Unknown Infections-DDS & GMER Info Logs For Viewing


73 replies to this topic

#1 Ta Orfa

  • Members
  • 49 posts

Posted 27 March 2010 - 07:40 PM

HiJackThis Trend Micro Found O4 & O17 Issues - Please Help Remove Issues

Can't remove; issues reappear often. Cannot get into Google.com or yahoo.com or known sites that would be obviously safe to surf within them such as foxnews.com, cnn.com, and other pages take forever to load or do not load at all, just plain old frustrating. msn.com always redirects to the Spanish version msn page, especially when I load a new web page or tab or when I log off of hotmail.com/live.mail.com. My Java is messed up and does not load, and it advises that I have the latest version and how to fix the issue, but the changes are as advised by java.com and it will not work, and all temp files downloaded from Java cannot be deleted when performing a disk cleanup, along with iPod/iShuffle and all Apple software no longer working, so I cannot use iTunes to load songs onto iPod/iShuffle or charge the units etc. My Nero 8 is no longer working; Flash Player stopped playing movies, it just plays audio, no video. External hard drive F:, a Maxtor 750 GB that I had, no longer works; it just beeps and powers up but the PC cannot find it, like it doesn't exist; it says the device needs a high speed USB, which is not true, it will work and has, it is just a little slow, but it stopped working and I don't know why, hoping my warranty will cover that problem. And I had issues deleting AVG7/Grisoft but I finally did it via HijackThis, but within your scans I noticed that I still have them, confused about this whole scenario. I am using Windows Live OneCare, which is awful. Operating System is Windows XP Home Edition SP3. I currently downgraded to IE7 from IE8 because I thought that this may have been the issue, because I read online that IE8 has many undetected bugs, but that didn't solve the issues, so I have kept IE7 anyway. I have two logs to post or forward, but I was advised not to post the HijackThis logs before someone asks me to and I need to follow the steps within the preparation guide first, and so I have.

Please let me know ASAP. I believe I have a serious infection but I have no idea what it can be, so much so that my hotmail account was hijacked a month ago, so I had to change my password, and the person used to send medical spam emails to many comcast.com subscribers, and God only knows if he/she has stolen any of my personal and confidential information.

Also, the Network Connection icon at the bottom right of the screen beside the clock indicates the bytes, and the bytes received are so much larger than the bytes sent; for example, received 5 million (5,000,000), sent 4 hundred thousand (400,000). Please advise.

Here are some noticed issues apart from the DDS & GMER Info logs:

Noticed Issues
These issues reappear even when not connected to the internet. O4: during disk cleanup, scanned HiJackThis and found it reappeared again!

When I sign out of my internet broadband connection, the page(s) that I was waiting to load within the www actually load only when I sign out, even after waiting for the pages to load when I was signed in, over the very same connection, for over 10 minutes. When I start the connection again, I get the same blank white page that does not reload. Very weird, as if someone has botted my PC and sees the exact thing that I am doing on the other end. Very worried, please help!


Issues:
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{718B04F7-3D72-4276-B6BB-EF749489B30C}: NameServer = 216.254.136.227 216.254.141.13
O23 - Service: Google Update Service (gupdate1c99d7593cb1ce0) (gupdate1c99d7593cb1ce0) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)


DDS.txt log as saved to desktop:


DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 6:34:20.59 on 26/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.277 [GMT -4:00]

AV: AVG 7.5.476 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearch Bar =
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
TCP: {718B04F7-3D72-4276-B6BB-EF749489B30C} = 216.254.136.227 216.254.141.13
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-1-31 4224]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-10-26 3968]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2006-1-31 4960]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-2-19 582992]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-2-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-2-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-5-4 18432]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-28 53168]
R3 st3bus28;st3bus28;c:\windows\system32\drivers\st3bus28.sys [2002-12-28 8416]
R3 st3mp28;st3mp28;c:\windows\system32\drivers\st3mp28.sys [2002-12-28 95328]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-2-19 206608]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-23 820928]
S1 Avg7RsXP;AVG7 Rezident Driver;c:\windows\system32\drivers\avg7rsxp.sys [2006-1-31 27776]
S2 gupdate1c99d7593cb1ce0;Google Update Service (gupdate1c99d7593cb1ce0);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [2003-4-4 26112]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [2003-4-4 57344]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smallogi.sys [2003-9-26 11721]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-2-19 206608]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-8-6 223128]
S3 ZSMC0305;VIMICRO USB PC Camera V; [x]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe --> c:\progra~1\grisoft\avg7\avgamsvr.exe [?]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe --> c:\progra~1\grisoft\avg7\avgupsvc.exe [?]
S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe --> c:\progra~1\grisoft\avg7\avgemc.exe [?]
S4 NTLOAD;NTLOAD; [x]

=============== Created Last 30 ================

2010-03-26 09:55:58 20 ----a-w- c:\documents and settings\user\defogger_reenable
2010-03-25 04:34:41 552 -c--a-w- c:\windows\system32\DO_NOT_DELETE.backupSetID
2010-03-14 23:43:44 73728 -c--a-w- c:\windows\system32\javacpl.cpl
2010-03-13 09:25:09 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-03-13 09:24:26 37008 -c--a-w- c:\windows\system32\drivers\LMouFilt.Sys
2010-03-13 09:24:26 35472 -c--a-w- c:\windows\system32\drivers\LHidFilt.Sys
2010-03-13 09:24:25 76304 -c--a-w- c:\windows\KHALMNPR.Exe
2010-03-13 09:19:08 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-03-13 09:18:29 29072 -c--a-w- c:\windows\system32\drivers\LUsbFilt.sys
2010-03-13 09:18:29 1419232 -c--a-w- c:\windows\system32\WdfCoInstaller01005.dll
2010-03-07 20:00:17 0 d-----w- c:\program files\TrendMicro
2010-03-07 19:37:50 161296 -c--a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-03-14 23:42:55 411368 -c--a-w- c:\windows\system32\deploytk.dll
2010-02-18 22:16:45 70984 -c--a-w- c:\documents and settings\user\g2mdlhlpx.exe
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 -c--a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 -c--a-w- c:\windows\system32\corpol.dll
2005-10-12 09:52:08 203353 -c--a-w- c:\program files\cc_20051012_0549.reg
2004-12-07 03:29:38 149 -c--a-w- c:\program files\INSTALL.LOG
2005-01-16 23:19:06 4608 -csha-r- c:\windows\system\driver\cygcrypt-0.dll
2005-01-16 23:19:06 1140617 -csha-r- c:\windows\system\driver\cygwin1.dll
2005-01-28 17:30:22 1478 -csha-r- c:\windows\system\driver\servicelogon.dll
2006-03-21 05:47:48 1877 -csha-r- c:\windows\system\driver\servicesmgr.dll
2005-01-28 17:30:22 1477 -csh--r- c:\windows\system\driver\svchostlogon.dll
2006-03-21 05:47:36 1575 -csha-r- c:\windows\system\driver\winlogon.dll
2008-05-15 21:39:34 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051520080516\index.dat

============= FINISH: 6:35:57.86 ===============

I have attached the ark.txt and Attach.txt files as advised by the moderator. Thank you.
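A defender-side triage of the O17 / TCP: NameServer entries quoted above, added here as an example (editor-added code, not part of the original post nor of HijackThis, DDS or OTL). It parses the HijackThis- and DDS-style resolver lines from this page, compares them with the router's DHCP-assigned DNS (the OTL log later in the thread reports DhcpNameServer = 192.168.2.1, assumed here to be the home router), and flags statically configured public resolvers the owner did not set, so the same check can be re-run after cleanup to confirm the value is gone.

```python
"""Triage of O17 / TCP: NameServer entries from HijackThis, DDS and OTL logs.

Example code added by the editor; it is not part of the original post or of
HijackThis, DDS or OTL. The sample lines below are copied from the logs
quoted in this thread.
"""
import ipaddress
import re

# Constructed sample: the three resolver-related lines that appear on this page.
SAMPLE_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{718B04F7-3D72-4276-B6BB-EF749489B30C}: NameServer = 216.254.136.227 216.254.141.13",
    r"TCP: {718B04F7-3D72-4276-B6BB-EF749489B30C} = 216.254.136.227 216.254.141.13",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1",
]

# HijackThis / OTL form: "O17 - <registry path>: <Key> = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - .+?: (?P<key>\w+) = (?P<value>.+)$")
# DDS form: "TCP: {<interface GUID>} = <ip> [<ip> ...]"
DDS_TCP_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (?P<value>.+)$")


def _ips(value):
    """Split a space/comma separated value into IP address objects, skipping junk."""
    out = []
    for tok in re.split(r"[\s,]+", value.strip()):
        try:
            out.append(ipaddress.ip_address(tok))
        except ValueError:
            continue
    return out


def parse_nameservers(lines):
    """Return (static, dhcp): resolvers set statically in the registry vs. handed out by DHCP."""
    static, dhcp = [], []
    for raw in lines:
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            target = dhcp if m.group("key").lower() == "dhcpnameserver" else static
            target.extend(_ips(m.group("value")))
            continue
        m = DDS_TCP_RE.match(line)
        if m:
            static.extend(_ips(m.group("value")))
    return static, dhcp


def triage_resolvers(lines, trusted=()):
    """Flag static resolvers that are neither DHCP-assigned nor on an allow list.

    `trusted` holds resolver addresses the owner knowingly configured (assumption:
    empty for this thread, since the user did not set any DNS servers).
    Returns a list of (ip, reason) tuples, deduplicated and in log order.
    """
    static, dhcp = parse_nameservers(lines)
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings, seen = [], set()
    for ip in static:
        if ip in seen or ip in dhcp or ip in trusted_ips:
            continue
        seen.add(ip)
        if ip.is_private or ip.is_loopback:
            reason = "static private resolver; confirm it is the local router"
        else:
            reason = ("static public resolver not assigned by DHCP; "
                      "verify who operates it before trusting any lookup")
        findings.append((str(ip), reason))
    return findings


if __name__ == "__main__":
    for ip, reason in triage_resolvers(SAMPLE_LINES):
        print(f"{ip}: {reason}")
    # Remediation check: once the static NameServer value is cleared, the same
    # logs should carry only the DhcpNameServer line and this prints nothing.
```

Re-running it over a fresh HijackThis or DDS log after the fix is the quickest way to confirm the static entry has not come back, which is the recurrence the poster describes.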



#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 31 March 2010 - 05:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Ta Orfa
  • Topic Starter

  • Members
  • 49 posts

Posted 01 April 2010 - 09:55 AM

Hello etavares,

No, the issue has not changed and I have done nothing about it besides waiting my turn for support. HiJackThis issue logs reappear often; issues cannot be deleted nor repaired. Please remember I am no expert or techie when it comes to PCs etc., and I am hoping I have given you everything that you have requested accurately and completely. In reference to getting back to me, I remain patient and I appreciate your help; hopefully we can resolve these PC issues.

I cannot get into Google.com or yahoo.com or known sites that would be obviously safe to surf within them such as foxnews.com, cnn.com, and other pages take forever to load or do not load at all, just plain old frustrating. msn.com, which is my home page as set by me, always redirects to the Spanish version msn page http://es.msn.com/iat/us_es.aspx, with a pop up always asking US page or Spanish page, especially when I load an IE page or when I log off of hotmail.com/live.mail.com. I have even changed my home page to bing.com recently and it still goes to http://es.msn.com/iat/us_es.aspx. My Java is messed up and does not load, and it advises that I have the latest version and how to fix the issue, but the changes are as advised by java.com and it will not work, and all temp files downloaded from Java cannot be deleted when performing a disk cleanup, along with iPod/iShuffle and all Apple software no longer working, so I cannot use iTunes to load songs onto iPod/iShuffle or charge the units etc. My Nero 8 is no longer working; Flash Player stopped playing movies, it just plays audio, no video. External hard drive F:, a Maxtor 750 GB that I had, no longer works; it just beeps and powers up but the PC cannot find it, like it doesn't exist; it says the device needs a high speed USB, which is not true, it will work and has, it is just a little slow, but it stopped working and I don't know why, hoping my warranty will cover that problem. And I had issues deleting AVG7/Grisoft but I finally did it via HijackThis, but within your scans I noticed that I still have them, confused about this whole scenario. I am using Windows Live OneCare, which is awful. Operating System is Windows XP Home Edition SP3. I currently downgraded to IE7 from IE8 because I thought that this may have been the issue, because I read online that IE8 has many undetected bugs, but that didn't solve the issues, so I have kept IE7 anyway. I have two logs to post or forward, but I was advised not to post the HiJackThis logs before someone asks me to and I need to follow the steps within the preparation guide first, and so I have, and now your instructions.

Please let me know ASAP. I believe I have a serious infection but I have no idea what it can be, so much so that my hotmail account was hijacked a month ago, so I had to change my password, and the person used to send medical spam emails to many comcast.com subscribers, and God only knows if he/she has stolen any of my personal and confidential information.

Also, the Network Connection icon at the bottom right of the screen beside the clock indicates the bytes, and the bytes received are so much larger than the bytes sent; for example, received 5 million (5,000,000), sent 4 hundred thousand (400,000), or received starts at over 100,000 bytes to 1,200 sent. Isn't this weird? Please advise on all.

Here are some noticed issues apart from the DDS & GMER Info logs:

Noticed Issues
These issues reappear even when not connected to the internet. O4: during disk cleanup, scanned HiJackThis and found it reappeared again!

When I sign out of my internet broadband connection, the page(s) that I was waiting to load within the www actually load only when I sign out, even after waiting for the pages to load when I was signed in, over the very same connection, for over 10 minutes. When I start the connection again, I get the same blank white page that does not reload. Very weird, as if someone has botted my PC and sees the exact thing that I am doing on the other end. Very worried, please help!

HiJackThis Trend Micro Found The Following Issues:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{718B04F7-3D72-4276-B6BB-EF749489B30C}: NameServer = 216.254.136.227 216.254.141.13
O23 - Service: Google Update Service (gupdate1c99d7593cb1ce0) (gupdate1c99d7593cb1ce0) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

RUBotted:

Also said my PC has been botted and advises to use Trend Micro to clean it, but the other Trend Micro software states that the PC is clean automatically while going through with the PC scan in less than a second, definitely weird.



OTL PASTE REQUEST:

OTL logfile created on: 01/04/2010 1:57:44 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\user\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

703.00 Mb Total Physical Memory | 319.00 Mb Available Physical Memory | 45.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 2 1051 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 15.95 Gb Free Space | 42.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 189.92 Gb Total Space | 15.35 Gb Free Space | 8.08% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CPQ29466173462
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/01 01:51:41 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2010/02/05 17:19:46 | 000,728,016 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
PRC - [2010/02/05 17:19:46 | 000,065,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
PRC - [2010/02/05 17:19:44 | 001,141,112 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe
PRC - [2010/02/05 17:19:42 | 000,026,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
PRC - [2008/11/06 12:33:54 | 000,582,992 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
PRC - [2008/07/09 18:05:22 | 000,018,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/27 23:56:32 | 000,755,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/04/01 01:51:41 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NTSVCMGR)
SRV - File not found [Disabled | Stopped] -- -- (NTLOAD)
SRV - File not found [Disabled | Stopped] -- -- (gusvc)
SRV - File not found [Auto | Stopped] -- -- (gupdate1c99d7593cb1ce0) Google Update Service (gupdate1c99d7593cb1ce0)
SRV - File not found [Disabled | Stopped] -- -- (Bonjour Service)
SRV - File not found [Disabled | Stopped] -- -- (AVGEMS)
SRV - File not found [Disabled | Stopped] -- -- (Avg7UpdSvc)
SRV - File not found [Disabled | Stopped] -- -- (Avg7Alrt)
SRV - File not found [Disabled | Stopped] -- -- (Apple Mobile Device)
SRV - [2010/02/05 17:19:44 | 001,141,112 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe -- (winss)
SRV - [2010/02/05 17:19:42 | 000,026,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/04/30 16:01:10 | 000,154,136 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 23:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 23:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/06 12:33:54 | 000,582,992 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe -- (RUBotted)
SRV - [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Disabled | Stopped] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2008/07/09 18:05:22 | 000,018,704 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe -- (OneCareMP)
SRV - [2007/11/27 23:56:32 | 000,755,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe -- (msfwsvc)
SRV - [2007/01/04 20:48:52 | 000,112,152 | R--- | M] (InterVideo) [Disabled | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) [Disabled | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2004/07/30 16:47:36 | 000,069,632 | ---- | M] (Dantz Development Corporation) [Disabled | Stopped] -- C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe -- (RetroExpLauncher)
SRV - [2002/08/15 14:11:00 | 000,151,552 | ---- | M] (Hewlett-Packard) [Disabled | Stopped] -- C:\WINDOWS\system32\HPConfig.exe -- (HPConfig)
SRV - [2002/07/17 14:12:20 | 000,053,248 | ---- | M] (Hewlett-Packard Co.) [Disabled | Stopped] -- C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe -- (HPWirelessMgr)
SRV - [2001/10/25 18:54:58 | 000,077,824 | ---- | M] (HP) [Disabled | Stopped] -- C:\WINDOWS\system32\hphipm09.exe -- (Pml Driver)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.com/results.aspx?q={sea...ferrer:source?}
IE - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/03/24 23:57:53 | 000,000,810 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No CLSID value found.
O3 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\..\Toolbar\WebBrowser: (no name) - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No CLSID value found.
O3 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-21-387571065-2904927342-2305553894-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/19 04:52:22 | 000,000,059 | ---- | M] () - E:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/09/10 06:30:47 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: Ip6FwHlp - File not found

MsConfig - Services: "WinDefend"
MsConfig - Services: "WMPNetworkSvc"
MsConfig - Services: "SQLWriter"
MsConfig - Services: "SQLBrowser"
MsConfig - Services: "SeaPort"
MsConfig - Services: "RUBotted"
MsConfig - Services: "RichVideo"
MsConfig - Services: "RetroExpLauncher"
MsConfig - Services: "OneCareMP"
MsConfig - Services: "OcHealthMon"
MsConfig - Services: "NTSVCMGR"
MsConfig - Services: "NTLOAD"
MsConfig - Services: "MSSQL$MSSMLBIZ"
MsConfig - Services: "MDM"
MsConfig - Services: "Maxtor Sync Service"
MsConfig - Services: "LVPrcSrv"
MsConfig - Services: "JavaQuickStarterService"
MsConfig - Services: "idsvc"
MsConfig - Services: "IDriverT"
MsConfig - Services: "HPConfig"
MsConfig - Services: "gusvc"
MsConfig - Services: "gupdate1c99d7593cb1ce0"
MsConfig - Services: "Bonjour Service"
MsConfig - Services: "msfwsvc"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe - (Adobe Systems, Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe - [2009/03/13 12:39:55 | 000,000,000 | ---D | M]
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk - Reg Error: Value error. - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^intervideo wincinema manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe - (InterVideo Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe - (Microsoft Corporation)
MsConfig - StartUpReg: Acrobat Assistant 7.0 - hkey= - key= - C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: InCD - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: LVComs - hkey= - key= - File not found
MsConfig - StartUpReg: Nero PhotoShow Media Manager - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: pccguide.exe - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: Windows Defender - hkey= - key= - Reg Error: Value error. File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {057997dd-71e4-43cc-b161-3f8180691a9e} - Q824145
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {0E9A3196-39EA-409D-8EB4-20D7FABC191A} - Microsoft .NET Framework 1.0 Hotfix (KB928367)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {14303301-758B-402B-9A0D-2C6A591680DB} - Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {2298d453-bcae-4519-bf33-1cbf3faf1524} - Q867801
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2cc9d512-6db6-4f1c-8979-9a41fae88de0} - Q837009
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - Windows Messenger 5.1
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6ABB5F17-D891-3074-6411-9DA22A4A744F} - IE7 Uninstall Stub
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {78705f0d-e8db-4b2d-8193-982bdda15ecd} - .NET Framework
ActiveX: {795d0712-722c-43ec-906a-fc5e678eada9} - Q831167
ActiveX: {81B52903-4C11-11D6-B6E1-00B0D049139F} - Microsoft .NET Framework 1.0 Service Pack 2 (KB867461)
ActiveX: {871F8A30-15A2-11D6-8711-0002B3281F8B} - Microsoft .NET Framework 1.0 Service Pack 1 (KB867461)
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {8D1D0E9A-C799-4D28-9E29-0061D1E66E43} - Microsoft .NET Framework 1.1 Hotfix (KB928366)
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {96543d59-497a-4801-a1f3-5936aacaf7b1} - Q828750
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} -
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {eddbec60-89cb-44ef-8291-0850fd28ff6a} - Q832894
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: {F5776D81-AE53-4935-8E84-B0B283D8BCEF} - Q330994
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.I263 - C:\WINDOWS\System32\i263_32.drv (Intel Corporation)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/01 01:51:32 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/03/25 00:18:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/21 04:01:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/03/05 06:08:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/03/05 05:34:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/02/21 09:17:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/01/13 21:51:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/06/28 03:03:48 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/08/21 15:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2006/01/28 06:38:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Webroot
[2006/01/17 05:25:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ApplicationHistory
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\All Users\Documents\*.tmp files -> C:\Documents and Settings\All Users\Documents\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[144 C:\Documents and Settings\user\Desktop\*.tmp files -> C:\Documents and Settings\user\Desktop\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/01 02:10:00 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{9752E23C-90C2-4647-AB2F-78A3F65C10E2}.job
[2010/04/01 02:10:00 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CE692F37-25A4-4CDF-8A76-6C076F161091}.job
[2010/04/01 01:51:41 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/04/01 01:38:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/31 20:13:17 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\user\Desktop\~$nice Fitness-Consulting Agmt.doc
[2010/03/31 17:00:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2010/03/31 14:08:42 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/31 14:08:29 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/31 13:59:41 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/31 13:59:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/31 13:58:46 | 737,202,176 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/31 13:56:14 | 012,582,912 | ---- | M] () -- C:\Documents and Settings\user\ntuser.dat
[2010/03/31 13:55:59 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\user\ntuser.ini
[2010/03/30 00:04:32 | 000,000,073 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2010/03/29 17:07:04 | 000,119,296 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Sales Services Supervisor - QUESTIONNAIRE-REV.doc
[2010/03/28 23:09:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
[2010/03/28 22:24:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
[2010/03/28 03:22:33 | 000,048,128 | ---- | M] () -- C:\Documents and Settings\user\Desktop\SOHO SFA110A .doc
[2010/03/27 20:54:48 | 000,887,296 | ---- | M] () -- C:\Documents and Settings\user\Desktop\reparation Guide For Use Before Using Malware Removal Tools and Requesting Help.doc
[2010/03/27 20:39:43 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\user\Desktop\HiJackThis Trend Micro Found Issues PLUS 2nd Log sent to Bleeping Computer.doc
[2010/03/27 14:05:19 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Windows Live OneCare Refund Demand.doc
[2010/03/27 12:40:06 | 000,343,404 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ark - gmer.JPG
[2010/03/26 21:52:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/26 17:51:36 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Community Centre.xls
[2010/03/26 05:57:04 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\user\defogger_reenable
[2010/03/26 02:06:32 | 004,718,646 | ---- | M] () -- C:\Documents and Settings\user\Desktop\speedtouch info ask Primus.JPG
[2010/03/25 20:25:41 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\user\Desktop\gmer.zip
[2010/03/25 20:24:19 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2010/03/25 20:23:31 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Defogger.exe
[2010/03/25 20:19:08 | 000,193,024 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/25 19:53:04 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/25 03:57:55 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\user\Desktop\~$JackThis Trend Micro Found Issues.doc
[2010/03/25 00:34:41 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\DO_NOT_DELETE.backupSetID
[2010/03/24 15:17:20 | 000,101,888 | ---- | M] () -- C:\Documents and Settings\user\Desktop\B.doc
[2010/03/24 15:16:57 | 000,086,528 | ---- | M] () -- C:\Documents and Settings\user\Desktop\A.doc
[2010/03/24 14:36:53 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/20 01:15:35 | 000,003,595 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Picture 1.JPG
[2010/03/19 23:26:34 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\user\Desktop\GTA-Road Ad.doc
[2010/03/19 03:21:08 | 000,144,414 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Example of no Delete or Change or remove button or icon in order to delete from list.JPG
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\All Users\Documents\*.tmp files -> C:\Documents and Settings\All Users\Documents\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[144 C:\Documents and Settings\user\Desktop\*.tmp files -> C:\Documents and Settings\user\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/31 20:13:17 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\user\Desktop\~$nice Fitness-Consulting Agmt.doc
[2010/03/29 17:07:03 | 000,119,296 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Sales Services Supervisor - QUESTIONNAIRE-REV.doc
[2010/03/28 02:07:09 | 000,048,128 | ---- | C] () -- C:\Documents and Settings\user\Desktop\SOHO SFA110A .doc
[2010/03/27 13:44:09 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Windows Live OneCare Refund Demand.doc
[2010/03/27 12:40:05 | 000,343,404 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ark - gmer.JPG
[2010/03/26 05:55:58 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\user\defogger_reenable
[2010/03/26 02:06:31 | 004,718,646 | ---- | C] () -- C:\Documents and Settings\user\Desktop\speedtouch info ask Primus.JPG
[2010/03/25 20:47:21 | 000,887,296 | ---- | C] () -- C:\Documents and Settings\user\Desktop\reparation Guide For Use Before Using Malware Removal Tools and Requesting Help.doc
[2010/03/25 20:25:38 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\user\Desktop\gmer.zip
[2010/03/25 20:24:05 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2010/03/25 20:23:31 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Defogger.exe
[2010/03/25 03:57:55 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\user\Desktop\~$JackThis Trend Micro Found Issues.doc
[2010/03/25 03:40:24 | 000,049,152 | ---- | C] () -- C:\Documents and Settings\user\Desktop\HiJackThis Trend Micro Found Issues PLUS 2nd Log sent to Bleeping Computer.doc
[2010/03/25 00:34:41 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\DO_NOT_DELETE.backupSetID
[2010/03/24 23:44:58 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Community Centre.xls
[2010/03/24 15:17:08 | 000,101,888 | ---- | C] () -- C:\Documents and Settings\user\Desktop\B.doc
[2010/03/24 15:16:47 | 000,086,528 | ---- | C] () -- C:\Documents and Settings\user\Desktop\A.doc
[2010/03/23 05:46:53 | 000,079,360 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Venice Fitness-Consulting Agmt.doc
[2010/03/20 01:15:17 | 000,003,595 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Picture 1.JPG
[2010/03/19 23:26:34 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\user\Desktop\GTA-Road Ad.doc
[2010/03/19 03:21:08 | 000,144,414 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Example of no Delete or Change or remove button or icon in order to delete from list.JPG
[2010/02/18 11:41:54 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\housecall.guid.cache
[2009/08/12 02:46:03 | 000,239,752 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/05/10 12:29:31 | 000,001,582 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/05/08 10:13:04 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 16:00:12 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2008/10/31 22:48:52 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\PdeSrv2p.dll
[2008/09/01 01:48:31 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2007/11/09 11:22:40 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/09/23 19:09:26 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\user\Application Data\7899c571-7bc1-4b20-9ac8-5e3b2530369d
[2007/09/23 19:09:25 | 000,000,949 | ---- | C] () -- C:\Documents and Settings\user\Application Data\b7b9678d-f431-4c31-b54b-5fed3958b448
[2007/09/18 13:29:16 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2007/07/17 17:49:35 | 000,000,262 | ---- | C] () -- C:\Documents and Settings\user\Application Data\WinssCookie.txt
[2007/04/28 19:20:26 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/10 23:05:18 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/03/04 20:57:10 | 000,000,176 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/20 16:19:48 | 000,034,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\SRS_SSCFilter.sys
[2006/11/20 16:19:44 | 000,044,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\Surroundhp_kern_i386.sys
[2006/11/20 16:19:44 | 000,037,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\csiidecoder_kern_i386.sys
[2006/11/20 16:19:42 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\drivers\tshd4_kern_i386.sys
[2006/09/08 01:42:49 | 000,002,154 | ---- | C] () -- C:\WINDOWS\System32\tmmute.ini
[2006/04/07 22:37:39 | 000,006,330 | ---- | C] () -- C:\Documents and Settings\user\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/04/07 22:37:39 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/04/04 23:32:15 | 000,002,158 | ---- | C] () -- C:\WINDOWS\System32\tmasmute.ini
[2006/03/10 20:19:57 | 000,005,631 | ---- | C] () -- C:\Documents and Settings\user\Application Data\BestModePatch_RubenMain.log
[2006/03/10 20:19:57 | 000,000,208 | ---- | C] () -- C:\WINDOWS\HpBestModeUpdatePatchLog.ini
[2006/01/28 06:35:47 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/01/28 06:35:47 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2005/10/12 05:49:54 | 000,203,353 | ---- | C] () -- C:\Program Files\cc_20051012_0549.reg
[2005/10/05 02:45:39 | 000,024,577 | ---- | C] () -- C:\WINDOWS\System32\sr2ksul.dll
[2005/10/05 02:45:39 | 000,020,481 | ---- | C] () -- C:\WINDOWS\System32\nockkey.dll
[2005/10/01 04:04:54 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/10/01 04:04:54 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/10/01 04:04:54 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/10/01 04:04:54 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/10/01 04:04:54 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/10/01 04:04:54 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/16 19:55:09 | 000,000,366 | ---- | C] () -- C:\WINDOWS\2XCherry.ini
[2005/07/27 23:18:13 | 000,000,131 | ---- | C] () -- C:\WINDOWS\Readiris.ini
[2005/07/27 23:18:07 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2005/06/12 05:35:06 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2005/06/12 05:05:20 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2005/05/29 21:49:14 | 000,002,228 | ---- | C] () -- C:\WINDOWS\WILD7.INI
[2005/05/29 21:49:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Totrecal.INI
[2005/05/29 21:47:12 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Hallow.ini
[2005/05/29 21:46:21 | 000,000,027 | ---- | C] () -- C:\WINDOWS\Arcade.ini
[2005/05/29 21:45:00 | 000,000,197 | ---- | C] () -- C:\WINDOWS\KENO.INI
[2005/05/29 21:44:30 | 000,000,027 | ---- | C] () -- C:\WINDOWS\Botz.ini
[2005/05/29 21:43:18 | 000,000,181 | ---- | C] () -- C:\WINDOWS\cncscore.ini
[2005/05/29 20:34:56 | 000,000,983 | ---- | C] () -- C:\WINDOWS\WIZARD.INI
[2005/05/29 20:34:15 | 000,000,218 | ---- | C] () -- C:\WINDOWS\DWSLOT.INI
[2005/05/29 20:32:15 | 000,000,039 | ---- | C] () -- C:\WINDOWS\STUDPOK.INI
[2005/05/29 20:25:08 | 000,000,205 | ---- | C] () -- C:\WINDOWS\WBKENO.INI
[2005/05/29 20:16:20 | 000,000,928 | ---- | C] () -- C:\WINDOWS\ABSOLUTE.INI
[2005/05/29 20:09:33 | 000,000,891 | ---- | C] () -- C:\WINDOWS\8BALL.INI
[2005/05/29 20:08:12 | 000,000,337 | ---- | C] () -- C:\WINDOWS\2XDyna.ini
[2005/05/29 20:00:49 | 000,000,053 | ---- | C] () -- C:\WINDOWS\RVBJ.INI
[2005/05/29 19:31:59 | 000,000,099 | ---- | C] () -- C:\WINDOWS\Ultisoft.ini
[2005/05/29 19:31:59 | 000,000,009 | ---- | C] () -- C:\WINDOWS\Brick.ini
[2005/05/29 19:31:58 | 000,000,009 | ---- | C] () -- C:\WINDOWS\Collida.ini
[2005/05/03 11:44:44 | 000,025,157 | ---- | C] () -- C:\WINDOWS\RMAgentOutput.dll
[2005/05/03 11:43:44 | 000,126,976 | ---- | C] () -- C:\WINDOWS\dllTSCLIBMT.dll
[2005/03/24 23:01:04 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/03/18 01:27:59 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2005/01/08 02:42:33 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\fusioncache.dat
[2004/12/06 23:29:52 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2004/12/06 23:29:43 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2004/12/06 23:29:36 | 000,000,149 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2004/11/30 11:50:35 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/11/01 23:06:01 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/09/01 11:49:17 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/08/04 20:52:08 | 000,000,679 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2004/08/04 20:52:07 | 000,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2004/07/21 20:51:49 | 000,000,157 | ---- | C] () -- C:\WINDOWS\sb_affiliate.ini
[2004/04/02 14:01:22 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2004/03/18 01:12:54 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/02/18 02:25:29 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2004/02/17 18:09:16 | 000,024,578 | ---- | C] () -- C:\WINDOWS\System32\xsmrg32.dll
[2004/02/17 18:09:16 | 000,021,506 | ---- | C] () -- C:\WINDOWS\System32\prasp32.dll
[2004/01/05 03:27:36 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/11/08 16:45:21 | 000,193,024 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/11/06 14:21:07 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/05 19:46:00 | 000,000,549 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2003/11/04 00:30:23 | 000,013,786 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/10/29 14:58:50 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\user\Application Data\PFP100JPR.{PB
[2003/10/29 14:58:50 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\user\Application Data\PFP100JCM.{PB
[2003/09/26 22:48:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcf.INI
[2003/09/26 22:40:05 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\Fpl.dll
[2003/09/26 22:40:04 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL
[2003/09/26 22:40:04 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL
[2003/09/26 22:40:04 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL
[2003/09/26 22:37:55 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\liplW7.dll
[2003/09/26 22:37:55 | 000,290,816 | ---- | C] () -- C:\WINDOWS\System32\liplA6.dll
[2003/09/26 22:37:55 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\liplPX.dll
[2003/09/26 22:37:55 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\liplP6.dll
[2003/09/26 22:37:55 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\liplM6.dll
[2003/09/26 22:37:55 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2003/09/26 22:37:55 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\lipl.dll
[2003/09/21 06:55:33 | 000,000,153 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2003/09/20 02:04:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2003/04/04 23:21:04 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpREG.DLL
[2003/04/04 23:21:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/04/04 23:07:49 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/04 23:07:38 | 000,000,139 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/04/04 22:47:33 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2002/09/09 11:15:50 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/07/09 11:49:25 | 000,286,208 | ---- | C] () -- C:\WINDOWS\System32\cncs232.dll
[2001/07/31 10:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

========== LOP Check ==========

[2003/09/10 06:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterTrust
[2008/06/28 03:03:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG7
[2007/08/21 15:28:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG7(2)
[2010/03/13 05:08:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2007/08/21 15:29:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2007/08/21 15:28:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
[2008/03/09 03:50:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2003/11/27 04:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2009/01/24 22:05:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2006/02/07 20:55:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN Search Toolbar
[2003/11/06 16:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2005/07/29 21:17:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2008/08/09 22:42:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RetroExp
[2006/08/20 03:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2006/12/09 11:24:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SRS Labs
[2007/03/03 15:14:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Transparent
[2008/06/26 22:23:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uniblue
[2006/09/17 15:24:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/14 10:45:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2008/12/20 08:20:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
[2009/10/03 05:25:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/11 09:02:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/12 01:26:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
[2008/12/20 08:20:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
[2003/09/10 06:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\InterTrust
[2003/09/10 06:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\InterTrust
[2007/08/21 15:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2007/08/21 15:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG7
[2003/11/06 17:19:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
[2003/09/18 03:54:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2005/07/14 13:34:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Spam Monitor
[2008/01/22 15:09:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2006/11/06 02:31:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
[2007/08/21 15:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVG7
[2008/08/10 21:05:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2005/07/02 02:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Common Files
[2003/11/05 19:36:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\GlobalSCAPE
[2006/03/24 18:48:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Greenpoint
[2007/09/18 19:54:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Image Zone Express
[2003/09/10 06:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\InterTrust
[2003/10/26 14:40:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\InterVideo
[2003/11/08 14:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Kazaa Lite
[2003/12/04 10:02:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Kontiki
[2004/07/27 21:17:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Leadertech
[2003/11/06 16:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\MGI
[2006/11/04 12:22:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\MSN Search Toolbar
[2009/05/16 17:39:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\OfficeUpdate12
[2007/09/18 19:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Printer Info Cache
[2005/07/29 21:19:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Quark
[2006/05/19 18:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Registry Booster
[2007/11/02 02:55:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\RegistrySmart
[2006/04/12 20:45:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Simple Star
[2008/02/19 23:56:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\SoundSpectrum
[2005/07/25 20:41:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Spam Monitor
[2008/12/20 08:19:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Uniblue
[2006/11/04 12:22:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Windows Desktop Search
[2010/03/31 17:00:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job
[2010/03/28 22:24:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
[2008/06/26 22:24:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
[2010/03/28 23:09:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
[2008/06/26 23:09:31 | 000,000,352 | ---- | M] () -- C:\WINDOWS\Tasks\Uniblue SpyEraser.job
[2010/04/01 02:10:00 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{9752E23C-90C2-4647-AB2F-78A3F65C10E2}.job
[2010/04/01 02:10:00 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{CE692F37-25A4-4CDF-8A76-6C076F161091}.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2010/03/11 08:38:51 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/03/11 08:38:51 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[15 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >
[2005/07/22 18:48:28 | 006,758,912 | ---- | M] () -- C:\ps601up.exe
[1999/01/13 15:38:52 | 000,061,440 | ---- | M] (InstallShield Software Corporation) -- C:\Setup.exe
[2005/07/22 18:47:14 | 002,357,912 | ---- | M] () -- C:\SVGView.exe
[1998/10/27 13:08:30 | 000,008,704 | ---- | M] (InstallShield Software Corporation) -- C:\_ISDel.exe


< MD5 for: AGP440.SYS >
[2004/08/28 12:08:52 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/05/15 12:50:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/28 12:08:52 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/05/15 12:50:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 03:00:00 | 010,158,890 | R--- | M] () .cab file -- C:\i386\sp1.cab:atapi.sys
[2002/08/28 22:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/28 12:08:52 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/05/15 12:50:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/28 12:08:52 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/05/15 12:50:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VAXSCSI.SYS >
[2006/08/06 00:41:31 | 000,223,128 | ---- | M] (Alcohol Soft Co., Ltd.) MD5=92CEBC2BC7BE2C8D49391B365569F306 -- C:\WINDOWS\system32\drivers\vaxscsi.sys

< %systemroot%\*. /mp /s >
< End of report >


OTL PASTE REQUEST END


EXTRAS PASTE REQUEST:

OTL Extras logfile created on: 01/04/2010 1:57:44 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\user\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

703.00 Mb Total Physical Memory | 319.00 Mb Available Physical Memory | 45.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 2 1051 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 15.95 Gb Free Space | 42.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 189.92 Gb Total Space | 15.35 Gb Free Space | 8.08% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CPQ29466173462
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Logitech\Logitech Vid\Vid.exe" = C:\Program Files\Logitech\Logitech Vid\Vid.exe:*:Enabled:Logitech Vid -- (Logitech Inc.)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{09633A5E-3089-41A8-9FF1-382171423C5D}" = PSSWCORE
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0FABD3D7-3036-4e78-B29D-58957ADB0A12}" = HP PSC & OfficeJet 3.5
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{12650598-D7B9-4FB5-91B2-2CAA641AC589}" = Trend Micro RUBotted
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{15B8AFD9-92E9-4E86-96D9-83FAC510B82E}" = HPPhotoSmartPhotobookWebPack1
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1E88F516-C8AA-4D17-9A54-8AB0768F34C1}" = Retrospect Express HD 1.0
"{1F7473D9-6C0B-4F5A-8FA4-AB8AD78CBE54}" = DocProc
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}" = QuickTax 2007
"{22F761D1-8063-4170-ADF7-2D2F47834CA9}" = VideoToolkit01
"{23C3F5C0-566B-478B-AAB6-197ADAD0C945}" = Uniblue SpeedUpMyPC 2009
"{24C8FBF7-26C6-48ca-834B-A4E5C09E362F}" = AiO_Scan
"{25771101-7948-4591-ABF3-B1ECE7A7F45F}" = HP Update
"{257EC58E-03FD-472B-A9B6-93F23A3C4CB0}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{29B50D30-EAFC-4cea-9F76-3A0E3729E9B0}" = SkinsHP1
"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Productivity Pack
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2E132061-C78A-48D4-A899-1D13B9D189FA}" = Memories Disc Creator 2.0
"{300D9EF4-2721-4cb4-A6C3-FB2337CFEA2D}" = AIOMinimal
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3851147E-5A91-4469-BA4D-13FFFCC8A920}" = Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{39CEE1F2-12B6-4C50-9131-04BFCA110578}" = PowerCinema NE for Everio
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{412033BC-44CF-48D9-B813-4B835101F4D3}" = Adobe Illustrator 10
"{415B8A4E-0EA2-4C69-975C-EEE07B837FD7}" = Unload
"{427EDD3F-D12A-4DE5-9A36-AC4DE8EBC981}" = ActiveSpeed
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{44444444-4444-4444-4444-444444444444}.sdb" = Microsoft Windows Application Compatibility Message Database - Service Pack
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{48242276-DB89-42e8-9678-BD4280D7B99A}" = Copy
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}" = Logitech Vid
"{5007E629-8769-44BB-BD51-A20B6DCC5CC9}" = Microsoft Office Accounting 2009
"{53276F5A-85AB-4BEF-BAA2-2490975DC006}" = Microsoft Office Accounting 2009 Fixed Asset Manager
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{5660022E-F3F2-4126-8CC5-9726C47150EB}" = Microsoft Windows Live OneCare Resources v2.5.2900.30
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{5E479D3B-4A87-42B9-A91E-2EB2284A54D4}" = DAEMON Tools
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FA793A6-0071-42C1-9355-8F69A428C44F}" = Microsoft Office Accounting ADP Payroll Addin
"{62F79C52-E264-44ab-ABC2-7BEA2962C70D}" = 5500Trb
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{63F2408D-A675-4d97-A256-70EACB6B9B4A}" = AiOSoftware
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6446BBD0-CB83-40E1-BEA1-0C147065E2A6}" = Maxtor Manager
"{6513E869-647F-40FD-A55D-CFC92579B9BA}" = PX Engine
"{67059E28-43F9-439C-9256-E374BC651FE1}" = MSN Toolbar
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6D4E56A1-22EE-44d8-BD14-7B9FB7F80D1B}" = 5500_Help
"{723C033E-63EA-4227-BAB2-0AA8693C16EB}" = Director
"{73006B34-9743-4A39-AC37-38EDFCEB6DCE}" = Adobe Product/Adobe Studio Update 10/2001
"{73C23496-A105-4b6f-B8F0-22523DFE4E4E}" = 5500
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7F231232-C309-4401-964A-2A002B6E1ED9}" = Microsoft Baseline Security Analyzer 2.0.1
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{81DD5688-695A-4c1d-AE7D-368BF857725A}" = TrayApp
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83A881FC-79D3-4A66-A173-F38BEBA40866}" = Logitech Pocket Digital
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85CFDC2D-710E-49D5-B799-F3743CA506BA}" = Microsoft Protection Service
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}" = GTOneCare
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90170409-6000-11D3-8CFE-0050048383C9}" = Microsoft FrontPage 2002
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{90AABED0-25A8-41FC-B738-224889E31033}" = Nero 8
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-0038-0409-0000-0000000FF1CE}" = Time Zone Data Update Tool for Microsoft Office Outlook
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9894AD94-8A9F-47CB-884C-2C19BA3B23D5}" = HPLAN
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9B03C535-3AEA-4ef2-B326-0A01A2207034}" = CreativeProjects
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A44413DC-17D5-4F0B-A128-8B590B20323C}" = Windows Messenger 5.1
"{A580547F-4FB6-433E-A595-21CAA858C556}" = Microsoft Office Live Small Business Image Uploader
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A8F2DCDE-AE4E-4AC9-BECD-496FB80FBF6A}" = Notebook Utilities
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AA0D2D5F-612B-45D3-8759-DA87206E5CC9}" = QuickTax 2008
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AC96671C-2001-432C-9826-5266D84EF1DC}" = Logitech Webcam Software
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF226123-1A6F-4ec1-8DEF-E35E7A0D0127}" = Fax
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B6E70EDD-6255-4DB7-9A43-F54D8462D987}" = CuteFTP Pro 3.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B8D0BC3E-67DF-48A3-ACC9-EEAA8DBFBF29}" = QuickTax 2005
"{BC339BFD-F550-471a-8D26-4D08126C62F7}" = SkinsHP2
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}" = Uniblue DriverScanner 2009
"{C6C148EC-55FB-4FDF-AD4F-ECEA579D040D}" = Microsoft Office Accounting 2009 Equifax Addin
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBE3E0AF-73BB-4c21-8B96-B09E003EDE7F}" = QuickProjects
"{CDBFDD5B-50E0-4021-94AF-516B80509ABE}" = 5500Tour
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9CD37C-E29A-11D5-AE3D-005004B8E30C}" = Digital Photo Navigator 1.5
"{D07A8E7E-D324-4945-BA8C-E532AD008FF3}" = Microsoft Windows OneCare Live v2.5.2900.30
"{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}" = Overland
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D74CFE48-087F-46E1-80E6-E2950E1A8DCE}" = HP Photosmart Essential 2.5
"{D9AE6BE1-5847-4962-86B0-2A290B7E6C43}" = Microsoft Office Accounting 2009 Tax Integration Add-in
"{DC0C35E4-CD3D-4F12-95BB-7C74D9467BD7}" = Microsoft Office Accounting 2009 PayPal Addin
"{E26B83D1-C0BB-41BC-8F44-31D5354DD6AF}" = Microsoft Windows OneCare Live AntiSpyware and AntiVirus
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E535C94A-B87F-4182-BEA8-1E9322078D3E}" = Cards_Calendar_OrderGift_DoMorePlugout
"{E8BFBD0A-8002-4dc9-869C-E495FA9DCE7A}" = PhotoGallery
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FAFDA89B-1031-4BDB-8619-DE20CBDEDF32}" = QuickTax 2006
"{FBBF532A-47AC-457d-AC06-0D3163D8911E}" = WebReg
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FF102450-55AA-4AE1-ACE4-E271E2470C83}" = hpmdtab
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"ATI Display Driver" = ATI Display Driver
"audcle" = Plus! MP3 Audio Converter LE
"Bejeweled Deluxe 1.862" = Bejeweled Deluxe 1.862
"Chuzzle Deluxe 1.0" = Chuzzle Deluxe 1.0
"CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C" = Conexant 56K ACLink Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell File Manager" = Dell DJ Explorer
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"drmtool.inf" = Personal License Update Wizard for Windows Media Player
"EfntSSDSL" = Efficient Networks SpeedStream DSL
"eMule" = eMule
"FLV Player" = FLV Player 2.0 (build 25)
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 3.5
"HP Photosmart Essential" = HP Photosmart Essential 3.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Independent Worker Agreements07-1" = Independent Worker Agreements
"Insaniquarium Deluxe 1.0" = Insaniquarium Deluxe 1.0
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"InstallShield_{6446BBD0-CB83-40E1-BEA1-0C147065E2A6}" = Maxtor Manager
"InstallShield_{9894AD94-8A9F-47CB-884C-2C19BA3B23D5}" = HP LAN
"legacyqcam_11.10" = Logitech Legacy USB Camera Driver Package
"lvdrivers_12.0" = Logitech Webcam Software Driver Package
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Microsoft Office Accounting 2009" = Microsoft Office Accounting 2009
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"mmmusic" = Movie Maker Background Music Files
"mmsounds" = Movie Maker Sound Effects
"mmtitle" = Movie Maker Title Images
"mplibwiz.inf" = Media Library Management Wizard
"mpxlswiz.inf" = Windows Media Player Playlist Import to Excel Wizard
"mpxptray.inf" = Windows Media Player Tray Control
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MXOFX" = USB Storage Adapter FX (MXO)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"QT4HPOT" = One-Touch Buttons
"QuickTax T2" = QuickTax T2
"RegistryBooster 2_is1" = Uniblue RegistryBooster 2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uniblue DriverScanner 2009" = Uniblue DriverScanner 2009
"Uniblue SpeedUpMyPC 2009" = Uniblue SpeedUpMyPC 2009
"wa2wmp" = Windows Media Player Skin Importer
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinSS" = Windows Live OneCare
"WinZip" = WinZip
"WMBK2" = Windows Media Bonus Pack for Windows XP
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WordPerfect Productivity Pack" = WordPerfect Productivity Pack
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Zuma Deluxe 1.0" = Zuma Deluxe 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 24/03/1982 10:29:21 PM | Computer Name = CPQ29466173462 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 25/03/2010 12:35:40 AM | Computer Name = CPQ29466173462 | Source = Application Error | ID = 1000
Description = Faulting application TMRUBotted.exe, version 1.5.0.1011, faulting
module libcurl.dll, version 7.18.0.0, fault address 0x00017e88.

Error - 25/03/2010 12:36:08 AM | Computer Name = CPQ29466173462 | Source = Application Error | ID = 1001
Description = Fault bucket 1048066594.

Error - 25/03/2010 4:43:31 AM | Computer Name = CPQ29466173462 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.6856.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 25/03/2010 4:44:27 AM | Computer Name = CPQ29466173462 | Source = Application Hang | ID = 1001
Description = Fault bucket 1553673221.

Error - 28/03/2010 2:11:09 AM | Computer Name = CPQ29466173462 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15281, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 28/03/2010 2:11:09 AM | Computer Name = CPQ29466173462 | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15281, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 29/03/2010 4:18:17 PM | Computer Name = CPQ29466173462 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.6856.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 29/03/2010 4:44:39 PM | Computer Name = CPQ29466173462 | Source = Application Hang | ID = 1001
Description = Fault bucket 1553673221.

Error - 31/03/2010 8:13:59 PM | Computer Name = CPQ29466173462 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.6856.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ MSFWSVC Events ]
Error - 07/03/2010 6:16:41 PM | Computer Name = CPQ29466173462 | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 08/03/2010 11:49:51 AM | Computer Name = CPQ29466173462 | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 13/03/2010 5:13:42 AM | Computer Name = CPQ29466173462 | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 20/03/2010 5:05:00 PM | Computer Name = CPQ29466173462 | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

[ System Events ]
Error - 31/03/2010 12:32:48 PM | Computer Name = CPQ29466173462 | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate1c99d7593cb1ce0) service failed
to start due to the following error: %%3

Error - 31/03/2010 12:33:45 PM | Computer Name = CPQ29466173462 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 31/03/2010 12:33:53 PM | Computer Name = CPQ29466173462 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 31/03/2010 2:01:00 PM | Computer Name = CPQ29466173462 | Source = Service Control Manager | ID = 7000
Description = The ASCTRM service failed to start due to the following error: %%2

Error - 31/03/2010 2:01:00 PM | Computer Name = CPQ29466173462 | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate1c99d7593cb1ce0) service failed
to start due to the following error: %%3

Error - 31/03/2010 2:01:39 PM | Computer Name = CPQ29466173462 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 01/04/2010 12:50:19 AM | Computer Name = CPQ29466173462 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 01/04/2010 12:50:19 AM | Computer Name = CPQ29466173462 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 01/04/2010 12:51:00 AM | Computer Name = CPQ29466173462 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 01/04/2010 12:51:00 AM | Computer Name = CPQ29466173462 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

[ Windows OneCare Events ]
Error - 24/03/2010 10:20:58 PM | Computer Name = CPQ29466173462 | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x8a190107.

Error - 24/03/2010 10:51:38 PM | Computer Name = CPQ29466173462 | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x8a190107.

Error - 25/03/2010 12:30:36 AM | Computer Name = CPQ29466173462 | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x8a190107.


< End of report >


EXTRAS PASTE REQUEST END


GMER LOG FILE PASTE REQUEST:


Sorry, but the scan has taken too long and I didn't realize that a response would have come in prior to a long weekend, therefore I am off to catch my plane, for the scan is still scanning, as I have mentioned. I will however paste the GMER log as soon as I return on the 7th of April, which will not change anything due to not touching my PC for the duration until the 7th. Thank you for your understanding and please do not close my case.


GMER LOG FILE PASTE REQUEST END

I will be unavailable until April sixth (06th) inclusive - Thanks Again - I appreciate your efforts.
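
The event-log excerpt above is worth triaging mechanically rather than by eye: the crypt32 record carries a 1982 timestamp, which is why the Windows Update root-list cab failed its certificate validity check, and the W32Time records show the clock had no reachable NTP source to correct itself, while the Service Control Manager records show boot-start drivers of the supposedly removed AVG still registered. The following Python script is an added example (not part of this post or of OTL, the tool that produced the log) that parses a few of those records, re-typed here as constructed sample input, and turns them into findings; the finding names, the reference year and the event IDs it matches on are its own assumptions.

```python
"""Triage the 'Last 10 Event Log Errors' block of an OTL Extras log.

Added example, not from the original post or from OTL. The sample below is a
constructed re-typing of a few records quoted in the thread. It pulls out
three indicators an analyst would act on before blaming malware:

  * crypt32 could not verify the Windows Update root-list cab because the
    system clock (1982!) was outside every certificate's validity period
  * W32Time had no reachable NTP peer, so the clock could not self-correct
  * boot-start drivers of an "uninstalled" AV product were still registered

Standard library only.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
[ Application Events ]
Error - 24/03/1982 10:29:21 PM | Computer Name = CPQ29466173462 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 25/03/2010 12:35:40 AM | Computer Name = CPQ29466173462 | Source = Application Error | ID = 1000
Description = Faulting application TMRUBotted.exe, version 1.5.0.1011, faulting
module libcurl.dll, version 7.18.0.0, fault address 0x00017e88.

[ System Events ]
Error - 31/03/2010 12:33:53 PM | Computer Name = CPQ29466173462 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 01/04/2010 12:50:19 AM | Computer Name = CPQ29466173462 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)
"""

# One record header per event; the description follows on one or more lines.
HEADER = re.compile(
    r"^Error - (?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>\S+) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)\s*$"
)


def parse_events(text):
    """One dict per 'Error - ...' record; continuation lines are folded into
    'desc'. A blank line closes the record; section headers are skipped."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            current["ts"] = datetime.strptime(current["ts"], "%d/%m/%Y %I:%M:%S %p")
            current["id"] = int(current["id"])
            current["desc"] = ""
            events.append(current)
        elif not line.strip():
            current = None
        elif current is not None:
            body = line.replace("Description = ", "", 1).strip()
            current["desc"] = (current["desc"] + " " + body).strip()
    return events


def triage(events, reference_year=2010):
    """Map raw records to (finding, detail) pairs. The finding names, the
    reference year and the event IDs matched are this example's choices."""
    findings = []
    for ev in events:
        if ev["source"] == "crypt32" and "validity period" in ev["desc"]:
            # A timestamp decades off the log's real date means the failure is
            # clock skew, not a bad certificate: fix the clock before trusting
            # anything signature-based (updates, TLS, signed-driver checks).
            detail = ev["ts"].isoformat()
            if ev["ts"].year != reference_year:
                detail += " [clock %d years off]" % abs(reference_year - ev["ts"].year)
            findings.append(("clock-skew-breaks-trust", detail))
        elif ev["source"] == "W32Time" and ev["id"] == 39452689:
            peer = re.search(r"peer '([^']+)'", ev["desc"])
            findings.append(("ntp-peer-unreachable", peer.group(1) if peer else "?"))
        elif ev["source"] == "Service Control Manager" and ev["id"] == 7026:
            drivers = ev["desc"].split("failed to load:")[-1].split()
            findings.append(("boot-driver-load-failed", ",".join(drivers)))
    return findings


def summarize(events):
    """How often each (source, event ID) pair occurs: repeats are the norm in
    these logs and the count is what separates noise from a pattern."""
    return Counter((e["source"], e["id"]) for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (src, eid), n in sorted(summarize(evs).items()):
        print("%-24s ID %-9d x%d" % (src, eid, n))
    for name, detail in triage(evs):
        print("FINDING %s: %s" % (name, detail))
```

On the real log the same parser also counts the repeated MSFWSVC 1080 and WinSS 7001 records, which is useful context when deciding whether OneCare itself is healthy before disabling it for the cleanup.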

#4 etavares

    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 01 April 2010 - 05:37 PM

OK, thanks for letting me know. Please post the GMER log when you are back. I'll keep the topic open.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 Ta Orfa

  • Topic Starter
  • Members
  • 49 posts

Posted 05 April 2010 - 10:10 PM

Hello etavares,

Here is the log posted ahead of time; I got back early. Hopefully this will do it...

GMER LOG REQUEST START:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-05 21:14:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\USER~1\LOCALS~1\Temp\kfloaaod.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom0 83B8A150
Device \Driver\Cdrom \Device\CdRom0 83A66CE8
Device \Driver\atapi \Device\Ide\IdePort0 83A66940
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 83A66940
Device \Driver\atapi \Device\Ide\IdePort1 83A66940
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 83A66940
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)

Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3D 0xD4 0xB8 0x67 ...

---- EOF - GMER 1.0.15 ----


GMER LOG REQUEST END

In the meantime, what can I or what can I not do to my system?

Also, as you will notice, I have a few user profiles on this PC, so please advise if I should do the same as requested herein for the others as well or not. I also have 2 options/operating systems to choose from when the PC boots prior to start-up and I don't know why; the operating systems for both are Windows XP, both exactly the same. I am not sure if this is relevant or not.

Furthermore, please advise on reversing changes, if required, from all that we have done at the end; well, I am assuming that you will anyway. Sometimes just asking sheds clarity on any given situation.

Edited by Ta Orfa, 05 April 2010 - 10:14 PM.
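
GMER's device list above is the most telling part of this log for the AVG question: avgtdi.sys (GRISOFT, s.r.o.) is still the driver object on every TCP/IP device (\Device\Ip, \Device\Tcp, \Device\Udp, \Device\RawIp, \Device\IPMULTICAST) even though the product was supposedly uninstalled years ago, with OneCare's msfwhlpr.sys attached above it. Below is an added Python example, not from the original post or from GMER, that parses a subset of those lines (re-typed as constructed input) into per-device stacks and lists the non-Microsoft modules on the Tcpip driver's devices; the "trusted vendor" rule is this example's heuristic.

```python
"""Rebuild device stacks from GMER's '---- Devices ----' section.

Added example, not part of the original post or of GMER. GMER prints one line
per driver object it finds on a device: the owning driver's object, the
\\Device\\... name, then either the module file with its (description/vendor)
or, when it cannot map the object to a module, only a kernel address.
'AttachedDevice' lines are filters layered on top of the named device.
The sample is a constructed re-typing of part of the log above.
"""
import re
from collections import defaultdict

SAMPLE_GMER = r"""
---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp msfwhlpr.sys (OneCare Firewall Helper Driver/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom0 83B8A150
Device \Driver\atapi \Device\Ide\IdePort0 83A66940
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""

# kind, driver object, device object, then either "module.sys (desc/vendor)"
# or a bare 8-hex-digit kernel address.
LINE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"(?:(?P<module>\S+\.sys)\s+\((?P<desc>[^/]+)/(?P<vendor>[^)]+)\)"
    r"|(?P<addr>[0-9A-F]{8}))\s*$"
)


def parse_devices(text):
    """{device_object: [record, ...]} in the order GMER listed them. Each
    record has kind, driver, device and either module/desc/vendor or addr."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stacks[m.group("device")].append(m.groupdict())
    return dict(stacks)


def foreign_modules(stacks, driver=r"\Driver\Tcpip", trusted_vendor="Microsoft Corporation"):
    """(device, module, vendor) for every named module on the given driver's
    devices whose vendor is not the trusted one. Filtering on a single
    'trusted vendor' is this example's heuristic, not a GMER feature; a real
    baseline would list every vendor the host is known to run."""
    hits = []
    for device, records in stacks.items():
        for r in records:
            if r["driver"] == driver and r["module"] and r["vendor"] != trusted_vendor:
                hits.append((device, r["module"], r["vendor"]))
    return hits


def unmapped_entries(stacks):
    """Records GMER could only describe by address. Worth a second look, but
    not evidence of anything on their own."""
    return [(d, r["addr"]) for d, rs in stacks.items() for r in rs if r["addr"]]


if __name__ == "__main__":
    s = parse_devices(SAMPLE_GMER)
    for dev, mod, vendor in foreign_modules(s):
        print("non-Microsoft module on %s: %s (%s)" % (dev, mod, vendor))
    for dev, addr in unmapped_entries(s):
        print("unmapped object on %s at 0x%s" % (dev, addr))
```

Run against the full log, the same grouping shows avgtdi.sys on all five Tcpip devices, which matches the Service Control Manager 7026 records in the Extras log (Avg7Core and Avg7RsXP still registered as boot-start drivers) and explains why ComboFix later reports AVG 7.5 as an active on-access scanner.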


#6 etavares

    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 05 April 2010 - 10:45 PM

OK, before we start, I need to ask a few questions.

What do you mean by 'reverse changes'?
Have you always had two operating systems to choose from, or is this a recent and sudden development?
The profiles are fine, just use your normal one for now, although when I ask for updates, please let me know if the issues are present or gone in each account.

Finally, to answer your first question:
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#7 Ta Orfa

  • Topic Starter
  • Members
  • 49 posts

Posted 06 April 2010 - 10:09 AM

Hello etavares,

Here are the answers to your questions below,


OK, before we start, I need to ask a few questions.

(1). What do you mean by 'reverse changes'?

Answer: I meant any changes, if needed/required, that may or may not have been done with any of your instructions given thus far; disregard if not required.

(2). Have you always had two operating systems to choose from, or is this a recent and sudden development?

Answer: I believe these two operating systems must have had something to do with some awful Microsoft tech support received a few years ago for the .NET Framework 2.0 (KB928365) redistributable package (x86) that could not be installed successfully for a OneCare issue, then running some Windows Installer CleanUp Utility; I believe they did something regarding the BIOS and it created a file named $regrest(2), or it could have been that my PC would not boot right to the operating system/Windows, just the black screen, that made this happen. Again, I am not really sure, but then again I really have no clue, for I am the worst person to ask when it comes to PCs, but I can follow instructions really well when/if needed. I am sorry to say that I don't trust Microsoft templated support representatives, for numerous reasons. I would prefer not to have the two operating systems, for they are the same, so what's the point in having the two? Unless I need them.

(3). The profiles are fine, just use your normal one for now, although when I ask for updates, please let me know if the issues are present or gone in each account.

Answer: Okay thank you.

Finally, to answer your first question:
Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.

Answer: Have not nor will I run anything until you say so.

Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.

Answer: What topic do you wish me to subscribe to? What can fail? Please explain.

Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.

Answer: I will do all of this but what do I use/ have to do?

Please reply within 3 days to be fair to other people asking for help.
When in doubt, please stop and ask first. There's no harm in asking questions!

Answer: Okay I have responded promptly and trust me I will ask you questions along the way and I appreciate that you welcome them.

Thanks!

Thank you in return.

Edited by Ta Orfa, 06 April 2010 - 10:13 AM.


#8 etavares

    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 06 April 2010 - 05:32 PM

Hello, Ta Orfa.

OK, thanks for your response! I understand better now.

I really can't help you with the two operating systems...my expertise is malware removal. We'll clean up the partition you use. After that, I can refer you to another forum on this site with Advisors that can help you remove the extra installation. I guarantee it's eating up a lot of space on your hard drive!

Subscribing to this topic means you will get an email update when I reply. It works 98% of the time. By 'the email system can fail at times', I mean do not rely on the email; physically launch your web browser and check the thread every 3 days or so if you haven't seen an email update. It just ensures we quickly work together to remove the malware and secure your machine before it gets worse. Does that make sense?

Great...let's get started!

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as Ta OrfaCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Ta OrfaCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#9 Ta Orfa

  • Topic Starter
  • Members
  • 49 posts

Posted 06 April 2010 - 08:01 PM

Hello etavares,

Downloaded ComboFix from Bleepingcomputer.com, saved it as Ta OrfaCF on the desktop as advised, disabled virus and spyware monitoring and then the Firewall, all controlled by OneCare, or so I thought, because when I went to run ComboFix after closing all windows I got a warning from ComboFix:

ComboFix has detected the following real time scanner(s) to be active:

antivirus: AVG 7.5.476

I don't understand how on earth I still have this program installed and, worse yet, running! I had an AVG tech delete 7.0 / the 7.5 version years ago, along with a Microsoft Tech Support rep that did the same thing, and I still have it? Maybe this is the large problem, along with whatever else they have running hidden alongside it. I guess I need your advice on how to find it, for I cannot find the file to delete this software. I looked under Grisoft, looked under AVG, simply cannot find anything; I even ran a Search but it only found related files (such as the safe-kept serial number txt file or shortcuts created; I clicked on a few of them and nothing opened up, nothing at all happened). Then I guess, once doing all of that, test my PC to see if it's completely gone, then run the ComboFix software to get rid of whatever else is around, right?

By the way, we should also check within System if AVG has been disabled; maybe that's why I cannot get into it to disable it from running, I was told, but I don't know how to do that or if it's even relevant to do this. Is it?

By the way, as ComboFix is running, should I be on the net or should I disable my Broadband connection along with the Local Area Connection or just simply log off the net connection?

I am awaiting your response prior to running or doing anything, I think this may be a hard job coming up!?!?

Thank you

Ta Orfa

Edited by Ta Orfa, 06 April 2010 - 09:28 PM.


#10 etavares

    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 07 April 2010 - 05:41 PM


OK, let's get rid of the AVG leftovers first.

Please download this AVG Remover(32bit) (avgremover.exe) and save it to your desktop.

Double-click it to run and it should remove all the remnants of AVG.

Once that's done, continue to run ComboFix. You can leave it connected to the network; it will need it to download the recovery center if you don't already have it installed. That provides a safe way to get back control of your computer if something goes wrong.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#11 Ta Orfa

  • Topic Starter
  • Members
  • 49 posts

Posted 09 April 2010 - 08:18 PM

Hello etavares,

Okay, did all as requested within your last two communications. I am not sure, but I believe the ComboFix log below states that AVG was still enabled; is that right? I ran that AVG removal tool as advised. Also it states that my PC did not download the MS Recovery Console; this was due to the ComboFix software, which stated that it needed to update, for it found updates as I tried to run it, and then it stated it had detected the presence of rootkit activity and then needed to reboot. Thus it rebooted, then the PC started up, I logged in like usual, then ComboFix started up; it took some registry backup files, asked me again to download the MS Recovery Console, but none of my Desktop/Taskbar was visible, so I clicked Yes, but I had no control, so it started without it. I didn't want to mess it up, so I let it do its thing because that was the only thing up on my screen; all of my files, start menu, everything, was gone at that point, and let me tell you, I was on the floor screaming why and how this had happened to me!

ComboFix ran Autoscan Stage 1 - 6, 6A - 19, 19b - 32, 32A - 50. Stage 1 - 10 took ten minutes to complete, Stage 11 - 27 took six minutes to complete, Stage 28 - 41 took two minutes to complete and Stage 32, 32A - 50 was really fast to complete. Deleted Files..... Deleted Folders..... C:...... Rebooting Windows....Please wait.... Please allow ComboFix to Reboot Machine...WARNING!!! DO NOT REBOOT MACHINE YOURSELF, so I didn't; at this point I had clocked 26 minutes prior to reboot.

Then the PC rebooted after 29 minutes of scanning at this point. Again, I had to choose which one of the two OSs to start with, like usual; I chose either one of the two OSs, for they are both the same XP SP3 and it is useless to have the two (hopefully we can correct that later on). I logged into my user profile like usual and ComboFix popped up; the window appeared immediately, and the ComboFix blue screen pop-up advised me to please wait (ComboFix-Find3M). Then it was done and I was relieved when all of my files and menu returned; wooo, that was close! It advised that it was preparing a log and not to run any programs until ComboFix had finished, which I did; the scan and log took a total time of 51 minutes to process (is 10 minutes the norm? Really?).

Then it took me several attempts and ten minutes to be able to log into my broadband connection; this had never happened before. Then I finally was able to connect, opened an IE page, and it immediately advised that Internet Explorer is not my default and asked if I would like it to be, and I chose Yes.

Final results: nothing has changed from my initial posting for aid within this site; the only thing that changed is that my PC is running much faster, navigating through the internet, with quicker responses to opening up/closing files on my PC, i.e. Word, Excel etc., but I still have the same problems as before. Please advise, and hopefully I have been thorough enough with my details for you.

Thank you,

Sincerely,

Ta



COMBOFIX LOG AS REQUESTED:

ComboFix 10-04-05.06 - user 08/04/2010 3:02.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.333 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG 7.5.476 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-458786256-4039623426-3980231723-1003
c:\recycler\S-1-5-21-507921405-1563985344-854245398-1003
C:\setup.exe
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\explorer(2).exe
c:\windows\explorer(3).exe
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\jestertb.dll
c:\windows\patch.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\uninstall.exe
E:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTBOOT
-------\Legacy_NTLOAD
-------\Service_NTLOAD


((((((((((((((((((((((((( Files Created from 2010-03-08 to 2010-04-08 )))))))))))))))))))))))))))))))
.

2010-03-13 09:24 . 2008-02-29 16:12 37008 -c--a-w- c:\windows\system32\drivers\LMouFilt.Sys
2010-03-13 09:24 . 2008-02-29 16:12 35472 -c--a-w- c:\windows\system32\drivers\LHidFilt.Sys
2010-03-13 09:24 . 2008-02-29 16:12 76304 -c--a-w- c:\windows\KHALMNPR.Exe
2010-03-13 09:18 . 2008-02-29 17:00 1419232 -c--a-w- c:\windows\system32\WdfCoInstaller01005.dll
2010-03-13 09:18 . 2008-02-29 16:12 29072 -c--a-w- c:\windows\system32\drivers\LUsbFilt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 16:52 . 2009-01-16 19:01 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-03-30 22:00 . 2004-11-02 02:46 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 21:55 . 2008-11-24 06:52 411368 -c--a-w- c:\windows\system32\deploytk.dll
2010-03-30 04:04 . 2005-01-17 07:44 73 -c--a-w- c:\windows\popcinfo.dat
2010-03-27 18:52 . 2004-08-05 00:34 -------- d-----w- c:\program files\Java
2010-03-13 09:47 . 2009-08-12 06:46 239752 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-13 09:25 . 2010-03-13 09:25 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-03-13 09:19 . 2010-03-13 09:19 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-03-13 09:08 . 2008-12-20 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-03-11 12:38 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-01-29 20:01 78336 -c--a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-08-29 02:00 17408 -c--a-w- c:\windows\system32\corpol.dll
2010-03-07 23:13 . 2004-07-20 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 23:08 . 2010-02-18 22:17 -------- d-----w- c:\program files\Citrix
2010-03-07 20:00 . 2010-03-07 20:00 -------- d-----w- c:\program files\TrendMicro
2010-03-07 19:37 . 2010-03-07 19:37 161296 -c--a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-19 21:07 . 2003-09-10 10:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 21:01 . 2004-11-02 06:04 -------- d-----w- c:\program files\Trend Micro
2010-02-18 22:16 . 2010-02-18 22:16 70984 -c--a-w- c:\documents and settings\user\g2mdlhlpx.exe
2010-02-11 21:55 . 2006-08-13 21:50 -------- d-----w- c:\program files\Windows Live Safety Center
2005-10-12 09:52 . 2005-10-12 09:49 203353 -c--a-w- c:\program files\cc_20051012_0549.reg
2005-01-16 23:19 . 2006-03-21 05:47 4608 -csha-r- c:\windows\system\DRIVER\cygcrypt-0.dll
2005-01-16 23:19 . 2006-03-21 05:47 1140617 -csha-r- c:\windows\system\DRIVER\cygwin1.dll
2005-01-28 17:30 . 2006-03-21 05:47 1478 -csha-r- c:\windows\system\DRIVER\servicelogon.dll
2006-03-21 05:47 . 2006-03-21 05:47 1877 -csha-r- c:\windows\system\DRIVER\servicesmgr.dll
2005-01-28 17:30 . 2006-03-21 05:47 1477 -csh--r- c:\windows\system\DRIVER\svchostlogon.dll
2006-03-21 05:47 . 2006-03-21 05:47 1575 -csha-r- c:\windows\system\DRIVER\winlogon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^intervideo wincinema manager.lnk]
backup=c:\windows\pss\intervideo wincinema manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 -c--a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVComs]
2002-04-05 20:35 102400 -c--a-w- c:\windows\system32\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"SeaPort"=2 (0x2)
"RUBotted"=3 (0x3)
"RichVideo"=2 (0x2)
"RetroExpLauncher"=2 (0x2)
"OneCareMP"=2 (0x2)
"OcHealthMon"=2 (0x2)
"NTSVCMGR"=2 (0x2)
"NTLOAD"=2 (0x2)
"MSSQL$MSSMLBIZ"=2 (0x2)
"MDM"=2 (0x2)
"Maxtor Sync Service"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HPConfig"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate1c99d7593cb1ce0"=2 (0x2)
"Bonjour Service"=2 (0x2)
"msfwsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [05/02/2010 5:19 PM 26120]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [19/02/2010 5:07 PM 582992]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [17/02/2004 6:58 PM 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [17/02/2004 6:59 PM 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [04/05/2004 2:24 PM 18432]
R3 st3bus28;st3bus28;c:\windows\system32\drivers\st3bus28.sys [28/12/2002 1:16 PM 8416]
R3 st3mp28;st3mp28;c:\windows\system32\drivers\st3mp28.sys [28/12/2002 1:16 PM 95328]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [19/02/2010 5:01 PM 206608]
S2 gupdate1c99d7593cb1ce0;Google Update Service (gupdate1c99d7593cb1ce0);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [04/04/2003 10:50 PM 26112]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [04/04/2003 10:50 PM 57344]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [21/08/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [21/08/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [18/06/2007 8:18 PM 23680]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smallogi.sys [26/09/2003 10:37 PM 11721]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [19/02/2010 5:01 PM 206608]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [06/08/2006 12:41 AM 223128]
S3 ZSMC0305;VIMICRO USB PC Camera V; [x]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06/08/2006 12:29 AM 643072]
.
Contents of the 'Scheduled Tasks' folder

2010-04-08 c:\windows\Tasks\User_Feed_Synchronization-{9752E23C-90C2-4647-AB2F-78A3F65C10E2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:36]

2010-04-08 c:\windows\Tasks\User_Feed_Synchronization-{CE692F37-25A4-4CDF-8A76-6C076F161091}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 23:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.bing.com/
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-pccguide - (no file)
AddRemove-Adobe Photoshop 6.0 - c:\program files\Adobe\Photoshop 6.0\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 03:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83AC2150]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7eeef28
\Driver\ACPI -> ACPI.sys @ 0xf7e61cb8
\Driver\atapi -> 0x83ac2150
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-387571065-2904927342-2305553894-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
.
**************************************************************************
.
Completion time: 2010-04-08 03:47:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-08 07:47

Pre-Run: 17,112,621,056 bytes free
Post-Run: 17,698,365,440 bytes free

- - End Of File - - EAE8EE628101CE549171685497536F6A

Edited by Ta Orfa, 09 April 2010 - 08:55 PM.
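The "Stealth MBR rootkit/Mebroot/Sinowal detector" section of the ComboFix log above is the part the helper questions next, because the GMER scan came back clean. What follows is an added example, not code from GMER, ComboFix or anyone in this thread, that reads that detector output and separates hooks which resolve to a named driver image (`\Driver\Disk -> CLASSPNP.SYS @ ...`) from hooks that point at a bare kernel address the detector could not attribute to any loaded module; in the log above the `\Driver\atapi` hook lands on 0x83ac2150, the same address the "called modules" line marks as UNKNOWN. The sample text is copied from the log above as constructed input; function names, the result keys and the verdict wording are this example's own.

```python
"""Read the 'Stealth MBR rootkit detector' section of a ComboFix/mbr.exe log.
Added example for this thread; not code from GMER or ComboFix."""
import re

# Constructed input: the detector section copied from the ComboFix log posted above.
SAMPLE_MBR_LOG = """\
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83AC2150]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf7eeef28
\\Driver\\ACPI -> ACPI.sys @ 0xf7e61cb8
\\Driver\\atapi -> 0x83ac2150
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\\Device\\Harddisk0\\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (.*)$")
TARGET_RE = re.compile(r"^(?:(\S+) @ )?(0x[0-9A-Fa-f]+)$")


def parse_target(text):
    """'CLASSPNP.SYS @ 0xf7eeef28' -> ('CLASSPNP.SYS', addr); '0x83ac2150' -> (None, addr)."""
    m = TARGET_RE.match(text.strip())
    if not m:
        return None, None
    return m.group(1), int(m.group(2), 16)


def analyze_mbr_log(text):
    unknown = [int(a, 16) for a in UNKNOWN_RE.findall(text)]
    hooks = {}
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            module, addr = parse_target(m.group(2))
            if addr is not None:
                hooks[m.group(1)] = (module, addr)
    # Dispatch hooks the detector could not map to any loaded driver image...
    unresolved = sorted(d for d, (mod, _) in hooks.items() if mod is None)
    # ...and hooks whose address is exactly one the 'called modules' line marked UNKNOWN.
    in_unknown = sorted(d for d, (_, addr) in hooks.items() if addr in unknown)
    warning = "possible MBR rootkit infection" in text
    mbr_ok = "user & kernel MBR OK" in text
    if unresolved or in_unknown:
        verdict = "suspicious: disk I/O dispatch hooked from code outside any listed driver"
    elif warning:
        verdict = "warning: detector flagged something, but every hook resolves to a driver image"
    else:
        verdict = "clean"
    return {"unknown_modules": unknown, "hooks": hooks, "unresolved_hooks": unresolved,
            "hooks_in_unknown": in_unknown, "warning": warning, "mbr_ok": mbr_ok,
            "verdict": verdict}


if __name__ == "__main__":
    import sys
    log = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
           if len(sys.argv) > 1 else SAMPLE_MBR_LOG)
    r = analyze_mbr_log(log)
    for drv, (mod, addr) in r["hooks"].items():
        print(f"{drv:24} -> {mod or '<no module>':14} {addr:#010x}")
    print("UNKNOWN modules:", [f"{a:#x}" for a in r["unknown_modules"]])
    print("MBR bytes OK:", r["mbr_ok"], "| detector warning:", r["warning"])
    print(r["verdict"])
```

"user & kernel MBR OK" only says the boot sector read through the two paths matched; the verdict here comes from the dispatch hook, not from the MBR bytes. A disk-filter driver such as sptd.sys (listed in the log above as `S4 sptd`, the driver DAEMON Tools installs) also hooks this path and is a known source of false positives from this kind of detector, which is why the helper has DeFogger disable it before rechecking with mbr.exe.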


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 10 April 2010 - 06:02 AM

Hello, Ta Orfa.

The good news is all that is normal. ComboFix runtime is based on your machine and how infected it is. More files and more infections = longer.





Step 1

Your GMER log looked clean, yet CF said it detected a rootkit. I want to double-check that result, but we need to disable Daemon Tools first as it can interfere with this.

Please download DeFogger and save it to your desktop.

Double-click on the defogger icon to run the tool.

Click the Disable button.

Click YES to continue.

When you see a "finished!" message, press OK to continue.

If it's running, it should ask you to reboot. Please do so.

When we're done cleaning your computer, you can use the instructions here to reenable Daemon Tools.



Step 2

We need to check for rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive.
  3. Open RootRepeal.exe on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  7. Push Ok.
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



Step 3
  1. Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  2. Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  3. Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  4. Open your c:\ folder and double-click on fixme.bat. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.



Step 4

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link: Jotti

When the Jotti page has finished loading, click the Browse button, navigate to each of the following files in turn and click Submit.

c:\windows\system\driver\cygcrypt-0.dll
c:\windows\system\driver\cygwin1.dll
c:\windows\system\driver\servicelogon.dll
c:\windows\system\driver\servicesmgr.dll
c:\windows\system\driver\svchostlogon.dll
c:\windows\system\driver\winlogon.dll


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Step 5

Please reply back with the RootRepeal log, the MBR log, and the results of the virus scan on those files.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
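The Jotti/VirusTotal step above asks for the six DLLs under c:\windows\system\driver to be uploaded, and the reply further down the thread shows what VirusTotal returns for cygcrypt-0.dll: file hashes, a PE section table with per-section entropy and MD5, and a UPX packer identification. The block below is an added example, not code from the thread or from either service, that produces the same kind of triage offline: it hashes a file (so the hash can be looked up before anything is uploaded), walks the PE section table, computes Shannon entropy per section and applies a few packer heuristics. It handles PE32 and PE32+ alike, which is more general than the single file in the report. Because the real DLLs are not available here, build_sample_pe() constructs a synthetic 4608-byte PE32 image with UPX0/UPX1/UPX2 sections laid out like the one in the VirusTotal report; the bytes are made up, and the packer section-name list, the 7.0 bits/byte threshold and all function names are this example's own choices.

```python
"""Offline triage of a PE file: hashes, section table, entropy, packer heuristics.
Added example for this thread; not code from ComboFix, GMER, Jotti or VirusTotal."""
import hashlib
import math
import struct
import sys
from collections import Counter, namedtuple
from datetime import datetime, timezone

Section = namedtuple("Section", "name vaddr vsize raw_size raw_ptr entropy md5")

# Illustrative list of section names left by common runtime packers (not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", "pec1", "pec2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data):
    """Entropy in bits per byte; 0.0 for an empty buffer (as VirusTotal shows for UPX0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Return (machine, timestamp, entry_rva, sections) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, raw_size, raw_ptr,
                                shannon_entropy(raw), hashlib.md5(raw).hexdigest()))
    return machine, timestamp, entry, sections


def packer_indicators(entry, sections):
    """Heuristics only: a packed file is not malicious by itself."""
    reasons = []
    hits = sorted({s.name for s in sections} & PACKER_SECTION_NAMES)
    if hits:
        reasons.append("packer section names: " + ", ".join(hits))
    if sections and sections[0].raw_size == 0 and sections[0].vsize > 0:
        reasons.append(f"first section {sections[0].name} has no raw data but "
                       f"{sections[0].vsize:#x} bytes of virtual space (unpack target)")
    for s in sections:
        if s.raw_size and s.entropy >= HIGH_ENTROPY:
            reasons.append(f"high-entropy section {s.name} ({s.entropy:.2f} bits/byte)")
            if s.vaddr <= entry < s.vaddr + max(s.vsize, s.raw_size):
                reasons.append(f"entry point {entry:#x} lies inside high-entropy section {s.name}")
    return reasons


def triage(data):
    machine, timestamp, entry, sections = parse_pe(data)
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "machine": machine, "timestamp": timestamp,
            "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "entry": entry, "sections": sections,
            "packer": packer_indicators(entry, sections)}


def build_sample_pe():
    """Constructed input: a synthetic 4608-byte PE32 laid out like the UPX-packed
    cygcrypt-0.dll in the VirusTotal report (same section layout, entry point and
    timestamp); the bytes themselves are made up here and are not the real file."""
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(0xE00 // 32))
    stub = bytes(range(16)) * 8 + bytes(0x200 - 128)  # low-entropy filler standing in for UPX2
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)            # magic
    struct.pack_into("<I", opt, 16, 0x8BF0)          # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x3F92557E, 0, 0, len(opt), 0x2102)
    layout = [("UPX0", 0x1000, 0x7000, 0x0, 0x200),  # name, vaddr, vsize, raw_size, raw_ptr
              ("UPX1", 0x8000, 0x1000, 0xE00, 0x200),
              ("UPX2", 0x9000, 0x1000, 0x200, 0x1000)]
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0xE0000040)
                    for n, va, vs, rs, rp in layout)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(0x200, b"\0")
    return headers + packed + stub


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    report = triage(blob)
    for key in ("size", "md5", "sha1", "sha256", "timestamp_utc"):
        print(f"{key:14}{report[key]}")
    print(f"{'entry':14}{report['entry']:#x}")
    for s in report["sections"]:
        print(f"  {s.name:8} va={s.vaddr:#07x} vsize={s.vsize:#07x} raw={s.raw_size:#06x} "
              f"entropy={s.entropy:.2f} md5={s.md5}")
    for r in report["packer"]:
        print("  !", r)
```

Run it as `python pe_triage.py <file>` to print the report for a real file; with no argument it reports on the constructed sample. A first section with virtual space but no raw bytes, plus an entry point inside a section whose bytes are near-random, is the usual footprint of a runtime packer, but plenty of legitimate software ships UPX-compressed, so the packing alone decides nothing; the detection counts in the VirusTotal report carry the weight, and the hash lookup lets you read them without uploading the file.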
 


#13 Ta Orfa

Ta Orfa
  • Topic Starter

  • Members
  • 49 posts

Posted 11 April 2010 - 12:39 AM

Hello etavares,

Thanks again for your response, and I am happy that you understood my response; as I have previously stated, I am not that tech savvy. I tried your latest steps and only got to Step 2 before I came across an error. I have downloaded mbr and RootRepeal, and I already had DeFogger, so basically I am ready to do everything, but after waiting for RootRepeal to initialize a popup box appeared stating a RootRepeal error... ERROR - INVALID PE image found!

I was advised to choose (1) OK or (2) DETAILS >> 01:13:59: Error - invalid PE image found!
01:14:00: Error - invalid PE image found!

Saved Error log...

01:13:59: Error - invalid PE image found!
01:14:00: Error - invalid PE image found!

What should I do, run the software anyway by choosing OK, or not? And in Step 2, number 6, how do I check all seven boxes? I do not see any boxes to check off. You see, out of curiosity I chose OK when the error appeared, just to see the software, but no check boxes were visible, just two options, Scan or Save Report, on the bottom left and right; below that, a few tabs: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT, Report and About (left to right and in order); on top of the page I see File, Settings and Tools drop-down menus, and below that I see Service Name and, to the right of that, Image Path. Please advise, or give whatever other recommendation you may have.

Thanks Again, I appreciate it!

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 11 April 2010 - 07:33 AM

You can click "OK" on the error for Root Repeal. To check the boxes, you need to click on the "Report" tab, then the "Scan" button, then those boxes will pop up.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#15 Ta Orfa

Ta Orfa
  • Topic Starter

  • Members
  • 49 posts

Posted 11 April 2010 - 02:30 PM

All of the Steps Performed while Browser and Broadband Connected...

In STEP 3 - While Navigating To The First Line To Find File c:\windows\system\driver\cygcrypt-0.dll, Microsoft OneCare stopped me at c:\windows\system , stopping me prior to getting to driver within the file line, OneCare pop up advised that it found a Trojan....

Trojan:Win32/FakeSpypro...
Alert Level: High
Advice: Remove this software immediately.
Description: This program is dangerous and executes commands for an attacker.
Two Options Given:

(1). Clean All OR (2). Close.
I chose Clean All
The Result: Removed (PDF Snapshot Saved If You Need It).

After OneCare finished removing whatever it had to do, it then allowed me to continue, so I was able to get to the end of the first line and all of the other lines that you requested in order to scan them within Jotti, but Jotti was busy, or so I think, because the grey tab was inoperable, so I used VirusTotal: http://www.virustotal.com/ instead with no problems, and here are the results.

NOTE: within the same Driver area of the listed files
c:\windows\system\driver\cygcrypt-0.dll
c:\windows\system\driver\cygwin1.dll
c:\windows\system\driver\servicelogon.dll
c:\windows\system\driver\servicesmgr.dll
c:\windows\system\driver\svchostlogon.dll
c:\windows\system\driver\winlogon.dll

There are also two more files that you did not list, which are within DRIVER:
c:\windows\system\driver\Driver32.dll
c:\windows\system\driver\win32.dll

Would you;
(1). Require those scanned and sent to you as well?
(2). Are you aware of them?
Or (3). You are aware of them but simply do not need them scanned?

Please advise. Here are the virus scan results, the RootRepeal log (I included two different ones because I had many web pages open and I thought that the results may have been misleading, since I had so many personal windows open while surfing the net when I did the original scan; sure enough the two were different, please see them below, clearly identified) and lastly the MBR log (all in the order announced).

Lastly, should I reverse the Step 3 hidden files request? My two PC monitors are completely being filled up with what look like temp files or previously made files, but faint/see-through, not solid. Please advise. Thank you.


Virus Scan Results



START OF RESULT SCANS REQUEST FOR STEP 4 - All Done With Hidden Files Exposed As Within Instructions
As Advised Within This Link: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/ - Under Windows XP

Results from: http://www.virustotal.com/

c:\windows\system\driver\cygcrypt-0.dll

File has already been analysed:
MD5: 82b006aa0e496983a112a61df57a9677
First received: 2007.03.15 23:18:45 UTC
Date: 2009.10.11 23:45:53 UTC [>181D]
Results: 2/41
Permalink: analisis/1c1b4ad96af649f217a3d56b3d82547f40a775698b7e8bcbc9334cd545bda59f-1255304753



File 05A98ADB007A14A0128D0049A130DA0008E5F846.dll received on 2009.10.11 23:45:53 (UTC)
Current status: finished

Result: 2/41 (4.88%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.11 -
AhnLab-V3 5.0.0.2 2009.10.10 -
AntiVir 7.9.1.35 2009.10.09 -
Antiy-AVL 2.0.3.7 2009.10.10 -
Authentium 5.1.2.4 2009.10.11 -
Avast 4.8.1351.0 2009.10.11 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.12 -
CAT-QuickHeal 10.00 2009.10.10 -
ClamAV 0.94.1 2009.10.10 -
Comodo 2576 2009.10.11 -
DrWeb 5.0.0.12182 2009.10.12 -
eSafe 7.0.17.0 2009.10.08 Suspicious File
eTrust-Vet 35.1.7060 2009.10.09 -
F-Prot 4.5.1.85 2009.10.12 -
F-Secure 8.0.14470.0 2009.10.12 -
Fortinet 3.120.0.0 2009.10.12 -
GData 19 2009.10.12 -
Ikarus T3.1.1.72.0 2009.10.11 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.867 2009.10.10 -
Kaspersky 7.0.0.125 2009.10.12 -
McAfee 5768 2009.10.11 -
McAfee+Artemis 5768 2009.10.11 -
McAfee-GW-Edition 6.8.5 2009.10.12 -
Microsoft 1.5101 2009.10.11 -
NOD32 4498 2009.10.11 -
Norman 6.01.09 2009.10.11 -
nProtect 2009.1.8.0 2009.10.11 -
Panda 10.0.2.2 2009.10.11 -
PCTools 4.4.2.0 2009.10.11 -
Prevx 3.0 2009.10.12 -
Rising 21.50.60.00 2009.10.11 -
Sophos 4.45.0 2009.10.12 -
Sunbelt 3.2.1858.2 2009.10.11 WootBot
Symantec 1.4.4.12 2009.10.12 -
TheHacker 6.5.0.2.038 2009.10.12 -
TrendMicro 8.950.0.1094 2009.10.11 -
VBA32 3.12.10.11 2009.10.11 -
ViRobot 2009.10.9.1978 2009.10.09 -
VirusBuster 4.6.5.0 2009.10.11 -
Additional information
File size: 4608 bytes
MD5 : 82b006aa0e496983a112a61df57a9677
SHA1 : 3150fc701f26cf80502857cb2fbfb859c349dd9f
SHA256: 1c1b4ad96af649f217a3d56b3d82547f40a775698b7e8bcbc9334cd545bda59f
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8BF0
timedatestamp.....: 0x3F92557E (Sun Oct 19 11:12:30 2003)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x7000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x8000 0x1000 0xE00 7.52 f077fa8b6489b8a80241dbe0d4162aaf
UPX2 0x9000 0x1000 0x200 2.23 9943b96dcadb10470f658ac832ac5274

( 0 imports )


( 0 exports )

TrID : File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
ssdeep: 96:rM00wpRLON4kU4mw6nFzhO6x+YghpXVyN381X+H1:w00wCN4kU4m/nF9O6lcJVyN38
PEiD : -
packers (Kaspersky): UPX
packers (F-Prot): UPX
RDS : NSRL Reference Data Set
-


__________________________________________________________________________________________________________________

Results from: http://www.virustotal.com/

c:\windows\system\driver\cygwin1.dll

First Attempt Resulted in this...
Exception
Please report failure as: ErrorTime= "Apr 11 19:21:41"
http://www.virustotal.com/vt/en/recepcion?...6ccee729663df52

Second Result Resulted in this...

File has already been analysed:
MD5: 2852ff9d8f43590d3963b298f9a6492e
First received: 2007.03.30 11:26:52 UTC
Date: 2009.12.13 08:04:42 UTC [>119D]
Results: 0/41
Permalink: analisis/e19cdbce37da1ed5acfd8e7b888922fda770ebf52e9164bcf3c8036f33184780-1260691482



File cygwin1.dll received on 2009.12.13 08:04:42 (UTC)
Current status: finished

Result: 0/41 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.13 -
AhnLab-V3 5.0.0.2 2009.12.12 -
AntiVir 7.9.1.108 2009.12.11 -
Antiy-AVL 2.0.3.7 2009.12.11 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.12 -
AVG 8.5.0.427 2009.12.12 -
BitDefender 7.2 2009.12.13 -
CAT-QuickHeal 10.00 2009.12.12 -
ClamAV 0.94.1 2009.12.13 -
Comodo 3226 2009.12.13 -
DrWeb 5.0.0.12182 2009.12.13 -
eSafe 7.0.17.0 2009.12.10 -
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.12 -
F-Secure 9.0.15370.0 2009.12.13 -
Fortinet 4.0.14.0 2009.12.13 -
GData 19 2009.12.13 -
Ikarus T3.1.1.74.0 2009.12.13 -
Jiangmin 13.0.900 2009.12.13 -
K7AntiVirus 7.10.918 2009.12.11 -
Kaspersky 7.0.0.125 2009.12.13 -
McAfee 5830 2009.12.12 -
McAfee+Artemis 5830 2009.12.12 -
McAfee-GW-Edition 6.8.5 2009.12.13 -
Microsoft 1.5302 2009.12.13 -
NOD32 4682 2009.12.12 -
Norman 6.04.03 2009.12.12 -
nProtect 2009.1.8.0 2009.12.13 -
Panda 10.0.2.2 2009.12.12 -
PCTools 7.0.3.5 2009.12.12 -
Prevx 3.0 2009.12.13 -
Rising 22.25.06.03 2009.12.13 -
Sophos 4.48.0 2009.12.13 -
Sunbelt 3.2.1858.2 2009.12.13 -
Symantec 1.4.4.12 2009.12.13 -
TheHacker 6.5.0.2.092 2009.12.12 -
TrendMicro 9.100.0.1001 2009.12.13 -
VBA32 3.12.12.0 2009.12.12 -
ViRobot 2009.12.12.2085 2009.12.12 -
VirusBuster 5.0.21.0 2009.12.12 -
Additional information
File size: 1140617 bytes
MD5 : 2852ff9d8f43590d3963b298f9a6492e
SHA1 : 63b0ce1799cd60696968fda81f6fa0ffa81deb47
SHA256: e19cdbce37da1ed5acfd8e7b888922fda770ebf52e9164bcf3c8036f33184780
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x58A60
timedatestamp.....: 0x4192193F (Wed Nov 10 14:35:59 2004)
machinetype.......: 0x14C (Intel I386)

( 36 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xEE498 0xEE600 6.60 ab14f85b63c7034b2de916ab8b337796
.data 0xF0000 0x828C 0x8400 5.60 ec88b0abba33c578bf7879fabee4b764
_4 0xF9000 0x144 0x200 2.38 9da500dd7baaf61db5bf0bf203b2716e
_17 0xFA000 0x378 0x400 3.05 908fcb9d70ce2b702ba395304aa012df
_31 0xFB000 0x6C0 0x800 2.89 2cb3bd7f5e0d2934f715b455e7749dc9
_46 0xFC000 0xB50 0xC00 4.76 8af42821e7b21c3cf27afe2b27a2613b
_61 0xFD000 0xB0 0x200 1.63 e632cc1f2a1c67b0d276461ae0270f8e
_76 0xFE000 0x120 0x200 3.13 b17c799cea843ab673d421565cae3d6c
_91 0xFF000 0x160 0x200 2.39 8257fc174a276b0e422b852e7d007da0
_103 0x100000 0x2C0 0x400 3.70 2d6a6073d3bad0eb4a5d14346314c3af
_115 0x101000 0x2C 0x200 0.49 e4b38eea3b399a3d83bcbc620a22ee06
_127 0x102000 0x58 0x200 1.19 13b4e74b2bee6989abdd94db6e1704fc
_139 0x103000 0x78 0x200 1.21 19c61028cfd9b2a7e5df61c3d78c0288
_153 0x104000 0xE8 0x200 2.65 d1a214c83859c8feea3eacb970f88ea0
_167 0x105000 0x310 0x400 2.72 6778832594dd05ed499fd8630f7503f8
_180 0x106000 0x560 0x600 4.39 a034df411befdb89bb075124c71a53f1
_193 0x107000 0x4E0 0x600 3.87 fe12ae951e6c747e9712f42686a94c9a
_207 0x108000 0x1F0 0x200 4.53 b22b478d7b2260d1924b37864391f4e0
_220 0x109000 0x64 0x200 1.00 de23b4b8d37c223d845ad26bff839718
_235 0x10A000 0x90 0x200 1.70 f3539f31eb3a35c7df29810bafafd189
_250 0x10B000 0x44 0x200 0.70 5275073df51a1f41daab58c96398260e
_262 0x10C000 0x78 0x200 1.42 27a15fd66c5238ed2c6eb1cfcef14f33
_274 0x10D000 0x190 0x200 2.90 92c97ded37f0c4a0b8e316829d3d8963
_289 0x10E000 0x298 0x400 3.64 8c834b752e3f930092d0fde5f37d4f13
_304 0x10F000 0x1D0 0x200 2.79 67abf0a6dafc2342bdb9fd4eec45d161
_316 0x110000 0x330 0x400 3.91 d578d4136439972ae06cc245c96b4b72
_328 0x111000 0x30 0x200 0.53 cc02779db4529a1fa1b468e8fe4ab38a
_341 0x112000 0x50 0x200 1.04 6e7e01dbd38b340b897728ee3848dd45
_354 0x113000 0x120 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
_375 0x114000 0x20 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x115000 0x23A0 0x2400 4.84 0cd007430b59091e9facd5f2e495be88
.bss 0x118000 0x9520 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x122000 0x77BF 0x7800 5.94 48255949df231a4385d784a86d16cd14
.idata 0x12A000 0x18B8 0x1A00 5.19 9ee9b2a5b75a14cd403268f46125c26b
.rsrc 0x12C000 0x428 0x600 2.61 aec3082c73cf506135cbe46836dea1ce
.reloc 0x12D000 0xDC04 0xDE00 6.69 7f15cbf342a555117776da0a3e321182

( 2 imports )

> advapi32.dll: RegCloseKey
> kernel32.dll: AllocConsole, BackupRead, BackupSeek, BackupWrite, ClearCommBreak, ClearCommError, CloseHandle, CompareFileTime, CopyFileA,
CreateDirectoryA, CreateEventA, CreateFileA, CreateFileMappingA, CreateMutexA, CreateNamedPipeA, CreatePipe, CreateProcessA, CreateSemaphoreA,
CreateTapePartition, CreateThread, DeleteCriticalSection, DeleteFileA, DeviceIoControl, DuplicateHandle, EnterCriticalSection, EraseTape, EscapeCommFunction,
ExitProcess, ExitThread, ExpandEnvironmentStringsA, FillConsoleOutputAttribute, FillConsoleOutputCharacterA, FindClose, FindFirstChangeNotificationA, FindFirstFileA,
FindNextChangeNotification, FindNextFileA, FlushConsoleInputBuffer, FlushFileBuffers, FlushViewOfFile, FreeConsole, FreeEnvironmentStringsA, FreeLibrary, GetACP,
GetCommModemStatus, GetCommState, GetCommandLineA, GetComputerNameA, GetConsoleCP, GetConsoleMode, GetConsoleOutputCP, GetConsoleScreenBufferInfo,
GetConsoleTitleA, GetCurrentDirectoryA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceA, GetDriveTypeA,
GetEnvironmentStrings, GetEnvironmentVariableA, GetExitCodeProcess, GetFileAttributesA, GetFileInformationByHandle, GetFileSize, GetFileType, GetFullPathNameA,
GetLastError, GetLogicalDriveStringsA, GetLogicalDrives, GetModuleFileNameA, GetModuleHandleA, GetNumberOfConsoleInputEvents, GetOEMCP, GetOverlappedResult,
GetPriorityClass, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime,
GetTapeParameters, GetTapePosition, GetTapeStatus, GetThreadContext, GetThreadPriority, GetTickCount, GetTimeZoneInformation, GetVersionExA, GetVolumeInformationA,
GetWindowsDirectoryA, GlobalAlloc, GlobalFree, GlobalLock, GlobalMemoryStatus, GlobalUnlock, InitializeCriticalSection, IsBadReadPtr, IsBadStringPtrA, IsBadWritePtr,
LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LockFile, LockFileEx, MapViewOfFileEx, MoveFileA, MoveFileExA, MultiByteToWideChar, OpenEventA, OpenFileMappingA,
OpenMutexA, OpenProcess, OpenSemaphoreA, OutputDebugStringA, PeekConsoleInputA, PeekNamedPipe, PrepareTape, PurgeComm, QueryDosDeviceA, QueryPerformanceCounter,
QueryPerformanceFrequency, ReadConsoleInputA, ReadConsoleOutputA, ReadFile, ReadProcessMemory, ReleaseMutex, ReleaseSemaphore, RemoveDirectoryA, ResetEvent,
ResumeThread, RtlUnwind, ScrollConsoleScreenBufferA, SetCommBreak, SetCommMask, SetCommState, SetCommTimeouts, SetConsoleCtrlHandler, SetConsoleCursorPosition,
SetConsoleMode, SetConsoleTextAttribute, SetConsoleTitleA, SetCurrentDirectoryA, SetEndOfFile, SetEnvironmentVariableA, SetErrorMode, SetEvent, SetFileApisToANSI,
SetFileApisToOEM, SetFileAttributesA, SetFilePointer, SetFileTime, SetHandleInformation, SetLastError, SetNamedPipeHandleState, SetPriorityClass, SetStdHandle, SetSystemTime,
SetTapeParameters, SetTapePosition, SetThreadAffinityMask, SetThreadContext, SetThreadPriority, Sleep, SuspendThread, SystemTimeToFileTime, TerminateProcess, TerminateThread,
TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TransmitCommChar, UnlockFile, UnlockFileEx, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualProtectEx, VirtualQuery,
WaitCommEvent, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeA, WideCharToMultiByte, WriteConsoleOutputA, WriteFile, WriteProcessMemory, WriteTapemark

( 1 exports )

> __argc, __argv, __argz_add, __argz_add_sep, __argz_append, __argz_count, __argz_create, __argz_create_sep, __argz_delete, __argz_extract, __argz_insert, __argz_next, __argz_replace,
__argz_stringify, __assert, __assertfail, __check_rhosts_file, __ctype_ptr, __cygwin_environ, __cygwin_user_data, __envz_add, __envz_entry, __envz_get, __envz_merge, __envz_remove,
__envz_strip, __eprintf, __errno, __f_atan2, __f_atan2f, __f_exp, __f_expf, __f_frexp, __f_frexpf, __f_ldexp, __f_ldexpf, __f_log, __f_log10, __f_log10f, __f_logf, __f_pow, __f_powf, __f_tan, __f_tanf,
__fpclassifyd, __fpclassifyf, __getreent, __infinity, __main, __mb_cur_max, __mempcpy, __progname, __rcmd_errstr, __signbitd, __signbitf, __signgam, __srget, __swbuf, _abort, _abs, _access, _acl,
_acl32, _aclcheck, _aclcheck32, _aclfrommode, _aclfrommode32, _aclfrompbits, _aclfrompbits32, _aclfromtext, _aclfromtext32, _aclsort, _aclsort32, _acltomode, _acltomode32, _acltopbits, _acltopbits32,
_acltotext, _acltotext32, _acos, _acosf, _acosh, _acoshf, _alarm, _alloca, _alphasort, _asctime, _asctime_r, _asin, _asinf, _asinh, _asinhf, _asprintf, _asprintf_r, _atan, _atan2, _atan2f, _atanf, _atanh,
_atanhf, _atexit, _atof, _atoff, _atoi, _atol, _bcmp, _bcopy, _bsearch, _bzero, _cabs, _cabsf, _calloc, _cbrt, _cbrtf, _ceil, _ceilf, _chdir, _check_for_executable, _chmod, _chown, _chown32, _chroot,
_clearerr, _clock, _close, _closedir, _closelog, _copysign, _copysignf, _cos, _cosf, _cosh, _coshf, _creat, _ctime, _ctime_r, _ctype_, _cuserid, _cwait, _daylight, _difftime, _dirfd, _div, _dll_crt0@0,
_drand48, _drem, _dremf, _dup, _dup2, _ecvt, _ecvtbuf, _ecvtf, _endgrent, _endmntent, _endpwent, _endutent, _erand48, _erf, _erfc, _erfcf, _erff, _execl, _execle, _execlp, _execv, _execve,
_execvp, _exit, _exp, _expf, _expm1, _expm1f, _f_atan2, _f_atan2f, _f_exp, _f_expf, _f_frexp, _f_frexpf, _f_ldexp, _f_ldexpf, _f_log, _f_log10, _f_log10f, _f_logf, _f_pow, _f_powf, _f_tan, _f_tanf,
_fabs, _fabsf, _facl, _facl32, _fchdir, _fchmod, _fchown, _fchown32, _fclose, _fcloseall, _fcloseall_r, _fcntl, _fcntl64, _fcvt, _fcvtbuf, _fcvtf, _fdopen, _fdopen64, _feof, _ferror, _fflush, _ffs, _fgetc, _fgetpos,
_fgetpos64, _fgets, _fileno, _finite, _finitef, _fiprintf, _floor, _floorf, _fmod, _fmodf, _fnmatch, _fopen, _fopen64, _fork, _fprintf, _fputc, _fputs, _fread, _free, _freopen, _freopen64, _frexp, _frexpf, _fscanf,
_fscanf_r, _fseek, _fseeko, _fseeko64, _fsetpos, _fsetpos64, _fstat, _fstat64, _fstatfs, _fsync, _ftell, _ftello, _ftello64, _ftime, _ftok, _ftruncate, _ftruncate64, _fwrite, _gamma, _gamma_r, _gammaf, _gammaf_r,
_gcvt, _gcvtf, _get_osfhandle, _getc, _getc_unlocked, _getchar, _getchar_unlocked, _getcwd, _getdomainname, _getdtablesize, _getegid, _getegid32, _getenv, _geteuid, _geteuid32, _getgid, _getgid32,
_getgrent, _getgrent32, _getgrgid, _getgrgid32, _getgrnam, _getgrnam32, _getgroups, _getgroups32, _gethostname, _getlogin, _getmntent, _getmode, _getpagesize, _getpass, _getpgrp, _getpid, _getppid,
_getpwduid, _getpwent, _getpwnam, _getpwuid, _getpwuid32, _getpwuid_r32, _getrlimit, _getrusage, _gets, _gettimeofday, _getuid, _getuid32, _getutent, _getutid, _getutline, _getw, _getwd, _glob,
_globfree, _gmtime, _gmtime_r, _htonl, _htons, _hypot, _hypotf, _ilogb, _ilogbf, _impure_ptr, _index, _infinity, _infinityf, _initgroups32, _ioctl, _iprintf, _isalnum, _isalpha, _isascii, _isatty, _iscntrl, _isdigit,
_isgraph, _isinf, _isinff, _islower, _isnan, _isnanf, _isprint, _ispunct, _isspace, _isupper, _isxdigit, _j0, _j0f, _j1, _j1f, _jn, _jnf, _jrand48, _kill, _labs, _lacl, _lchown, _lchown32, _lcong48, _ldexp, _ldexpf,
_ldiv, _lgamma, _lgamma_r, _lgammaf, _lgammaf_r, _link, _localeconv, _localtime, _localtime_r, _log, _log10, _log10f, _log1p, _log1pf, _logb, _logbf, _logf, _longjmp, _lrand48, _lseek, _lseek64, _lstat,
_lstat64, _malloc, _matherr, _mblen, _mbstowcs, _mbtowc, _memccpy, _memchr, _memcmp, _memcpy, _memmove, _memset, _mkdir, _mknod, _mknod32, _mkstemp, _mktemp, _mktime, _mmap64,
_modf, _modff, _mount, _nan, _nanf, _nanosleep, _nextafter, _nextafterf, _nice, _nl_langinfo, _nrand48, _ntohl, _ntohs, _open, _open64, _opendir, _openlog, _pathconf, _pclose, _perror, _pipe, _poll,
_popen, _pow, _powf, _printf, _pthread_cleanup_pop, _pthread_cleanup_push, _putc, _putc_unlocked, _putchar, _putchar_unlocked, _putenv, _puts, _pututline, _putw, _qsort, _raise, _rand, _read,
_readdir, _readlink, _readv, _realloc, _remainder, _remainderf, _remove, _rename, _rewind, _rewinddir, _rindex, _rint, _rintf, _rmdir, _sbrk, _scalb, _scalbf, _scalbn, _scalbnf, _scandir, _scanf, _scanf_r,
_seed48, _seekdir, _seekdir64, _select, _setbuf, _setdtablesize, _setegid, _setegid32, _setenv, _seteuid, _seteuid32, _setgid, _setgid32, _setgrent, _setgroups, _setgroups32, _setjmp, _setlocale, _setmntent,
_setmode, _setpassent, _setpgid, _setpgrp, _setpwent, _setregid, _setregid32, _setreuid, _setreuid32, _setrlimit, _setsid, _settimeofday, _setuid, _setuid32, _setutent, _setvbuf, _sin, _sinf, _sinh, _sinhf,
_siprintf, _sleep, _snprintf, _spawnl, _spawnle, _spawnlp, _spawnlpe, _spawnv, _spawnve, _spawnvp, _spawnvpe, _sprintf, _sqrt, _sqrtf, _srand, _srand48, _sscanf, _sscanf_r, _stat, _stat64, _statfs,
_strcasecmp, _strcat, _strchr, _strcmp, _strcoll, _strcpy, _strcspn, _strdup, _strerror, _strerror_r, _strftime, _strlcat, _strlcpy, _strlen, _strlwr, _strncasecmp, _strncat, _strncmp, _strncpy, _strpbrk, _strptime,
_strrchr, _strsep, _strspn, _strstr, _strtod, _strtodf, _strtok, _strtok_r, _strtol, _strtold, _strtoll, _strtoul, _strtoull, _strupr, _strxfrm, _swab, _symlink, _sync, _sys_errlist, _sys_nerr, _sysconf, _syslog, _system,
_tan, _tanf, _tanh, _tanhf, _tcdrain, _tcflow, _tcflush, _tcgetattr, _tcgetpgrp, _tcsendbreak, _tcsetattr, _tcsetpgrp, _telldir, _telldir64, _tempnam, _time, _times, _timezone, _tmpfile, _tmpfile64, _tmpnam, _toascii,
_tolower, _toupper, _truncate, _truncate64, _ttyname, _tzname, _tzset, _ualarm, _umask, _umount, _uname, _ungetc, _unlink, _unsetenv, _usleep, _utime, _utimes, _utmpname, _vasprintf, _vasprintf_r,
_vfiprintf, _vfork, _vfprintf, _vfscanf, _vfscanf_r, _vhangup, _vprintf, _vscanf, _vscanf_r, _vsnprintf, _vsprintf, _vsscanf, _vsscanf_r, _wait, _waitpid, _wcscmp, _wcslen, _wcstombs, _wctomb, _wprintf, _write,
_writev, a64l, abort, abs, accept, access, acl, aclcheck, aclfrommode, aclfrompbits, aclfromtext, aclsort, acltomode, acltopbits, acltotext, acos, acosf, acosh, acoshf, alarm, alphasort, argz_add, argz_add_sep,
argz_append, argz_count, argz_create, argz_create_sep, argz_delete, argz_extract, argz_insert, argz_next, argz_replace, argz_stringify, asctime, asctime_r, asin, asinf, asinh, asinhf, asprintf, asprintf_r,
atan, atan2, atan2f, atanf, atanh, atanhf, atexit, atof, atoff, atoi, atol, atoll, bcmp, bcopy, bind, bsearch, btowc, bzero, cabs, cabsf, calloc, cbrt, cbrtf, ceil, ceilf, cfgetispeed, cfgetospeed, cfsetispeed, cfsetospeed,
chdir, chmod, chown, chroot, cleanup_glue, clearerr, clock, clock_gettime, close, closedir, closelog, connect, copysign, copysignf, cos, cosf, cosh, coshf, creat, ctermid, ctime, ctime_r, cuserid, cwait,
cygwin32_attach_handle_to_fd, cygwin32_conv_to_full_posix_path, cygwin32_conv_to_full_win32_path, cygwin32_conv_to_posix_path, cygwin32_conv_to_win32_path, cygwin32_detach_dll,
cygwin32_internal, cygwin32_posix_path_list_p, cygwin32_posix_to_win32_path_list, cygwin32_posix_to_win32_path_list_buf_size, cygwin32_split_path, cygwin32_win32_to_posix_path_list,
cygwin32_win32_to_posix_path_list_buf_size, cygwin32_winpid_to_pid, cygwin_attach_handle_to_fd, cygwin_conv_to_full_posix_path, cygwin_conv_to_full_win32_path, cygwin_conv_to_posix_path,
cygwin_conv_to_win32_path, cygwin_detach_dll, cygwin_dll_init, cygwin_internal, cygwin_logon_user, cygwin_posix_path_list_p, cygwin_posix_to_win32_path_list, cygwin_posix_to_win32_path_list_buf_size,
cygwin_set_impersonation_token, cygwin_split_path, cygwin_stackdump, cygwin_umount, cygwin_win32_to_posix_path_list, cygwin_win32_to_posix_path_list_buf_size, cygwin_winpid_to_pid, daemon,
difftime, dirfd, div, dlclose, dlerror, dlfork, dll_crt0__FP11per_process, dll_dllcrt0, dll_entry@12, dll_noncygwin_dllcrt0, dlopen, dlsym, drand48, drem, dremf, dup, dup2, ecvt, ecvtbuf, ecvtf, endgrent,
endhostent, endmntent, endprotoent, endpwent, endservent, endusershell, endutent, envz_add, envz_entry, envz_get, envz_merge, envz_remove, envz_strip, erand48, erf, erfc, erfcf, erff, err, errx,
execl, execle, execlp, execv, execve, execvp, exit, exp, exp2, exp2f, expf, expm1, expm1f, fabs, fabsf, facl, fchdir, fchmod, fchown, fclose, fcloseall, fcloseall_r, fcntl, fcvt, fcvtbuf, fcvtf, fdim, fdimf, fdopen,
feof, ferror, fflush, ffs, fgetc, fgetpos, fgets, fileno, finite, finitef, fiprintf, flock, flockfile, floor, floorf, fma, fmaf, fmax, fmaxf, fmin, fminf, fmod, fmodf, fnmatch, fopen, fork, forkpty, fpathconf, fprintf, fputc, fputs, fread,
free, freopen, frexp, frexpf, fscanf, fscanf_r, fseek, fseeko, fsetpos, fstat, fstatfs, fsync, ftell, ftello, ftime, ftok, ftruncate, ftrylockfile, funlockfile, fwrite, gamma, gamma_r, gammaf, gammaf_r, gcvt, gcvtf, get_osfhandle,
getc, getc_unlocked, getchar, getchar_unlocked, getcwd, getdomainname, getdtablesize, getegid, getenv, geteuid, getgid, getgrent, getgrgid, getgrgid_r, getgrnam, getgrnam_r, getgroups, gethostbyaddr,
gethostbyname, gethostid, gethostname, getitimer, getlogin, getlogin_r, getmntent, getmode, getopt, getopt_long, getpagesize, getpass, getpeername, getpgid, getpgrp, getpid, getppid, getprogname,
getprotobyname, getprotobynumber, getprotoent, getpwduid, getpwent, getpwnam, getpwnam_r, getpwuid, getpwuid_r, getrlimit, getrusage, gets, getservbyname, getservbyport, getservent, getsid,
getsockname, getsockopt, gettimeofday, getuid, getusershell, getutent, getutid, getutline, getw, getwd, glob, globfree, gmtime, gmtime_r, grantpt, h_errno, hcreate, hcreate_r, hdestroy, hdestroy_r, herror,
hsearch, hsearch_r, hstrerror, htonl, htons, hypot, hypotf, ilogb, ilogbf, index, inet_addr, inet_aton, inet_makeaddr, inet_netof, inet_network, inet_ntoa, infinity, infinityf, initgroups, initstate, ioctl, iprintf, iruserok,
isalnum, isalpha, isascii, isatty, isblank, iscntrl, isdigit, isgraph, isinf, isinff, islower, isnan, isnanf, isprint, ispunct, isspace, isupper, iswalnum, iswalpha, iswblank, iswcntrl, iswctype, iswdigit, iswgraph, iswlower,
iswprint, iswpunct, iswspace, iswupper, iswxdigit, isxdigit, j0, j0f, j1, j1f, jn, jnf, jrand48, kill, killpg, l64a, labs, lacl, lchown, lcong48, ldexp, ldexpf, ldiv, lgamma, lgamma_r, lgammaf, lgammaf_r, link, listen,
localeconv, localtime, localtime_r, log, log10, log10f, log1p, log1pf, logb, logbf, logf, login, login_tty, logout, logwtmp, longjmp, lrand48, lrint, lrintf, lround, lroundf, lseek, lstat, mallinfo, malloc, malloc_stats,
malloc_trim, malloc_usable_size, mallopt, matherr, mblen, mbrlen, mbrtowc, mbsinit, mbsrtowcs, mbstowcs, mbtowc, memalign, memccpy, memchr, memcmp, memcpy, memmove, mempcpy, memset,
mkdir, mkfifo, mknod, mkstemp, mktemp, mktime, mmap, modf, modff, mount, mprotect, mrand48, msgctl, msgget, msgrcv, msgsnd, msync, munmap, nan, nanf, nanosleep, nearbyint, nearbyintf, nextafter,
nextafterf, nice, nl_langinfo, nrand48, ntohl, ntohs, on_exit, open, opendir, openlog, openpty, optarg, opterr, optind, optopt, optreset, pathconf, pause, pclose, perror, pipe, poll, popen, posix_regcomp,
posix_regerror, posix_regexec, posix_regfree, pow, powf, printf, pthread_atfork, pthread_attr_destroy, pthread_attr_getdetachstate, pthread_attr_getinheritsched, pthread_attr_getschedparam,
pthread_attr_getschedpolicy, pthread_attr_getscope, pthread_attr_getstacksize, pthread_attr_init, pthread_attr_setdetachstate, pthread_attr_setinheritsched, pthread_attr_setschedparam,
pthread_attr_setschedpolicy, pthread_attr_setscope, pthread_attr_setstacksize, pthread_cancel, pthread_cond_broadcast, pthread_cond_destroy, pthread_cond_init, pthread_cond_signal,
pthread_cond_timedwait, pthread_cond_wait, pthread_condattr_destroy, pthread_condattr_getpshared, pthread_condattr_init, pthread_condattr_setpshared, pthread_continue, pthread_create,
pthread_detach, pthread_equal, pthread_exit, pthread_getconcurrency, pthread_getschedparam, pthread_getsequence_np, pthread_getspecific, pthread_join, pthread_key_create,
pthread_key_delete, pthread_kill, pthread_mutex_destroy, pthread_mutex_getprioceiling, pthread_mutex_init, pthread_mutex_lock, pthread_mutex_setprioceiling, pthread_mutex_trylock,
pthread_mutex_unlock, pthread_mutexattr_destroy, pthread_mutexattr_getprioceiling, pthread_mutexattr_getprotocol, pthread_mutexattr_getpshared, pthread_mutexattr_gettype, pthread_mutexattr_init,
pthread_mutexattr_setprioceiling, pthread_mutexattr_setprotocol, pthread_mutexattr_setpshared, pthread_mutexattr_settype, pthread_once, pthread_rwlock_destroy, pthread_rwlock_init,
pthread_rwlock_rdlock, pthread_rwlock_tryrdlock, pthread_rwlock_trywrlock, pthread_rwlock_unlock, pthread_rwlock_wrlock, pthread_rwlockattr_destroy, pthread_rwlockattr_getpshared,
pthread_rwlockattr_init, pthread_rwlockattr_setpshared, pthread_self, pthread_setcancelstate, pthread_setcanceltype, pthread_setconcurrency, pthread_setschedparam, pthread_setspecific,
pthread_sigmask, pthread_suspend, pthread_testcancel, ptsname, putc, putc_unlocked, putchar, putchar_unlocked, putenv, puts, pututline, putw, qsort, raise, rand, rand_r, random, rcmd, read,
readdir, readlink, readv, realloc, realpath, recv, recvfrom, recvmsg, reent_data, regcomp, regerror, regexec, regfree, regsub, remainder, remainderf, remove, remquo, remquof, rename, revoke,
rewind, rewinddir, rexec, rindex, rint, rintf, rmdir, round, roundf, rresvport, ruserok, sbrk, scalb, scalbf, scalbln, scalblnf, scalbn, scalbnf, scandir, scanf, scanf_r, sched_get_priority_max,
sched_get_priority_min, sched_getparam, sched_getscheduler, sched_rr_get_interval, sched_setparam, sched_setscheduler, sched_yield, seed48, seekdir, select, sem_close, sem_destroy,
sem_getvalue, sem_init, sem_open, sem_post, sem_timedwait, sem_trywait, sem_wait, semctl, semget, semop, send, sendmsg, sendto, setbuf, setbuffer, setdtablesize, setegid, setenv, seteuid,
setgid, setgrent, setgroups, sethostent, setitimer, setjmp, setlinebuf, setlocale, setlogmask, setmntent, setmode, setpassent, setpgid, setpgrp, setprogname, setprotoent, setpwent, setregid, setregid32,
setreuid, setreuid32, setrlimit, setservent, setsid, setsockopt, setstate, settimeofday, setuid, setusershell, setutent, setvbuf, sexecl, sexecle, sexeclp, sexeclpe, sexecp, sexecv, sexecve, sexecvpe,
shmat, shmctl, shmdt, shmget, shutdown, sigaction, sigaddset, sigdelset, sigemptyset, sigfillset, sighold, siginterrupt, sigismember, signal, significand, significandf, sigpause, sigpending, sigprocmask,
sigqueue, sigsuspend, sigwait, sigwaitinfo, sin, sincos, sincosf, sinf, sinh, sinhf, siprintf, sleep, snprintf, socket, socketpair, spawnl, spawnle, spawnlp, spawnlpe, spawnv, spawnve, spawnvp, spawnvpe,
sprintf, sqrt, sqrtf, srand, srand48, srandom, sscanf, sscanf_r, stat, statfs, strcasecmp, strcat, strchr, strcmp, strcoll, strcpy, strcspn, strdup, strerror, strerror_r, strftime, strlcat, strlcpy, strlen, strlwr,
strncasecmp, strncat, strncmp, strncpy, strndup, strnlen, strpbrk, strptime, strrchr, strsep, strsignal, strspn, strstr, strtod, strtodf, strtof, strtok, strtok_r, strtol, strtoll, strtosigno, strtoul, strtoull, strupr, strxfrm,
swab, symlink, sync, sys_errlist, sys_nerr, sysconf, syslog, system, tan, tanf, tanh, tanhf, tcdrain, tcflow, tcflush, tcgetattr, tcgetpgrp, tcsendbreak, tcsetattr, tcsetpgrp, tdelete, tdestroy, telldir, tempnam,
tfind, tgamma, tgammaf, time, timer_create, timer_delete, timer_settime, times, timezone, tmpfile, tmpnam, toascii, tolower, toupper, towctrans, towlower, towupper, trunc, truncate, truncf, tsearch,
ttyname, ttyname_r, ttyslot, twalk, tzset, ualarm, umask, umount, uname, ungetc, unlink, unlockpt, unsetenv, updwtmp, usleep, utime, utimes, utmpname, valloc, vasprintf, vasprintf_r, verr, verrx,
vfiprintf, vfork, vfprintf, vfscanf, vfscanf_r, vhangup, vprintf, vscanf, vscanf_r, vsnprintf, vsprintf, vsscanf, vsscanf_r, vsyslog, vwarn, vwarnx, wait, wait3, wait4, waitpid, warn, warnx, wcrtomb,
wcscat, wcschr, wcscmp, wcscoll, wcscpy, wcscspn, wcslcat, wcslcpy, wcslen, wcsncat, wcsncmp, wcsncpy, wcspbrk, wcsrchr, wcsrtombs, wcsspn, wcsstr, wcstombs, wcswidth, wctob, wctomb,
wctrans, wctype, wcwidth, wmemchr, wmemcmp, wmemcpy, wmemmove, wmemset, wprintf, write, writev, y0, y0f, y1, y1f, yn, ynf
TrID : File type identification
55.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
17.5% (.SCR) Windows Screen Saver (13105/51/3)
11.3% (.EXE) Win32 Executable Generic (8527/13/3)
10.1% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
2.6% (.EXE) Generic Win/DOS Executable (2002/3)
ssdeep: 24576:8QNQwonbn3KRkjhxwmeyVknSIJx3K8N1tVEmXOcRmYPlz+6:8QNQPa8wh26SIJx6yimXzmYPxv
PEiD : -
CWSandbox: http://research.sunbelt-software.com/partn...963b298f9a6492e
RDS : NSRL Reference Data Set
-

Additional Result from...
http://research.sunbelt-software.com/partn...963b298f9a6492e

Sunbelt Software™ CWSandbox Report


Submission Summary
Analysis Summary
CWSandbox Version: 1.115
Time: 3/30/2007 2:16:28 PM
Submitted File: 2852ff9d8f43590d3963b298f9a6492e.exe
Logpath: C:\analysis\log\2852ff9d8f43590d3963b298f9a6492e.exe\run_1\
Main Process (1)

Process # 1, (ID: 996)
c:\temp\2852ff9d8f43590d3963b298f9a6492e.exe
Start Time: 00:00.156
Start Reason: AnalysisTarget

Scanners Used
Process # 1, (ID: 996)

Authentium Command Antivirus , Version: 4.92.123.35
BitDefender Antivirus , Version: 7.0.0.2311
CounterSpy , Version: 2.1.628.0
Microsoft Malware Protection , Version: 1.1.1904.0
Norton AntiVirus , Version: 20061.3.0.12

__________________________________________________________________________________________________________________

Results from: http://www.virustotal.com/

c:\windows\system\driver\servicelogon.dll

File has already been analysed:
MD5: fa59828cf8a77b077318efa7d667b9e9
First received: 2010.04.11 17:30:47 UTC
Date: 2010.04.11 17:30:47 UTC [<1D]
Results: 0/39
Permalink: analisis/b832e9e2b68fa089ff9c3d5c281d5e727423a3350940d205788d070e105cffb3-1271007047



File servicelogon.dll received on 2010.04.11 17:30:47 (UTC)
Current status: finished

Result: 0/39 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.11 -
AhnLab-V3 5.0.0.2 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 -
Authentium 5.2.0.5 2010.04.11 -
Avast 4.8.1351.0 2010.04.11 -
Avast5 5.0.332.0 2010.04.11 -
AVG 9.0.0.787 2010.04.11 -
BitDefender 7.2 2010.04.11 -
CAT-QuickHeal 10.00 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.11 -
Comodo 4569 2010.04.11 -
DrWeb 5.0.2.03300 2010.04.11 -
eSafe 7.0.17.0 2010.04.11 -
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.11 -
F-Secure 9.0.15370.0 2010.04.11 -
Fortinet 4.0.14.0 2010.04.10 -
GData 19 2010.04.11 -
Ikarus T3.1.1.80.0 2010.04.11 -
Jiangmin 13.0.900 2010.04.11 -
Kaspersky 7.0.0.125 2010.04.11 -
McAfee-GW-Edition 6.8.5 2010.04.11 -
Microsoft 1.5605 2010.04.11 -
NOD32 5018 2010.04.11 -
Norman 6.04.11 2010.04.10 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.11 -
PCTools 7.0.3.5 2010.04.11 -
Prevx 3.0 2010.04.11 -
Rising 22.42.06.04 2010.04.11 -
Sophos 4.52.0 2010.04.11 -
Sunbelt 6164 2010.04.11 -
Symantec 20091.2.0.41 2010.04.11 -
TheHacker 6.5.2.0.259 2010.04.11 -
TrendMicro 9.120.0.1004 2010.04.11 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.10.2270 2010.04.10 -
VirusBuster 5.0.27.0 2010.04.11 -
Additional information
File size: 1478 bytes
MD5 : fa59828cf8a77b077318efa7d667b9e9
SHA1 : 9aa17e7da53903e44773958e13ef43f1f4f51b69
SHA256: b832e9e2b68fa089ff9c3d5c281d5e727423a3350940d205788d070e105cffb3
TrID : File type identification
Unknown!
ssdeep: 24:cGDZ3+ER0u38LM/vr1sBOBqCq2dT7WHRF:cGLr3Vmd
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD : -
RDS : NSRL Reference Data Set
-


__________________________________________________________________________________________________________________

Results from: http://www.virustotal.com/

c:\windows\system\driver\servicesmgr.dll


File servicesmgr.dll received on 2010.04.11 17:45:38 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.11 -
AhnLab-V3 5.0.0.2 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 -
Authentium 5.2.0.5 2010.04.11 -
Avast 4.8.1351.0 2010.04.11 -
Avast5 5.0.332.0 2010.04.11 -
AVG 9.0.0.787 2010.04.11 -
BitDefender 7.2 2010.04.11 -
CAT-QuickHeal 10.00 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.11 -
Comodo 4569 2010.04.11 -
DrWeb 5.0.2.03300 2010.04.11 -
eSafe 7.0.17.0 2010.04.11 -
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.11 -
F-Secure 9.0.15370.0 2010.04.11 -
Fortinet 4.0.14.0 2010.04.10 -
GData 19 2010.04.11 -
Ikarus T3.1.1.80.0 2010.04.11 -
Jiangmin 13.0.900 2010.04.11 -
Kaspersky 7.0.0.125 2010.04.11 -
McAfee-GW-Edition 6.8.5 2010.04.11 -
Microsoft 1.5605 2010.04.11 -
NOD32 5018 2010.04.11 -
Norman 6.04.11 2010.04.10 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.11 -
PCTools 7.0.3.5 2010.04.11 -
Prevx 3.0 2010.04.11 -
Rising 22.42.06.04 2010.04.11 -
Sophos 4.52.0 2010.04.11 -
Sunbelt 6164 2010.04.11 -
Symantec 20091.2.0.41 2010.04.11 -
TheHacker 6.5.2.0.259 2010.04.11 -
TrendMicro 9.120.0.1004 2010.04.11 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.10.2270 2010.04.10 -
VirusBuster 5.0.27.0 2010.04.11 -
Additional information
File size: 1877 bytes
MD5...: 11e6bed9206d9314f4170ae3dac16227
SHA1..: b32a28ee5305fac4db76124bc91052d780e470e2
SHA256: a16e4a16060e4e980124ff2c72c5744f87840a4f5f9eaf529b993f7475b21e8c
ssdeep: 24:W0EJ/W9sLkGhTC7GOV+3bK8MNQ20pnfZ8X5597lbGf4j79OSpf4q+u:W0zSLhkLVUO8MNQL905D7lbGS79jp9+u

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Generic INI configuration (100.0%)


__________________________________________________________________________________________________________________

Results from: http://www.virustotal.com/

c:\windows\system\driver\svchostlogon.dll


File has already been analysed:
MD5: ca7a86d7a1b6b5d4ab1a08a43710eba2
First received: 2008.01.26 18:55:50 UTC
Date: 2008.01.26 18:58:31 UTC [>805D]
Results: 1/33
Permalink: analisis/db23e4ae1e3f95d863c83b928abedd23aff9cc115abdfc56a97f39cf293ded37-1201373911


File Not available, prior to VT database update received on 2008.01.26 18:58:31 (UTC)
Current status: finished

Result: 1/33 (3.03%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
SAVMail - - -
Sophos - - -
Sunbelt - - WootBot
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
File size: 1477 bytes
MD5 : ca7a86d7a1b6b5d4ab1a08a43710eba2
SHA1 : f3153ca081be8fb93e9968344d98676139b39b09
SHA256: db23e4ae1e3f95d863c83b928abedd23aff9cc115abdfc56a97f39cf293ded37
TrID : File type identification
Warning: file seems to be plain text/ASCII
TrID is best suited to analyze binary files!
Unknown!
ssdeep: 24:cGDZ3+ER0u38LM/vr1sBOBqCq2dT7WHRUe:cGLr3Vmce
PEiD : -
RDS : NSRL Reference Data Set
-


__________________________________________________________________________________________________________________

Results from: http://www.virustotal.com/

c:\windows\system\driver\winlogon.dll


File winlogon.dll received on 2010.04.11 17:57:00 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.11 -
AhnLab-V3 5.0.0.2 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 -
Authentium 5.2.0.5 2010.04.11 -
Avast 4.8.1351.0 2010.04.11 -
Avast5 5.0.332.0 2010.04.11 -
AVG 9.0.0.787 2010.04.11 -
BitDefender 7.2 2010.04.11 -
CAT-QuickHeal 10.00 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.11 -
Comodo 4569 2010.04.11 -
DrWeb 5.0.2.03300 2010.04.11 -
eSafe 7.0.17.0 2010.04.11 -
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.11 -
F-Secure 9.0.15370.0 2010.04.11 -
Fortinet 4.0.14.0 2010.04.10 -
GData 19 2010.04.11 -
Ikarus T3.1.1.80.0 2010.04.11 -
Jiangmin 13.0.900 2010.04.11 -
Kaspersky 7.0.0.125 2010.04.11 -
McAfee-GW-Edition 6.8.5 2010.04.11 -
Microsoft 1.5605 2010.04.11 -
NOD32 5018 2010.04.11 -
Norman 6.04.11 2010.04.10 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.11 -
PCTools 7.0.3.5 2010.04.11 -
Prevx 3.0 2010.04.11 -
Rising 22.42.06.04 2010.04.11 -
Sophos 4.52.0 2010.04.11 -
Sunbelt 6164 2010.04.11 -
Symantec 20091.2.0.41 2010.04.11 -
TheHacker 6.5.2.0.259 2010.04.11 -
TrendMicro 9.120.0.1004 2010.04.11 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.10.2270 2010.04.10 -
VirusBuster 5.0.27.0 2010.04.11 -
Additional information
File size: 1575 bytes
MD5...: 7946728f3d8d81ced4afa4ba973bbb7b
SHA1..: 68784de0bfa63f3e2d394f05d8d5300dc7f55617
SHA256: 97f0e1d2a0b8e5a7abc8be0b6a56e85e3c01720845f8fda45721157325340951
ssdeep: 24:cGDZ3+ER0u38LM/vr1sBOBqCq2dT7WHReyXm+:cGLr3Vm2yX5

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

END OF RESULT SCANS REQUEST FOR STEP 4



RootRepeal report while web surfing

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/04/11 10:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF371000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF83EB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEED1C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\0QMIQNMZ\mail[1].fpp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\18CSWSAK\pickering-jobs[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\44WPJVXH\pickering-jobs[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\44WPJVXH\header-icons[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\44WPJVXH\ScriptResource[1].axd
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\44WPJVXH\ScriptResource[2].axd
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\44WPJVXH\top-leader-board-bg[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\4N1N2EJH\employer-nav-background[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\4N1N2EJH\ScriptResource[1].axd
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\4N1N2EJH\workopolisLogoNew[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\KKFCL0HD\handler[1].css
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\KKFCL0HD\header-search-bg[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\KKFCL0HD\header-textbox-bg[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\KKFCL0HD\ieFix-0410[1].css
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\KKFCL0HD\ScriptResource[1].axd
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\KKFCL0HD\ScriptResource[2].axd
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\YQH16ER8\ADTECH;alias=workopolisEN_ros_key728x90_1;size=728x90;loc=100;target=_blank;key=;grp=983;misc=1270996381847;aduho=-240;rdclick=[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\YQH16ER8\find-jobs-buttons[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\YQH16ER8\js[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\YQH16ER8\ScriptResource[1].axd
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\YQH16ER8\WebResource[1].axd
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x83f22158 Size: 37

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x83eca150 Size: 37

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x83f1d158 Size: 37

==EOF==



RootRepeal report while only on Bleepingcomputer.com

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/04/11 11:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF371000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF83EB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDEAC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\temp\Temporary Internet Files\Content.IE5\0QMIQNMZ\mail[1].fpp
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x83f22158 Size: 37

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x83eca150 Size: 37

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x83f1d158 Size: 37

==EOF==

MBR log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83F22158]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x83f22158
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

By the way, how much of my personal/confidential information has been jeopardized by this virus or whatever it is? Do you know what/whom it originated from? Date, specifically year? It looks very bad; what would you call what I have, just in case I need to advise/explain it to anyone? Thanks Again...

Sorry, I had to edit my original posting of 3:30 PM today at 6:20 PM, for I wanted to advise that the initial Trojan catch from OneCare happens to be ComboFix.exe: when I ran OneCare again later on to make sure that the Trojan was caught, it was in the Quarantine section of OneCare. Has ComboFix been verified? OneCare now shows ComboFix as being the Trojan.

Edited by Ta Orfa, 11 April 2010 - 05:26 PM.
