c:\users\Rick\TurboTax
2010-02-13 19:21 . 2010-02-13 19:21 -------- d-----w- c:\users\\Rick\TurboTax
2010-02-13 19:21 . 2010-02-13 19:21 -------- d-----w- c:\users\Rick\Application Data\Intuit
2010-02-13 19:20 . 2010-02-13 19:20 -------- d-----w- c:\users\All Users\Application Data\Intuit
2010-02-13 19:20 . 2010-02-18 22:11 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-13 19:20 . 2010-02-13 19:20 -------- d-----w- c:\program files\TurboTax
2010-02-13 19:19 . 2010-02-13 19:19 -------- d-----w- c:\users\Rick\Application Data\InstallShield
2010-02-10 05:29 . 2009-12-04 17:25 456832 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-08 07:37 . 2010-02-08 07:37 -------- d-----w- c:\users\All Users\Application Data\FLEXnet
2010-02-08 07:30 . 2010-02-08 07:30 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-02-08 07:30 . 2010-02-22 00:50 -------- d-----w- c:\users\All Users\Application Data\Rosetta Stone
2010-02-08 07:30 . 2010-02-08 07:30 -------- d-----w- c:\program files\Rosetta Stone
2010-02-08 07:18 . 2010-02-08 07:18 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-08 07:18 . 2010-02-08 07:21 -------- d-----w- c:\users\Rick\Application Data\DAEMON Tools Lite
2010-02-08 07:18 . 2010-02-08 07:18 -------- d-----w- c:\users\All Users\Application Data\DAEMON Tools Lite
2010-02-08 06:07 . 2010-02-08 06:08 -------- d-----w- c:\users\Rick\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 17:55 . 2009-10-03 08:08 -------- d-----w- c:\program files\PeerBlock
2010-02-26 17:55 . 2009-10-03 07:17 -------- d-----w- c:\users\Rick\Application Data\uTorrent
2010-02-25 03:58 . 2009-10-03 06:34 -------- d---a-w- c:\program files\Firefox
2010-02-25 02:53 . 2009-12-24 06:18 664 ----a-w- c:\users\NetworkService\Local Settings\Application Data\d3d9caps.dat
2010-02-21 23:42 . 2009-10-03 06:42 -------- d---a-w- c:\program files\Windows Sidebar
2010-02-20 20:43 . 2009-10-03 07:18 -------- d-----w- c:\program files\uTorrent
2010-02-20 20:29 . 2009-11-28 04:10 -------- d-----w- c:\program files\JDownloader
2010-02-19 08:28 . 2009-10-22 23:45 411816 ----a-w- c:\users\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-18 21:57 . 2009-10-03 07:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-18 21:48 . 2010-02-18 21:48 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-02-18 21:48 . 2010-02-18 21:48 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-02-18 21:48 . 2010-02-18 21:48 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-02-08 06:03 . 2010-01-15 08:08 -------- d-----w- c:\users\Rick\Application Data\GlarySoft
2010-02-04 15:53 . 2010-02-22 03:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-29 05:33 . 2009-10-30 05:29 -------- d-----w- c:\program files\ActivIdentity
2010-01-27 19:11 . 2010-01-05 22:56 -------- d-----w- c:\program files\Driver Magician
2010-01-22 07:42 . 2009-10-03 23:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 07:58 . 2009-10-30 05:31 -------- d-----w- c:\program files\RA2HP
2010-01-21 00:34 . 2010-01-21 00:34 -------- d-----w- c:\users\Rick\Application Data\SUPERAntiSpyware.com
2010-01-21 00:34 . 2010-01-21 00:34 -------- d-----w- c:\users\All Users\Application Data\SUPERAntiSpyware.com
2010-01-15 07:02 . 2010-01-15 07:01 -------- d-----w- c:\program files\Glary Utilities
2010-01-15 05:07 . 2009-10-03 18:26 -------- d-----w- c:\program files\TVersity Codec Pack
2010-01-08 04:39 . 2009-12-30 02:56 -------- d-----w- c:\users\Rick\Application Data\Juniper Networks
2010-01-08 04:39 . 2010-01-08 04:39 33220 ----a-w- c:\users\Rick\Application Data\Juniper Networks\Setup\uninstall.exe
2010-01-05 09:57 . 2009-08-11 20:52 841216 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2009-08-11 20:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2009-08-11 20:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 07:58 . 2009-08-11 20:55 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 02:57 . 2009-12-30 02:56 -------- d-----w- c:\users\All Users\Application Data\Juniper Networks
2009-12-29 04:37 . 2009-10-03 23:42 -------- d-----w- c:\users\Rick\Application Data\ATI
2009-12-27 21:16 . 2009-12-27 21:16 11094 ----a-w- c:\users\Rick\cc_20091227_131618.reg
2009-12-27 21:16 . 2009-12-27 21:16 11094 ----a-w- c:\users\\Rick\cc_20091227_131618.reg
2009-12-18 08:41 . 2009-08-11 21:40 6339584 ----a-w- c:\windows\system32\setupapi.dll
2009-12-18 04:11 . 2009-12-19 18:47 606208 ----a-w- c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}-trash\components\afom.exe
2009-12-16 18:43 . 2009-10-03 06:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 07:52 . 2009-08-11 21:40 2189312 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-09 07:10 . 2009-02-06 10:30 2066176 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 17:25 . 2009-08-11 20:55 456832 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\syscache\tcpip.sys

[-] 2009-12-18 . C9FB1A9B3F9B51F08B665542DDFEE295 . 692736 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2009-12-18 . 6616894470538493B9AAE74271F099EF . 578048 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2009-12-18 . AEA58E2C358B987FCC612907377373C3 . 1697280 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-08-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-20 320816]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"Wally"="c:\program files\Wally\Wally.exe" [2009-11-10 10279966]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UltimateServices"="c:\windows\system32\ultsvcs.exe" [2009-08-09 620585]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"HPRAService"="c:\program files\RA2HP\HPRAService.exe" [2009-10-16 135168]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-11-25 5720072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\users\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-2-18 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-02 01:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgchsvx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/21/2010 7:31 PM 64288]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2/26/2006 7:21 AM 16640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/2/2009 10:54 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/2/2009 10:54 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/1/2009 5:17 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/1/2009 5:17 PM 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 7:52 AM 1229232]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [4/6/2007 10:46 AM 13619]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [10/29/2009 9:29 PM 9493]
R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [4/6/2007 10:46 AM 13647]
R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [10/29/2009 9:29 PM 10161]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/3/2009 12:08 AM 14424]
S1 SASDIFSV;SASDIFSV;\??\c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [11/29/2008 9:53 PM 14494]
S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [11/29/2008 9:53 PM 16680]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [10/29/2009 9:29 PM 27008]
S3 SASENUM;SASENUM;\??\c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/7/2010 11:18 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:30]

2010-02-26 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-01-15 20:09]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: turbotax.com
FF - ProfilePath - c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\downloadscontextmenu@bmproductions\components\contextmenu.dll
FF - plugin: c:\program files\Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\Rick\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Security essentials 2010 - c:\program files\Securityessentials2010\SE2010.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 09:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\wdigest.dll
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(3096)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\IMHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-02-26 09:57:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 17:57

Pre-Run: 26,445,049,856 bytes free
Post-Run: 26,336,219,136 bytes free

- - End Of File - - 2DFFA661EAF90399DF332568892B91C4


#5 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 27 February 2010 - 11:21 PM

Hi, do you still have that boot problem?


1. Can you please post the log of Malwarebytes Anti-Malware? Open MBAM >> click the log tab, locate the latest log and post it for me please.



2. We need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Open on your desktop.
  3. Click the tab.
  4. Click the button.
  5. Check all seven boxes:
  6. Push Ok
  7. Check the box for your main system drive (Usually C:), and press Ok.
  8. Allow RootRepeal to run a scan of your system. This may take some time.
  9. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply.



3. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
SRPeek::  
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\syscache\tcpip.sys
c:\windows\system32\comctl32.dll
c:\windows\system32\user32.dll
c:\windows\explorer.exe
c:\windows\system32\sfcfiles.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




4. Create a new DDS log and post it for me please. Thanks.


~Semp


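The CFScript in step 3 above lists exactly the files that ComboFix's Sigcheck section flagged with `[-]`. As an added example (not part of this thread, and not ComboFix's or the helper's own tooling), the script below parses that Sigcheck block straight out of a ComboFix log, groups the flagged files by MD5 so identical copies in different locations stand out, and emits the `SRPeek::` stanza in the same shape as the one the helper posted. The sample input is the Sigcheck block copied from the log earlier in the thread; the field layout in the regex is read off those lines, and treating `[-]` as "signature could not be verified" is an assumption about ComboFix's notation, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the "Sigcheck" block copied from the ComboFix log
# earlier in this thread. Hashes, sizes and versions are the log's own values.
SAMPLE_SIGCHECK = r"""------- Sigcheck -------

[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\syscache\tcpip.sys

[-] 2009-12-18 . C9FB1A9B3F9B51F08B665542DDFEE295 . 692736 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2009-12-18 . 6616894470538493B9AAE74271F099EF . 578048 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2009-12-18 . AEA58E2C358B987FCC612907377373C3 . 1697280 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-08-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# One Sigcheck line: "[flag] date . MD5 . size . . [version] . . path".
# Field separators are taken from the log lines above.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str      # assumption: "-" means ComboFix could not verify the file's signature
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def failed(self) -> bool:
        return self.flag == "-"


def parse_sigcheck(log_text: str) -> List[SigcheckEntry]:
    """Return the entries of the Sigcheck section, stopping at the next section header."""
    entries: List[SigcheckEntry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("------- Sigcheck"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("(((("):
            break  # ComboFix's next "((((( ... )))))" section banner
        m = SIGCHECK_LINE.match(line)
        if m:
            entries.append(SigcheckEntry(
                flag=m["flag"], date=m["date"], md5=m["md5"].upper(),
                size=int(m["size"]), version=m["version"], path=m["path"],
            ))
    return entries


def group_by_hash(entries: List[SigcheckEntry]) -> Dict[str, List[str]]:
    """Map MD5 -> paths, so byte-identical copies in different folders are visible."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        groups.setdefault(e.md5, []).append(e.path)
    return groups


def build_srpeek_script(entries: List[SigcheckEntry], only_failed: bool = True) -> str:
    """Emit a CFScript 'SRPeek::' stanza listing each flagged path once, in log order."""
    seen = set()
    ordered: List[str] = []
    for e in entries:
        if only_failed and not e.failed:
            continue
        key = e.path.lower()          # Windows paths are case-insensitive
        if key not in seen:
            seen.add(key)
            ordered.append(e.path)
    return "SRPeek::\n" + "\n".join(ordered) + "\n"


if __name__ == "__main__":
    found = parse_sigcheck(SAMPLE_SIGCHECK)
    for md5, paths in group_by_hash(found).items():
        print(f"{md5}  x{len(paths)}  {', '.join(paths)}")
    print()
    print(build_srpeek_script(found), end="")
```

Running it prints one line per distinct hash (the two tcpip.sys copies share a hash, so they appear together) followed by the SRPeek stanza, which you can save as CFScript.txt next to ComboFix.exe exactly as described in step 3.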

#6 trumanjunk

  • Topic Starter

  • Members
  • 6 posts

Posted 01 March 2010 - 10:01 PM

AVG kept crashing over the weekend, so I had to uninstall it. I installed McAfee SecurityCenter for virus protection.

Also, I accidentally let Windows Update install Internet Explorer 8.

I have been unable to run RootRepeal. I've tried it four times and all four times, my computer freezes. I assumed the application was working and my computer would be unresponsive, but after checking the computer 8 hours later, the computer was still in the same state, frozen.

Symptoms seem to have gone away. But things may still be lingering.

Below are the logs you requested.

=====================================

Malwarebytes' Anti-Malware 1.44
Database version: 3795
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/26/2010 12:02:32 AM
mbam-log-2010-02-26 (00-02-32).txt

Scan type: Quick Scan
Objects scanned: 110436
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


========================================

ComboFix 10-03-01.01 - Rick 03/01/2010 18:44:47.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.711 [GMT -8:00]
Running from: c:\users\Rick\Desktop\ComboFix.exe
Command switches used :: c:\users\Rick\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-02-27 20:31 . 2010-02-27 20:31 -------- d-----w- c:\users\LocalService\Application Data\SACore
2010-02-27 20:29 . 2010-02-27 20:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-27 20:19 . 2010-02-27 20:19 -------- d-----w- c:\users\All Users\Application Data\SiteAdvisor
2010-02-27 20:17 . 2009-11-11 19:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-27 20:17 . 2009-11-11 19:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-27 20:17 . 2009-11-11 19:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-27 20:17 . 2009-07-16 20:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-02-27 20:17 . 2010-02-27 20:17 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-27 20:17 . 2010-02-27 20:17 -------- d-----w- c:\program files\McAfee.com
2010-02-27 20:17 . 2010-03-01 00:56 -------- d-----w- c:\program files\McAfee
2010-02-27 20:15 . 2009-11-11 19:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-02-27 20:13 . 2010-02-27 20:29 -------- d-----w- c:\users\All Users\Application Data\McAfee
2010-02-26 20:12 . 2010-02-26 20:14 -------- d-----w- c:\users\Rick\Application Data\Skype
2010-02-26 20:12 . 2010-02-26 20:12 -------- d-----r- c:\program files\Skype
2010-02-26 20:12 . 2010-02-26 20:12 -------- d-----w- c:\users\All Users\Application Data\Skype
2010-02-26 19:07 . 2010-02-26 19:07 -------- d-sh--w- c:\users\LocalService\IETldCache
2010-02-26 18:35 . 2010-02-26 18:35 -------- d-sh--w- c:\users\NetworkService\IETldCache
2010-02-26 18:34 . 2010-02-26 18:34 -------- d-sh--w- c:\users\Rick\IETldCache
2010-02-26 18:31 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-26 18:31 . 2010-02-27 02:10 -------- d-----w- c:\windows\ie8updates
2010-02-26 18:31 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-26 18:31 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-26 18:30 . 2010-02-26 18:30 -------- dc-h--w- c:\windows\ie8
2010-02-26 06:17 . 2009-08-11 21:18 52697 ----a-w- C:\nvatabus.sys
2010-02-26 06:17 . 2009-08-11 21:18 100736 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-02-25 05:30 . 2010-02-25 05:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-25 05:30 . 2010-02-25 05:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-25 02:53 . 2010-02-25 02:53 -------- d-----w- c:\users\NetworkService\Local Settings\Application Data\Adobe
2010-02-23 08:24 . 2010-02-23 08:24 15758 ----a-w- c:\users\Rick\cc_20100223_002358.reg
2010-02-23 08:22 . 2010-02-23 08:22 -------- d-----w- c:\program files\CCleaner
2010-02-23 06:22 . 2010-02-23 06:22 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-22 03:31 . 2010-02-22 03:31 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-22 03:28 . 2010-02-27 08:09 -------- d-----w- c:\users\All Users\Application Data\Lavasoft
2010-02-21 23:31 . 2010-02-21 23:31 5115824 ----a-w- c:\users\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-21 03:49 . 2010-02-23 08:29 -------- d-----w- c:\users\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 03:49 . 2010-02-21 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-21 02:48 . 2010-02-21 02:48 -------- d-----w- c:\users\All Users\Application Data\Malwarebytes
2010-02-20 21:12 . 2010-02-20 21:12 -------- d-----w- c:\users\Rick\Application Data\Malwarebytes
2010-02-20 21:12 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 21:12 . 2010-02-21 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 21:12 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 02:34 . 2010-02-19 02:34 -------- d-----w- c:\program files\QuickSFV
2010-02-18 23:52 . 2010-02-26 18:20 -------- d-----w- c:\windows\ShellNew
2010-02-18 21:58 . 2010-02-18 21:58 -------- d-----w- c:\users\Rick\Application Data\Logitech
2010-02-18 21:58 . 2010-02-18 21:58 -------- d-----w- c:\users\Rick\Application Data\Leadertech
2010-02-18 21:58 . 2010-02-18 21:58 -------- d-----w- c:\users\All Users\Application Data\LogiShrd
2010-02-18 21:58 . 2009-06-17 16:55 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-02-18 21:58 . 2009-07-20 20:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-02-18 21:58 . 2009-07-20 20:26 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-02-18 21:58 . 2009-07-20 20:26 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-02-18 21:58 . 2009-07-20 20:26 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-02-18 21:58 . 2009-07-20 20:26 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-02-18 21:57 . 2010-02-18 21:57 -------- d-----w- c:\users\All Users\Application Data\Logitech
2010-02-18 21:46 . 2010-02-18 21:58 -------- d-----w- c:\program files\Common Files\Logishrd
2010-02-18 21:46 . 2010-02-18 21:46 -------- d-----w- c:\program files\Logitech
2010-02-18 21:42 . 2010-01-21 19:46 441168 ----a-w- c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
2010-02-18 21:38 . 2008-04-14 12:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-02-18 21:38 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-02-14 02:17 . 2010-02-17 23:54 -------- d-----w- C:\BDRips
2010-02-13 19:49 . 2010-02-13 19:53 -------- d-----w- C:\TurboTax
2010-02-13 19:21 . 2010-02-13 19:21 -------- d-----w- c:\users\Rick\TurboTax
2010-02-13 19:21 . 2010-02-13 19:21 -------- d-----w- c:\users\Rick\Application Data\Intuit
2010-02-13 19:20 . 2010-02-13 19:20 -------- d-----w- c:\users\All Users\Application Data\Intuit
2010-02-13 19:20 . 2010-02-18 22:11 -------- d-----w- c:\program files\Common Files\Intuit
2010-02-13 19:20 . 2010-02-13 19:20 -------- d-----w- c:\program files\TurboTax
2010-02-13 19:19 . 2010-02-13 19:19 -------- d-----w- c:\users\Rick\Application Data\InstallShield
2010-02-10 05:29 . 2009-12-04 17:25 456832 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-08 07:37 . 2010-02-08 07:37 -------- d-----w- c:\users\All Users\Application Data\FLEXnet
2010-02-08 07:30 . 2010-02-08 07:30 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-02-08 07:30 . 2010-02-22 00:50 -------- d-----w- c:\users\All Users\Application Data\Rosetta Stone
2010-02-08 07:30 . 2010-02-08 07:30 -------- d-----w- c:\program files\Rosetta Stone
2010-02-08 07:18 . 2010-02-08 07:18 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-08 07:18 . 2010-02-08 07:21 -------- d-----w- c:\users\Rick\Application Data\DAEMON Tools Lite
2010-02-08 07:18 . 2010-02-08 07:18 -------- d-----w- c:\users\All Users\Application Data\DAEMON Tools Lite
2010-02-08 06:07 . 2010-02-08 06:08 -------- d-----w- c:\users\Rick\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 02:39 . 2009-10-03 07:17 -------- d-----w- c:\users\Rick\Application Data\uTorrent
2010-03-01 07:48 . 2009-10-22 23:45 411816 ----a-w- c:\users\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-01 00:45 . 2010-01-05 22:56 -------- d-----w- c:\program files\Driver Magician
2010-02-27 21:53 . 2009-11-28 04:10 -------- d-----w- c:\program files\JDownloader
2010-02-27 21:35 . 2009-10-03 08:08 -------- d-----w- c:\program files\PeerBlock
2010-02-26 18:23 . 2009-10-05 01:09 -------- d-----w- c:\users\All Users\Application Data\Apple Computer
2010-02-26 18:17 . 2009-10-30 05:31 -------- d-----w- c:\program files\RA2HP
2010-02-26 18:16 . 2009-10-30 05:33 -------- d-----w- c:\program files\Microsoft Office Communicator
2010-02-25 03:58 . 2009-10-03 06:34 -------- d---a-w- c:\program files\Firefox
2010-02-25 02:53 . 2009-12-24 06:18 664 ----a-w- c:\users\NetworkService\Local Settings\Application Data\d3d9caps.dat
2010-02-21 23:42 . 2009-10-03 06:42 -------- d---a-w- c:\program files\Windows Sidebar
2010-02-20 20:43 . 2009-10-03 07:18 -------- d-----w- c:\program files\uTorrent
2010-02-18 21:57 . 2009-10-03 07:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-18 21:48 . 2010-02-18 21:48 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-02-18 21:48 . 2010-02-18 21:48 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-02-18 21:48 . 2010-02-18 21:48 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-02-08 06:03 . 2010-01-15 08:08 -------- d-----w- c:\users\Rick\Application Data\GlarySoft
2010-01-22 07:42 . 2009-10-03 23:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 00:34 . 2010-01-21 00:34 -------- d-----w- c:\users\Rick\Application Data\SUPERAntiSpyware.com
2010-01-21 00:34 . 2010-01-21 00:34 -------- d-----w- c:\users\All Users\Application Data\SUPERAntiSpyware.com
2010-01-15 07:02 . 2010-01-15 07:01 -------- d-----w- c:\program files\Glary Utilities
2010-01-15 05:07 . 2009-10-03 18:26 -------- d-----w- c:\program files\TVersity Codec Pack
2010-01-08 04:39 . 2009-12-30 02:56 -------- d-----w- c:\users\Rick\Application Data\Juniper Networks
2010-01-08 04:39 . 2010-01-08 04:39 33220 ----a-w- c:\users\Rick\Application Data\Juniper Networks\Setup\uninstall.exe
2010-01-06 02:04 . 2010-01-06 02:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-01 07:58 . 2009-08-11 20:55 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 21:16 . 2009-12-27 21:16 11094 ----a-w- c:\users\Rick\cc_20091227_131618.reg
2009-12-21 19:14 . 2009-08-11 20:52 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 08:41 . 2009-08-11 21:40 6339584 ----a-w- c:\windows\system32\setupapi.dll
2009-12-18 04:11 . 2009-12-19 18:47 606208 ----a-w- c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}-trash\components\afom.exe
2009-12-16 18:43 . 2009-10-03 06:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 07:52 . 2009-08-11 21:40 2189312 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 07:10 . 2009-02-06 10:30 2066176 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 17:25 . 2009-08-11 20:55 456832 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\syscache\tcpip.sys

[-] 2009-12-18 . C9FB1A9B3F9B51F08B665542DDFEE295 . 692736 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2009-12-18 . 6616894470538493B9AAE74271F099EF . 578048 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2009-12-18 . AEA58E2C358B987FCC612907377373C3 . 1697280 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-08-11 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-02-26_17.53.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-03 06:16 . 2009-01-08 02:21 26144 c:\windows\system32\spupdsvc.exe
+ 2009-10-03 06:53 . 2009-01-08 02:20 16928 c:\windows\system32\spmsg.dll
+ 2009-08-11 20:52 . 2009-03-08 12:31 46592 c:\windows\system32\pngfilt.dll
+ 2009-08-11 20:52 . 2009-01-08 02:20 23552 c:\windows\system32\normaliz.dll
- 2009-08-11 20:52 . 2009-08-11 20:52 23552 c:\windows\system32\normaliz.dll
+ 2009-08-11 20:52 . 2009-01-08 02:20 24576 c:\windows\system32\nlsdl.dll
- 2009-08-11 20:52 . 2009-08-11 20:52 24576 c:\windows\system32\nlsdl.dll
+ 2009-08-11 20:52 . 2009-03-08 12:31 48128 c:\windows\system32\mshtmler.dll
- 2009-08-11 20:52 . 2009-08-11 20:52 48128 c:\windows\system32\mshtmler.dll
+ 2009-08-11 20:52 . 2009-03-08 12:31 66560 c:\windows\system32\mshtmled.dll
- 2009-08-11 20:51 . 2009-08-11 20:51 45568 c:\windows\system32\mshta.exe
+ 2009-08-11 20:51 . 2009-03-08 12:31 45568 c:\windows\system32\mshta.exe
+ 2009-08-11 20:51 . 2009-03-08 12:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-08-11 20:51 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-08-11 20:51 . 2009-03-08 12:34 43008 c:\windows\system32\licmgr10.dll
+ 2009-08-11 20:51 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 94720 c:\windows\system32\inseng.dll
+ 2009-08-11 20:51 . 2009-03-08 12:31 34816 c:\windows\system32\imgutil.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 36864 c:\windows\system32\ieudinit.exe
+ 2009-08-11 20:51 . 2009-03-08 12:32 71680 c:\windows\system32\iesetup.dll
+ 2007-12-02 02:42 . 2009-03-08 12:32 55808 c:\windows\system32\iernonce.dll
- 2009-08-11 20:52 . 2009-08-11 20:52 26112 c:\windows\system32\idndl.dll
+ 2009-08-11 20:52 . 2009-01-08 02:20 26112 c:\windows\system32\idndl.dll
+ 2009-08-11 20:51 . 2009-03-08 12:31 59904 c:\windows\system32\icardie.dll
+ 2009-08-11 20:52 . 2009-03-08 12:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2009-08-11 20:52 . 2009-03-08 12:31 48128 c:\windows\system32\dllcache\mshtmler.dll
- 2009-08-11 20:52 . 2009-08-11 20:52 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2009-08-11 20:52 . 2009-03-08 12:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-08-11 20:51 . 2009-03-08 12:31 45568 c:\windows\system32\dllcache\mshta.exe
- 2009-08-11 20:51 . 2009-08-11 20:51 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-10-03 06:17 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-08-11 20:51 . 2009-03-08 12:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-08-11 20:51 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2009-08-11 20:51 . 2009-03-08 12:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2009-10-03 07:12 . 2009-03-08 12:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2009-10-03 06:17 . 2009-03-08 12:31 59904 c:\windows\system32\dllcache\icardie.dll
+ 2009-10-03 06:13 . 2009-03-08 12:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2009-08-11 20:51 . 2009-03-08 12:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2009-08-11 20:51 . 2009-03-08 12:33 18944 c:\windows\system32\corpol.dll
- 2009-10-03 06:49 . 2010-02-26 04:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-03 06:49 . 2010-03-02 02:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-27 20:29 . 2010-03-02 02:30 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-02-27 20:29 . 2010-03-02 02:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-11 20:51 . 2009-03-08 12:32 72704 c:\windows\system32\admparse.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 12800 c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 25600 c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2010-02-26 18:31 . 2009-03-08 12:33 12288 c:\windows\ie8updates\KB976325-IE8\xpshims.dll
+ 2010-02-26 18:31 . 2009-03-08 12:31 55296 c:\windows\ie8updates\KB976325-IE8\msfeedsbs.dll
+ 2010-02-26 18:31 . 2009-03-08 12:33 25600 c:\windows\ie8updates\KB976325-IE8\jsproxy.dll
+ 2010-02-26 18:30 . 2009-03-08 22:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 44544 c:\windows\ie8\pngfilt.dll
+ 2010-02-26 18:30 . 2009-08-11 20:52 48128 c:\windows\ie8\mshtmler.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 45568 c:\windows\ie8\mshta.exe
+ 2010-02-26 18:30 . 2009-08-11 20:51 12288 c:\windows\ie8\msfeedssync.exe
+ 2010-02-26 18:30 . 2010-01-05 09:57 52224 c:\windows\ie8\msfeedsbs.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 40960 c:\windows\ie8\licmgr10.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 27648 c:\windows\ie8\jsproxy.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 92672 c:\windows\ie8\inseng.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 36352 c:\windows\ie8\imgutil.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 55296 c:\windows\ie8\iesetup.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 44544 c:\windows\ie8\iernonce.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 78336 c:\windows\ie8\ieencode.dll
+ 2010-02-26 18:30 . 2010-01-01 06:55 70656 c:\windows\ie8\ie4uinit.exe
+ 2010-02-26 18:30 . 2010-01-05 09:57 63488 c:\windows\ie8\icardie.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 60416 c:\windows\ie8\hmmapi.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 17408 c:\windows\ie8\corpol.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 71680 c:\windows\ie8\admparse.dll
+ 2010-02-26 18:31 . 2009-03-08 12:35 2048 c:\windows\ie8updates\KB978506-IE8\iecompat.dll
+ 2008-04-14 12:00 . 2009-01-08 02:21 121856 c:\windows\system32\xmllite.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 121856 c:\windows\system32\xmllite.dll
+ 2009-08-11 20:52 . 2009-03-08 12:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2009-08-11 20:52 . 2009-03-08 12:34 236544 c:\windows\system32\webcheck.dll
+ 2009-08-11 20:54 . 2009-03-08 12:33 420352 c:\windows\system32\vbscript.dll
- 2009-08-11 20:52 . 2010-01-05 09:57 105984 c:\windows\system32\url.dll
+ 2009-08-11 20:52 . 2009-03-08 12:34 105984 c:\windows\system32\url.dll
+ 2009-08-11 20:52 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
+ 2009-08-11 20:52 . 2009-03-08 12:32 611840 c:\windows\system32\mstime.dll
+ 2009-08-11 20:52 . 2009-03-08 12:34 193536 c:\windows\system32\msrating.dll
- 2009-08-11 20:52 . 2009-08-11 20:52 156160 c:\windows\system32\msls31.dll
+ 2009-08-11 20:52 . 2009-03-08 12:22 156160 c:\windows\system32\msls31.dll
+ 2009-08-11 20:51 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-08 02:20 . 2009-01-08 02:20 265720 c:\windows\system32\msdbg2.dll
+ 2009-08-11 20:54 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2009-08-11 20:51 . 2009-03-08 12:22 164352 c:\windows\system32\ieui.dll
+ 2009-08-11 20:51 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
+ 2009-08-11 20:51 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
+ 2009-08-11 20:51 . 2009-03-08 12:11 445952 c:\windows\system32\ieapfltr.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 163840 c:\windows\system32\ieakui.dll
+ 2009-08-11 20:51 . 2009-03-08 12:33 229376 c:\windows\system32\ieaksie.dll
+ 2009-08-11 20:51 . 2009-03-08 12:33 125952 c:\windows\system32\ieakeng.dll
+ 2009-08-11 20:51 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
+ 2009-08-11 20:51 . 2009-03-08 12:31 216064 c:\windows\system32\dxtrans.dll
+ 2009-08-11 20:51 . 2009-03-08 12:31 348160 c:\windows\system32\dxtmsft.dll
+ 2009-08-11 20:52 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
+ 2009-08-11 20:52 . 2009-03-08 12:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2009-10-03 06:14 . 2009-03-08 12:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2009-08-11 20:54 . 2009-03-08 12:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2009-08-11 20:52 . 2009-03-08 12:34 105984 c:\windows\system32\dllcache\url.dll
- 2009-08-11 20:52 . 2010-01-05 09:57 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-08 02:20 . 2009-01-08 02:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2009-08-11 20:52 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-08-11 20:52 . 2009-03-08 12:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-08-11 20:52 . 2009-03-08 12:34 193536 c:\windows\system32\dllcache\msrating.dll
- 2009-08-11 20:52 . 2009-08-11 20:52 156160 c:\windows\system32\dllcache\msls31.dll
+ 2009-08-11 20:52 . 2009-03-08 12:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2009-10-03 06:17 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-08-11 20:54 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-10-03 06:13 . 2009-03-08 22:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2009-08-11 20:51 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-08-11 20:51 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-10-03 06:17 . 2009-03-08 12:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2009-08-11 20:51 . 2009-03-08 12:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2009-08-11 20:51 . 2009-03-08 12:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2009-08-11 20:51 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-08-11 20:51 . 2009-03-08 12:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2009-08-11 20:51 . 2009-03-08 12:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2009-08-11 20:51 . 2009-03-08 12:32 128512 c:\windows\system32\advpack.dll
+ 2010-02-26 20:12 . 2010-02-26 20:12 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2010-02-26 18:31 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB978506-IE8\spuninst\updspapi.dll
+ 2010-02-26 18:31 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978506-IE8\spuninst\spuninst.exe
+ 2010-02-26 18:32 . 2009-10-29 07:45 916480 c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-02-26 18:32 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-02-26 18:32 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-02-26 18:32 . 2009-10-29 07:45 206848 c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 594432 c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 246272 c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 184320 c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 387584 c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-02-26 18:32 . 2009-10-28 14:40 173056 c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
+ 2010-02-27 02:10 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-27 02:10 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-27 02:10 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-02-26 18:31 . 2009-03-08 12:34 914944 c:\windows\ie8updates\KB976325-IE8\wininet.dll
+ 2010-02-26 18:31 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB976325-IE8\spuninst\updspapi.dll
+ 2010-02-26 18:31 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB976325-IE8\spuninst\spuninst.exe
+ 2010-02-26 18:31 . 2009-03-08 12:34 109568 c:\windows\ie8updates\KB976325-IE8\occache.dll
+ 2010-02-26 18:31 . 2009-03-08 12:32 594432 c:\windows\ie8updates\KB976325-IE8\msfeeds.dll
+ 2010-02-26 18:31 . 2009-03-08 12:33 246784 c:\windows\ie8updates\KB976325-IE8\ieproxy.dll
+ 2010-02-26 18:31 . 2009-03-08 12:31 183808 c:\windows\ie8updates\KB976325-IE8\iepeers.dll
+ 2010-02-26 18:31 . 2009-03-08 22:09 391536 c:\windows\ie8updates\KB976325-IE8\iedkcs32.dll
+ 2010-02-26 18:31 . 2009-03-08 12:32 173056 c:\windows\ie8updates\KB976325-IE8\ie4uinit.exe
+ 2010-02-27 02:10 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2010-02-27 02:10 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2010-02-27 02:10 . 2009-03-08 12:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 841216 c:\windows\ie8\wininet.dll
+ 2010-02-26 18:30 . 2009-08-11 20:52 206336 c:\windows\ie8\winfxdocobj.exe
+ 2010-02-26 18:30 . 2010-01-05 09:57 233472 c:\windows\ie8\webcheck.dll
+ 2010-02-26 18:30 . 2008-05-27 17:23 765952 c:\windows\ie8\vgx.dll
+ 2010-02-26 18:30 . 2009-08-11 20:54 430080 c:\windows\ie8\vbscript.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 105984 c:\windows\ie8\url.dll
+ 2010-02-26 18:30 . 2009-01-08 02:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2010-02-26 18:30 . 2009-01-08 02:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2010-02-26 18:30 . 2010-01-05 09:57 102912 c:\windows\ie8\occache.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 671232 c:\windows\ie8\mstime.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 193024 c:\windows\ie8\msrating.dll
+ 2010-02-26 18:30 . 2009-08-11 20:52 156160 c:\windows\ie8\msls31.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 477696 c:\windows\ie8\mshtmled.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 459264 c:\windows\ie8\msfeeds.dll
+ 2010-02-26 18:30 . 2009-08-13 15:02 512000 c:\windows\ie8\jscript.dll
+ 2010-02-26 18:30 . 2009-12-18 07:00 634632 c:\windows\ie8\iexplore.exe
+ 2010-02-26 18:30 . 2009-08-11 20:51 180736 c:\windows\ie8\ieui.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 268288 c:\windows\ie8\iertutil.dll
+ 2010-02-26 18:30 . 2009-08-11 20:51 287744 c:\windows\ie8\ieproxy.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 193024 c:\windows\ie8\iepeers.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 388608 c:\windows\ie8\iedkcs32.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 380928 c:\windows\ie8\ieapfltr.dll
+ 2010-02-26 18:30 . 2009-12-18 06:58 161792 c:\windows\ie8\ieakui.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 230400 c:\windows\ie8\ieaksie.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 153088 c:\windows\ie8\ieakeng.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 214528 c:\windows\ie8\dxtrans.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 347136 c:\windows\ie8\dxtmsft.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 124928 c:\windows\ie8\advpack.dll
+ 2009-08-11 20:52 . 2009-12-21 19:14 1208832 c:\windows\system32\urlmon.dll
+ 2009-08-11 20:52 . 2009-12-21 19:14 5942784 c:\windows\system32\mshtml.dll
+ 2009-08-11 20:51 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
+ 2009-08-11 20:51 . 2009-02-07 05:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2009-08-11 20:52 . 2009-12-21 19:14 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2009-08-11 20:52 . 2009-12-21 19:14 5942784 c:\windows\system32\dllcache\mshtml.dll
+ 2009-10-03 06:17 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-10-03 06:17 . 2009-02-07 05:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
+ 2010-02-26 20:12 . 2010-02-26 20:12 1575936 c:\windows\Installer\5a1ee1.msi
+ 2010-02-26 18:32 . 2009-10-29 07:45 1208832 c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 5940736 c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 1985536 c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2010-02-26 18:31 . 2009-03-08 12:34 1206784 c:\windows\ie8updates\KB976325-IE8\urlmon.dll
+ 2010-02-26 18:31 . 2009-03-08 12:41 5937152 c:\windows\ie8updates\KB976325-IE8\mshtml.dll
+ 2010-02-26 18:31 . 2009-03-08 12:32 1985024 c:\windows\ie8updates\KB976325-IE8\iertutil.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 1170944 c:\windows\ie8\urlmon.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 3602944 c:\windows\ie8\mshtml.dll
+ 2010-02-26 18:30 . 2010-01-05 09:57 6071296 c:\windows\ie8\ieframe.dll
+ 2010-02-26 18:30 . 2009-06-29 08:33 2452872 c:\windows\ie8\ieapfltr.dat
+ 2010-02-26 18:27 . 2010-02-01 19:26 30364104 c:\windows\system32\MRT.exe
+ 2009-08-11 20:51 . 2009-12-21 19:14 11070464 c:\windows\system32\ieframe.dll
+ 2009-10-03 06:17 . 2009-12-21 19:14 11070464 c:\windows\system32\dllcache\ieframe.dll
+ 2010-02-26 18:32 . 2009-10-29 07:45 11069952 c:\windows\ie8updates\KB978207-IE8\ieframe.dll
+ 2010-02-26 18:31 . 2009-03-08 12:39 11063808 c:\windows\ie8updates\KB976325-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-20 320816]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"Wally"="c:\program files\Wally\Wally.exe" [2009-11-10 10279966]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\users\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-2-18 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltimateServices]
2009-08-09 19:09 620585 ----a-w- c:\windows\system32\ultsvcs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2/26/2006 7:21 AM 16640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/27/2010 12:19 PM 93320]
S1 SASDIFSV;SASDIFSV;\??\c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [11/29/2008 9:53 PM 14494]
S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [11/29/2008 9:53 PM 16680]
S3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [4/6/2007 10:46 AM 13619]
S3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [10/29/2009 9:29 PM 9493]
S3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [4/6/2007 10:46 AM 13647]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [10/29/2009 9:29 PM 27008]
S3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [10/29/2009 9:29 PM 10161]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/3/2009 12:08 AM 14424]
S3 SASENUM;SASENUM;\??\c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\users\Rick\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/7/2010 11:18 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-01-15 20:09]

2010-02-27 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-27 20:22]

2010-02-27 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-27 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: turbotax.com
FF - ProfilePath - c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\downloadscontextmenu@bmproductions\components\contextmenu.dll
FF - plugin: c:\program files\Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\Rick\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\wdigest.dll
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(1864)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\IMHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
Completion time: 2010-03-01 18:51:22
ComboFix-quarantined-files.txt 2010-03-02 02:51
ComboFix2.txt 2010-02-26 17:57

Pre-Run: 49,653,604,352 bytes free
Post-Run: 49,657,733,120 bytes free

- - End Of File - - 819B72BDD47C3F1C8A502AFFEBA447F3

===========================================


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rick at 18:55:08.46 on Mon 03/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.681 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Firefox\firefox.exe
C:\Users\Rick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [Wally] c:\program files\wally\Wally.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\users\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
Trusted Zone: turbotax.com
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254612117156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://na.webaccess.hp.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\rick\applic~1\mozilla\firefox\profiles\altmiiaw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\users\rick\application data\mozilla\firefox\profiles\altmiiaw.default\extensions\downloadscontextmenu@bmproductions\components\contextmenu.dll
FF - plugin: c:\program files\firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\rick\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\rick\application data\mozilla\firefox\profiles\altmiiaw.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2006-2-26 16640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-2-27 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-2-27 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-2-27 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-27 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-27 35272]
S1 SASDIFSV;SASDIFSV;\??\c:\users\rick\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\users\rick\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\users\rick\locals~1\temp\sas_selfextract\saskutil.sys --> c:\users\rick\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [2008-11-29 14494]
S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [2008-11-29 16680]
S3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2007-4-6 13619]
S3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2009-10-29 9493]
S3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys [2007-4-6 13647]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2009-10-29 27008]
S3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [2009-10-29 10161]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-2-27 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-2-27 40552]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-10-3 14424]
S3 SASENUM;SASENUM;\??\c:\users\rick\locals~1\temp\sas_selfextract\sasenum.sys --> c:\users\rick\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-2-27 606736]
UnknownUnknown rootrepeal;rootrepeal; [x]

=============== Created Last 30 ================

2010-02-27 20:28:59 6801 ----a-w- c:\windows\system32\Config.MPF
2010-02-27 20:17:32 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-02-27 20:17:32 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-02-27 20:17:32 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-02-27 20:17:30 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-02-27 20:17:13 0 d-----w- c:\program files\McAfee.com
2010-02-27 20:17:13 0 d-----w- c:\program files\common files\McAfee
2010-02-27 20:17:06 0 d-----w- c:\program files\McAfee
2010-02-27 20:15:38 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-02-26 20:12:40 0 d-----r- c:\program files\Skype
2010-02-26 18:34:59 0 d-sh--w- c:\users\rick\IETldCache
2010-02-26 18:31:43 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-26 18:31:30 0 d-----w- c:\windows\ie8updates
2010-02-26 18:31:16 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-26 18:31:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-26 18:31:04 1374 ----a-w- c:\windows\imsins.BAK
2010-02-26 18:30:20 0 dc-h--w- c:\windows\ie8
2010-02-26 17:45:16 98816 ----a-w- c:\windows\sed.exe
2010-02-26 17:45:16 77312 ----a-w- c:\windows\MBR.exe
2010-02-26 17:45:16 261632 ----a-w- c:\windows\PEV.exe
2010-02-26 17:45:16 161792 ----a-w- c:\windows\SWREG.exe
2010-02-26 06:17:33 52697 ----a-w- C:\nvatabus.sys
2010-02-26 06:17:33 100736 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-02-25 05:30:45 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-25 05:30:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-25 03:58:54 20 ----a-w- c:\users\rick\defogger_reenable
2010-02-23 08:24:00 15758 ----a-w- c:\users\rick\cc_20100223_002358.reg
2010-02-23 08:22:16 0 d-----w- c:\program files\CCleaner
2010-02-23 06:22:24 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-22 03:31:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-21 03:49:33 0 d-----w- c:\users\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-21 03:49:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-21 02:48:45 0 d-----w- c:\users\alluse~1\applic~1\Malwarebytes
2010-02-21 01:54:51 0 d-----w- c:\windows\pss
2010-02-20 21:12:34 0 d-----w- c:\users\rick\applic~1\Malwarebytes
2010-02-20 21:12:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 21:12:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 21:12:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 02:34:05 0 d-----w- c:\program files\QuickSFV
2010-02-19 01:35:01 1352 ----a-w- c:\users\rick\AutoHotkey.ahk
2010-02-18 23:52:45 0 d-----w- c:\windows\ShellNew
2010-02-18 21:58:38 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-02-18 21:58:14 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-02-18 21:58:11 84496 ----a-w- c:\windows\system32\KemXML.dll
2010-02-18 21:58:11 170512 ----a-w- c:\windows\system32\kemutb.dll
2010-02-18 21:58:11 145936 ----a-w- c:\windows\system32\KemUtil.dll
2010-02-18 21:58:11 117264 ----a-w- c:\windows\system32\KemWnd.dll
2010-02-18 21:48:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-02-18 21:48:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-02-18 21:48:13 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-02-18 21:38:58 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-02-18 21:38:58 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-02-14 02:17:42 0 d-----w- C:\BDRips
2010-02-13 19:49:39 0 d-----w- C:\TurboTax
2010-02-13 19:21:42 0 d-----w- c:\users\rick\TurboTax
2010-02-13 19:21:41 0 d-----w- c:\users\rick\applic~1\Intuit
2010-02-13 19:20:56 0 d-----w- c:\users\alluse~1\applic~1\Intuit
2010-02-13 19:20:29 0 d-----w- c:\program files\common files\Intuit
2010-02-13 19:20:04 0 d-----w- c:\program files\TurboTax
2010-02-10 05:29:28 456832 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-08 07:30:57 0 d-----w- c:\program files\common files\Macrovision Shared
2010-02-08 07:30:48 0 d-----w- c:\users\alluse~1\applic~1\Rosetta Stone
2010-02-08 07:30:48 0 d-----w- c:\program files\Rosetta Stone
2010-02-08 07:18:42 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-08 07:18:21 0 d-----w- c:\users\rick\applic~1\DAEMON Tools Lite
2010-02-08 07:18:18 0 d-----w- c:\users\alluse~1\applic~1\DAEMON Tools Lite

==================== Find3M ====================

2010-01-06 02:04:02 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-01 07:58:29 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 21:16:22 11094 ----a-w- c:\users\rick\cc_20091227_131618.reg
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-18 08:41:30 6339584 ----a-w- c:\windows\system32\setupapi.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 07:52:36 2189312 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 07:10:32 2066176 ------w- c:\windows\system32\ntkrnlpa.exe
2008-01-22 03:51:13 121 ---ha-w- c:\program files\desktop.ini
2009-10-03 06:48:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009100220091003\index.dat

============= FINISH: 18:55:36.37 ===============

=================================================

Thanks for any additional help you can provide.

#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:42 AM

Posted 02 March 2010 - 09:33 AM

Hi,

1. Please make sure that you can view all hidden files.  Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit.  You will only be able to have one file scanned at a time.  
    C:\WINDOWS\system32\drivers\nvatabus.sys
    c:\windows\system32\drivers\tcpip.sys
    c:\windows\system32\syscache\tcpip.sys
    c:\windows\system32\comctl32.dll
    c:\windows\system32\user32.dll
    c:\windows\explorer.exe
    c:\windows\system32\sfcfiles.dll
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal:  http://www.virustotal.com/



2. Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    nvatabus.sys
    tcpip.sys
    comctl32.dll
    user32.dll
    explorer.exe
    sfcfiles.dll
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply



~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 trumanjunk

trumanjunk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 03 March 2010 - 02:08 AM

Filename: nvatabus.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 3 Mar 2010 08:09:24 (CET)

Filename: tcpip.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 3 Mar 2010 07:02:20 (CET)

Filename: tcpip.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 3 Mar 2010 07:09:34 (CET)

Filename: comctl32.dll
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 3 Mar 2010 07:19:47 (CET)

Filename: user32.dll
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 3 Mar 2010 07:35:28 (CET)

Filename: explorer.exe
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 3 Mar 2010 07:47:17 (CET)

Filename: sfcfiles.dll
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 3 Mar 2010 07:49:26 (CET)

=====================================================


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:52 on 02/03/2010 by Rick (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvatabus.sys"
C:\nvatabus.sys --a--- 52697 bytes [06:17 26/02/2010] [21:18 11/08/2009] B226BA682359A8D879FA31A41ADDB904
C:\WINDOWS\system32\drivers\nvatabus.sys --a--- 100736 bytes [06:17 26/02/2010] [21:18 11/08/2009] C03E15101F6D9E82CD9B0E7D715F5DE3
C:\WINDOWS\system32\drivers\OemPnP\MassStorage\NVATABUS.sys --a--- 89856 bytes [15:21 26/02/2006] [15:21 26/02/2006] 83F0275A21D9772B51CEF57E35AFAE61

Searching for "tcpip.sys"
C:\WINDOWS\system32\drivers\tcpip.sys --a--- 361600 bytes [08:53 20/10/2008] [08:53 20/10/2008] 402B5152110F91E4C096200501737EA6
C:\WINDOWS\system32\syscache\tcpip.sys --a--- 361600 bytes [06:46 03/10/2009] [08:53 20/10/2008] 402B5152110F91E4C096200501737EA6

Searching for "comctl32.dll"
C:\WINDOWS\system32\comctl32.dll --a--- 692736 bytes [21:39 11/08/2009] [08:41 18/12/2009] C9FB1A9B3F9B51F08B665542DDFEE295
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll -ra--- 921088 bytes [23:03 02/10/2009] [12:00 14/04/2008] AEF3D788DBF40C7C4D204EA45EB0C505
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll --a--- 1054208 bytes [23:03 02/10/2009] [12:00 14/04/2008] BD38D1EBE24A46BD3EDA059560AFBA12

Searching for "user32.dll"
C:\WINDOWS\system32\user32.dll --a--- 578048 bytes [21:40 11/08/2009] [08:42 18/12/2009] 6616894470538493B9AAE74271F099EF

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a--- 1697280 bytes [21:40 11/08/2009] [08:41 18/12/2009] AEA58E2C358B987FCC612907377373C3

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [21:06 11/08/2009] [21:06 11/08/2009] 362BC5AF8EAF712832C58CC13AE05750

-=End Of File=-

Edited by trumanjunk, 03 March 2010 - 02:10 AM.
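As an added example (not part of this thread, and not code from SystemLook's author): a small Python script that parses ":filefind" output of the shape posted above and flags any file name whose copies disagree on MD5, or that sits outside C:\WINDOWS (that expected location is an assumption), which is the comparison the helper is making across the three nvatabus.sys copies. The sample log is constructed from the lines in this post.

```python
import hashlib
import re
from collections import defaultdict

# One SystemLook ":filefind" hit line: path, six attribute flags, size,
# [modified] [created] timestamps, then the MD5 of the file.
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-zA-Z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample in the format posted in this thread (hashes taken from the log above).
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "nvatabus.sys"
C:\nvatabus.sys --a--- 52697 bytes [06:17 26/02/2010] [21:18 11/08/2009] B226BA682359A8D879FA31A41ADDB904
C:\WINDOWS\system32\drivers\nvatabus.sys --a--- 100736 bytes [06:17 26/02/2010] [21:18 11/08/2009] C03E15101F6D9E82CD9B0E7D715F5DE3
C:\WINDOWS\system32\drivers\OemPnP\MassStorage\NVATABUS.sys --a--- 89856 bytes [15:21 26/02/2006] [15:21 26/02/2006] 83F0275A21D9772B51CEF57E35AFAE61

Searching for "tcpip.sys"
C:\WINDOWS\system32\drivers\tcpip.sys --a--- 361600 bytes [08:53 20/10/2008] [08:53 20/10/2008] 402B5152110F91E4C096200501737EA6
C:\WINDOWS\system32\syscache\tcpip.sys --a--- 361600 bytes [06:46 03/10/2009] [08:53 20/10/2008] 402B5152110F91E4C096200501737EA6

-=End Of File=-
"""

# Assumption: every file the helper asked about normally lives under C:\WINDOWS.
EXPECTED_PREFIX = "c:\\windows\\"


def parse_filefind(text):
    """Return one dict per hit line (path, attrs, size, timestamps, md5, name)."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and the End Of File marker
        hit = m.groupdict()
        hit["size"] = int(hit["size"])
        hit["md5"] = hit["md5"].upper()
        hit["name"] = hit["path"].rsplit("\\", 1)[-1].lower()
        hits.append(hit)
    return hits


def find_inconsistent_copies(hits):
    """Group hits by file name; return {name: copies} where the MD5s disagree."""
    by_name = defaultdict(list)
    for h in hits:
        by_name[h["name"]].append(h)
    return {name: copies for name, copies in by_name.items()
            if len({c["md5"] for c in copies}) > 1}


def unexpected_locations(hits, prefix=EXPECTED_PREFIX):
    """Return hits stored outside the expected directory tree (e.g. a drive root)."""
    return [h for h in hits if not h["path"].lower().startswith(prefix)]


def md5_of_bytes(data):
    """MD5 in the same upper-case hex form SystemLook prints, for comparing a known-good copy."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path):
    with open(path, "rb") as f:
        return md5_of_bytes(f.read())


def report(text):
    """Print the review points a helper would raise from a filefind log."""
    hits = parse_filefind(text)
    for name, copies in find_inconsistent_copies(hits).items():
        print(f"{name}: {len(copies)} copies with differing MD5 (compare against a vendor copy)")
        for c in copies:
            print(f"  {c['md5']}  {c['size']:>8} bytes  {c['path']}")
    for h in unexpected_locations(hits):
        print(f"outside {EXPECTED_PREFIX}: {h['path']}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Files whose copies differ only because one is an older vendor backup (the OemPnP copy here) are still listed; the point is to get the analyst looking at the hashes side by side rather than to declare a verdict.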


#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:42 AM

Posted 03 March 2010 - 11:40 AM

Download and Run Custom Scan with OTL
  • Download OTL by OldTimer and save it to your desktop.
  • Double click on the icon on your desktop. If you are using Vista, please right-click and select run as administrator
  • Check the "Scan All Users" checkbox.
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvatabus.sys
    tcpip.sys
    comctl32.dll
    user32.dll
    explorer.exe
    sfcfiles.dll
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

~Semp



#10 trumanjunk

trumanjunk
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 03 March 2010 - 03:05 PM

OTL logfile created on: 3/3/2010 10:53:28 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Users\Rick\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 40.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 42.30 Gb Free Space | 22.71% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 698.46 Gb Total Space | 24.38 Gb Free Space | 3.49% Space Free | Partition Type: FAT32

Computer Name: MRBLACK
Current User Name: Rick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/03 10:52:09 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Rick\Desktop\OTL.exe
PRC - [2010/02/20 12:13:04 | 000,320,816 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2010/02/11 12:36:12 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/02/11 12:36:12 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/01/15 19:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Firefox\firefox.exe
PRC - [2010/01/11 17:17:34 | 000,856,064 | ---- | M] () -- C:\Program Files\TVersity\Media Server\MediaServer.exe
PRC - [2009/12/18 00:41:12 | 001,697,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/11 11:14:06 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/11 10:19:48 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/11/10 09:34:52 | 010,279,966 | ---- | M] (BeCrux, http://www.becrux.com) -- C:\Program Files\Wally\Wally.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/28 01:02:44 | 001,524,824 | ---- | M] (PeerBlock, LLC) -- C:\Program Files\PeerBlock\peerblock.exe
PRC - [2009/07/20 12:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/10 12:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/12/08 14:50:04 | 000,054,576 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd2.exe
PRC - [2006/01/13 16:13:02 | 000,172,032 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe


========== Modules (SafeList) ==========

MOD - [2010/03/03 10:52:09 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Rick\Desktop\OTL.exe
MOD - [2009/07/20 12:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/20 12:25:46 | 000,017,424 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\IMHook.dll
MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/11 12:36:12 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/02/07 23:30:57 | 000,658,432 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/01/25 09:03:04 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/01/11 17:17:34 | 000,856,064 | ---- | M] () [Auto | Running] -- C:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)
SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/11 11:14:06 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/11 10:19:48 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/07/20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)


========== Driver Services (SafeList) ==========

DRV - [2010/02/07 23:18:42 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/01/05 18:04:02 | 000,385,536 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/11 11:14:44 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/11 11:14:44 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/11 11:14:44 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/11 11:14:12 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/09/28 01:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/08/11 13:18:18 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/06/17 08:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 08:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/17 08:55:18 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2008/04/14 04:00:00 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 04:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/13 15:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 15:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/06/26 01:06:42 | 000,027,008 | ---- | M] (ActivIdentity) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aksim.sys -- (AKSIM)
DRV - [2007/06/26 01:06:42 | 000,013,647 | ---- | M] (ActivIdentity) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aksbus.sys -- (aksbus)
DRV - [2007/06/26 01:06:42 | 000,013,619 | ---- | M] (ActivCard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akbus.sys -- (akbus)
DRV - [2007/06/26 01:06:42 | 000,010,161 | ---- | M] (ActivIdentity) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akspcsc.sys -- (akspcsc)
DRV - [2007/06/26 01:06:42 | 000,009,493 | ---- | M] (ActivCard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akpcsc.sys -- (akpcsc)
DRV - [2006/02/26 07:21:18 | 000,016,640 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvcchflt.sys -- (nvcchflt)
DRV - [2006/02/21 20:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/06 08:18:28 | 000,014,494 | ---- | M] (USTC) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ezwinit.sys -- (EZWINIT)
DRV - [2004/05/25 13:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/05/25 13:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/04/02 13:40:00 | 000,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2004/01/28 23:45:50 | 000,093,764 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2002/10/09 14:18:12 | 000,016,680 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ezwriter.sys -- (EZWRITER)
DRV - [2001/08/17 05:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ [binary data]
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.yahoo.com/ [binary data]
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.yahoo.com/ [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1390067357-796845957-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1390067357-796845957-682003330-1004\S-1-5-21-1390067357-796845957-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/28 17:08:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Firefox\components [2010/02/23 00:26:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Firefox\plugins [2010/02/23 00:26:27 | 000,000,000 | ---D | M]

[2009/10/02 22:34:37 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Extensions
[2010/03/03 03:19:06 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions
[2010/02/22 21:56:48 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2010/01/07 13:29:02 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/23 20:09:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}-trash
[2010/02/13 02:04:03 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/02/18 13:42:46 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\DeviceDetection@logitech.com
[2010/01/20 16:45:43 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\downloadscontextmenu@bmproductions
[2009/10/04 16:26:44 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\feedly@devhd
[2010/03/03 03:19:06 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\foxmarks@kei.com
[2010/01/16 11:10:35 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\reliby@gemal.dk
[2010/02/20 12:22:20 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\UnsortedBookmarksMenu@alice
[2010/02/21 15:26:02 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\feedly@devhd\content\app\extension
[2009/12/18 00:39:49 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\gyu8ajzm.default\extensions

O1 HOSTS File: ([2010/02/27 12:08:23 | 000,379,546 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13102 more lines...
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKU\S-1-5-21-1390067357-796845957-682003330-1004..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O4 - HKU\S-1-5-21-1390067357-796845957-682003330-1004..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-1390067357-796845957-682003330-1004..\Run: [Wally] C:\Program Files\Wally\Wally.exe (BeCrux, http://www.becrux.com)
O4 - HKU\.DEFAULT..\RunOnce: [_nltide_2] File not found
O4 - HKU\S-1-5-18..\RunOnce: [_nltide_2] File not found
O4 - Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1390067357-796845957-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1390067357-796845957-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1390067357-796845957-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1390067357-796845957-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1390067357-796845957-682003330-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - HKU\S-1-5-21-1390067357-796845957-682003330-1004\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1254612117156 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://na.webaccess.hp.com/dana-cached/set...perSetupSP1.cab (JuniperSetupSP1 Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (%SystemRoot%\System32\ultlogonui.exe) - C:\WINDOWS\system32\ultlogonui.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop BackupWallPaper: C:\Users\Rick\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/10/02 22:15:58 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: UltimateServices - hkey= - key= - File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - Reg Error: Value error.
SafeBootMin: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: WdfLoadGroup -
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - Reg Error: Value error.
SafeBootNet: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: MpfService - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WdfLoadGroup -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {0E9A3196-39EA-409D-8EB4-20D7FABC191A} - Microsoft .NET Framework 1.0 Hotfix (KB928367)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {14303301-758B-402B-9A0D-2C6A591680DB} - Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F035644-F6BE-7EBA-E918-11A4D02B397F} - Microsoft Windows Media Player 6.4
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {78705f0d-e8db-4b2d-8193-982bdda15ecd} - .NET Framework
ActiveX: {81B52903-4C11-11D6-B6E1-00B0D049139F} - Microsoft .NET Framework 1.0 Service Pack 2 (KB867461)
ActiveX: {86502EEE-2886-9B0F-C651-742B33C86DA6} - Microsoft Office Communicator 2007
ActiveX: {871F8A30-15A2-11D6-8711-0002B3281F8B} - Microsoft .NET Framework 1.0 Service Pack 1 (KB867461)
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F66E6EBC-EA77-9E99-0AA8-FFC326360252} - Microsoft .NET Framework 1.0 Hotfix (KB928367)
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891835792228352)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/03 10:52:05 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Users\Rick\Desktop\OTL.exe
[2010/03/01 22:03:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/27 12:31:50 | 000,000,000 | ---D | M] -- C:\Users\LocalService\Application Data\SACore
[2010/02/27 12:19:22 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\SiteAdvisor
[2010/02/27 12:17:32 | 000,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/02/27 12:17:32 | 000,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2010/02/27 12:17:32 | 000,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/02/27 12:17:30 | 000,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010/02/27 12:17:13 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/02/27 12:17:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/02/27 12:17:06 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/02/27 12:15:38 | 000,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2010/02/27 12:13:08 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\McAfee
[2010/02/27 11:59:42 | 000,000,000 | --SD | M] -- C:\Users\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/27 11:59:42 | 000,000,000 | --SD | M] -- C:\Users\NetworkService\Application Data\Microsoft
[2010/02/27 11:59:42 | 000,000,000 | --SD | M] -- C:\Users\LocalService\Local Settings\Application Data\Microsoft
[2010/02/27 11:59:42 | 000,000,000 | --SD | M] -- C:\Users\LocalService\Application Data\Microsoft
[2010/02/27 00:09:56 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/02/26 12:12:50 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\Skype
[2010/02/26 12:12:40 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/02/26 12:12:35 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\Skype
[2010/02/26 10:34:59 | 000,000,000 | -HSD | C] -- C:\Users\Rick\IETldCache
[2010/02/26 10:31:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/02/26 10:30:20 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/26 09:57:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/26 09:45:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/26 09:45:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/26 09:45:16 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/26 09:45:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/26 09:44:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/26 09:44:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/25 22:17:33 | 000,100,736 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvatabus.sys
[2010/02/24 18:53:13 | 000,000,000 | ---D | M] -- C:\Users\NetworkService\Local Settings\Application Data\Adobe
[2010/02/24 18:53:13 | 000,000,000 | ---D | M] -- C:\Users\NetworkService\Application Data\Adobe
[2010/02/24 18:53:08 | 000,000,000 | ---D | M] -- C:\Users\NetworkService\Application Data\Sun
[2010/02/23 00:25:24 | 000,000,000 | RH-D | C] -- C:\Users\Rick\Recent
[2010/02/23 00:22:16 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/02/22 22:22:24 | 000,161,296 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/02/21 19:31:14 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/21 19:28:44 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\Lavasoft
[2010/02/20 19:49:33 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\Spybot - Search & Destroy
[2010/02/20 19:49:33 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/20 18:48:45 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\Malwarebytes
[2010/02/20 17:54:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/02/20 13:12:34 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\Malwarebytes
[2010/02/20 13:12:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/20 13:12:28 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/20 13:12:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/20 12:57:36 | 000,000,000 | ---D | M] -- C:\Users\NetworkService\Application Data\Macromedia
[2010/02/20 12:43:17 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/02/18 18:34:05 | 000,000,000 | ---D | C] -- C:\Program Files\QuickSFV
[2010/02/18 15:52:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ShellNew
[2010/02/18 13:58:47 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\Logitech
[2010/02/18 13:58:43 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\Leadertech
[2010/02/18 13:58:38 | 000,010,384 | ---- | C] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LBeepKE.sys
[2010/02/18 13:58:38 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\LogiShrd
[2010/02/18 13:58:14 | 000,301,656 | ---- | C] (Broadcom Corporation.) -- C:\WINDOWS\System32\BtCoreIf.dll
[2010/02/18 13:58:11 | 000,170,512 | ---- | C] (Logitech, Inc.) -- C:\WINDOWS\System32\kemutb.dll
[2010/02/18 13:58:11 | 000,145,936 | ---- | C] (Logitech, Inc.) -- C:\WINDOWS\System32\KemUtil.dll
[2010/02/18 13:58:11 | 000,117,264 | ---- | C] (Logitech, Inc.) -- C:\WINDOWS\System32\KemWnd.dll
[2010/02/18 13:58:11 | 000,084,496 | ---- | C] (Logitech, Inc.) -- C:\WINDOWS\System32\KemXML.dll
[2010/02/18 13:57:57 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\Logitech
[2010/02/18 13:46:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Logishrd
[2010/02/18 13:46:47 | 000,000,000 | ---D | C] -- C:\Program Files\Logitech
[2010/02/18 13:38:58 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2010/02/13 18:17:42 | 000,000,000 | ---D | C] -- C:\BDRips
[2010/02/13 11:49:39 | 000,000,000 | ---D | C] -- C:\TurboTax
[2010/02/13 11:21:42 | 000,000,000 | ---D | C] -- C:\Users\Rick\TurboTax
[2010/02/13 11:21:41 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\Intuit
[2010/02/13 11:20:56 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\Intuit
[2010/02/13 11:20:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intuit
[2010/02/13 11:20:04 | 000,000,000 | ---D | C] -- C:\Program Files\TurboTax
[2010/02/13 11:19:39 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\InstallShield
[2010/02/09 21:29:28 | 000,456,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2010/02/07 23:37:27 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\FLEXnet
[2010/02/07 23:30:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/02/07 23:30:48 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\Rosetta Stone
[2010/02/07 23:30:48 | 000,000,000 | ---D | C] -- C:\Program Files\Rosetta Stone
[2010/02/07 23:18:42 | 000,691,696 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/02/07 23:18:21 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\DAEMON Tools Lite
[2010/02/07 23:18:18 | 000,000,000 | ---D | C] -- C:\Users\All Users\Application Data\DAEMON Tools Lite
[2010/02/07 22:07:19 | 000,000,000 | ---D | C] -- C:\Users\Rick\Application Data\vlc
[2009/12/19 09:36:51 | 000,000,000 | ---D | M] -- C:\Users\LocalService\Local Settings\Application Data\Google
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/03 10:52:09 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Rick\Desktop\OTL.exe
[2010/03/02 20:02:52 | 000,007,319 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/03/02 20:02:02 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/03/02 20:01:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 20:01:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/02 20:01:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/01 23:10:25 | 000,000,178 | -HS- | M] () -- C:\Users\Rick\ntuser.ini
[2010/03/01 23:10:24 | 008,912,896 | -H-- | M] () -- C:\Users\Rick\NTUSER.DAT
[2010/03/01 19:07:21 | 006,315,266 | -H-- | M] () -- C:\Users\Rick\Local Settings\Application Data\IconCache.db
[2010/03/01 18:49:23 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/27 12:19:22 | 000,000,706 | ---- | M] () -- C:\Users\All Users\Desktop\McAfee Security Center.lnk
[2010/02/27 12:17:21 | 000,000,338 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/02/27 12:17:20 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/02/27 12:08:23 | 000,379,546 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/26 18:10:39 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/26 12:12:42 | 000,001,878 | ---- | M] () -- C:\Users\All Users\Desktop\Skype.lnk
[2010/02/26 10:26:51 | 000,000,538 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/26 10:26:51 | 000,000,257 | -HS- | M] () -- C:\boot.ini
[2010/02/26 09:52:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100227-120822.backup
[2010/02/26 00:37:40 | 000,000,127 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2010/02/25 23:50:47 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/25 23:50:47 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/25 23:50:47 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/24 21:30:45 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/24 21:30:45 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/02/24 19:59:26 | 000,000,020 | ---- | M] () -- C:\Users\Rick\defogger_reenable
[2010/02/23 00:24:01 | 000,015,758 | ---- | M] () -- C:\Users\Rick\cc_20100223_002358.reg
[2010/02/22 22:22:24 | 000,161,296 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/02/22 22:08:38 | 000,000,036 | ---- | M] () -- C:\Users\Rick\Local Settings\Application Data\housecall.guid.cache
[2010/02/22 19:28:12 | 000,380,149 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2010/02/22 19:28:12 | 000,380,149 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100226-000336.backup
[2010/02/22 00:04:01 | 000,000,998 | ---- | M] () -- C:\Users\Rick\Desktop\Spybot - Search & Destroy.lnk
[2010/02/21 23:59:40 | 000,380,149 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100222-192812.backup
[2010/02/21 19:31:13 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/20 19:56:10 | 000,380,149 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100221-235939.backup
[2010/02/20 18:48:50 | 000,000,731 | ---- | M] () -- C:\Users\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/18 18:32:37 | 000,001,659 | ---- | M] () -- C:\Users\All Users\Desktop\Firefox.lnk
[2010/02/18 17:35:01 | 000,001,352 | ---- | M] () -- C:\Users\Rick\AutoHotkey.ahk
[2010/02/18 13:58:14 | 000,001,687 | ---- | M] () -- C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
[2010/02/18 13:48:16 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
[2010/02/18 13:48:16 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
[2010/02/18 13:48:13 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/02/13 12:25:39 | 000,196,096 | ---- | M] () -- C:\Users\Rick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/07 23:18:42 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/27 12:28:59 | 000,007,319 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2010/02/27 12:19:22 | 000,000,706 | ---- | C] () -- C:\Users\All Users\Desktop\McAfee Security Center.lnk
[2010/02/27 12:17:20 | 000,000,338 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/02/27 12:17:19 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/02/26 12:12:42 | 000,001,878 | ---- | C] () -- C:\Users\All Users\Desktop\Skype.lnk
[2010/02/26 10:31:04 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/02/26 09:45:16 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/26 09:45:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/26 09:45:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/26 09:45:16 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/26 09:45:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/25 22:17:33 | 000,052,697 | ---- | C] () -- C:\nvatabus.sys
[2010/02/24 21:30:45 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/02/24 21:30:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/24 19:58:54 | 000,000,020 | ---- | C] () -- C:\Users\Rick\defogger_reenable
[2010/02/23 00:24:00 | 000,015,758 | ---- | C] () -- C:\Users\Rick\cc_20100223_002358.reg
[2010/02/22 22:08:38 | 000,000,036 | ---- | C] () -- C:\Users\Rick\Local Settings\Application Data\housecall.guid.cache
[2010/02/20 19:49:37 | 000,000,998 | ---- | C] () -- C:\Users\Rick\Desktop\Spybot - Search & Destroy.lnk
[2010/02/20 13:12:32 | 000,000,731 | ---- | C] () -- C:\Users\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/18 17:35:01 | 000,001,352 | ---- | C] () -- C:\Users\Rick\AutoHotkey.ahk
[2010/02/18 13:58:14 | 000,001,687 | ---- | C] () -- C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
[2010/02/18 13:48:16 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
[2010/02/18 13:48:16 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
[2010/02/18 13:48:13 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2009/12/28 20:46:01 | 000,000,127 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/12/23 22:18:26 | 000,000,664 | ---- | C] () -- C:\Users\NetworkService\Local Settings\Application Data\d3d9caps.dat
[2009/12/23 22:16:39 | 000,219,136 | ---- | C] () -- C:\Users\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/22 15:45:45 | 000,411,816 | ---- | C] () -- C:\Users\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/10/20 19:19:15 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/10/20 19:19:13 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/10/20 19:19:13 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/10/20 19:19:13 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/10/20 19:19:12 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/10/20 19:19:12 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/10/13 10:29:11 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/10/05 12:57:44 | 000,010,552 | ---- | C] () -- C:\WINDOWS\hpdj3840.ini
[2009/10/03 15:42:48 | 000,000,110 | ---- | C] () -- C:\Users\Rick\Local Settings\Application Data\fusioncache.dat
[2009/10/03 12:32:44 | 000,196,096 | ---- | C] () -- C:\Users\Rick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/02 22:34:43 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/10/02 22:34:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/03/23 15:38:02 | 001,481,728 | ---- | C] () -- C:\WINDOWS\System32\legitcheckcontrol.dll
[2009/01/18 08:22:56 | 000,001,008 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/11/29 21:53:50 | 000,016,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\ezwriter.sys
[2008/06/22 00:42:48 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\vtthooks.dll
[2008/03/22 23:01:34 | 000,039,424 | ---- | C] () -- C:\WINDOWS\System32\vshellext.dll
[2008/03/22 23:00:10 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\vclasses.dll
[2008/01/16 07:17:42 | 000,039,945 | ---- | C] () -- C:\WINDOWS\System32\winapp.ini
[2005/08/05 13:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2009/10/03 00:03:32 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Adobe
[2010/02/26 10:23:39 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Apple Computer
[2009/10/02 23:33:39 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\ashampoo
[2010/02/07 23:18:25 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\DAEMON Tools Lite
[2009/10/16 10:13:06 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\DVD Shrink
[2010/02/07 23:37:27 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\FLEXnet
[2009/10/10 13:38:02 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\ID3-TagIT 3
[2010/02/13 11:20:56 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Intuit
[2009/12/29 18:57:16 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Juniper Networks
[2010/02/27 00:09:47 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Lavasoft
[2009/10/20 09:02:49 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Little Games Company
[2010/02/18 13:58:38 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\LogiShrd
[2010/02/18 13:57:57 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Logitech
[2010/02/20 18:48:45 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Malwarebytes
[2010/02/27 12:29:01 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\McAfee
[2009/12/27 13:49:45 | 000,000,000 | --SD | M] -- C:\Users\All Users\Application Data\Microsoft
[2009/11/21 21:12:39 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\MumboJumbo
[2009/10/02 23:38:27 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Namco Networks
[2009/10/08 10:53:59 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\PopCap
[2010/02/21 16:50:37 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Rosetta Stone
[2010/02/27 12:19:22 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\SiteAdvisor
[2010/02/26 12:12:40 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Skype
[2010/02/23 00:29:49 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Spybot - Search & Destroy
[2010/01/20 16:34:28 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\SUPERAntiSpyware.com
[2009/10/20 09:02:48 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\TEMP
[2009/11/21 21:12:38 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Trymedia
[2009/10/03 15:22:40 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\Windows Genuine Advantage
[2009/10/04 17:10:43 | 000,000,000 | ---D | M] -- C:\Users\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2010/02/21 15:31:23 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

< %APPDATA%\*. >
[2009/10/03 00:03:29 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Adobe
[2009/10/12 23:17:06 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Amazon
[2009/10/20 22:02:53 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Apple Computer
[2009/10/02 23:33:51 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Ashampoo
[2009/12/28 20:37:07 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\ATI
[2010/02/07 23:21:15 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\DAEMON Tools Lite
[2010/02/07 22:03:40 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\GlarySoft
[2009/11/15 05:25:38 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\gtk-2.0
[2009/10/07 20:38:42 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\HpUpdate
[2009/10/10 16:24:14 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\ID3-TagIT 3
[2009/10/02 22:50:43 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Identities
[2009/10/02 23:03:56 | 000,000,000 | -H-D | M] -- C:\Users\Rick\Application Data\IFViewer
[2009/10/03 13:05:35 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\ImgBurn
[2010/02/13 11:19:39 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\InstallShield
[2010/02/13 11:21:41 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Intuit
[2010/01/07 20:39:24 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Juniper Networks
[2010/02/18 13:58:43 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Leadertech
[2009/10/20 09:02:49 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Little Games Company
[2010/02/18 13:58:47 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Logitech
[2009/10/02 23:11:12 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Macromedia
[2010/02/20 13:12:34 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Malwarebytes
[2009/10/13 10:29:35 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Media Player Classic
[2010/02/27 11:59:42 | 000,000,000 | --SD | M] -- C:\Users\Rick\Application Data\Microsoft
[2009/10/03 15:59:15 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Move Networks
[2009/08/11 13:41:24 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Mozilla
[2009/10/02 22:45:31 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Nero
[2009/10/02 22:45:32 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\OtakuSoftware
[2010/01/19 10:15:34 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Real
[2010/02/26 12:14:29 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Skype
[2009/12/10 21:39:49 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\Sun
[2010/01/20 16:34:28 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\SUPERAntiSpyware.com
[2009/11/27 12:34:49 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\U3
[2010/03/03 11:00:57 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\uTorrent
[2010/02/07 22:08:29 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\vlc
[2009/11/27 19:52:25 | 000,000,000 | ---D | M] -- C:\Users\Rick\Application Data\WinRAR

< %APPDATA%\*.exe /s >
[2008/02/08 15:16:28 | 000,036,864 | ---- | M] () -- C:\Users\Rick\Application Data\Juniper Networks\Setup\dsmmf.exe
[2008/02/08 15:16:47 | 000,032,855 | R--- | M] () -- C:\Users\Rick\Application Data\Juniper Networks\Setup\JuniperSetupApp.exe
[2010/01/07 20:39:23 | 000,033,220 | ---- | M] () -- C:\Users\Rick\Application Data\Juniper Networks\Setup\uninstall.exe
[2009/10/03 15:57:54 | 000,127,872 | ---- | M] () -- C:\Users\Rick\Application Data\Move Networks\uninstall.exe
[2009/06/15 22:35:42 | 000,097,144 | ---- | M] () -- C:\Users\Rick\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
[2009/12/17 20:11:44 | 000,606,208 | ---- | M] (IDEVFH L.L.C.) -- C:\Users\Rick\Application Data\Mozilla\Firefox\Profiles\altmiiaw.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}-trash\components\afom.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/08/11 13:06:02 | 017,778,292 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/08/11 13:06:02 | 017,778,292 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 04:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 04:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: COMCTL32.DLL >
[2008/04/14 04:00:00 | 000,921,088 | R--- | M] (Microsoft Corporation) MD5=AEF3D788DBF40C7C4D204EA45EB0C505 -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[2008/04/14 04:00:00 | 001,054,208 | ---- | M] (Microsoft Corporation) MD5=BD38D1EBE24A46BD3EDA059560AFBA12 -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[2009/12/18 00:41:08 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=C9FB1A9B3F9B51F08B665542DDFEE295 -- C:\WINDOWS\system32\comctl32.dll

< MD5 for: EVENTLOG.DLL >
[2008/04/14 04:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 04:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 04:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2009/12/18 00:41:12 | 001,697,280 | ---- | M] (Microsoft Corporation) MD5=AEA58E2C358B987FCC612907377373C3 -- C:\WINDOWS\explorer.exe

< MD5 for: IASTOR.SYS >
[2007/09/29 13:03:12 | 000,308,248 | ---- | M] (Intel Corporation) MD5=E5A0034847537EAEE3C00349D5C34C5F -- C:\WINDOWS\system32\drivers\OemPnP\MassStorage\IaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2006/02/26 07:21:18 | 000,089,856 | ---- | M] (NVIDIA Corporation) MD5=83F0275A21D9772B51CEF57E35AFAE61 -- C:\WINDOWS\system32\drivers\OemPnP\MassStorage\NVATABUS.sys
[2006/02/26 07:21:18 | 000,089,856 | ---- | M] (NVIDIA Corporation) MD5=83F0275A21D9772B51CEF57E35AFAE61 -- C:\WINDOWS\system32\drivers\OemPnP\MassStorage\NVATABUS.sys
[2009/08/11 13:18:18 | 000,052,697 | ---- | M] () MD5=B226BA682359A8D879FA31A41ADDB904 -- C:\nvatabus.sys
[2009/08/11 13:18:18 | 000,052,697 | ---- | M] () MD5=B226BA682359A8D879FA31A41ADDB904 -- C:\nvatabus.sys
[2009/08/11 13:18:18 | 000,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\WINDOWS\system32\drivers\nvatabus.sys
[2009/08/11 13:18:18 | 000,100,736 | ---- | M] (NVIDIA Corporation) MD5=C03E15101F6D9E82CD9B0E7D715F5DE3 -- C:\WINDOWS\system32\drivers\nvatabus.sys

< MD5 for: NVGTS.SYS >
[2007/07/27 12:16:02 | 000,105,984 | ---- | M] (NVIDIA Corporation) MD5=4BC4BAAED05161E0D331627E90A10745 -- C:\WINDOWS\system32\drivers\OemPnP\MassStorage\nvgts.sys

< MD5 for: SCECLI.DLL >
[2008/04/14 04:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 04:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 04:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SFCFILES.DLL >
[2009/08/11 13:06:08 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=362BC5AF8EAF712832C58CC13AE05750 -- C:\WINDOWS\system32\sfcfiles.dll

< MD5 for: TCPIP.SYS >
[2008/10/20 00:53:58 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=402B5152110F91E4C096200501737EA6 -- C:\WINDOWS\system32\drivers\tcpip.sys
[2008/10/20 00:53:58 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=402B5152110F91E4C096200501737EA6 -- C:\WINDOWS\system32\syscache\tcpip.sys

< MD5 for: USER32.DLL >
[2009/12/18 00:42:35 | 000,578,048 | ---- | M] (Microsoft Corporation) MD5=6616894470538493B9AAE74271F099EF -- C:\WINDOWS\system32\user32.dll

< MD5 for: VIAMRAID.SYS >
[2008/07/09 17:19:02 | 000,117,248 | ---- | M] (VIA Technologies inc,.ltd) MD5=00046AA2E396EDC2238556E740A8E5AF -- C:\WINDOWS\system32\drivers\OemPnP\MassStorage\viamraid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 04:00:00 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
< End of report >

==============================================

OTL Extras logfile created on: 3/3/2010 10:53:28 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Users\Rick\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 40.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 42.30 Gb Free Space | 22.71% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 698.46 Gb Total Space | 24.38 Gb Free Space | 3.49% Space Free | Partition Type: FAT32

Computer Name: MRBLACK
Current User Name: Rick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1390067357-796845957-682003330-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\TVersity\Media Server\MediaServer.exe" = C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Enabled:TVersity Media Server -- ()
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{2E376AD9-5C49-4F7D-A0BA-6A44E8FA5A3B}" = Next Generation Visualisations
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3F3733A5-8322-454D-A638-3B74E1C83752}" = Gadget Installer
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{BB05D173-9681-4812-A7FA-BD4042A3DA00}" = Alky for Applications (Windows XP)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.5
"Ashampoo Burning Studio 2008_is1" = Ashampoo Burning Studio 2008
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"Driver Magician_is1" = Driver Magician 3.48
"DVD Shrink_is1" = DVD Shrink 3.2
"Easy Video Splitter_is1" = Easy Video Splitter 1.28
"EPSON Scanner" = EPSON Scan
"ffdshow_is1" = ffdshow [rev 1723] [2007-12-24]
"Glary Utilities_is1" = Glary Utilities Pro 2.18.0.786
"HijackThis" = HijackThis 2.0.2
"ID3-TagIT 3_is1" = ID3-TagIT 3
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"JDownloader" = JDownloader
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.2.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSC" = McAfee SecurityCenter
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"QuickSFV" = QuickSFV (Remove only)
"TVersity Codec Pack" = TVersity Codec Pack 1.2
"TVersity Media Server" = TVersity Media Server 1.7.3 Beta
"Tweak UI 2.10" = Tweak UI
"uberOptions" = uberOptions 4.80.5
"uTorrent" = µTorrent
"Wally" = Wally
"WBFS Manager 3.0" = WBFS Manager 3.0
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1390067357-796845957-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/18/2010 10:19:14 PM | Computer Name = MRBLACK | Source = Application Error | ID = 1000
Description = Faulting application braid.exe, version 1.0.0.1, faulting module braid.exe,
version 1.0.0.1, fault address 0x00038dfe.

Error - 2/20/2010 4:56:45 PM | Computer Name = MRBLACK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 2/20/2010 4:56:46 PM | Computer Name = MRBLACK | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/21/2010 9:47:25 PM | Computer Name = MRBLACK | Source = ESENT | ID = 490
Description = svchost (1176) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 2/21/2010 9:47:25 PM | Computer Name = MRBLACK | Source = ESENT | ID = 470
Description = Catalog Database (1176) Database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
is partially attached. Attachment stage: 3. Error: -1032.

Error - 2/21/2010 11:29:49 PM | Computer Name = MRBLACK | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 2/24/2010 11:19:37 PM | Computer Name = MRBLACK | Source = Application Error | ID = 1000
Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

Error - 2/25/2010 12:10:34 AM | Computer Name = MRBLACK | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0005c887.

Error - 2/28/2010 8:33:15 PM | Computer Name = MRBLACK | Source = Application Error | ID = 1000
Description = Faulting application wiiscrubber.exe, version 1.4.0.0, faulting module
wiiscrubber.exe, version 1.4.0.0, fault address 0x00029a01.

Error - 2/28/2010 9:03:08 PM | Computer Name = MRBLACK | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 8007041d: InitEventCollector fail

[ System Events ]
Error - 3/1/2010 10:24:29 PM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 3/1/2010 10:24:30 PM | Computer Name = MRBLACK | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 3/1/2010 10:44:07 PM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7034
Description = The TVersityMediaServer service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/1/2010 10:49:18 PM | Computer Name = MRBLACK | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system
without first being prepared for removal.

Error - 3/1/2010 11:09:25 PM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7000
Description = The EZWINIT service failed to start due to the following error: %%1058

Error - 3/1/2010 11:09:25 PM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7000
Description = The EZWRITER service failed to start due to the following error: %%1058

Error - 3/1/2010 11:09:28 PM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 3/3/2010 12:02:32 AM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7000
Description = The EZWINIT service failed to start due to the following error: %%1058

Error - 3/3/2010 12:02:32 AM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7000
Description = The EZWRITER service failed to start due to the following error: %%1058

Error - 3/3/2010 12:02:37 AM | Computer Name = MRBLACK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL


< End of report >


#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:42 AM

Posted 04 March 2010 - 09:24 AM

Hi,

C:\nvatabus.sys <-- Why do you have this driver on C:\? Did you modify this driver?

Can you reinstall or update your NVIDIA drivers?

+++++++++++++++++++++


1. Please run defogger.
Double click DeFogger to run the tool. (For Vista, right click and run as administrator)
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.




2. Go to Start > Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • mbr.log will pop up, please post the contents in your reply.




3. We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    :OTL
    O4 - HKU\.DEFAULT..\RunOnce: [_nltide_2] File not found
    O4 - HKU\S-1-5-18..\RunOnce: [_nltide_2] File not found
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]


    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.




~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 trumanjunk

trumanjunk
  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:42 PM

Posted 07 March 2010 - 08:01 PM

My anti-virus software kept repeatedly showing nvatabus.sys as having been infected with Win32/Patched.CH and it was never able to remove it.

So I placed a clean copy of the nvatabus.sys file on C drive and used Windows Recovery Console to replace the infected one. The one in the root C drive is perfectly clean and is just a backup.

=======================

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvatabus.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 62 !

====================================

All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\_nltide_2 deleted successfully.
Invalid CLSID key: _nltide_2
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\_nltide_2 not found.
Invalid CLSID key: _nltide_2
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 2114322 bytes

User: LocalService
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 524422 bytes
->Java cache emptied: 9290 bytes
->Flash cache emptied: 12294 bytes

User: Rick
->Temp folder emptied: 14956977 bytes
->Temporary Internet Files folder emptied: 2244190 bytes
->Java cache emptied: 37624 bytes
->FireFox cache emptied: 54209509 bytes
->Flash cache emptied: 21050 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 71.00 mb


OTL by OldTimer - Version 3.1.35.0 log created on 03072010_170202

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Edited by trumanjunk, 07 March 2010 - 08:08 PM.
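The detector output above reports "copy of MBR has been found in sector 62". As an added example (not code from this thread or from the GMER tool), the following Python parses a constructed 512-byte MBR and scans a constructed disk image for other sectors that hold a byte-for-byte duplicate of sector 0, which is the kind of check behind that line; the sample image, its partition entry and its boot-code stub are all constructed here.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:446], "partitions": partitions,
            "valid_signature": sector[510:512] == BOOT_SIG}


def find_mbr_copies(image: bytes) -> list:
    """Sector numbers (other than 0) that hold a byte-for-byte copy of sector 0."""
    mbr = image[:SECTOR]
    return [n for n in range(1, len(image) // SECTOR)
            if image[n * SECTOR:(n + 1) * SECTOR] == mbr]


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one bootable NTFS (type 0x07) partition starting
    at LBA 63, with the MBR duplicated into sector 62 to mimic the detector's finding."""
    boot_code = b"\x33\xC0\x8E\xD0" + b"\x90" * 442  # constructed stub, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1000)
    mbr = boot_code + entry + b"\x00" * 48 + BOOT_SIG  # 446 + 16 + 48 + 2 = 512 bytes
    sectors = [b"\x00" * SECTOR] * 64
    sectors[0] = mbr
    sectors[62] = mbr
    return b"".join(sectors)


if __name__ == "__main__":
    image = build_sample_image()
    info = parse_mbr(image[:SECTOR])
    print("signature ok:", info["valid_signature"], "partitions:", info["partitions"])
    for n in find_mbr_copies(image):
        print(f"copy of MBR has been found in sector {n}")
```

On a real disk the same functions would be fed raw sectors read from the physical device; a duplicate found this way is a finding to investigate, not by itself proof of infection.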


#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:42 AM

Posted 08 March 2010 - 09:13 AM

Hi,

I just want to know where you got the nvatabus.sys. Are there any other files that you replaced?

Do you have a Windows cd?


++++++++++++++++++++++++

Please complete instruction #1 before proceeding to #2.


1. Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (Right click on the file and choose extract all).
  • Double-Click (Run as administrator for Vista) TDSSKiller.exe to run it.
  • When it has finished, press any key to continue (let it reboot if needed).
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log.



2. Delete the copy of Combofix that you have (do not uninstall it), then download and run a new copy.
Download Combofix (by Subs) from any of the links below, and save it to your desktop.
Link 1
Link 2
  • Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    • It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**
*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
**Please note**
*Leave your computer alone while ComboFix is running.
*ComboFix will restart your computer if malware is found; allow it to do so.
*Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter, DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix




~Semp



#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:42 AM

Posted 12 March 2010 - 10:15 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp
