World of Warcraft account hacking issue


This topic is locked
18 replies to this topic

#1 barrano247
Members, 26 posts

Posted 27 February 2010 - 10:29 AM

Hello, and thxs for letting me come here for help.
I have had a long lasting battle with a trojain that i have yet to identify that has been routinely hacking my world of warcraft account. The strange thing about this one is it hasnt affected anything else on my computer, no stolen credit card information or even emails, just world of warcraft accounts. I have changed my password each time to something that a password cracker couldnt guess. I do have a clue to what it could be, as this file called lexmark toolband.dll (which i never manually installed) is supposedly the blame from my hijackthis log. But the file technically doesnt exist on my computer and i cant locate it despite it showing up on my hijackthis log. A few weeks ago i found a trojan called Hijacker.startup on my computer using malwarebyte, but it wasnt the problem apparently. So heres my GMER and D.D.S logs that you guys have requested, and please ask if you need more specific info.

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-27 10:20:47
Windows 6.0.6002 Service Pack 2
Running: ehi171yf.exe; Driver: C:\Users\Vedia\AppData\Local\Temp\uglcypod.sys


---- System - GMER 1.0.15 ----

SSDT 85E7B0A0 ZwCreateKey
SSDT 85E7C3E0 ZwCreateMutant
SSDT 85E7A2E0 ZwCreateProcess
SSDT 85E7A5A0 ZwCreateProcessEx
SSDT 85E7BF00 ZwCreateThread
SSDT 85E7B620 ZwDeleteKey
SSDT 85E7B8E0 ZwDeleteValueKey
SSDT 85E7C240 ZwLoadDriver
SSDT 85E7AB20 ZwOpenProcess
SSDT 85E7C580 ZwSetSystemInformation
SSDT 85E7B360 ZwSetValueKey
SSDT 85E7ADE0 ZwTerminateProcess
SSDT 85E7BD60 ZwWriteVirtualMemory
SSDT 85E7C0A0 ZwCreateThreadEx
SSDT 85E7A860 ZwCreateUserProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----

DDS

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Vedia at 9:43:18.95 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1607 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: CA AntiSpyware *enabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Vedia\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
StartupFolder: c:\users\vedia\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\vedia\appdata\roaming\mozilla\firefox\profiles\dfqk1qta.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: general.useragent.extra.prevx -
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2010-2-14 146448]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
S2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-2-14 36368]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2010-2-14 283152]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-5-21 21504]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-2-14 50704]
S3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-2-14 497008]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-2-14 689416]
SUnknown npggsvc;npggsvc; [x]

=============== Created Last 30 ================

2010-02-27 14:25:37 254056710 ----a-w- c:\windows\MEMORY.DMP
2010-02-27 00:28:21 0 d-----w- c:\program files\COMODO
2010-02-26 00:23:14 0 d-----w- c:\windows\Downloaded Installations
2010-02-26 00:22:47 4130 ----a-w- c:\windows\system32\entitlement.xml
2010-02-24 00:35:18 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 00:34:14 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 00:34:13 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 00:34:10 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 00:34:09 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 00:34:09 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 00:34:09 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 00:34:09 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 00:34:09 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 00:34:09 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 00:34:04 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 00:34:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 00:34:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-18 20:11:03 47 ----a-w- c:\windows\WinInit.Ini
2010-02-17 03:20:15 0 d-sh--w- C:\$RECYCLE.BIN
2010-02-17 02:44:50 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 02:26:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 02:26:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 02:26:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 01:19:47 0 d---a-w- c:\programdata\TEMP
2010-02-16 23:37:50 0 ---ha-w- C:\ProgramData.LOG2
2010-02-16 23:37:50 0 ---ha-w- C:\ProgramData.LOG1
2010-02-16 23:34:16 77312 ----a-w- c:\windows\MBR.exe
2010-02-16 23:34:12 261632 ----a-w- c:\windows\PEV.exe
2010-02-16 23:34:12 161792 ----a-w- c:\windows\SWREG.exe
2010-02-16 23:34:11 98816 ----a-w- c:\windows\sed.exe
2010-02-15 21:01:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-15 20:38:55 0 d-----w- c:\program files\CCleaner
2010-02-14 23:51:33 0 d-----w- c:\users\vedia\appdata\roaming\Malwarebytes
2010-02-14 23:51:22 0 d-----w- c:\programdata\Malwarebytes
2010-02-14 20:05:08 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-02-14 20:05:08 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-02-14 20:05:08 283152 ----a-w- c:\windows\system32\drivers\tmwfp.sys
2010-02-14 20:05:08 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-02-14 20:05:08 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-02-14 20:05:07 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-02-14 20:05:07 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-02-14 20:05:07 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-14 20:05:07 146448 ----a-w- c:\windows\system32\drivers\tmlwf.sys
2010-02-13 13:32:23 0 d-----w- c:\program files\Windows Portable Devices
2010-02-13 13:31:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-13 06:36:14 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-02-13 06:36:13 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-02-13 06:36:13 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-02-13 06:34:15 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-02-13 06:31:47 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-02-13 06:31:46 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-02-13 06:31:45 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-02-12 02:04:19 0 d-----w- c:\programdata\WindowsSearch
2010-02-12 01:52:00 0 d-----w- c:\program files\Ask.com
2010-02-12 01:51:13 0 d-----w- c:\program files\MSSOAP
2010-02-12 01:51:13 0 d-----w- c:\program files\common files\MSSoap
2010-02-12 01:34:34 21056 ----a-w- c:\windows\system32\drivers\sskbfd.sys
2010-02-12 00:55:23 959 ----a-w- c:\windows\system32\10004.sks
2010-02-12 00:55:23 3300 ----a-w- c:\windows\system32\10003.sks
2010-02-12 00:55:23 1256 ----a-w- c:\windows\system32\10001.sks
2010-02-12 00:55:23 0 ----a-w- c:\windows\system32\10002.sks
2010-02-11 23:16:24 2380 ----a-w- c:\windows\system32\BlockedCookies
2010-02-11 23:14:45 76 ----a-w- c:\windows\system32\IDPVer.ini
2010-02-11 23:14:44 22 ----a-w- c:\windows\system32\IDPExe.zip
2010-02-11 23:14:39 1409 ----a-w- c:\windows\system32\sk_bho.ini
2010-02-11 21:04:30 0 d-----w- c:\windows\system32\eu-ES
2010-02-11 21:04:30 0 d-----w- c:\windows\system32\ca-ES
2010-02-11 21:04:28 0 d-----w- c:\windows\system32\vi-VN
2010-02-11 20:26:24 0 d-----w- c:\windows\system32\EventProviders
2010-02-09 20:25:10 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-09 20:25:09 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 20:25:06 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-09 20:25:05 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

==================== Find3M ====================

2010-02-18 20:10:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-02-18 20:10:31 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-18 20:10:31 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-13 13:32:07 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-11 20:51:10 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-08 20:01:02 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01:02 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-04 18:30:05 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28:52 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28:51 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28:51 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28:27 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28:21 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27:12 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-05-22 02:39:34 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 9:45:45.48 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/22/2009 12:33:42 AM
System Uptime: 2/27/2010 9:25:21 AM (0 hours ago)

Motherboard: Hewlett-Packard | | 30D9
Processor: Intel® Pentium® Dual CPU T2310 @ 1.46GHz | CPU | 1463/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 72.795 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
CCleaner
Conexant HD Audio
Google Toolbar for Internet Explorer
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Graphics Media Accelerator Driver
Intel® TV Wizard
iTunes
Lexmark Toolbar
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MobileMe Control Panel
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
OGA Notifier 2.0.0048.0
Pando Media Booster
QuickTime
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Touch Pad Driver
Trend Micro Internet Security
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Sign-in Assistant
WinZip 12.1
World of Warcraft
ZipGenius 6 (6.0.3.1150)

==== Event Viewer Messages From Past Week ========

2/27/2010 9:27:37 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/27/2010 9:27:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/27/2010 9:27:25 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx tmlwf tmtdi Wanarpv6
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/27/2010 9:27:25 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
2/27/2010 9:26:52 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
2/27/2010 9:26:52 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
2/27/2010 9:26:50 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
2/27/2010 9:26:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/27/2010 9:26:36 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/27/2010 9:26:05 AM, Error: EventLog [6008] - The previous system shutdown at 9:23:22 AM on 2/27/2010 was unexpected.
2/27/2010 1:52:11 AM, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort2.
2/26/2010 7:02:50 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the stisvc service.
2/26/2010 7:02:20 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IKEEXT service.
2/26/2010 7:01:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Apple Mobile Device service.
2/26/2010 7:00:54 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.
2/26/2010 6:44:59 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the CaCCProvSP service to connect.
2/26/2010 6:44:59 PM, Error: Service Control Manager [7000] - The CaCCProvSP service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/26/2010 6:44:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}
2/26/2010 6:42:42 PM, Error: EventLog [6008] - The previous system shutdown at 6:37:03 PM on 2/26/2010 was unexpected.
2/26/2010 6:17:48 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
2/26/2010 11:10:35 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Trend Micro Proxy Service service to connect.
2/26/2010 11:10:35 PM, Error: Service Control Manager [7000] - The Trend Micro Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/25/2010 8:21:34 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SENS service.
2/25/2010 7:22:43 PM, Error: Service Control Manager [7030] - The CA Common Scheduler Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
2/25/2010 7:04:50 PM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
2/25/2010 5:26:21 PM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.2.2 with the system having network hardware address 00-22-48-26-74-79. Network operations on this system may be disrupted as a result.
2/25/2010 3:45:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/25/2010 3:13:09 PM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 2147943515.
2/24/2010 6:54:03 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
2/21/2010 9:51:23 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.75.798.0 Loading engine version: 1.1.4701.0
2/20/2010 2:22:03 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
2/20/2010 10:54:49 PM, Error: EventLog [6008] - The previous system shutdown at 10:53:24 PM on 2/20/2010 was unexpected.

==== End Of File ===========================
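As an added example (not part of barrano247's post and not code from the DDS tool), the script below reads the kinds of lines that appear in the log above and pulls out the entries a helper looks at first: toolbar/BHO registrations whose DLL is gone ("No File"), hosts entries that point a real site at loopback, services the log could not tie to a file, and freshly written files under system32 with an extension you would not expect there. The sample lines are copied from the log above; the extension whitelist and the hosts rule are this script's own assumptions, not DDS rules.

```python
"""Triage a DDS log: pull out the entries a helper reads first.

Added example, not part of the original post or of the DDS tool.
The sample lines are copied from the DDS output above; which
extensions count as unusual under system32 and which hosts entries
matter are this script's own assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Sample input, copied from the DDS sections above (Pseudo HJT Report,
# Services/Drivers, Created Last 30).
SAMPLE = r"""
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2010-2-14 146448]
SUnknown npggsvc;npggsvc; [x]
2010-02-12 01:52:00 0 d-----w- c:\program files\Ask.com
2010-02-12 00:55:23 959 ----a-w- c:\windows\system32\10004.sks
2010-02-09 20:25:06 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
"""

# A hosts entry that points a non-local name at loopback makes that site
# unreachable from this machine; a clean hosts file only maps localhost.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Extensions expected for files freshly written under system32. Anything
# else (the numbered .sks files above, for instance) is worth a second
# look. Assumption made for this example, not a DDS rule.
EXPECTED_EXT = {".dll", ".exe", ".sys", ".ini", ".xml", ".dat", ".wdf", ".mui", ".cat"}

# "TB: {clsid} - No File": a registered toolbar/BHO whose DLL is gone.
RE_NOFILE = re.compile(r"^(?P<kind>\w+):\s+(?P<body>.*)\s+-\s+No File\s*$")
RE_HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
# "S2 name;display;image [date size]" or "SUnknown name;name; [x]".
RE_SVC = re.compile(r"^(?P<state>S\w+)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>[^\[]*)\[(?P<info>[^\]]*)\]")
# "YYYY-MM-DD HH:MM:SS size flags path" from the Created Last 30 section.
RE_CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<flags>\S+)\s+(?P<path>\S.*)$")


def triage(log_text):
    """Return {category: [items]} for the lines that deserve attention."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_NOFILE.match(line)):
            findings["orphaned"].append(m.group("body").strip())
        elif (m := RE_HOSTS.match(line)):
            name = m.group("name").lower()
            if m.group("ip") in ("127.0.0.1", "0.0.0.0") and name not in LOCAL_NAMES:
                findings["hosts_override"].append(name)
        elif (m := RE_SVC.match(line)):
            # Services listed with an empty image path and [x], like npggsvc
            # above, have no file the log could point to; flag them.
            if m.group("state") == "SUnknown" or m.group("info").strip() == "x":
                findings["unknown_service"].append(m.group("name").strip())
        elif (m := RE_CREATED.match(line)):
            path = m.group("path")
            is_dir = m.group("flags").startswith("d")
            in_system32 = "\\windows\\system32\\" in path.lower()
            if not is_dir and in_system32 and ntpath.splitext(path)[1].lower() not in EXPECTED_EXT:
                findings["unusual_system32"].append(path)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it against a full DDS.txt by replacing SAMPLE with the file's contents. Each hit is a lead, not a verdict: an orphaned toolbar entry is usually leftover registry from an uninstall, and a hosts override of a security site is only suspicious when the user did not put it there, so the output is meant to focus the next question to the poster rather than to name malware.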



#2 myrti
Malware Study Hall Admin, 33,766 posts

Posted 02 March 2010 - 09:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

If a topic is not replied to after 5 days, we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

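For anyone reading the OTL.txt these steps produce, here is a small triage script as an added example (it is not part of this thread and not OTL's own code). It parses the PRC/MOD/SRV/DRV "SafeList" lines and flags services or drivers that run from a temp directory or from under a user profile, or that carry no publisher string at all. The line layout is my reading of the log posted later in this thread, and the marker lists are assumptions for the example. One caveat worth keeping in mind: the "(Company)" field OTL prints is the file's own version-info string, which any file can carry, so it identifies nothing on its own.

```python
"""Triage helper for OTL 'SafeList' sections (PRC, MOD, SRV and DRV lines).

Assumed line layout, read off the log posted in this thread (an assumption,
not documented OTL behaviour):
    KIND - [timestamp | size | attrs | M] (Company) [flags] -- path -- (Name)
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Head of the line, everything before the first " -- ". Company is matched
# greedily so nested parentheses such as "Webroot ... (www.webroot.com)" survive.
HEAD_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<meta>.+?)\] \((?P<company>.*)\)"
    r"(?: \[(?P<flags>.+?)\])?$"
)
NAME_RE = re.compile(r"^\((?P<name>.+?)\)")

# Heuristic markers (assumptions for this example): images that run from a
# temp directory or, for services/drivers, from under a user profile.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")
USER_PROFILE_ROOT = "c:\\users\\"


@dataclass
class OtlEntry:
    kind: str
    timestamp: str
    size: int
    company: str  # version-info string from the file; not an authenticated publisher
    flags: str
    path: str
    name: Optional[str]


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one PRC/MOD/SRV/DRV line; return None for anything else."""
    head, sep, rest = line.strip().partition(" -- ")
    m = HEAD_RE.match(head) if sep else None
    if not m:
        return None
    meta = [p.strip() for p in m.group("meta").split("|")]  # ts, size, attrs, M
    digits = meta[1].replace(",", "") if len(meta) > 1 else ""
    size = int(digits) if digits.isdigit() else 0
    path, sep2, tail = rest.partition(" -- ")
    name_match = NAME_RE.match(tail) if sep2 else None
    return OtlEntry(
        kind=m.group("kind"),
        timestamp=meta[0],
        size=size,
        company=m.group("company"),
        flags=m.group("flags") or "",
        path=path,
        name=name_match.group("name") if name_match else None,
    )


def triage(entries: List[OtlEntry]) -> List[Tuple[str, str, List[str]]]:
    """Return (kind, name-or-path, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        p = e.path.lower()
        reasons = []
        if any(marker in p for marker in TEMP_MARKERS):
            reasons.append("image runs from a temp directory")
        if e.kind in ("SRV", "DRV") and p.startswith(USER_PROFILE_ROOT):
            reasons.append("service/driver image under a user profile")
        if e.kind in ("SRV", "DRV") and not e.company:
            reasons.append("no publisher string at all")
        if reasons:
            findings.append((e.kind, e.name or e.path, reasons))
    return findings


# The first four lines are copied from the log in this thread; the last one is
# constructed for the example (its path and service name are made up).
SAMPLE_LOG = [
    r"SRV - [2010/02/28 11:29:29 | 000,424,832 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Users\Vedia\AppData\Local\temp\YINDR.exe -- (YINDR)",
    r"SRV - [2010/02/14 15:04:54 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)",
    r"PRC - [2010/02/14 15:04:56 | 001,020,248 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe",
    r"DRV - [2007/01/25 21:57:20 | 000,021,056 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sskbfd.sys -- (SSKBFD)",
    r"SRV - [2010/03/01 09:00:00 | 000,012,288 | ---- | M] () [Auto | Running] -- C:\Windows\Temp\updater.exe -- (ExampleSvc)",
]


def run_sample() -> List[Tuple[str, str, List[str]]]:
    """Parse the sample lines and return the triage findings."""
    entries = [e for e in map(parse_otl_line, SAMPLE_LOG) if e is not None]
    return triage(entries)


if __name__ == "__main__":
    for kind, ident, reasons in run_sample():
        print(f"{kind} {ident}: {'; '.join(reasons)}")
```

Run against a full OTL.txt by feeding its lines to parse_otl_line and passing the non-None results to triage; hits are a starting point for the helper's review, not a verdict, since legitimate software occasionally runs from odd places too.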


#3 barrano247

  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:02:46 PM

Posted 02 March 2010 - 06:33 PM

Well, my friend is a computer security expert; he used to work in anti-hacking for the government. He looked at my cpu and even he didn't see what could be causing it. He saw something that said it was connected to email, but I got hacked again after changing my email and WoW password on an uninfected computer. I'm starting to think it might be connected to my network, although that might not be a viable conclusion, I don't know really. I've tried all the common spyware and malware scanners; I used this thing called keylogger detector, which didn't help, and I used this thing called rootkit revealer, which found stuff but I couldn't read it, although from the looks of it, it was all false positives. The only thing I haven't done so far is wiping my hard drive, which I can't do because I don't have the Vista disk due to a mix-up with the Geek Squad people a while back, so that's not an option. BTW: I found a file called strvirus on my recently changed list; it wasn't a file, it was a link to the internet, but is it something to delete? I also found something called antispy.xml that was a link to the internet.

OTL logfile created on: 3/2/2010 5:45:14 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Users\Vedia\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 70.60 Gb Free Space | 63.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VEDIA-PC
Current User Name: Vedia
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/02 17:43:51 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Vedia\Downloads\OTL.exe
PRC - [2010/02/14 15:04:56 | 001,020,248 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
PRC - [2010/02/14 15:04:54 | 000,689,416 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
PRC - [2010/02/14 15:04:54 | 000,497,008 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
PRC - [2010/02/14 15:04:53 | 000,492,808 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
PRC - [2010/02/14 15:04:53 | 000,345,352 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2010/02/14 15:04:52 | 000,715,368 | ---- | M] () -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
PRC - [2010/01/15 22:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/22 23:20:12 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/05/11 11:10:00 | 000,525,640 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2009/04/11 01:28:08 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/26 11:57:20 | 000,141,848 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxtray.exe
PRC - [2009/02/26 11:57:18 | 000,252,952 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/10/25 07:18:50 | 000,098,696 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2007/10/25 07:23:36 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\ApntEx.exe
PRC - [2007/10/25 03:44:38 | 000,212,992 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apoint.exe
PRC - [2007/09/12 04:40:38 | 000,050,472 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\ApMsgFwd.exe


========== Modules (SafeList) ==========

MOD - [2010/03/02 17:43:51 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Vedia\Downloads\OTL.exe
MOD - [2009/04/11 01:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/28 11:29:29 | 000,424,832 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Users\Vedia\AppData\Local\temp\YINDR.exe -- (YINDR)
SRV - [2010/02/14 15:04:54 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2010/02/14 15:04:54 | 000,497,008 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw)
SRV - [2010/02/14 15:04:53 | 000,345,352 | ---- | M] (Trend Micro Inc.) [On_Demand | Running] -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2010/02/14 15:04:52 | 000,715,368 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2009/09/24 20:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2008/01/18 22:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/11/02 07:35:29 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)


========== Driver Services (SafeList) ==========

DRV - [2010/02/14 15:05:08 | 001,223,832 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vsapint.sys -- (vsapint)
DRV - [2010/02/14 15:05:08 | 000,283,152 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmwfp.sys -- (tmwfp)
DRV - [2010/02/14 15:05:08 | 000,225,808 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2010/02/14 15:05:08 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2010/02/14 15:05:08 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2010/02/14 15:05:07 | 000,158,224 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/02/14 15:05:07 | 000,146,448 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tmlwf.sys -- (tmlwf)
DRV - [2010/02/14 15:05:07 | 000,059,920 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/02/14 15:05:07 | 000,050,704 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2009/05/18 13:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/02/26 11:39:50 | 004,569,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/10/23 01:16:28 | 001,331,192 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2008/07/22 06:42:58 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/03/03 10:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2007/10/29 09:38:38 | 000,162,088 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/07/10 05:27:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/20 02:29:56 | 000,984,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/06/20 02:28:34 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/06/20 02:28:22 | 000,660,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/01/25 21:57:20 | 000,021,056 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 04:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 04:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:41:49 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 01:37:21 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006/06/28 09:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2006/06/18 14:26:58 | 000,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mdmxsdk.sys -- (mdmxsdk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
IE - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\S-1-5-21-2600240742-2131969781-4149288779-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\S-1-5-21-2600240742-2131969781-4149288779-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.6.6.117
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.4.20081105
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.50
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..keyword.URL: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/27 18:16:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/27 18:15:59 | 000,000,000 | ---D | M]

[2009/09/07 10:19:17 | 000,000,000 | ---D | M] -- C:\Users\Vedia\AppData\Roaming\Mozilla\Extensions
[2010/03/02 16:14:04 | 000,000,000 | ---D | M] -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions
[2009/09/07 10:23:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/15 18:31:25 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/02/28 08:52:07 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/02/28 08:57:42 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/10/12 21:33:11 | 000,000,000 | ---D | M] -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\foxmarks@kei.com
[2010/02/23 19:11:35 | 000,000,000 | ---D | M] -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\toolbar@ask.com
[2010/02/24 15:09:04 | 000,002,426 | ---- | M] () -- C:\Users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\searchplugins\askcom.xml
[2009/08/04 15:22:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/25 22:58:03 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2010/02/15 17:15:19 | 000,378,474 | R--- | M]) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13043 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\..\Toolbar\ShellBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Vedia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2600240742-2131969781-4149288779-1000_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.69.188.186 207.69.188.187
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/05/21 21:31:47 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpReg: lxdfamon - hkey= - key= - C:\Program Files\Lexmark 6500 Series\lxdfamon.exe File not found
MsConfig - StartUpReg: lxdfmon.exe - hkey= - key= - C:\Program Files\Lexmark 6500 Series\lxdfmon.exe File not found
MsConfig - StartUpReg: Windows Defender - hkey= - key= - File not found
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - File not found
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PEVSystemStart - Service
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: procexp90.Sys - Driver
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: WudfPf - Driver
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/28 11:24:13 | 000,000,000 | ---D | C] -- C:\Users\Vedia\Pavark
[2010/02/28 09:36:28 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/02/28 09:34:01 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/27 15:57:25 | 000,000,000 | ---D | C] -- C:\Program Files\Hp
[2010/02/27 15:47:02 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard
[2010/02/27 15:45:45 | 000,000,000 | ---D | C] -- C:\SWSetup
[2010/02/27 11:17:47 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Blizzard Entertainment
[2010/02/27 09:54:43 | 000,093,056 | ---- | C] (GMER) -- C:\uglcypod.sys
[2010/02/27 09:25:54 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/02/26 22:24:22 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/02/26 19:32:03 | 000,000,000 | ---D | C] -- C:\Users\Vedia\AppData\Local\COMODO
[2010/02/26 19:28:21 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2010/02/25 19:23:14 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2010/02/25 19:22:59 | 000,000,000 | -H-D | C] -- C:\Config.msi
[2010/02/23 19:35:36 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/02/23 19:35:18 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/02/23 19:34:14 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/02/23 19:34:13 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/02/23 19:34:10 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/02/23 19:34:09 | 000,518,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/02/23 19:34:09 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/02/23 19:34:09 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/02/23 19:34:09 | 000,332,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdrm.dll
[2010/02/23 19:34:09 | 000,152,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/02/23 19:34:09 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010/02/23 19:34:04 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gameux.dll
[2010/02/23 19:34:02 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/02/23 19:34:01 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010/02/20 22:12:21 | 000,000,000 | ---D | C] -- C:\Users\Vedia\AppData\Roaming\Ventrilo
[2010/02/20 14:26:20 | 000,000,000 | ---D | C] -- C:\Users\Vedia\AppData\Local\temp(47)
[2010/02/20 14:26:20 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/02/18 15:37:15 | 000,000,000 | ---D | C] -- C:\Users\Vedia\Documents\OneNote Notebooks
[2010/02/16 22:20:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/02/16 22:20:06 | 000,000,000 | ---D | C] -- C:\Users\Vedia\AppData\Local\temp
[2010/02/16 22:02:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/02/16 21:44:50 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/02/16 21:26:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/16 21:26:31 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/02/16 21:26:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/16 20:19:47 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/02/16 18:34:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/02/16 18:34:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/02/16 18:34:11 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/02/16 18:33:23 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/02/15 18:19:30 | 000,000,000 | ---D | C] -- C:\Users\Vedia\Desktop\HiJackThis
[2010/02/15 16:01:59 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/02/15 15:38:55 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/02/14 18:51:33 | 000,000,000 | ---D | C] -- C:\Users\Vedia\AppData\Roaming\Malwarebytes
[2010/02/14 18:51:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/02/14 15:34:26 | 000,000,000 | ---D | C] -- C:\Users\Vedia\AppData\Local\Blizzard Entertainment
[2010/02/14 15:14:18 | 000,000,000 | ---D | C] -- C:\Users\Vedia\AppData\Local\Trend Micro
[2010/02/14 15:05:08 | 001,223,832 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\vsapint.sys
[2010/02/14 15:05:08 | 000,283,152 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmwfp.sys
[2010/02/14 15:05:08 | 000,225,808 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmxpflt.sys
[2010/02/14 15:05:08 | 000,089,872 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmtdi.sys
[2010/02/14 15:05:08 | 000,036,368 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmpreflt.sys
[2010/02/14 15:05:07 | 000,158,224 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2010/02/14 15:05:07 | 000,146,448 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmlwf.sys
[2010/02/14 15:05:07 | 000,059,920 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmactmon.sys
[2010/02/14 15:05:07 | 000,050,704 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmevtmgr.sys
[2010/02/14 15:04:48 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\TIS_Download_SP_32bit
[2010/02/14 15:03:42 | 045,347,568 | ---- | C] (Trend Micro Inc.) -- C:\Users\Public\Desktop\TIS_Download_SP_32bit.exe
[2010/02/13 08:32:23 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2010/02/13 01:36:14 | 000,092,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAnimation.dll
[2010/02/13 01:36:13 | 003,023,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbon.dll
[2010/02/13 01:36:13 | 001,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbonRes.dll
[2010/02/13 01:35:13 | 000,369,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMPhoto.dll
[2010/02/13 01:35:12 | 000,037,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2010/02/13 01:35:10 | 000,829,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2010/02/13 01:35:10 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2010/02/13 01:35:09 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecs.dll
[2010/02/13 01:35:09 | 000,828,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2010/02/13 01:35:09 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2010/02/13 01:35:09 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiagn.dll
[2010/02/13 01:35:09 | 000,189,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecsExt.dll
[2010/02/13 01:35:09 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsRasterService.dll
[2010/02/13 01:35:08 | 001,554,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xpsservices.dll
[2010/02/13 01:35:08 | 001,064,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2010/02/13 01:35:08 | 001,030,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2010/02/13 01:35:08 | 000,847,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\OpcServices.dll
[2010/02/13 01:35:08 | 000,793,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll
[2010/02/13 01:35:08 | 000,667,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2010/02/13 01:35:08 | 000,519,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d11.dll
[2010/02/13 01:35:08 | 000,486,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2010/02/13 01:35:08 | 000,481,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxgi.dll
[2010/02/13 01:35:08 | 000,351,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2010/02/13 01:35:08 | 000,321,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PhotoMetadataHandler.dll
[2010/02/13 01:35:08 | 000,252,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiag.exe
[2010/02/13 01:35:08 | 000,218,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2010/02/13 01:35:08 | 000,190,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2010/02/13 01:35:08 | 000,161,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2010/02/13 01:34:15 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\BthMtpContextHandler.dll
[2010/02/13 01:34:15 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDShextAutoplay.exe
[2010/02/13 01:34:08 | 000,060,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceConnectApi.dll
[2010/02/13 01:34:04 | 000,546,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wpd_ci.dll
[2010/02/13 01:34:03 | 000,350,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDSp.dll
[2010/02/13 01:34:03 | 000,334,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceApi.dll
[2010/02/13 01:34:03 | 000,196,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceWMDRM.dll
[2010/02/13 01:34:03 | 000,160,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceTypes.dll
[2010/02/13 01:34:03 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceClassExtension.dll
[2010/02/13 01:31:47 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\oleaccrc.dll
[2010/02/13 01:31:45 | 000,555,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAutomationCore.dll
[2010/02/11 21:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2010/02/11 20:52:00 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2010/02/11 20:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\MSSOAP
[2010/02/11 20:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MSSoap
[2010/02/11 20:34:34 | 000,021,056 | ---- | C] (Webroot Software Inc (www.webroot.com)) -- C:\Windows\System32\drivers\sskbfd.sys
[2010/02/11 20:34:20 | 000,271,936 | ---- | C] (Webroot Software, Inc.) -- C:\Windows\WRUninstall.dll
[2010/02/11 20:17:46 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/02/11 16:04:30 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/02/11 16:04:30 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/02/11 16:04:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/02/11 15:26:24 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/02/09 15:24:55 | 003,600,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/02/09 15:24:55 | 003,548,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/02/09 15:24:51 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2010/02/09 15:24:49 | 000,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvfw32.dll
[2010/02/09 15:24:49 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2010/02/09 15:24:49 | 000,082,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/02 17:55:59 | 004,980,736 | -HS- | M] () -- C:\Users\Vedia\ntuser.dat
[2010/03/02 17:22:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/02 17:00:09 | 000,005,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 17:00:09 | 000,005,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/02 14:59:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/01 20:22:02 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/28 17:48:26 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/02/28 17:48:26 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/02/28 17:48:26 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/02/28 17:04:20 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/02/28 17:04:12 | 2137,022,464 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/28 16:33:15 | 000,524,288 | -HS- | M] () -- C:\Users\Vedia\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/02/28 16:33:15 | 000,065,536 | -HS- | M] () -- C:\Users\Vedia\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/02/28 14:06:36 | 036,237,312 | ---- | M] () -- C:\Windows\System32\AWAIMDOY
[2010/02/28 11:29:16 | 000,001,253 | ---- | M] () -- C:\Users\Vedia\AppData\Roaming\mainhst.zgh
[2010/02/27 18:16:05 | 000,001,724 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/02/27 15:47:23 | 000,001,936 | ---- | M] () -- C:\Users\Public\Desktop\HP Help and Support.lnk
[2010/02/27 11:20:20 | 000,000,797 | ---- | M] () -- C:\Users\Public\Desktop\World of Warcraft.lnk
[2010/02/27 10:58:41 | 000,005,120 | ---- | M] () -- C:\Users\Vedia\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/27 09:54:43 | 000,093,056 | ---- | M] (GMER) -- C:\uglcypod.sys
[2010/02/27 09:49:04 | 000,270,552 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/27 09:25:37 | 254,056,710 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/02/26 22:26:19 | 000,082,944 | ---- | M] () -- C:\Windows\System32\umstartup.etl
[2010/02/26 20:51:38 | 000,059,464 | ---- | M] () -- C:\Users\Vedia\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/02/26 20:44:18 | 000,000,036 | ---- | M] () -- C:\Users\Vedia\AppData\Local\housecall.guid.cache
[2010/02/26 19:41:46 | 000,047,930 | ---- | M] () -- C:\Users\Vedia\Documents\Registry backup.reg
[2010/02/25 19:22:47 | 000,004,130 | ---- | M] () -- C:\Windows\System32\entitlement.xml
[2010/02/25 19:16:17 | 000,001,111 | ---- | M] () -- C:\Users\Vedia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2010/02/25 15:39:22 | 000,001,356 | ---- | M] () -- C:\Users\Vedia\AppData\Local\d3d9caps.dat
[2010/02/24 09:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/02/18 15:11:03 | 000,000,047 | ---- | M] () -- C:\Windows\WinInit.Ini
[2010/02/16 22:15:32 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/02/16 21:26:38 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/16 17:27:13 | 000,001,874 | ---- | M] () -- C:\Users\Vedia\Desktop\HijackThis.lnk
[2010/02/15 17:15:19 | 000,378,474 | R--- | M] () -- C:\Windows\System32\drivers\etc\HOSTS
[2010/02/15 16:01:06 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/02/15 15:38:57 | 000,001,670 | ---- | M] () -- C:\Users\Vedia\Desktop\CCleaner.lnk
[2010/02/14 15:17:06 | 000,001,843 | ---- | M] () -- C:\Users\Public\Desktop\Trend Micro Internet Security.lnk
[2010/02/14 15:05:08 | 001,223,832 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\vsapint.sys
[2010/02/14 15:05:08 | 000,283,152 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmwfp.sys
[2010/02/14 15:05:08 | 000,225,808 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmxpflt.sys
[2010/02/14 15:05:08 | 000,089,872 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmtdi.sys
[2010/02/14 15:05:08 | 000,036,368 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmpreflt.sys
[2010/02/14 15:05:07 | 000,158,224 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2010/02/14 15:05:07 | 000,146,448 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmlwf.sys
[2010/02/14 15:05:07 | 000,059,920 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmactmon.sys
[2010/02/14 15:05:07 | 000,050,704 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmevtmgr.sys
[2010/02/14 15:04:38 | 045,347,568 | ---- | M] (Trend Micro Inc.) -- C:\Users\Public\Desktop\TIS_Download_SP_32bit.exe
[2010/02/14 12:38:02 | 000,000,022 | ---- | M] () -- C:\Windows\System32\IDPExe.zip
[2010/02/13 08:31:55 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2010/02/11 20:58:25 | 000,000,761 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100215-171519.backup
[2010/02/11 20:20:13 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/02/11 20:12:07 | 000,001,409 | ---- | M] () -- C:\Windows\System32\sk_bho.ini
[2010/02/11 19:55:23 | 000,003,300 | ---- | M] () -- C:\Windows\System32\10003.sks
[2010/02/11 19:55:23 | 000,001,256 | ---- | M] () -- C:\Windows\System32\10001.sks
[2010/02/11 19:55:23 | 000,000,959 | ---- | M] () -- C:\Windows\System32\10004.sks
[2010/02/11 19:55:23 | 000,000,000 | ---- | M] () -- C:\Windows\System32\10002.sks
[2010/02/11 18:16:24 | 000,002,380 | ---- | M] () -- C:\Windows\System32\BlockedCookies
[2010/02/11 18:16:04 | 000,000,076 | ---- | M] () -- C:\Windows\System32\IDPVer.ini
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/28 17:04:12 | 2137,022,464 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/28 14:05:24 | 036,237,312 | ---- | C] () -- C:\Windows\System32\AWAIMDOY
[2010/02/27 18:16:05 | 000,001,724 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/02/27 15:47:23 | 000,001,936 | ---- | C] () -- C:\Users\Public\Desktop\HP Help and Support.lnk
[2010/02/27 09:25:37 | 254,056,710 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/02/26 20:43:05 | 000,000,036 | ---- | C] () -- C:\Users\Vedia\AppData\Local\housecall.guid.cache
[2010/02/26 19:39:26 | 000,047,930 | ---- | C] () -- C:\Users\Vedia\Documents\Registry backup.reg
[2010/02/25 19:22:47 | 000,004,130 | ---- | C] () -- C:\Windows\System32\entitlement.xml
[2010/02/25 19:16:17 | 000,001,111 | ---- | C] () -- C:\Users\Vedia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2010/02/18 15:11:03 | 000,000,047 | ---- | C] () -- C:\Windows\WinInit.Ini
[2010/02/17 19:07:07 | 000,000,886 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/17 19:07:05 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/16 21:26:38 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/16 18:34:16 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/02/16 18:34:12 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/02/16 18:34:11 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/02/16 18:34:11 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/02/16 18:34:11 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/02/16 17:27:13 | 000,001,874 | ---- | C] () -- C:\Users\Vedia\Desktop\HijackThis.lnk
[2010/02/15 15:38:57 | 000,001,670 | ---- | C] () -- C:\Users\Vedia\Desktop\CCleaner.lnk
[2010/02/14 15:17:06 | 000,001,843 | ---- | C] () -- C:\Users\Public\Desktop\Trend Micro Internet Security.lnk
[2010/02/13 08:31:55 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2010/02/11 19:55:23 | 000,003,300 | ---- | C] () -- C:\Windows\System32\10003.sks
[2010/02/11 19:55:23 | 000,001,256 | ---- | C] () -- C:\Windows\System32\10001.sks
[2010/02/11 19:55:23 | 000,000,959 | ---- | C] () -- C:\Windows\System32\10004.sks
[2010/02/11 19:55:23 | 000,000,000 | ---- | C] () -- C:\Windows\System32\10002.sks
[2010/02/11 18:16:24 | 000,002,380 | ---- | C] () -- C:\Windows\System32\BlockedCookies
[2010/02/11 18:14:45 | 000,000,076 | ---- | C] () -- C:\Windows\System32\IDPVer.ini
[2010/02/11 18:14:44 | 000,000,022 | ---- | C] () -- C:\Windows\System32\IDPExe.zip
[2010/02/11 18:14:39 | 000,001,409 | ---- | C] () -- C:\Windows\System32\sk_bho.ini
[2009/09/18 22:23:58 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/25 11:05:53 | 000,001,253 | ---- | C] () -- C:\Users\Vedia\AppData\Roaming\mainhst.zgh
[2009/06/24 11:59:06 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2009/06/01 21:45:14 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdfoem.dll
[2009/05/23 15:30:47 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/05/22 08:32:50 | 000,005,120 | ---- | C] () -- C:\Users\Vedia\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/21 20:43:49 | 000,001,356 | ---- | C] () -- C:\Users\Vedia\AppData\Local\d3d9caps.dat
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/11/20 13:32:40 | 005,527,385 | ---- | C] () -- C:\Windows\System32\IDPRSig.dll
[2007/11/20 13:32:40 | 000,622,113 | ---- | C] () -- C:\Windows\System32\IDPList.dll
[2007/11/20 13:32:39 | 004,985,733 | ---- | C] () -- C:\Windows\System32\IDPFSig.dll
[2007/11/20 13:32:39 | 000,343,272 | ---- | C] () -- C:\Windows\System32\IDPESig.dll
[2007/11/20 13:32:39 | 000,002,380 | ---- | C] () -- C:\Windows\System32\IDPBlkCoo.dll
[2007/11/20 13:32:39 | 000,000,162 | ---- | C] () -- C:\Windows\System32\IDPCritProc.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 01:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2008/01/18 22:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/18 22:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/18 22:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/18 22:42:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\ERDNT\cache\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/18 22:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/18 22:41:32 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 04:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/18 22:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/18 22:42:52 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 04:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/18 22:35:38 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/18 22:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/18 22:42:10 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/18 22:36:20 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 04:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >

OTL Extras logfile created on: 3/2/2010 5:45:14 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Users\Vedia\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 70.60 Gb Free Space | 63.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VEDIA-PC
Current User Name: Vedia
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2600240742-2131969781-4149288779-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" [2009/05/22 09:49:15 | 000,000,000 | ---D | M]
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{12909D8D-30B2-4113-AAEA-BEEC3F04A74A}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{427D6AF0-1907-405F-BE4C-58EF4F6AB0C8}" = lport=3702 | protocol=17 | dir=in | app=c:\windows\system32\p2phost.exe |
"{57917EEB-D07A-4E9D-992B-DEC9F8EC69E1}" = rport=3540 | protocol=17 | dir=out | svc=pnrpsvc | app=c:\windows\system32\svchost.exe |
"{9506D6EB-C39D-4313-904E-412A4EC73F9E}" = lport=rpc | protocol=6 | dir=in | svc=ktmrm | app=c:\windows\system32\svchost.exe |
"{A0FC3DEC-79C5-4D9E-9526-396E499D82DF}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{B0B26E7C-F3C0-45B8-BB73-B17F93FB38A4}" = rport=3702 | protocol=17 | dir=out | app=c:\windows\system32\p2phost.exe |
"{BA509100-D19A-42AE-8AD3-CF178ECCC4DE}" = lport=3540 | protocol=17 | dir=in | svc=pnrpsvc | app=c:\windows\system32\svchost.exe |
"{CA0F638A-2805-4F2D-B1C5-7EB46EEE6078}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | app=c:\windows\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04C753D8-3F4B-436B-AFB5-7ADEBF9C9A36}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.2.0.10048-to-0.2.0.10072-enus-downloader.exe |
"{0801BA3A-A7A9-42AF-9F23-914D077B947F}" = protocol=6 | dir=in | app=c:\nexon\combat arms\nmservice.exe |
"{0AF36811-90DD-49DB-86C4-CF763CF12412}" = protocol=17 | dir=in | app=c:\nexon\combat arms\nmservice.exe |
"{0BA2474F-DC85-466A-A10E-F6049994E40A}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe |
"{1862F51B-2408-43EB-9142-D4E80CEEA7FC}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\frun.exe |
"{18AAC2EB-81F9-4A78-A01B-674E3F92EC97}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{1A6478EC-3800-4F71-8F5C-E4F1C80C0D88}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdffax.exe |
"{1E38679B-ABFE-46F0-BEA3-616898ECA03F}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.2.0.10072-to-0.2.0.10083-enus-downloader.exe |
"{21D47465-4D1F-40FA-941D-D62B36E76668}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{31C81749-F0B7-43E0-BE6C-7E450DF36D5C}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdffax.exe |
"{3782531F-D01B-498C-A9C4-8866AB75312E}" = protocol=6 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"{3AB2049B-4A4A-4969-A03B-83F969A96ACB}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{3C23775B-37DA-4F1E-BD41-5C0B772B8CEA}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\frun.exe |
"{412AE3D0-9591-4C1F-A3A4-37FDA30687EE}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{4320F410-5F28-4C03-94F3-4F6486CDABC4}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.2.0.10072-to-0.2.0.10083-enus-downloader.exe |
"{45B3C280-AADF-48ED-9C10-1C912EEF46EC}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe |
"{496C7437-A02F-484C-9B22-41A41D71488E}" = protocol=6 | dir=in | app=c:\windows\system32\lxdfcfg.exe |
"{4FCEFA8A-3CA6-4494-8EF4-891E20F150BD}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdftime.exe |
"{52E90E9B-A47C-4415-8FBF-5521F8629AAB}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{5D3B465D-8448-4531-8D1B-E3642DD00478}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{5F21525F-CB36-4105-8861-8AECD011ECC7}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{60B70F82-B401-453F-89AA-5E7741077065}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{66A755FC-9C8A-48E5-AC3C-79AFDD01D694}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{69916886-9D94-40E6-983F-1F651DD2C37B}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{6B90DF8D-B707-4341-B452-4DBBE55A4572}" = protocol=6 | dir=in | app=c:\windows\system32\p2phost.exe |
"{6E13727D-83C8-4467-B9E4-FD7818937AEA}" = protocol=6 | dir=out | app=c:\windows\system32\p2phost.exe |
"{72248765-55D7-4084-83D1-99557391B1ED}" = protocol=6 | dir=in | app=c:\windows\system32\lxdfcoms.exe |
"{756B8978-8285-4F82-84C8-118C354EDA23}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{7F2B0A5A-28FA-4EE8-BDA8-259A1BB22B8E}" = protocol=6 | dir=out | app=c:\windows\system32\msdtc.exe |
"{87D5F00B-0FAE-4BC8-BE10-18CA40CC01B2}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"{888F99BF-3683-4DEB-AEA8-D087A4B58A7F}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{894B34B8-0C51-4950-AA02-5FF4975C242C}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdftime.exe |
"{8CC5D6F8-561B-4D54-9C0A-AEEDE8B7AB53}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A3EEC47C-C27F-4035-9547-ED58D45136AF}" = protocol=17 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"{A5F27E8B-0EF6-4877-855D-53970A8D28BD}" = protocol=17 | dir=in | app=c:\windows\system32\lxdfcfg.exe |
"{B7FED4AE-1A02-466E-BAC4-AC8CAA13D18A}" = protocol=6 | dir=in | app=c:\windows\system32\msdtc.exe |
"{C5BEE587-40C5-4365-98A3-CCD536DFBAA1}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdfamon.exe |
"{C833453B-A0C8-417D-92E4-073C1F4F144D}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"{D4CCF2E4-9DE0-4C12-A401-439F12AC8926}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{D62DEF85-CDDA-44F2-82A6-EECF1D27AE99}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{DF9FEB77-95EB-4F3A-A249-65E349ECCEFB}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E32C17D9-9532-4AA5-9F72-BE50178755DD}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdfamon.exe |
"{EB5869E7-573F-47E7-B1AD-7364CFA24F4D}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.2.0.10048-to-0.2.0.10072-enus-downloader.exe |
"{F6DBA95F-8706-4D10-A53D-8B124CEDB6DC}" = protocol=17 | dir=in | app=c:\windows\system32\lxdfcoms.exe |
"{FC88D8BC-049E-4710-B84B-8536C77EF771}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"TCP Query User{37C6FDCF-92A3-4D5E-B07F-F04A5C09B693}C:\program files\lexmark 6500 series\lxdfmon.exe" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"TCP Query User{50A7C74B-BA6E-4B21-BC55-5AE6C3205E0E}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe |
"TCP Query User{B4669856-0AEA-4360-859F-A9967FA84950}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"TCP Query User{C2EA5F18-D6A5-4972-98F0-12F909DED315}C:\users\public\games\world of warcraft\wow-3.0.1.8874-ptr-us-installer-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.0.1.8874-ptr-us-installer-downloader.exe |
"TCP Query User{D523CDDF-71C2-4FA8-9838-DB9AC3F6ABF6}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"TCP Query User{E06241D6-8AC9-446E-8EF9-B04B5A344534}C:\users\public\games\world of warcraft\repair.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe |
"TCP Query User{F228A896-3215-4C01-AF92-08F26BFB25FE}C:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe |
"UDP Query User{06F14498-B5CB-4506-96B2-004AA10208E1}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-enus-downloader.exe |
"UDP Query User{3C627B43-CAD1-4B03-8CA7-B6BE593F1B01}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{599E24A0-516D-4019-A2C4-F2853849C306}C:\users\public\games\world of warcraft\wow-3.0.1.8874-ptr-us-installer-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.0.1.8874-ptr-us-installer-downloader.exe |
"UDP Query User{9E9E5FD0-66AD-4E42-B467-89B378F69727}C:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe |
"UDP Query User{A13B7FD9-6EBE-48CD-8687-4B240AA5E0CB}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{BBF14B21-5E86-4B58-A56F-24FD0E6BE555}C:\program files\lexmark 6500 series\lxdfmon.exe" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"UDP Query User{EE7C24AD-8BFC-4EB7-AB61-B06AB54E525A}C:\users\public\games\world of warcraft\repair.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{28EDCE9C-3304-4331-8AB3-F3EBE94C35B4}" = HP Help and Support
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D2B0322-44AE-460E-9283-4D2D7A9205AE}" = Trend Micro Internet Security
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}" = HP Update
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{EC3B598C-1151-4191-B5B4-A9072ADE6259}_is1" = ZipGenius 6 (6.0.3.1150)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"TVWiz" = Intel® TV Wizard
"World of Warcraft" = World of Warcraft

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/27/2010 10:26:47 AM | Computer Name = Vedia-PC | Source = EventSystem | ID = 4609
Description =

Error - 2/27/2010 10:35:29 AM | Computer Name = Vedia-PC | Source = Perflib | ID = 1008
Description =

Error - 2/27/2010 10:35:30 AM | Computer Name = Vedia-PC | Source = PerfNet | ID = 2004
Description =

Error - 2/27/2010 10:35:30 AM | Computer Name = Vedia-PC | Source = PerfNet | ID = 2002
Description =

Error - 2/27/2010 1:59:46 PM | Computer Name = Vedia-PC | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe_WinDefend, version 6.0.6001.18000,
time stamp 0x47918b89, faulting module mpengine.dll, version 1.1.5502.0, time stamp
0x4b7b7bc0, exception code 0xc0000006, fault offset 0x0024cca0, process id 0x384,
application start time 0x01cab7d4f92b3861.

Error - 2/27/2010 1:59:46 PM | Computer Name = Vedia-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\ProgramData\Microsoft\Windows Defender\Definition
Updates\{26D2CAAC-3445-454B-AE7B-780730F0B7B8}\mpengine.dll for one of the following
reasons: there is a problem with the network connection, the disk that the file
is stored on, or the storage drivers installed on this computer; or the disk is
missing. Windows closed the program Host Process for Windows Services because of
this error. Program: Host Process for Windows Services File: C:\ProgramData\Microsoft\Windows
Defender\Definition Updates\{26D2CAAC-3445-454B-AE7B-780730F0B7B8}\mpengine.dll

The
error value is listed in the Additional Data section. User Action 1. Open the file
again. This situation might be a temporary problem that corrects itself when the
program runs again. 2. If the file still cannot be accessed and - It is on the network,
your network administrator should verify that there is not a problem with the network
and that the server can be contacted. - It is on a removable disk, for example,
a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3.
Check and repair the file system by running CHKDSK. To run CHKDSK, click Start,
click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F,
and then press ENTER. 4. If the problem persists, restore the file from a backup
copy. 5. Determine whether other files on the same disk can be opened. If not, the
disk might be damaged. If it is a hard disk, contact your administrator or computer
hardware vendor for further assistance. Additional Data Error value: C0000185 Disk
type: 3

Error - 2/28/2010 3:22:09 PM | Computer Name = Vedia-PC | Source = Google Update | ID = 20
Description =

Error - 2/28/2010 3:42:34 PM | Computer Name = Vedia-PC | Source = EventSystem | ID = 4609
Description =

Error - 2/28/2010 5:33:16 PM | Computer Name = Vedia-PC | Source = Microsoft-Windows-CAPI2 | ID = 131584
Description =

Error - 2/28/2010 6:43:46 PM | Computer Name = Vedia-PC | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 8/29/2009 9:52:40 PM | Computer Name = Vedia-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 8/30/2009 9:08:39 PM | Computer Name = Vedia-PC | Source = Print | ID = 6161
Description = The document Microsoft Word - 1st HW English, owned by Christian,
failed to print on printer Lexmark 6500 Series. Try to print the document again,
or restart the print spooler. Data type: LEMF. Size of the spool file in bytes:
2849348. Number of bytes printed: 2849348. Total number of pages in the document:
1. Number of pages printed: 0. Client computer: \\VEDIA-PC. Win32 error code returned
by the print processor: 0. The operation completed successfully.

Error - 8/30/2009 9:28:55 PM | Computer Name = Vedia-PC | Source = HTTP | ID = 15016
Description =

Error - 9/3/2009 3:09:48 AM | Computer Name = Vedia-PC | Source = HTTP | ID = 15016
Description =

Error - 9/3/2009 7:10:05 PM | Computer Name = Vedia-PC | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/7/2009 11:01:50 AM | Computer Name = Vedia-PC | Source = HTTP | ID = 15016
Description =

Error - 9/7/2009 11:01:58 AM | Computer Name = Vedia-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.6 for the Network Card with network
address 001A739687D4 has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 9/8/2009 10:46:04 PM | Computer Name = Vedia-PC | Source = Print | ID = 6161
Description = The document Microsoft Word - Document1, owned by Christian, failed
to print on printer Lexmark 6500 Series. Try to print the document again, or restart
the print spooler. Data type: LEMF. Size of the spool file in bytes: 319757. Number
of bytes printed: 319757. Total number of pages in the document: 1. Number of pages
printed: 0. Client computer: \\VEDIA-PC. Win32 error code returned by the print
processor: 0. The operation completed successfully.

Error - 9/10/2009 3:14:00 AM | Computer Name = Vedia-PC | Source = HTTP | ID = 15016
Description =

Error - 9/15/2009 7:35:30 PM | Computer Name = Vedia-PC | Source = HTTP | ID = 15016
Description =


< End of report >

From my own reading of these files, I've identified mbr.exe as a rootkit that needs to be deleted. Anyone know how to get rid of it?

I just ran something called lads to detect alternate data streams. Every time it gets to a certain point it says something really fast, then automatically closes. I think the virus is stopping it from detecting it or something.

Edited by barrano247, 02 March 2010 - 07:34 PM.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:08:46 PM

Posted 03 March 2010 - 09:03 AM

Hi,

mbr.exe is part of ComboFix, which you ran, and is not a rootkit; it is used to detect rootkits. Could you please provide the log from ComboFix? It is located in C:\combofix.txt.

Do you have a safe password? Meaning more than 8 letters; does it use capitalized letters and numbers? (I don't wanna know the password, I'm just wondering whether it could have been brute-forced.)

lads hasn't been updated in a long time, I believe since 2007. OTL lists Alternate Data Streams and they show nothing unusual.

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box
    CODE
    :dir
    C:\Windows\System32\AWAIMDOY /s
  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply.

regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 barrano247

barrano247
  • Topic Starter

  • Members
  • 26 posts
  • Local time:02:46 PM

Posted 03 March 2010 - 04:43 PM

Here's ComboFix:
ComboFix 10-02-12.01 - Vedia 02/20/2010 14:20:07.3.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1606 [GMT -5:00]
Running from: c:\users\Vedia\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 19:21 . 2010-02-20 19:22 -------- d-----w- c:\users\Vedia\AppData\Local\temp
2010-02-20 19:21 . 2010-02-20 19:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-20 19:21 . 2010-02-20 19:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-20 19:21 . 2010-02-20 19:21 -------- d-----w- c:\users\Christian\AppData\Local\temp
2010-02-20 19:19 . 2010-02-20 19:19 -------- d-----w- C:\32788R22FWJFW
2010-02-18 00:03 . 2010-02-18 00:03 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbC6DB.tmp.exe
2010-02-17 02:44 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 02:26 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 02:26 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 02:26 . 2010-02-17 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-17 00:29 . 2010-02-17 00:29 2131336 ----a-w- c:\users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-02-15 23:39 . 2010-02-15 23:39 388096 ----a-r- c:\users\Christian\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-15 21:34 . 2010-02-16 23:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-15 21:34 . 2010-02-16 23:32 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-15 21:01 . 2010-02-15 21:01 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-15 20:50 . 2010-02-15 21:30 -------- d-----w- c:\programdata\Lavasoft
2010-02-15 20:38 . 2010-02-15 20:39 -------- d-----w- c:\program files\CCleaner
2010-02-14 23:52 . 2010-02-14 23:52 -------- d-----w- c:\users\Christian\AppData\Roaming\Malwarebytes
2010-02-14 23:51 . 2010-02-14 23:51 -------- d-----w- c:\users\Vedia\AppData\Roaming\Malwarebytes
2010-02-14 23:51 . 2010-02-14 23:51 -------- d-----w- c:\programdata\Malwarebytes
2010-02-14 20:34 . 2010-02-14 20:34 -------- d-----w- c:\users\Vedia\AppData\Local\Blizzard Entertainment
2010-02-14 20:14 . 2010-02-14 20:14 -------- d-----w- c:\users\Vedia\AppData\Local\Trend Micro
2010-02-14 20:12 . 2010-02-01 12:24 71960 ----a-w- c:\users\Christian\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-npoctoshape.dll
2010-02-14 20:12 . 2010-02-01 12:24 417280 ----a-w- c:\users\Christian\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-libOctoshapeClient.dll
2010-02-14 20:12 . 2010-02-01 12:24 124184 ----a-w- c:\users\Christian\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-apoctoshape.dll
2010-02-14 20:05 . 2010-02-14 20:05 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-02-14 20:05 . 2010-02-14 20:05 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-02-14 20:05 . 2010-02-14 20:05 283152 ----a-w- c:\windows\system32\drivers\tmwfp.sys
2010-02-14 20:05 . 2010-02-14 20:05 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-02-14 20:05 . 2010-02-14 20:05 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2010-02-14 20:05 . 2010-02-14 20:05 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-02-14 20:05 . 2010-02-14 20:05 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-02-14 20:05 . 2010-02-14 20:05 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-14 20:05 . 2010-02-14 20:05 146448 ----a-w- c:\windows\system32\drivers\tmlwf.sys
2010-02-13 13:32 . 2010-02-13 13:32 -------- d-----w- c:\program files\Windows Portable Devices
2010-02-13 06:36 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-02-13 06:36 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-02-13 06:36 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-02-13 06:34 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-02-13 06:34 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-02-13 06:34 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-02-13 06:34 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-02-13 06:34 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-02-13 06:34 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-02-13 06:34 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-02-13 06:34 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-02-13 06:34 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-02-13 06:34 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-02-13 06:34 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-02-13 06:34 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-02-13 06:31 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-02-13 06:31 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-02-13 06:31 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-02-12 02:04 . 2010-02-12 02:04 -------- d-----w- c:\programdata\WindowsSearch
2010-02-12 01:52 . 2010-02-12 01:52 -------- d-----w- c:\program files\Ask.com
2010-02-12 01:51 . 2010-02-12 01:51 -------- d-----w- c:\program files\MSSOAP
2010-02-12 01:34 . 2007-01-26 02:57 21056 ----a-w- c:\windows\system32\drivers\sskbfd.sys
2010-02-12 01:17 . 2010-02-12 01:17 -------- d-----w- c:\programdata\Alwil Software
2010-02-12 01:17 . 2010-02-12 01:17 -------- d-----w- c:\program files\Alwil Software
2010-02-11 23:14 . 2010-02-14 17:38 22 ----a-w- c:\windows\system32\IDPExe.zip
2010-02-11 23:13 . 2010-02-12 01:32 -------- d-----w- c:\program files\IdentityPatrol
2010-02-11 21:04 . 2010-02-11 21:05 -------- d-----w- c:\windows\system32\ca-ES
2010-02-11 21:04 . 2010-02-11 21:05 -------- d-----w- c:\windows\system32\eu-ES
2010-02-11 21:04 . 2010-02-11 21:05 -------- d-----w- c:\windows\system32\vi-VN
2010-02-11 20:26 . 2010-02-11 20:26 -------- d-----w- c:\windows\system32\EventProviders
2010-02-09 20:25 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-09 20:25 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-09 20:25 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-09 20:25 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-06 15:10 . 2010-02-06 15:10 -------- d-----w- c:\users\Christian\AppData\Local\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 20:47 . 2009-06-07 15:35 120088 ----a-w- c:\users\Christian\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-02-18 20:32 . 2009-05-23 04:11 -------- d-----w- c:\program files\Google
2010-02-18 20:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-02-18 20:12 . 2009-11-25 22:11 -------- d-----w- c:\program files\QuickTime
2010-02-17 02:21 . 2009-05-22 01:44 58896 ----a-w- c:\users\Vedia\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-16 22:27 . 2009-05-22 13:20 -------- d-----w- c:\program files\Trend Micro
2010-02-14 20:16 . 2009-05-22 13:22 -------- d-----w- c:\programdata\Trend Micro
2010-02-13 13:32 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-13 13:31 . 2010-02-13 13:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-02-13 01:08 . 2009-05-23 20:31 -------- d-----w- c:\users\Christian\AppData\Roaming\Ventrilo
2010-02-11 21:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-02-11 21:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-11 21:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-02-11 21:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-02-11 21:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-02-11 21:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-23 08:18 . 2009-05-22 14:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-02 06:38 . 2010-01-22 20:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 20:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 20:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 20:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 20:18 . 2009-10-21 23:09 -------- d-----w- c:\programdata\NOS
2009-12-08 20:01 . 2010-02-09 20:24 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-09 20:24 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-05 00:57 . 2009-12-05 00:57 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbF538.tmp.exe
2009-12-04 18:30 . 2010-02-09 20:24 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-09 20:24 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-09 20:24 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-09 20:24 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-09 20:24 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-09 20:24 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-09 20:24 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-09 20:24 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-09 20:24 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-04 15:56 . 2010-02-09 20:24 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 15:56 . 2010-02-09 20:24 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-25 22:06 . 2009-11-25 22:06 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-25 22:03 . 2009-11-25 22:03 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 20:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-02-14 1020248]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Vedia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 03:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):4f,39,36,af,5e,ab,ca,01

S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [2/14/2010 3:05 PM 146448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/17/2010 7:07 PM 135664]
S2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2/14/2010 3:05 PM 36368]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [2/14/2010 3:05 PM 283152]
S3 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2/14/2010 3:05 PM 50704]
S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2/14/2010 3:25 PM 497008]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2/14/2010 3:25 PM 689416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 00:06]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 00:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: general.useragent.extra.prevx -
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-lxdfamon - c:\program files\Lexmark 6500 Series\lxdfamon.exe
MSConfigStartUp-lxdfmon - c:\program files\Lexmark 6500 Series\lxdfmon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 14:22
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1848)
c:\windows\system32\igfxsrvc.dll
.
Completion time: 2010-02-20 14:26:19
ComboFix-quarantined-files.txt 2010-02-20 19:26
ComboFix2.txt 2010-02-17 03:20

Pre-Run: 43,819,184,128 bytes free
Post-Run: 43,730,268,160 bytes free

- - End Of File - - 4F3F05EDC1ECF466642B332462E24C79

Here's SystemLook:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:45 on 03/03/2010 by Vedia (Administrator - Elevation successful)

========== dir ==========

C:\Windows\System32\AWAIMDOY - Unable to find folder.

-=End Of File=-

My passwords are very complicated btw including caps and uncapped letters and numbers.

Edited by barrano247, 04 March 2010 - 03:09 PM.
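The ComboFix log above is what the helpers read for persistence clues. As an added example (not part of this thread, and not ComboFix's or the helper's own tooling), here is a small Python triage script for that log format: it parses the "Files Created" and Run-key lines and surfaces recently created executables in user-writable locations, which are the entries worth checking first. The sample input is copied from the log above plus one constructed Run value (the "updater" line) so an autostart hit is visible.

```python
"""Triage of a ComboFix log: list the recently created executables that sit in
user-writable locations, plus Run-key autostarts that point there.
Added example for this thread; not ComboFix's own code nor the helper's tools.
Flagged does not mean malicious (the sample lines below are legitimate
toolbars); it only orders what to inspect or submit to a scanner first."""
import re
from dataclasses import dataclass
from typing import Optional

# A "Files Created" line: <created> . <modified> <size|--------> <attrs> <path>
# The first timestamp is the one inside the section's scan window, so it is
# read here as the creation time (assumption drawn from the log above).
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>\S.*)$"
)
# A Run-key line: "name"="command" [date size]   (or [X] when no file info)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<info>[^\]]*)\]$')

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".com")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\",
                 "\\documents and settings\\")


@dataclass(frozen=True)
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints --------)
    is_dir: bool
    path: str


def parse_file_entries(log: str) -> list:
    """Every 'Files Created' / 'Find3M' style line as a FileEntry."""
    entries = []
    for raw in log.splitlines():
        m = FILE_RE.match(raw.strip())
        if not m:
            continue   # section headers, dots and registry lines are skipped
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(FileEntry(m["created"], m["modified"], size,
                                 "d" in m["attrs"], m["path"].rstrip()))
    return entries


def parse_run_entries(log: str) -> dict:
    """{name: command} for every Run/RunOnce style value in the log."""
    return {m["name"]: m["cmd"] for raw in log.splitlines()
            if (m := RUN_RE.match(raw.strip()))}


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def flag_files(entries) -> list:
    """Executables written into user-writable locations, newest first."""
    hits = [e for e in entries if not e.is_dir
            and e.path.lower().endswith(EXEC_EXT) and in_user_writable(e.path)]
    return sorted(hits, key=lambda e: e.created, reverse=True)


def flag_autostarts(run_entries: dict) -> dict:
    """Run-key values whose command points into a user-writable location."""
    return {n: c for n, c in run_entries.items() if in_user_writable(c)}


# Sample input: lines copied from the log above, plus one CONSTRUCTED Run
# value (the "updater" line) so that an autostart hit is visible.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
2010-02-20 19:21 . 2010-02-20 19:22 -------- d-----w- c:\users\Vedia\AppData\Local\temp
2010-02-18 00:03 . 2010-02-18 00:03 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbC6DB.tmp.exe
2010-02-17 02:44 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 02:26 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 00:29 . 2010-02-17 00:29 2131336 ----a-w- c:\users\Vedia\AppData\Roaming\Mozilla\Firefox\Profiles\dfqk1qta.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-02-14 20:12 . 2010-02-01 12:24 71960 ----a-w- c:\users\Christian\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1002010-0-npoctoshape.dll
2010-02-14 20:05 . 2010-02-14 20:05 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-23 39408]
"updater"="c:\users\Vedia\AppData\Roaming\updater\updater.exe" [2010-02-14 20480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"""

if __name__ == "__main__":
    for e in flag_files(parse_file_entries(SAMPLE_LOG)):
        print(f"{e.created}  {e.size:>8}  {e.path}")
    for name, cmd in flag_autostarts(parse_run_entries(SAMPLE_LOG)).items():
        print(f"autostart {name!r} -> {cmd}")
```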


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:46 PM

Posted 05 March 2010 - 08:53 AM

Hi,

are you familiar with this file:
QUOTE
C:\Windows\System32\AWAIMDOY


If not please upload it:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\Windows\System32\AWAIMDOY

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 barrano247

barrano247
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:46 PM

Posted 05 March 2010 - 04:12 PM

Ok, VirusTotal said that it was bigger than the permitted size and Jotti said "No file uploaded!"
BTW I did upload the file.
I found and opened the file with Notepad btw; do you want me to paste it or send it to you somehow? It's extremely complicated; I doubt I could fit it here though.
From what I have read through the vast amounts of coding, I keep seeing the names of DLLs and the phrase InprocServer32; it also says ThreadingModel a lot. I didn't see anything that stuck out to me, but it showed thousands of commands and lots of Windows DLLs, as well as files. I didn't alter the files at all.
By the way, last night I downloaded the SpyHunter trial and ran the scan. It said I had the Zlob trojan, but I had to buy it to delete the infected registry keys, which were all in this secluded key with the names of porn sites and fake antivirus sites that I have never visited, but I manually deleted all the files that were reportedly infected.
UPDATE: Somewhere deep in the file I saw the phrase P˙˙˙C e r t a i n s e t t i n g s a r e c a u s i n g T r e n d M i c r o F i r e w a l l t o b l o c k p a r t i c u l a r c o n n e c t i o n s . I think this is a log of the virus's activities.

Edited by barrano247, 05 March 2010 - 04:42 PM.


#8 myrti


Posted 06 March 2010 - 12:51 PM

Hi,

could you please rename the file to AWAIMDOY.vir and see if the file gets recreated. It must not be malware, it could actually be Trend Micro itself or any other program.

regards myrti



#9 barrano247


Posted 06 March 2010 - 01:18 PM

It didn't get recreated.

#10 myrti


Posted 06 March 2010 - 03:20 PM

Hi,

do you use a router? Your logs are looking clean. Please run a scan with Malwarebytes next:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Have you thought about using things like the battle.net authenticator for additional safety: http://eu.blizzard.com/support/article.xml...articleId=39151 ? (note that I'm not a WoW player and don't know how much additional safety this will give you).

regards myrti



#11 barrano247


Posted 06 March 2010 - 04:49 PM

Yeah, I've thought about the authenticator; there's no keylogger or anything out now that can hack it, so it's 100% safe. The only reason I don't have it yet is because it takes anywhere from a week to a month to get here, and I finally ordered it this morning, so I still would like to solve the problem at hand. Yes, I am using a router btw, a Belkin. BTW I have a file called qoobox; isn't that related to Virtumonde? Every time I delete it, it comes back on the same day as the time when I get hacked.
The Malwarebytes scan didn't have any results; I already did the thing where you run a full scan in safe mode with System Restore off.

#12 myrti


Posted 06 March 2010 - 05:20 PM

Hi,

I do not see signs of infection, to be honest. There are infections that will get onto your PC, collect the data and, once they have your passwords, uninstall themselves again, so that you don't know that you have been compromised. It is very rare though.
Is there a possibility that you compromised your passwords on a different PC?

Some routers can get infected, so if you could please check that the settings in your router are unchanged or simply do a factory reset, that would rule it out as the source of infection.

Qoobox is the quarantine folder of ComboFix. It is probably not related to virtumonde or your infection. Could it be that the folder got created the same day your account was compromised because you ran ComboFix to check for malware once you learned you were compromised?

QUOTE
The malwarebytes scan didnt have any results, i already did the thing where you run a full scan in safe mode with system restore off.

Malwarebytes is more efficient in normal mode; it does behaviour-based detections and needs the malware to be active for that.
I usually advise to keep system restore on during the cleaning, in case something goes wrong and only to disable system restore once the system has been successfully cleaned and a new clean system restore point can be set.

regards myrti



#13 barrano247


Posted 06 March 2010 - 10:41 PM

Yeah, my friend is a computer security expert and he said he didn't find anything that stuck out, but from the looks of it, something was connected to my email, so I'll do a factory reset. I got the authenticator, so that saga of my life is finally over! Thanks so much for your help!

#14 myrti


Posted 07 March 2010 - 04:07 AM

Hi,

it is probably the safest solution.

Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Have a nice day
myrti



#15 barrano247


Posted 07 March 2010 - 11:11 AM

I can't do the thing with the hosts file; all the Vista tutorials don't work right for some reason. But I'm using the Trend Micro firewall on maximum settings, I got SpywareBlaster on top of Trend and Malwarebytes, and no Windows updates were available, so I am sure that the problems I'm having are external. My friend said they could be using transfer cables and my IP address to get into my computer's files; in that case I'll reset my router to factory settings. Anyway, thanks for your help again!

Oh yeah, a week ago I did a hard disk diagnostic and it got to 27% before it stopped and said that hard disk failure is imminent, back up files immediately. Also I got a blue screen a week or two ago, but it has not happened since then.

Edited by barrano247, 07 March 2010 - 11:13 AM.
