Redirect Trojan / Virus


  • This topic is locked
51 replies to this topic

#1 phatpleasure (Members, 32 posts)

Posted 31 March 2010 - 12:03 PM

OK, so I've done a full scan with MAM, Norton and ComboFix.
Tell me what else to do. I really need to get rid of this virus. Thanks guys!



ComboFix 10-03-29.04 - phat 01/04/2010 3:37.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.3582.2785 [GMT 11:00]
Running from: c:\users\phat\Downloads\ComboFix.exe
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\users\phat\AppData\Roaming\inst.exe
c:\windows\system32\skinboxer43.dll
c:\windows\system32\systeminfo.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.

2010-03-31 13:50 . 2010-03-29 17:05 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\NAVEX15.SYS
2010-03-31 13:50 . 2010-03-29 17:05 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\NAVENG.SYS
2010-03-31 13:50 . 2010-03-29 17:05 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\NAVENG32.DLL
2010-03-31 13:50 . 2010-03-29 17:05 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\NAVEX32A.DLL
2010-03-31 13:50 . 2010-03-29 17:05 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\EECTRL.SYS
2010-03-31 13:50 . 2010-03-29 17:05 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\CCERASER.DLL
2010-03-31 13:50 . 2010-03-29 17:05 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\ECMSVR32.DLL
2010-03-31 13:50 . 2010-03-29 17:05 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100330.048\ERASER.SYS
2010-03-31 05:42 . 2010-03-31 05:42 -------- d-----w- c:\users\phat\AppData\Local\CrashDumps
2010-03-30 05:51 . 2010-02-26 02:40 79872 ----a-w- c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-03-30 05:51 . 2010-02-26 02:40 33280 ----a-w- c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINCE\components\WeaveCrypto.dll
2010-03-29 18:15 . 2010-03-29 18:15 -------- d-----w- c:\programdata\WindowsSearch
2010-03-29 17:15 . 2010-03-29 17:15 -------- d-----w- c:\program files\Common Files\Java
2010-03-29 16:42 . 2010-03-29 16:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-29 16:42 . 2010-03-29 17:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-29 16:42 . 2010-03-29 16:42 -------- d-----w- c:\program files\Symantec
2010-03-29 16:41 . 2009-10-01 09:19 164216 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2010-03-29 16:41 . 2009-10-05 17:34 929648 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\OCS\hsplayer.dll
2010-03-29 16:41 . 2009-11-07 01:19 893296 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\CLT\cltLMSx.dll
2010-03-29 16:41 . 2010-03-30 06:23 -------- d-----w- c:\windows\system32\drivers\NAV
2010-03-29 16:41 . 2010-03-29 16:41 -------- d-----w- c:\program files\Norton AntiVirus
2010-03-29 16:41 . 2010-03-29 16:42 -------- d-----w- c:\programdata\Norton
2010-03-29 16:33 . 2010-03-29 16:33 -------- d-----w- c:\program files\NortonInstaller
2010-03-29 16:31 . 2010-03-29 16:40 -------- d-----w- c:\programdata\NortonInstaller
2010-03-29 02:41 . 2010-03-29 02:41 388096 ----a-r- c:\users\phat\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-29 02:41 . 2010-03-29 02:41 -------- d-----w- c:\program files\TrendMicro
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-21 05:51 . 2010-03-21 05:51 -------- d-----w- c:\users\phat\AppData\Local\Apps
2010-03-21 05:51 . 2010-03-21 16:18 -------- d-----w- c:\users\phat\AppData\Local\Deployment
2010-03-04 13:18 . 2010-03-04 13:25 9661 ----a-w- c:\programdata\DVD X Studios\DVD X Player 4.1 Professional\DVDXPlayer.dll
2010-03-04 13:17 . 2010-03-04 13:17 14 ----a-w- c:\windows\system32\SystemInfo32.sys
2010-03-04 13:17 . 2010-03-04 13:17 -------- d-----w- c:\programdata\DVD X Studios
2010-03-04 12:03 . 2010-03-04 13:17 -------- d-----w- c:\program files\DVD X Studios
2010-03-02 14:36 . 2010-03-02 14:36 -------- d-----w- c:\users\phat\AppData\Roaming\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 16:34 . 2008-07-15 15:14 -------- d-----w- c:\programdata\NVIDIA
2010-03-31 16:02 . 2008-03-29 06:03 -------- d-----w- c:\program files\Warcraft III
2010-03-31 13:40 . 2009-12-09 16:23 34800 ----a-w- c:\programdata\nvModes.dat
2010-03-30 03:21 . 2009-10-07 06:18 -------- d-----w- c:\program files\Cheat Engine
2010-03-29 17:26 . 2008-11-19 10:49 -------- d-----w- c:\program files\Blaze Media Pro
2010-03-29 17:14 . 2009-01-21 10:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 17:05 . 2010-03-29 17:05 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\navex15.sys
2010-03-29 17:05 . 2010-03-29 17:05 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\naveng.sys
2010-03-29 17:05 . 2010-03-29 17:05 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\eeCtrl.sys
2010-03-29 17:05 . 2010-03-29 17:05 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\cceraser.dll
2010-03-29 17:05 . 2010-03-29 17:05 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\ecmsvr32.dll
2010-03-29 17:05 . 2010-03-29 17:05 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\naveng32.dll
2010-03-29 17:05 . 2010-03-29 17:05 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\navex32a.dll
2010-03-29 17:05 . 2010-03-29 17:05 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\eraser.sys
2010-03-29 16:42 . 2010-03-29 16:42 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 16:42 . 2010-03-29 16:42 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 08:51 . 2008-03-29 06:32 -------- d-----w- c:\program files\Java
2010-03-27 13:42 . 2008-04-01 16:30 -------- d-----w- c:\users\phat\AppData\Roaming\FrostWire
2010-03-24 09:02 . 2009-03-18 11:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 23:17 . 2008-11-19 10:38 -------- d-----w- c:\users\phat\AppData\Roaming\dvdcss
2010-03-17 03:21 . 2008-05-26 12:53 -------- d-----w- c:\users\phat\AppData\Roaming\Skype
2010-03-17 03:21 . 2008-05-26 12:56 -------- d-----w- c:\users\phat\AppData\Roaming\skypePM
2010-03-16 01:14 . 2009-09-10 11:25 -------- d-----w- c:\users\phat\AppData\Roaming\FileZilla
2010-03-14 00:38 . 2010-02-23 12:15 55368 ----a-w- c:\windows\War3Unin.dat
2010-03-12 09:29 . 2008-03-29 18:13 -------- d-----w- c:\programdata\Microsoft Help
2010-03-03 06:01 . 2008-03-29 05:59 -------- d-----w- c:\program files\Steam
2010-03-02 14:41 . 2010-01-19 15:45 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-03-02 14:37 . 2010-01-19 15:44 -------- d-----w- c:\program files\ArcSoft
2010-03-02 14:37 . 2008-03-29 08:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-27 16:55 . 2010-02-27 16:55 -------- d-----w- c:\program files\OO Software
2010-02-27 16:50 . 2008-04-28 05:17 -------- d-----w- c:\program files\Bonjour
2010-02-27 16:50 . 2008-11-19 10:44 -------- d-----w- c:\program files\ArtisanDVDPlayer
2010-02-27 16:49 . 2008-12-01 05:49 -------- d-----w- c:\program files\Free Word-Doc to Pdf Converter&Creator
2010-02-27 16:49 . 2008-03-29 08:29 -------- d-----w- c:\program files\Garena
2010-02-27 16:48 . 2009-01-07 16:44 -------- d-----w- c:\users\phat\AppData\Roaming\Vso
2010-02-27 16:36 . 2010-01-19 15:42 -------- d-----w- c:\program files\Panasonic
2010-02-27 16:36 . 2010-01-23 03:28 -------- d-----w- c:\users\phat\AppData\Roaming\Panasonic
2010-02-24 11:03 . 2008-03-29 05:59 -------- d-----w- c:\program files\Common Files\Steam
2010-02-23 23:16 . 2009-10-03 04:05 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 12:19 . 2010-02-23 12:15 2829 ----a-w- c:\windows\War3Unin.pif
2010-02-23 12:19 . 2010-02-23 12:15 139264 ----a-w- c:\windows\War3Unin.exe
2010-02-23 12:08 . 2010-02-23 12:07 -------- d-----w- c:\program files\iTunes
2010-02-23 12:07 . 2010-02-23 12:07 -------- d-----w- c:\program files\iPod
2010-02-23 12:07 . 2008-09-11 16:33 -------- d-----w- c:\program files\Common Files\Apple
2010-02-23 12:01 . 2010-02-23 12:01 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-26 12:34 . 2009-04-01 05:38 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-23 09:26 . 2010-02-24 03:14 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 18:43 . 2010-01-20 18:42 5299337 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-01-20 09:08 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-20 00:05 . 2008-03-29 05:11 101520 ----a-w- c:\users\phat\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-14 14:09 . 2008-03-29 05:11 1356 ----a-w- c:\users\phat\AppData\Local\d3d9caps.dat
2010-01-07 05:07 . 2009-03-18 11:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 05:07 . 2009-03-18 11:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38 . 2010-01-22 02:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 02:51 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-22 02:51 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-22 02:51 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Habu"="c:\program files\Razer\Habu\razerhid.exe" [2009-08-18 239616]
"AsioReg"="CTASIO.DLL" [2009-06-23 46592]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2009-09-11 2524416]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Brother SmartUI PopUp.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Brother SmartUI PopUp.lnk
backup=c:\windows\pss\Brother SmartUI PopUp.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^phat^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Magic Holdem.lnk]
path=c:\users\phat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Magic Holdem.lnk
backup=c:\windows\pss\Magic Holdem.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^phat^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=c:\users\phat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 12:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aliim]
2009-12-22 04:29 222552 ----a-w- c:\program files\trademanager\AliIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2009-06-23 00:48 19456 ----a-w- c:\windows\System32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2007-04-09 02:32 19968 ----a-w- c:\windows\System32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 00:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 08:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 07:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 07:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-20 09:33 110184 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2001-04-01 22:40 26624 ----a-w- c:\progra~1\ScanSoft\PAPERP~1\Pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 12:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 02:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Utopia Angel]
2008-06-22 10:52 3703808 ----a-w- c:\utopia\Angel\Angel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6f,d4,3c,00,99,7d,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-04-27 717296]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-06-23 99352]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-06-12 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-13 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2008-05-09 191488]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-06-23 555032]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-06-23 100888]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-06-23 100888]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2008-05-09 1360896]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2008-05-09 67072]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-06-23 566296]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1105000.07F\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1105000.07F\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [2010-03-24 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1105000.07F\ccHPx86.sys [2009-12-09 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100326.001\IDSvix86.sys [2009-10-28 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1105000.07F\Ironx86.SYS [2009-11-26 116272]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAV\1105000.07F\SYMTDIV.SYS [2009-11-22 340016]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe [2009-12-09 126392]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-11-20 240232]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-06-23 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-06-23 555032]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-06-23 566296]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-03-29 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
FF - ProfilePath - c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\Common-Use Signing Interface\bin\npCsiPlugin.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}\plugins\npww.dll
FF - plugin: c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKCU-Run-RemoteControl - (no file)
MSConfigStartUp-CTDVDDET - c:\program files\Creative\DVDAudio\CTDVDDET.EXE
MSConfigStartUp-OODefragTray - c:\windows\system32\oodtray.exe
MSConfigStartUp-RemoteCenter - c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe
MSConfigStartUp-Sonic PDF Print Dispatcher - c:\windows\system32\iTechPrn.exe
MSConfigStartUp-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
MSConfigStartUp-SRS Audio Sandbox - c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe
AddRemove-Free Mp3 Wma Converter_is1 - c:\program files\Free Audio Pack\unins000.exe
AddRemove-MagicHoldem - c:\program files\Magic Holdem\Uninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 03:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
AsioReg = REGSVR32.EXE /S CTASIO.DLL?
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-580790463-919171761-3139786747-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*@*é—ýVŽsYñ‹Ñ`*N\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-580790463-919171761-3139786747-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4b,0c,8c,c1,ab,ea,7c,7f,49,f4,99,b6,c3,e9,5f,e2,f9,f6,1e,ab,56,4a,1c,
80,3e,98,99,e1,44,39,94,9a,9f,c1,20,08,db,0d,4d,3c,46,5e,bb,ac,e0,6b,ce,e2,\
"??"=hex:57,cf,de,82,93,18,52,79,f2,68,4f,f2,76,52,74,1f

[HKEY_USERS\S-1-5-21-580790463-919171761-3139786747-1000\Software\SecuROM\License information*]
"datasecu"=hex:e3,07,6f,03,89,e3,23,dd,c9,03,52,15,6d,9e,b1,a2,e6,36,eb,8b,94,
5b,9d,bc,d0,ae,8a,08,92,f4,8d,01,6d,24,63,f1,e3,73,ba,3b,1e,a3,c8,72,6a,3d,\
"rkeysecu"=hex:f7,6c,40,99,c5,89,8f,fa,f2,4d,a6,ce,70,2f,2e,e6

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-01 03:52:00
ComboFix-quarantined-files.txt 2010-03-31 16:51

Pre-Run: 122,126,467,072 bytes free
Post-Run: 122,302,685,184 bytes free

- - End Of File - - 69BE03DFC4678F63EED755379378B455

Edited by Orange Blossom, 31 March 2010 - 04:08 PM.
Move to log forum. ~ OB



#2 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,252 posts, Location: Romania)

Posted 04 April 2010 - 03:07 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 05 April 2010 - 01:33 AM

hi guys,

have read up on some of these issues, but really need personal help.
here are some things that I have done...
BIG BIG THANKS to whoever is going to help me!

note: malwarebytes/spyware doctor unable to update

SCANS:
1. Rkill
2. ComboFix
3. DDS
4. Hijackthis

regards,
Jason.

Edited by phatpleasure, 05 April 2010 - 01:43 AM.


#4 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 05 April 2010 - 01:35 AM

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as phat on 05/04/2010 at 16:25:00.


Processes terminated by Rkill or while it was running:


C:\Users\phat\Desktop\rkill.pif


Rkill completed on 05/04/2010 at 16:25:02.


#5 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  

Posted 05 April 2010 - 01:41 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by phat at 16:38:56.81 on Mon 05/04/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.3582.2347 [GMT 10:00]

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\OO Software\Defrag\oodtray.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Program Files\OO Software\Defrag\oodag.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\phat\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.5.0.127\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [CTHelper] CTHELPER.EXE
mRun: [OODefragTray] c:\program files\oo software\defrag\oodtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-au.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15110/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\phat\appdata\roaming\mozilla\firefox\profiles\62pk9ffr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\phat\appdata\roaming\mozilla\firefox\profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\common-use signing interface\bin\npCsiPlugin.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\phat\appdata\roaming\mozilla\firefox\profiles\62pk9ffr.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
FF - plugin: c:\users\phat\appdata\roaming\mozilla\firefox\profiles\62pk9ffr.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-2 217032]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1105000.07f\symds.sys [2010-3-30 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1105000.07f\symefa.sys [2010-3-30 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-25 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1105000.07f\cchpx86.sys [2010-3-30 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20100326.001\IDSvix86.sys [2010-3-30 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1105000.07f\ironx86.sys [2010-3-30 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1105000.07f\symtdiv.sys [2010-3-30 340016]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-2 112592]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.5.0.127\ccsvchst.exe [2010-3-30 126392]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-2 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-2 1142224]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-11-20 240232]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-30 102448]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2008-6-13 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-12-13 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-6-13 191488]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-6-13 1360896]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-6-13 67072]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-2 21504]

=============== Created Last 30 ================

2010-04-05 06:29:30 0 ----a-w- c:\users\phat\defogger_reenable
2010-04-02 13:45:17 0 d-----w- c:\users\phat\appdata\roaming\PC Tools
2010-04-02 13:45:17 0 d-----w- c:\programdata\PC Tools
2010-04-02 13:45:17 0 d-----w- c:\program files\Spyware Doctor
2010-04-02 13:45:17 0 d-----w- c:\program files\common files\PC Tools
2010-04-02 06:48:29 0 d-----w- c:\program files\iPod
2010-04-02 06:48:27 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-02 06:48:27 0 d-----w- c:\program files\iTunes
2010-04-02 05:03:38 94 ----a-w- c:\windows\brpcfx.ini
2010-04-02 05:03:38 224 ----a-w- c:\windows\Brpfx04a.ini
2010-04-02 05:00:53 9 ----a-w- c:\windows\Brfaxrx.ini
2010-04-02 05:00:52 61440 ------w- c:\windows\system32\BrMfNt.dll
2010-04-02 05:00:52 163840 ------w- c:\windows\system32\NSSearch.dll
2010-04-02 05:00:52 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2010-04-01 02:03:18 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-31 16:52:06 0 d-sh--w- C:\$RECYCLE.BIN
2010-03-31 16:35:09 98816 ----a-w- c:\windows\sed.exe
2010-03-31 16:35:09 77312 ----a-w- c:\windows\MBR.exe
2010-03-31 16:35:09 261632 ----a-w- c:\windows\PEV.exe
2010-03-31 16:35:09 161792 ----a-w- c:\windows\SWREG.exe
2010-03-29 18:15:24 0 d-----w- c:\programdata\WindowsSearch
2010-03-29 17:15:26 0 d-----w- c:\programdata\Sun
2010-03-29 16:42:12 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 16:42:12 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 16:42:12 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-29 16:42:11 0 d-----w- c:\program files\Symantec
2010-03-29 16:42:11 0 d-----w- c:\program files\common files\Symantec Shared
2010-03-29 16:41:17 0 d-----w- c:\windows\system32\drivers\NAV
2010-03-29 16:41:09 0 d-----w- c:\program files\Norton AntiVirus
2010-03-29 16:41:07 0 d-----w- c:\programdata\Norton
2010-03-29 16:33:01 0 d-----w- c:\program files\NortonInstaller
2010-03-29 16:31:23 0 d-----w- c:\programdata\NortonInstaller
2010-03-29 02:41:51 0 d-----w- c:\program files\TrendMicro
2010-03-17 10:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-17 10:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-04-05 06:36:27 34800 ----a-w- c:\programdata\nvModes.dat
2010-04-02 06:41:32 86016 ----a-w- c:\windows\inf\infpub.dat
2010-04-02 06:41:32 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-02 06:41:32 143360 ----a-w- c:\windows\inf\infstor.dat
2010-03-29 17:14:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-14 00:38:49 55368 ----a-w- c:\windows\War3Unin.dat
2010-03-10 00:36:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-23 23:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 12:19:34 2829 ----a-w- c:\windows\War3Unin.pif
2010-02-23 12:19:34 139264 ----a-w- c:\windows\War3Unin.exe
2010-02-12 00:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 00:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-04 22:25:38 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-04 22:18:02 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-04 22:17:56 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-21 22:56:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 22:56:24 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 22:56:24 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 22:55:54 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-20 09:08:19 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-01-02 05:11:09 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-13 16:12:40 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 16:41:01.86 ===============


#6 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:11:00 AM

Posted 07 April 2010 - 04:59 AM

OTL logfile created on: 7/04/2010 7:52:24 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\phat\Downloads
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 65.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.32 Gb Total Space | 81.99 Gb Free Space | 28.44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 4.18 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PHAT-PC
Current User Name: phat
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/07 19:50:08 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\phat\Downloads\OTL.exe
PRC - [2010/04/03 11:23:42 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 09:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/27 06:41:08 | 000,471,040 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\Warcraft III\war3.exe
PRC - [2010/02/26 09:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccsvchst.exe
PRC - [2009/11/20 18:17:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/09/11 23:34:12 | 001,488,128 | ---- | M] (O&O Software GmbH) -- C:\Program Files\OO Software\Defrag\oodag.exe
PRC - [2009/09/11 23:34:00 | 002,524,416 | ---- | M] (O&O Software GmbH) -- C:\Program Files\OO Software\Defrag\oodtray.exe
PRC - [2009/08/18 15:12:56 | 000,239,616 | ---- | M] () -- C:\Program Files\Razer\Habu\razerhid.exe
PRC - [2009/08/18 08:47:24 | 000,217,600 | ---- | M] () -- C:\Program Files\Razer\Habu\razertra.exe
PRC - [2009/06/23 10:48:12 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\Windows\System32\CtHelper.exe
PRC - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/11 16:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/30 15:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 15:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/02/14 15:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2006/08/07 16:00:28 | 000,163,840 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\Habu\razerofa.exe


========== Modules (SafeList) ==========

MOD - [2010/04/07 19:50:08 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\phat\Downloads\OTL.exe
MOD - [2009/04/11 16:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2010/03/19 09:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/26 09:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe -- (NAV)
SRV - [2010/02/24 14:43:33 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/12/13 22:47:49 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2009/11/20 18:17:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/09/25 11:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/09/11 23:34:12 | 001,488,128 | ---- | M] (O&O Software GmbH) [Auto | Running] -- C:\Program Files\OO Software\Defrag\oodag.exe -- (O&O Defrag)
SRV - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/30 15:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/02/14 15:29:14 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008/06/13 02:22:54 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
SRV - [2008/04/28 15:12:04 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/04/17 19:13:44 | 005,750,784 | ---- | M] () [On_Demand | Stopped] -- c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe -- (wampmysqld)
SRV - [2008/01/18 22:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/18 01:37:26 | 000,024,635 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe -- (wampapache)


========== Driver Services (SafeList) ==========

DRV - [2010/03/30 03:05:07 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100406.038\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/03/30 03:05:06 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/03/30 03:05:06 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/03/30 03:05:06 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100406.038\NAVENG.SYS -- (NAVENG)
DRV - [2010/03/30 02:42:11 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/25 06:38:08 | 000,536,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/02/27 12:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NAV\1106000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/27 12:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\Drivers\NAV\1106000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/27 12:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NAV\1106000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/26 09:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NAV\1106000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/02/04 11:40:52 | 000,340,016 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\NAV\1106000.020\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2010/02/04 11:40:50 | 000,172,592 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS -- (SymEFA)
DRV - [2009/12/20 09:53:32 | 000,234,016 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/11/21 12:34:54 | 011,515,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/11/06 08:06:13 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\NAV\1106000.020\SYMDS.SYS -- (SymDS)
DRV - [2009/10/29 08:37:22 | 000,343,088 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSvix86.sys -- (IDSVix86)
DRV - [2009/06/23 12:38:26 | 000,189,464 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2009/06/23 12:38:16 | 000,162,840 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2009/06/23 12:38:06 | 000,798,744 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2009/06/23 12:37:54 | 000,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\emupia2k.sys -- (emupia)
DRV - [2009/06/23 12:37:32 | 000,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2009/06/23 12:37:22 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2009/06/23 12:37:10 | 000,127,512 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2009/06/23 12:36:36 | 000,347,080 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2009/06/23 12:36:24 | 000,528,408 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2009/06/23 12:36:14 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2009/06/23 12:35:04 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2009/06/23 12:35:04 | 000,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2009/06/23 12:34:52 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2009/06/23 12:34:52 | 000,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2009/06/23 12:34:40 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2009/06/23 12:34:40 | 000,555,032 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2009/06/23 12:34:30 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2009/06/23 12:34:30 | 000,099,352 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2009/01/16 09:21:43 | 000,094,208 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ezplay.sys -- (ezplay)
DRV - [2008/05/09 15:15:04 | 000,067,072 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTHWIUT.sys -- (CTHWIUT)
DRV - [2008/05/09 15:15:02 | 000,191,488 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CT20XUT.sys -- (CT20XUT)
DRV - [2008/05/09 15:14:58 | 001,360,896 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CTEXFIFX.sys -- (CTEXFIFX)
DRV - [2008/04/27 17:39:16 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/04/13 22:30:04 | 000,025,544 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2007/07/26 09:25:12 | 000,039,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SRS_SSCFilter_i386.sys -- (SRS_SSCFilter) SRS Labs Audio Sandbox (WDM)
DRV - [2007/04/12 08:10:26 | 000,164,608 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2007/04/12 08:10:26 | 000,066,816 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2007/04/12 08:10:24 | 001,317,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2007/04/12 08:10:22 | 000,323,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2007/04/12 08:10:22 | 000,128,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2007/04/12 08:10:20 | 000,280,320 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2007/04/12 08:10:18 | 000,168,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2007/04/10 06:03:12 | 001,164,072 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2007/04/03 13:57:54 | 000,099,080 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116unic.sys -- (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM)
DRV - [2007/04/03 13:57:52 | 000,098,696 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116obex.sys -- (s116obex)
DRV - [2007/04/03 13:57:52 | 000,023,176 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116nd5.sys -- (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS)
DRV - [2007/04/03 13:57:50 | 000,100,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116mgmt.sys -- (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 13:57:48 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116mdm.sys -- (s116mdm)
DRV - [2007/04/03 13:57:48 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116mdfl.sys -- (s116mdfl)
DRV - [2007/04/03 13:57:42 | 000,083,336 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s116bus.sys -- (s116bus) Sony Ericsson Device 116 driver (WDM)
DRV - [2006/11/02 19:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 19:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 19:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 19:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 19:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 19:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 19:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 19:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 19:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 19:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 19:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 19:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 19:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 19:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 19:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 19:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 19:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 19:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 19:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 19:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 19:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 19:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 19:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 19:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 19:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 19:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 19:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 19:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 19:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 19:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 19:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 19:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 19:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 18:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BrSerId.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 18:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2006/11/02 18:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 18:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 18:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 18:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 17:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 17:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 17:30:56 | 000,047,104 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/11/02 17:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 17:30:52 | 000,467,456 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2006/10/23 11:09:48 | 000,027,776 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\habu.sys -- (HabuFltr)
DRV - [2005/02/23 13:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKU\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKU\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C9 C1 7E 74 F3 93 CA 01 [binary data]
IE - HKU\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-580790463-919171761-3139786747-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com.au/"
FF - prefs.js..extensions.enabledItems: {4D144BC3-23FB-47de-90C5-63CCB0139CCF}:1.0
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: searchrecs@veoh.com:1.5.2
FF - prefs.js..extensions.enabledItems: wisestamp@wisestamp.com:1.3.5
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {340c2bbc-ce74-4362-90b5-7c26312808ef}:1.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\ [2010/03/30 02:42:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 11:23:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/03 11:23:45 | 000,000,000 | ---D | M]

[2008/06/22 16:06:36 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\Mozilla\Extensions
[2010/04/07 17:54:12 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions
[2009/09/03 10:45:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/30 15:51:24 | 000,000,000 | ---D | M] (Weave Sync) -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
[2009/11/30 23:54:55 | 000,000,000 | ---D | M] (TradeManager-Plugin) -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
[2009/12/18 14:34:20 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\firefox@tvunetworks.com
[2010/01/15 19:32:10 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\searchrecs@veoh.com
[2010/03/19 19:22:52 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\wisestamp@wisestamp.com
[2008/04/27 17:41:36 | 000,002,921 | ---- | M] () -- C:\Users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\searchplugins\daemon-search.xml
[2010/03/30 03:15:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/11/11 17:38:54 | 000,663,552 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2010/03/18 22:39:33 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/03/18 22:39:33 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/03/18 22:39:33 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/03/18 22:39:33 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/19 07:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll (BitComet)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AsioReg] C:\Windows\System32\ctasio.dll (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\Windows\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OODefragTray] C:\Program Files\OO Software\Defrag\oodtray.exe (O&O Software GmbH)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll (BitComet)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\..Trusted Domains: alipay.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\..Trusted Domains: alipay.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\..Trusted Domains: alisoft.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\..Trusted Domains: alisoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\..Trusted Domains: taobao.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\..Trusted Domains: taobao.com ([]https in Trusted sites)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/...NPUplden-au.cab (MSN Photo Upload Tool)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareup...15110/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\phat\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\phat\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 07:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - C:\Windows\System32\OODBS.exe (O&O Software GmbH)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-580790463-919171761-3139786747-1000\...com [@ = ComFile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/07 11:47:46 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1106000.020\cchpx86.sys
[2010/04/07 11:47:46 | 000,340,016 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1106000.020\symtdiv.sys
[2010/04/07 11:47:46 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1106000.020\symds.sys
[2010/04/07 11:47:46 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1106000.020\srtsp.sys
[2010/04/07 11:47:46 | 000,172,592 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1106000.020\symefa.sys
[2010/04/07 11:47:46 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1106000.020\ironx86.sys
[2010/04/07 11:47:46 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1106000.020\srtspx.sys
[2010/04/07 11:47:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NAV\1106000.020
[2010/04/06 22:13:51 | 000,000,000 | ---D | C] -- C:\Users\phat\Desktop\The Pickup Artist Season 1 & 2
[2010/04/05 17:27:12 | 000,000,000 | ---D | C] -- C:\Users\phat\Desktop\virus logs
[2010/04/05 17:09:32 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/05 16:58:56 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/02 16:48:29 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/02 16:48:27 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/02 16:48:27 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/02 15:03:38 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\BrFaxRx
[2010/04/02 15:00:52 | 000,163,840 | ---- | C] (brother) -- C:\Windows\System32\NSSearch.dll
[2010/04/02 15:00:52 | 000,061,440 | ---- | C] (Brother Industries,LTD.) -- C:\Windows\System32\BrMfNt.dll
[2010/04/02 14:38:38 | 000,000,000 | ---D | C] -- C:\Users\phat\Desktop\unistall
[2010/04/02 13:35:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/04/01 08:10:21 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/04/01 02:52:06 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/01 02:52:03 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/04/01 02:52:02 | 000,000,000 | ---D | C] -- C:\Users\phat\AppData\Local\temp
[2010/04/01 02:35:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/04/01 02:35:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/04/01 02:35:09 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/04/01 02:34:53 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/04/01 02:32:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/01 02:32:07 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/03/31 15:42:52 | 000,000,000 | ---D | C] -- C:\Users\phat\AppData\Local\CrashDumps
[2010/03/30 04:15:24 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2010/03/30 03:15:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/03/30 03:15:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/30 03:15:02 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/03/30 03:14:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/03/30 03:14:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/03/30 02:42:12 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2010/03/30 02:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/03/30 02:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/03/30 02:41:17 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NAV
[2010/03/30 02:41:09 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2010/03/30 02:41:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2010/03/30 02:33:01 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/03/30 02:31:23 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010/03/29 12:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/03/21 15:51:55 | 000,000,000 | ---D | C] -- C:\Users\phat\AppData\Local\Apps
[2010/03/21 15:51:54 | 000,000,000 | ---D | C] -- C:\Users\phat\AppData\Local\Deployment
[2010/03/17 20:53:42 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 20:53:42 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2009/06/23 10:49:14 | 000,010,752 | ---- | C] ( ) -- C:\Windows\System32\a3d.dll
[2009/01/16 09:21:43 | 000,094,208 | ---- | C] (VSO Software) -- C:\Users\phat\AppData\Roaming\ezplay.sys
[2009/01/08 02:44:47 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\phat\AppData\Roaming\pcouffin.sys
[2004/11/25 05:25:52 | 000,335,872 | ---- | C] ( ) -- C:\Windows\System32\drvc.dll
[1 C:\Users\phat\*.tmp files -> C:\Users\phat\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/07 19:54:05 | 018,350,080 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT
[2010/04/07 19:43:35 | 000,694,964 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/07 19:43:35 | 000,602,846 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/07 19:43:35 | 000,106,292 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/07 19:38:50 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/07 19:38:49 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/07 19:38:37 | 000,003,776 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 19:38:37 | 000,003,776 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 19:38:37 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/07 19:38:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/07 19:38:16 | 3756,515,328 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/07 19:38:14 | 000,151,844 | ---- | M] () -- C:\Windows\System32\oodbs.lor
[2010/04/07 19:22:33 | 000,031,056 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,031,056 | ---- | M] () -- C:\Windows\System32\BMXState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,030,528 | ---- | M] () -- C:\Windows\System32\BMXCtrlState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,030,528 | ---- | M] () -- C:\Windows\System32\BMXBkpCtrlState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,011,564 | ---- | M] () -- C:\Windows\System32\DVCState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:24 | 000,065,536 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf
[2010/04/07 19:22:23 | 000,524,288 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms
[2010/04/07 19:22:19 | 003,758,436 | -H-- | M] () -- C:\Users\phat\AppData\Local\IconCache.db
[2010/04/07 18:46:22 | 001,798,720 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1106000.020\Cat.DB
[2010/04/07 18:14:26 | 000,130,560 | ---- | M] () -- C:\Users\phat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/07 15:45:52 | 000,513,536 | ---- | M] () -- C:\Users\phat\Desktop\Halogentrack.xls
[2010/04/07 13:24:37 | 000,002,135 | ---- | M] () -- C:\Users\Public\Desktop\Norton AntiVirus.lnk
[2010/04/06 10:34:03 | 000,330,240 | ---- | M] () -- C:\Users\phat\Desktop\Kaixen.xls
[2010/04/05 17:13:10 | 000,036,286 | ---- | M] () -- C:\Users\phat\Documents\cc_20100405_171305.reg
[2010/04/05 16:59:50 | 000,312,424 | ---- | M] () -- C:\Users\phat\Documents\cc_20100405_165936.reg
[2010/04/05 16:29:30 | 000,000,000 | ---- | M] () -- C:\Users\phat\defogger_reenable
[2010/04/02 15:52:11 | 000,000,009 | ---- | M] () -- C:\Windows\Brfaxrx.ini
[2010/04/02 15:03:38 | 000,000,224 | ---- | M] () -- C:\Windows\Brpfx04a.ini
[2010/04/02 15:03:38 | 000,000,094 | ---- | M] () -- C:\Windows\brpcfx.ini
[2010/04/02 15:03:38 | 000,000,050 | ---- | M] () -- C:\Windows\System32\Nodata
[2010/04/01 19:10:42 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010/04/01 12:03:18 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010/04/01 10:43:52 | 000,017,073 | ---- | M] () -- C:\Users\phat\Documents\BEO1106 BUSINESS STATISTICS.docx
[2010/04/01 02:48:17 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/03/30 03:14:21 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2010/03/30 03:14:21 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/03/30 03:14:21 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/03/30 03:14:21 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/03/30 02:42:11 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2010/03/30 02:42:11 | 000,007,443 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2010/03/30 02:42:11 | 000,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2010/03/29 23:24:42 | 001,060,864 | ---- | M] () -- C:\Users\phat\Documents\Database.mdb
[2010/03/27 11:15:54 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1106000.020\isolate.ini
[2010/03/22 01:24:56 | 003,567,743 | ---- | M] () -- C:\Users\phat\Desktop\jiu yao xing fu le.mp3
[2010/03/17 20:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 20:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2010/03/15 15:29:02 | 000,087,040 | ---- | M] () -- C:\Users\phat\Desktop\audio.xls
[2010/03/15 15:12:50 | 000,011,901 | ---- | M] () -- C:\Users\phat\Desktop\returns.xlsx
[2010/03/14 10:38:49 | 000,055,368 | ---- | M] () -- C:\Windows\War3Unin.dat
[2010/03/12 17:02:38 | 000,261,632 | ---- | M] () -- C:\Windows\PEV.exe
[1 C:\Users\phat\*.tmp files -> C:\Users\phat\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/07 13:24:37 | 000,002,135 | ---- | C] () -- C:\Users\Public\Desktop\Norton AntiVirus.lnk
[2010/04/07 13:23:24 | 001,798,720 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\Cat.DB
[2010/04/07 11:47:46 | 000,007,787 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symnetv.cat
[2010/04/07 11:47:46 | 000,007,444 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symefa.cat
[2010/04/07 11:47:46 | 000,007,442 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\srtspx.cat
[2010/04/07 11:47:46 | 000,007,438 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\srtsp.cat
[2010/04/07 11:47:46 | 000,007,438 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\iron.cat
[2010/04/07 11:47:46 | 000,007,425 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symds.cat
[2010/04/07 11:47:46 | 000,007,396 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\cchpx86.cat
[2010/04/07 11:47:46 | 000,007,368 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symnet.cat
[2010/04/07 11:47:46 | 000,003,374 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symefa.inf
[2010/04/07 11:47:46 | 000,002,793 | R--- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symds.inf
[2010/04/07 11:47:46 | 000,001,754 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\cchpx86.inf
[2010/04/07 11:47:46 | 000,001,473 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symnetv.inf
[2010/04/07 11:47:46 | 000,001,445 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\symnet.inf
[2010/04/07 11:47:46 | 000,001,388 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\srtspx.inf
[2010/04/07 11:47:46 | 000,001,382 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\srtsp.inf
[2010/04/07 11:47:46 | 000,000,741 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\iron.inf
[2010/04/07 11:47:32 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1106000.020\isolate.ini
[2010/04/05 17:13:07 | 000,036,286 | ---- | C] () -- C:\Users\phat\Documents\cc_20100405_171305.reg
[2010/04/05 16:59:40 | 000,312,424 | ---- | C] () -- C:\Users\phat\Documents\cc_20100405_165936.reg
[2010/04/05 16:35:45 | 3756,515,328 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/05 16:29:30 | 000,000,000 | ---- | C] () -- C:\Users\phat\defogger_reenable
[2010/04/02 15:03:38 | 000,000,224 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2010/04/02 15:03:38 | 000,000,094 | ---- | C] () -- C:\Windows\brpcfx.ini
[2010/04/02 15:00:53 | 000,000,009 | ---- | C] () -- C:\Windows\Brfaxrx.ini
[2010/04/02 15:00:52 | 000,106,496 | ---- | C] () -- C:\Windows\System32\BrMuSNMP.dll
[2010/04/01 12:03:18 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/04/01 10:43:42 | 000,017,073 | ---- | C] () -- C:\Users\phat\Documents\BEO1106 BUSINESS STATISTICS.docx
[2010/04/01 02:35:09 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/04/01 02:35:09 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/04/01 02:35:09 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/04/01 02:35:09 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/04/01 02:35:09 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/03/30 02:42:12 | 000,007,443 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2010/03/30 02:42:12 | 000,000,805 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2010/03/29 23:24:42 | 001,060,864 | ---- | C] () -- C:\Users\phat\Documents\Database.mdb
[2010/03/22 01:24:05 | 003,567,743 | ---- | C] () -- C:\Users\phat\Desktop\jiu yao xing fu le.mp3
[2010/03/04 23:17:13 | 000,000,014 | ---- | C] () -- C:\Windows\System32\SystemInfo32.sys
[2010/01/20 01:43:30 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/12/14 02:08:04 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/12/14 02:08:04 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/12/10 02:24:40 | 000,034,800 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/12/10 02:23:09 | 000,034,800 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/12/03 08:27:28 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/10/16 05:35:18 | 000,000,330 | ---- | C] () -- C:\Windows\pdf2word.INI
[2009/10/07 16:18:46 | 001,970,176 | ---- | C] () -- C:\Windows\System32\d3dx9.dll
[2009/10/06 14:28:26 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/02 23:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/02 23:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/02 23:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009/06/23 11:29:50 | 000,049,719 | ---- | C] () -- C:\Windows\System32\instwdm.ini
[2009/06/23 11:29:48 | 000,000,054 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini
[2009/06/23 10:51:00 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CTBurst.dll
[2009/05/22 14:37:07 | 000,000,000 | ---- | C] () -- C:\Windows\asym.ini
[2009/03/17 11:17:56 | 000,000,157 | ---- | C] () -- C:\Windows\MYOBP.INI
[2009/03/17 11:17:56 | 000,000,039 | ---- | C] () -- C:\Windows\MYOB.INI
[2009/03/17 11:16:38 | 000,000,663 | ---- | C] () -- C:\Windows\openrda.ini
[2009/03/17 11:16:19 | 000,000,000 | ---- | C] () -- C:\Windows\drvxl32.INI
[2009/03/17 11:16:18 | 000,000,000 | ---- | C] () -- C:\Windows\drvwd32.INI
[2009/03/12 07:30:28 | 000,025,330 | ---- | C] () -- C:\Windows\maxlink.ini
[2009/03/12 07:30:28 | 000,000,090 | ---- | C] () -- C:\Windows\calera.ini
[2009/03/12 07:30:21 | 000,269,312 | ---- | C] () -- C:\Windows\System32\FPXIG.DLL
[2009/03/12 07:30:21 | 000,068,096 | ---- | C] () -- C:\Windows\System32\IGFPX32P.DLL
[2009/03/12 07:30:21 | 000,065,024 | ---- | C] () -- C:\Windows\System32\JPEGACC.DLL
[2009/03/12 07:30:15 | 000,101,376 | ---- | C] () -- C:\Windows\System32\WELSOF32.DLL
[2009/02/22 22:05:17 | 000,000,061 | ---- | C] () -- C:\Windows\System32\SYSVCPDRV.SYS
[2009/02/11 03:25:46 | 000,000,120 | ---- | C] () -- C:\Windows\Quicken.ini
[2009/01/16 09:22:29 | 000,000,034 | ---- | C] () -- C:\Users\phat\AppData\Roaming\ezplay.log
[2009/01/16 09:21:43 | 000,007,861 | ---- | C] () -- C:\Users\phat\AppData\Roaming\ezplay.cat
[2009/01/16 09:21:43 | 000,001,103 | ---- | C] () -- C:\Users\phat\AppData\Roaming\ezplay.inf
[2009/01/16 09:21:43 | 000,000,125 | ---- | C] () -- C:\Users\phat\AppData\Roaming\ezplay.ini
[2009/01/08 02:45:28 | 000,000,034 | ---- | C] () -- C:\Users\phat\AppData\Roaming\pcouffin.log
[2009/01/08 02:44:47 | 000,007,887 | ---- | C] () -- C:\Users\phat\AppData\Roaming\pcouffin.cat
[2009/01/08 02:44:47 | 000,001,144 | ---- | C] () -- C:\Users\phat\AppData\Roaming\pcouffin.inf
[2008/12/31 17:04:42 | 000,691,560 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/12/01 15:26:37 | 000,021,240 | ---- | C] () -- C:\Windows\System32\solidlocalmon.dll
[2008/12/01 15:26:37 | 000,013,560 | ---- | C] () -- C:\Windows\System32\solidlocalui.dll
[2008/11/10 12:07:59 | 000,000,000 | ---- | C] () -- C:\Windows\oodcnt.INI
[2008/11/07 02:37:32 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/11/07 02:34:00 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008/11/07 02:34:00 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest
[2008/11/07 02:33:02 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/09/02 14:30:41 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfmonnt.dll
[2008/09/02 14:30:26 | 000,000,164 | ---- | C] () -- C:\Windows\System32\psconv.ini
[2008/08/29 01:15:36 | 000,000,114 | ---- | C] () -- C:\Users\phat\webct_upload_applet.properties
[2008/08/18 21:28:31 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2008/07/25 00:54:57 | 000,148,480 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2008/07/25 00:54:57 | 000,073,728 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2008/07/20 05:23:18 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2008/06/20 02:07:15 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008/06/13 15:02:33 | 000,002,560 | ---- | C] () -- C:\Windows\System32\CtxfiRes.dll
[2008/06/13 14:21:42 | 000,003,072 | ---- | C] () -- C:\Windows\CTXFIRES.DLL
[2008/06/13 01:26:14 | 000,047,360 | ---- | C] () -- C:\Windows\System32\drivers\Surroundhp_kern_i386.sys
[2008/06/13 01:26:14 | 000,042,112 | ---- | C] () -- C:\Windows\System32\drivers\csiidecoder_kern_i386.sys
[2008/06/13 01:26:13 | 000,047,104 | ---- | C] () -- C:\Windows\System32\drivers\tshd4_kern_i386.sys
[2008/06/13 01:26:13 | 000,039,808 | ---- | C] () -- C:\Windows\System32\drivers\SRS_SSCFilter_i386.sys
[2008/06/11 23:08:27 | 000,000,000 | ---- | C] () -- C:\Windows\Irremote.ini
[2008/06/10 01:13:27 | 000,001,024 | ---- | C] () -- C:\Users\phat\.rnd
[2008/06/05 07:58:26 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/05/12 01:15:28 | 000,000,014 | ---- | C] () -- C:\Windows\System32\SysEngineDrive1.sys
[2008/04/29 02:13:33 | 000,000,310 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/04/27 17:39:16 | 000,717,296 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2008/03/29 15:30:22 | 000,130,560 | ---- | C] () -- C:\Users\phat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/29 15:24:00 | 000,001,100 | ---- | C] () -- C:\Users\phat\AppData\Local\d3d8caps.dat
[2008/03/29 15:11:25 | 000,001,356 | ---- | C] () -- C:\Users\phat\AppData\Local\d3d9caps.dat
[2008/03/29 15:11:23 | 018,350,080 | -HS- | C] () -- C:\Users\phat\NTUSER.DAT
[2008/03/29 15:11:23 | 000,524,288 | -HS- | C] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms
[2008/03/29 15:11:23 | 000,524,288 | -HS- | C] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms
[2008/03/29 15:11:23 | 000,262,144 | -H-- | C] () -- C:\Users\phat\ntuser.dat.LOG2
[2008/03/29 15:11:23 | 000,262,144 | -H-- | C] () -- C:\Users\phat\ntuser.dat.LOG1
[2008/03/29 15:11:23 | 000,065,536 | -HS- | C] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf
[2008/03/29 15:11:23 | 000,000,020 | -HS- | C] () -- C:\Users\phat\ntuser.ini
[2007/08/13 19:45:02 | 000,077,824 | ---- | C] () -- C:\Windows\System32\ctmmactl.dll
[2007/07/01 21:12:14 | 003,145,728 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2007/07/01 20:59:22 | 000,517,632 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
[2007/06/17 21:43:56 | 000,405,504 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2007/06/12 21:21:26 | 000,208,896 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
[2007/04/12 08:10:28 | 000,105,728 | ---- | C] () -- C:\Windows\System32\APOMgrH.dll
[2007/01/10 03:05:50 | 000,026,112 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
[2006/11/07 05:30:38 | 000,262,144 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2006/11/02 20:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 17:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/10/02 16:25:18 | 000,000,307 | ---- | C] () -- C:\Windows\System32\kill.ini
[2006/05/05 17:26:00 | 000,335,872 | ---- | C] () -- C:\Windows\System32\ctreestd.dll
[2004/10/04 03:50:54 | 000,129,024 | ---- | C] () -- C:\Windows\System32\ff_mpeg2enc.dll
[2000/01/31 07:02:00 | 000,047,104 | ---- | C] () -- C:\Windows\System32\Wh2Robo.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:4B7BEAFF
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >
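Added example for this thread (not OTL's code and not part of the poster's log): a small Python parser for the OTL file-listing and Alternate Data Stream lines above, with a few triage heuristics of the kind a helper applies by eye when reading such a log. The sample lines are copied from the log; the 1024-byte "too small to be a PE image" threshold, the 60-day window, the hiberfil/pagefile allowlist and the flagging rules are my assumptions. A flag means "look at this", not "this is malware": a vendor driver such as VSO's ezplay.sys in AppData\Roaming and small ADS under ProgramData\TEMP are routinely benign, and OTL's empty company field only means the file carries no version-info company, not that it is unsigned or malicious.

```python
"""Parse OTL file-listing / ADS lines and apply simple triage heuristics.

Added example for this thread; it is not OTL's code and not part of the
poster's log. Thresholds and rules below are assumptions, chosen to surface
entries worth a second look, not verdicts.
"""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# One line of each shape the parser must handle, copied from the log above.
SAMPLE_LOG = """\
[2010/04/07 11:47:46 | 000,340,016 | ---- | C] (Symantec Corporation) -- C:\\Windows\\System32\\drivers\\NAV\\1106000.020\\symtdiv.sys
[2010/04/07 11:47:32 | 000,000,000 | ---D | C] -- C:\\Windows\\System32\\drivers\\NAV\\1106000.020
[2010/03/04 23:17:13 | 000,000,014 | ---- | C] () -- C:\\Windows\\System32\\SystemInfo32.sys
[2009/06/23 10:49:14 | 000,010,752 | ---- | C] ( ) -- C:\\Windows\\System32\\a3d.dll
[2009/01/16 09:21:43 | 000,094,208 | ---- | C] (VSO Software) -- C:\\Users\\phat\\AppData\\Roaming\\ezplay.sys
[2010/04/07 19:38:16 | 3756,515,328 | -HS- | M] () -- C:\\hiberfil.sys
@Alternate Data Stream - 127 bytes -> C:\\ProgramData\\TEMP:4B7BEAFF
< End of report >
"""

# [date time | size | attrs | C/M] (company) -- path   (company part is optional)
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

DRIVER_DIR = "\\windows\\system32\\drivers\\"
PE_EXTS = (".sys", ".dll", ".exe")
MIN_PE_SIZE = 1024                                        # assumed: no usable driver/DLL is smaller
KNOWN_ROOT_FILES = {"c:\\hiberfil.sys", "c:\\pagefile.sys"}  # assumed known-good system files


@dataclass
class Entry:
    ts: datetime
    size: int
    attr: str       # OTL attribute column, e.g. ---D (directory), -HS- (hidden+system)
    kind: str       # C = "Files Created" list, M = "Files Modified" list
    company: str    # version-info company; '' when OTL printed () or ( )
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attr


def parse_otl(text: str) -> Tuple[List[Entry], List[Tuple[str, int]]]:
    """Return (file entries, [(ads_path, ads_size), ...]); unknown lines are ignored."""
    entries, streams = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                size=int(m["size"].replace(",", "")),   # "3756,515,328" -> 3756515328
                attr=m["attr"], kind=m["kind"],
                company=(m["company"] or "").strip(),
                path=m["path"],
            ))
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append((m["path"], int(m["size"])))
    return entries, streams


def triage(entries: List[Entry], streams: List[Tuple[str, int]],
           recent_days: int = 60) -> List[Tuple[str, str]]:
    """Heuristic review: returns (path, reason) pairs worth a closer look."""
    findings: List[Tuple[str, str]] = []
    if not entries:
        return findings
    log_date = max(e.ts for e in entries)       # assume newest timestamp ~ scan time
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        ext = ntpath.splitext(low)[1]
        if ext not in PE_EXTS or low in KNOWN_ROOT_FILES:
            continue
        if e.size < MIN_PE_SIZE:
            findings.append((e.path, f"{e.size}-byte {ext} file cannot be a PE image; "
                                     "marker/config file with a misleading extension"))
            continue
        if ext == ".sys" and DRIVER_DIR not in low:
            who = f"company: {e.company}" if e.company else "no version-info company"
            findings.append((e.path, f"driver extension outside System32\\drivers ({who})"))
        elif not e.company and "\\windows\\" in low and log_date - e.ts <= timedelta(days=recent_days):
            findings.append((e.path, f"PE with no company name touched within {recent_days} days under \\Windows"))
    for path, size in streams:
        findings.append((path, f"{size}-byte alternate data stream; often a security-product "
                               "leftover, confirm with 'dir /r' before acting"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(*parse_otl(SAMPLE_LOG)):
        print(f"{path}\n    {reason}")
```

Run it on a full OTL.txt by reading the file into parse_otl; the two "Files Created" and "Files Modified" sections parse identically, so an entry can show up twice (once per list), which is expected. Adjust recent_days to the scan date rather than trusting the newest timestamp if the log contains future-dated files.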
[2010/04/07 19:56:36 | 000,000,000 | R--D | M] -- C:\Users\phat\Downloads
[2010/04/07 19:54:05 | 018,350,080 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT
[2010/04/07 19:54:05 | 000,262,144 | -H-- | M] () -- C:\Users\phat\ntuser.dat.LOG1
[2010/04/07 19:51:23 | 000,000,000 | ---D | M] -- C:\Program Files\Warcraft III
[2010/04/07 19:50:45 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Local\temp
[2010/04/07 19:43:35 | 000,694,964 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/07 19:43:35 | 000,602,846 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/07 19:43:35 | 000,106,292 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/07 19:39:06 | 000,000,000 | ---D | M] -- C:\Users\phat\Tracing
[2010/04/07 19:38:53 | 000,000,000 | ---D | M] -- C:\ProgramData\NVIDIA
[2010/04/07 19:38:50 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/07 19:38:49 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/07 19:38:37 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/07 19:38:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/07 19:38:14 | 000,151,844 | ---- | M] () -- C:\Windows\System32\oodbs.lor
[2010/04/07 19:22:33 | 000,011,564 | ---- | M] () -- C:\Windows\System32\DVCState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:24 | 000,065,536 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf
[2010/04/07 19:22:23 | 000,524,288 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms
[2010/04/07 19:22:19 | 003,758,436 | -H-- | M] () -- C:\Users\phat\AppData\Local\IconCache.db
[2010/04/07 18:14:26 | 000,130,560 | ---- | M] () -- C:\Users\phat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/07 15:45:52 | 000,513,536 | ---- | M] () -- C:\Users\phat\Desktop\Halogentrack.xls
[2010/04/07 15:45:52 | 000,000,000 | R--D | M] -- C:\Users\phat\Desktop
[2010/04/07 13:24:37 | 000,002,135 | ---- | M] () -- C:\Users\Public\Desktop\Norton AntiVirus.lnk
[2010/04/06 22:17:23 | 000,000,000 | R--D | M] -- C:\Users\phat\Favorites
[2010/04/06 10:34:03 | 000,330,240 | ---- | M] () -- C:\Users\phat\Desktop\Kaixen.xls
[2010/04/05 17:22:55 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Local\CrashDumps
[2010/04/05 17:16:31 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2010/04/05 17:13:10 | 000,036,286 | ---- | M] () -- C:\Users\phat\Documents\cc_20100405_171305.reg
[2010/04/05 17:13:07 | 000,000,000 | R--D | M] -- C:\Users\phat\Documents
[2010/04/05 17:10:55 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2010/04/05 17:09:41 | 000,000,000 | ---D | M] -- C:\Program Files\Blaze Media Pro
[2010/04/05 17:09:00 | 000,000,000 | ---D | M] -- C:\ProgramData\TEMP
[2010/04/05 17:08:01 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/04/05 17:04:35 | 000,000,000 | ---D | M] -- C:\ProgramData\Spybot - Search & Destroy
[2010/04/05 16:59:50 | 000,312,424 | ---- | M] () -- C:\Users\phat\Documents\cc_20100405_165936.reg
[2010/04/05 16:58:58 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/04/05 16:41:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/04/05 16:29:30 | 000,000,000 | ---- | M] () -- C:\Users\phat\defogger_reenable
[2010/04/03 11:33:13 | 000,000,000 | ---D | M] -- C:\Program Files\Driver Sweeper
[2010/04/03 02:03:59 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\Skype
[2010/04/03 00:39:49 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\dvdcss
[2010/04/02 23:06:05 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\skypePM
[2010/04/02 16:49:19 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/04/02 16:49:19 | 000,000,000 | ---D | M] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/02 16:48:29 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/04/02 16:48:28 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files\Apple
[2010/04/02 16:45:57 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/04/02 16:40:53 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2010/04/02 15:52:11 | 000,000,009 | ---- | M] () -- C:\Windows\Brfaxrx.ini
[2010/04/02 15:03:38 | 000,000,224 | ---- | M] () -- C:\Windows\Brpfx04a.ini
[2010/04/02 15:03:38 | 000,000,094 | ---- | M] () -- C:\Windows\brpcfx.ini
[2010/04/02 15:03:38 | 000,000,050 | ---- | M] () -- C:\Windows\System32\Nodata
[2010/04/02 15:03:11 | 000,000,000 | R--D | M] -- C:\Users\phat\Pictures
[2010/04/02 15:02:21 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Local\Microsoft
[2010/04/02 13:35:37 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files\Skype
[2010/04/01 19:10:42 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010/04/01 13:27:31 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Local\Apple Computer
[2010/04/01 12:03:18 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010/04/01 10:43:52 | 000,017,073 | ---- | M] () -- C:\Users\phat\Documents\BEO1106 BUSINESS STATISTICS.docx
[2010/04/01 03:04:13 | 000,000,000 | ---D | M] -- C:\Program Files\BitComet
[2010/04/01 02:48:17 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/03/30 13:21:40 | 000,000,000 | ---D | M] -- C:\Program Files\Cheat Engine
[2010/03/30 04:15:24 | 000,000,000 | ---D | M] -- C:\ProgramData\WindowsSearch
[2010/03/30 03:15:26 | 000,000,000 | ---D | M] -- C:\ProgramData\Sun
[2010/03/30 03:15:25 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files\Java
[2010/03/30 03:14:21 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/03/30 03:14:21 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/03/30 03:14:21 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/03/30 03:08:52 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files\Symantec Shared
[2010/03/30 02:42:47 | 000,000,000 | ---D | M] -- C:\ProgramData\Norton
[2010/03/30 02:42:12 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2010/03/30 02:41:17 | 000,000,000 | ---D | M] -- C:\Program Files\Norton AntiVirus
[2010/03/30 02:40:31 | 000,000,000 | ---D | M] -- C:\ProgramData\NortonInstaller
[2010/03/30 02:33:01 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2010/03/29 23:24:42 | 001,060,864 | ---- | M] () -- C:\Users\phat\Documents\Database.mdb
[2010/03/29 23:24:32 | 000,000,000 | --SD | M] -- C:\Users\phat\AppData\Roaming\Microsoft
[2010/03/29 18:51:38 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/03/29 12:41:51 | 000,000,000 | ---D | M] -- C:\Program Files\TrendMicro
[2010/03/27 23:42:56 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\FrostWire
[2010/03/24 19:02:17 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/22 02:18:07 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Local\Deployment
[2010/03/22 01:24:56 | 003,567,743 | ---- | M] () -- C:\Users\phat\Desktop\jiu yao xing fu le.mp3
[2010/03/21 15:51:55 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Local\Apps
[2010/03/17 20:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 20:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2010/03/16 11:14:21 | 000,000,000 | ---D | M] -- C:\Users\phat\AppData\Roaming\FileZilla
[2010/03/15 15:29:02 | 000,087,040 | ---- | M] () -- C:\Users\phat\Desktop\audio.xls
[2010/03/15 15:12:50 | 000,011,901 | ---- | M] () -- C:\Users\phat\Desktop\returns.xlsx
[2010/03/14 10:38:49 | 000,055,368 | ---- | M] () -- C:\Windows\War3Unin.dat
[2010/03/12 19:29:46 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft Help
[2010/03/12 19:29:22 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/03/12 17:02:38 | 000,261,632 | ---- | M] () -- C:\Windows\PEV.exe
[2010/01/20 10:05:52 | 000,101,520 | ---- | M] () -- C:\Users\phat\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/01/20 01:48:31 | 000,000,006 | -HS- | M] () -- C:\Users\phat\AppData\Roaming\desktop.ini
[2010/01/20 01:48:31 | 000,000,006 | -HS- | M] () -- C:\Users\phat\AppData\Local\desktop.ini
[2010/01/15 00:09:18 | 000,001,356 | ---- | M] () -- C:\Users\phat\AppData\Local\d3d9caps.dat
[2009/12/15 17:11:00 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont
[2009/12/01 03:19:40 | 000,524,288 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms
[2009/03/21 17:50:48 | 000,000,114 | ---- | M] () -- C:\Users\phat\webct_upload_applet.properties
[2009/01/16 09:22:29 | 000,000,034 | ---- | M] () -- C:\Users\phat\AppData\Roaming\ezplay.log
[2009/01/16 09:21:43 | 000,094,208 | ---- | M] (VSO Software) -- C:\Users\phat\AppData\Roaming\ezplay.sys
[2009/01/16 09:21:43 | 000,007,861 | ---- | M] () -- C:\Users\phat\AppData\Roaming\ezplay.cat
[2009/01/16 09:21:43 | 000,001,103 | ---- | M] () -- C:\Users\phat\AppData\Roaming\ezplay.inf
[2009/01/16 09:21:43 | 000,000,125 | ---- | M] () -- C:\Users\phat\AppData\Roaming\ezplay.ini
[2009/01/08 02:45:28 | 000,000,034 | ---- | M] () -- C:\Users\phat\AppData\Roaming\pcouffin.log
[2009/01/08 02:44:47 | 000,047,360 | ---- | M] (VSO Software) -- C:\Users\phat\AppData\Roaming\pcouffin.sys
[2009/01/08 02:44:47 | 000,007,887 | ---- | M] () -- C:\Users\phat\AppData\Roaming\pcouffin.cat
[2009/01/08 02:44:47 | 000,001,144 | ---- | M] () -- C:\Users\phat\AppData\Roaming\pcouffin.inf
[2009/01/02 15:11:09 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini
[2008/06/15 20:34:01 | 000,001,100 | ---- | M] () -- C:\Users\phat\AppData\Local\d3d8caps.dat
[2008/06/14 17:03:57 | 000,001,024 | ---- | M] () -- C:\Users\phat\.rnd
[2008/05/08 09:10:41 | 000,262,144 | -H-- | M] () -- C:\Users\phat\ntuser.dat.LOG2
[2008/03/29 15:11:23 | 000,000,020 | -HS- | M] () -- C:\Users\phat\ntuser.ini
[2006/11/02 22:35:34 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 22:35:34 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 22:35:34 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[1 C:\Users\phat\*.tmp files -> C:\Users\phat\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/07 19:54:05 | 018,350,080 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT
[2010/04/07 19:43:35 | 000,694,964 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/07 19:43:35 | 000,602,846 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/07 19:43:35 | 000,106,292 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/07 19:38:50 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/07 19:38:49 | 000,034,800 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/07 19:38:37 | 000,003,776 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 19:38:37 | 000,003,776 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 19:38:37 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/07 19:38:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/07 19:38:16 | 3756,515,328 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/07 19:38:14 | 000,151,844 | ---- | M] () -- C:\Windows\System32\oodbs.lor
[2010/04/07 19:22:33 | 000,031,056 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,031,056 | ---- | M] () -- C:\Windows\System32\BMXState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,030,528 | ---- | M] () -- C:\Windows\System32\BMXCtrlState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,030,528 | ---- | M] () -- C:\Windows\System32\BMXBkpCtrlState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:33 | 000,011,564 | ---- | M] () -- C:\Windows\System32\DVCState-{00000004-00000000-00000000-00001102-00000004-20021102}.rfx
[2010/04/07 19:22:24 | 000,065,536 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf
[2010/04/07 19:22:23 | 000,524,288 | -HS- | M] () -- C:\Users\phat\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms
[2010/04/07 19:22:19 | 003,758,436 | -H-- | M] () -- C:\Users\phat\AppData\Local\IconCache.db
[2010/04/07 18:46:22 | 001,798,720 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1106000.020\Cat.DB
[2010/04/07 18:14:26 | 000,130,560 | ---- | M] () -- C:\Users\phat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/07 15:45:52 | 000,513,536 | ---- | M] () -- C:\Users\phat\Desktop\Halogentrack.xls
[2010/04/07 13:24:37 | 000,002,135 | ---- | M] () -- C:\Users\Public\Desktop\Norton AntiVirus.lnk
[2010/04/06 10:34:03 | 000,330,240 | ---- | M] () -- C:\Users\phat\Desktop\Kaixen.xls
[2010/04/05 17:13:10 | 000,036,286 | ---- | M] () -- C:\Users\phat\Documents\cc_20100405_171305.reg
[2010/04/05 16:59:50 | 000,312,424 | ---- | M] () -- C:\Users\phat\Documents\cc_20100405_165936.reg
[2010/04/05 16:29:30 | 000,000,000 | ---- | M] () -- C:\Users\phat\defogger_reenable
[2010/04/02 15:52:11 | 000,000,009 | ---- | M] () -- C:\Windows\Brfaxrx.ini
[2010/04/02 15:03:38 | 000,000,224 | ---- | M] () -- C:\Windows\Brpfx04a.ini
[2010/04/02 15:03:38 | 000,000,094 | ---- | M] () -- C:\Windows\brpcfx.ini
[2010/04/02 15:03:38 | 000,000,050 | ---- | M] () -- C:\Windows\System32\Nodata
[2010/04/01 19:10:42 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2010/04/01 12:03:18 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2010/04/01 10:43:52 | 000,017,073 | ---- | M] () -- C:\Users\phat\Documents\BEO1106 BUSINESS STATISTICS.docx
[2010/04/01 02:48:17 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/03/30 03:14:21 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2010/03/30 03:14:21 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/03/30 03:14:21 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/03/30 03:14:21 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/03/30 02:42:11 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2010/03/30 02:42:11 | 000,007,443 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2010/03/30 02:42:11 | 000,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2010/03/29 23:24:42 | 001,060,864 | ---- | M] () -- C:\Users\phat\Documents\Database.mdb
[2010/03/27 11:15:54 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1106000.020\isolate.ini
[2010/03/22 01:24:56 | 003,567,743 | ---- | M] () -- C:\Users\phat\Desktop\jiu yao xing fu le.mp3
[2010/03/17 20:53:42 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/03/17 20:53:42 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2010/03/15 15:29:02 | 000,087,040 | ---- | M] () -- C:\Users\phat\Desktop\audio.xls
[2010/03/15 15:12:50 | 000,011,901 | ---- | M] () -- C:\Users\phat\Desktop\returns.xlsx
[2010/03/14 10:38:49 | 000,055,368 | ---- | M] () -- C:\Windows\War3Unin.dat
[2010/03/12 17:02:38 | 000,261,632 | ---- | M] () -- C:\Windows\PEV.exe
[1 C:\Users\phat\*.tmp files -> C:\Users\phat\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:4B7BEAFF
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8

< End of report >


OTL Extras logfile created on: 7/04/2010 7:52:24 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\phat\Downloads
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 65.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.32 Gb Total Space | 81.99 Gb Free Space | 28.44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 4.18 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PHAT-PC
Current User Name: phat
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.pif [@ = piffile] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00EE6A4E-80B6-4A72-85F3-6B952A801B7D}" = lport=138 | protocol=17 | dir=in | app=system |
"{047BA801-0B22-4ACF-9BEB-6C6C95906167}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{0AE2BD37-D1AB-44D9-8058-B2160F378AC7}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{1ABE1D73-1730-4B2E-9D6B-AFDFBCD9E922}" = lport=137 | protocol=17 | dir=in | app=system |
"{39B6C33F-1A15-43A7-9A6F-60D306A076F6}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{474AE360-FB47-494D-9019-AFF9F3221C70}" = lport=139 | protocol=6 | dir=in | app=system |
"{68D14CBB-C103-4E78-A506-E4AC989B6F09}" = rport=137 | protocol=17 | dir=out | app=system |
"{7955F1F8-F7BC-4753-A671-FB4884A7C92B}" = rport=445 | protocol=6 | dir=out | app=system |
"{7B14F260-1D7D-4642-B482-49114F01F6F8}" = rport=139 | protocol=6 | dir=out | app=system |
"{B0EC51E8-CC27-4E1B-9410-DCF45D6F0D1A}" = lport=445 | protocol=6 | dir=in | app=system |
"{BC4CFA7C-509C-4B85-8518-B00D7E275001}" = lport=2869 | protocol=6 | dir=in | app=system |
"{C0DBA33D-6200-409C-9BC8-FD35F1A890C9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{CEE73747-E39A-4657-A4B4-16C563350EA6}" = lport=24998 | protocol=17 | dir=in | name=bitcomet 24998 udp |
"{D0844B6C-8AA8-4D42-A145-CD06CC479466}" = lport=24998 | protocol=6 | dir=in | name=bitcomet 24998 tcp |
"{F14E2578-4A5F-470F-A1E5-51A4DD59EE62}" = rport=138 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0101C350-9059-47F7-8462-34AD1694DA36}" = protocol=58 | dir=out | app=system |
"{0E22E59D-445B-4743-8D3B-24EC998D93EB}" = protocol=58 | dir=out | app=system |
"{104BAB88-FC9B-45BF-85A2-D89BCF3046FF}" = protocol=58 | dir=out | app=system |
"{15083EB0-F978-4E21-B820-05708BE1E41F}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{1A8DCC53-09BB-4728-BB4F-D4D4883FBD9A}" = protocol=58 | dir=out | app=system |
"{1BFE548E-B549-4959-949C-ABE166C89465}" = protocol=58 | dir=out | app=system |
"{1EB5820E-544D-4661-9866-933D4D077A34}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{1F223069-9ED4-45E0-A290-A0E3B050C7F7}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2100ED6D-CBAC-4BE8-B572-B4ACB1ACA73C}" = protocol=58 | dir=out | app=system |
"{242A377A-96BA-4A6B-A671-DA8573D6BBA4}" = protocol=58 | dir=out | app=system |
"{2465C17E-2AE6-43AD-8E61-5896C8C90233}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{25122843-0FB1-45FD-9722-8BC002F0627E}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwupdate.exe |
"{25157A79-E683-48AC-87EC-9B25008C9721}" = protocol=58 | dir=out | app=system |
"{257FFBFC-C7BA-4FA5-9326-E827719B7E69}" = protocol=58 | dir=out | app=system |
"{2A894B1B-2DCC-4B85-AFB7-E81D2BE0B872}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe |
"{2B6C5AC1-B358-4F2F-AF5A-D207A91892A6}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{2B92EF38-415F-47C7-B041-98C48D5482EC}" = protocol=58 | dir=out | app=system |
"{2F63B117-B112-46DF-9348-C49D77160EEC}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{309F102B-A6C7-42BE-B634-AC1BF0205F8C}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe |
"{31A3E4B1-2B00-4A64-8ACC-7BE847310A53}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main_amdxp.exe |
"{34E59A5D-B6F0-4D31-9652-F82B9FE11CC7}" = protocol=58 | dir=out | app=system |
"{37A5B417-7F5D-44E0-B054-3430F9B681FD}" = protocol=58 | dir=out | app=system |
"{3B3D9C3C-8D19-4087-9DEB-215D54563620}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\left 4 dead\left4dead.exe |
"{3CF07E53-6F9A-48BF-B83A-D512149C29E3}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{42CC2390-1DAC-4B24-B67D-6EB817C77B09}" = protocol=58 | dir=out | app=system |
"{48DE2BAF-2CE5-431C-BF21-503DDE6A7990}" = protocol=6 | dir=in | app=c:\windows\temp\~os5ef2.tmp\ossproxy.exe |
"{4EC90D8D-57D2-4725-A31C-3800890391D7}" = protocol=58 | dir=out | app=system |
"{4F7EDF20-5E4D-4059-AF54-8D4B635B492A}" = protocol=6 | dir=in | app=c:\windows\temp\~os7c51.tmp\rlvknlg.exe |
"{55177AF5-913F-4C7C-8168-DCF9219BD204}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{5614BF0A-ED7D-4B74-A47C-6E75DD39289B}" = protocol=58 | dir=out | app=system |
"{579E477D-A902-49EF-83B3-13ED23E75774}" = protocol=58 | dir=out | app=system |
"{5B154588-54B3-4A5F-B768-EB203D38FEF7}" = protocol=58 | dir=out | app=system |
"{5B2CEEC7-B293-4DEE-8207-518C4F48B7FE}" = protocol=58 | dir=out | app=system |
"{5B489A7F-60CA-454A-B33F-E74947929FEE}" = protocol=17 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe |
"{5D153E77-64A2-4AAF-8D2C-39C96845B6A4}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main_amdxp.exe |
"{5D311CFB-E73D-464F-9B97-BAA80CDFE17C}" = protocol=58 | dir=out | app=system |
"{5EBD2A25-0706-436B-A93A-0A875F2900F5}" = protocol=58 | dir=out | app=system |
"{60B05D08-D7EF-45F9-BFE4-A50FDB10AB56}" = protocol=58 | dir=out | app=system |
"{645DEF00-0C89-4CF7-BAA4-063E3CA9C32E}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwupdate.exe |
"{686BC80C-36A6-420D-BCE6-B1F93102C590}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2server.exe |
"{69736F95-3F21-40EE-AD9D-B1047B6700AE}" = protocol=17 | dir=in | app=c:\program files\relevantknowledge\rlvknlg.exe |
"{6BEACB83-8529-49E5-9D9B-A077BD3E4BF9}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{6BF0BC3E-1FCD-4D9B-B0BF-BE59D2A06078}" = protocol=58 | dir=out | app=system |
"{6C5DE2AE-E295-45E1-9EA9-124D130F089A}" = protocol=58 | dir=out | app=system |
"{7492DCF2-11E5-42C6-97FB-54F927ABD55A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{76286D89-C1C2-4CED-BFCD-8656927721BF}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{782515C4-B719-45B8-8F39-BE2453F71F70}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{7C84AC37-A3F8-424E-A320-78A61EEC92F9}" = protocol=58 | dir=out | app=system |
"{7CCAE443-8D28-45D0-BEC7-1390F4D1CC40}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{8326D8B5-C27E-4A6E-A1A5-CA442D432889}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{83759CC0-5E0C-4301-B049-015AAFA8D88E}" = protocol=58 | dir=out | app=system |
"{845C9EC3-A924-447C-96C9-C21F6850ADF9}" = protocol=58 | dir=out | app=system |
"{8A06FD59-8941-4307-9FFB-F883EB947EB3}" = protocol=58 | dir=out | app=system |
"{8B625C2C-C67B-40F7-B438-701587EC0A96}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{8CFA60BE-0A2D-41AF-9CDD-F4E79101EB72}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{8EBAA04A-AF32-4B9C-83DE-7DD5A5DE9A9F}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{92290545-84A3-4411-9F4D-6E2D770D1DE3}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{92B7E282-5C8C-4CC2-8835-A59591825FDC}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{97268911-A1A9-4772-887C-156F1A148762}" = protocol=6 | dir=in | app=c:\program files\relevantknowledge\rlvknlg.exe |
"{97294CF6-EA85-48B1-B7C9-56DB9F457765}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{9BA886FD-19F2-4231-A454-2FE961AA1FF7}" = protocol=58 | dir=out | app=system |
"{A2FB265E-4410-4578-BDB3-46C171BE7C1B}" = protocol=58 | dir=out | app=system |
"{A90F84AD-B924-4065-BF9F-3021046860D2}" = protocol=58 | dir=out | app=system |
"{AC50E465-8389-4769-8BE4-FB79176FDAEB}" = protocol=58 | dir=out | app=system |
"{AED79894-413C-4C6A-97DC-678C8464AA0A}" = protocol=58 | dir=out | app=system |
"{AF42313F-ABE4-4E07-95C7-4B65BD4AADC5}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2server.exe |
"{B3AE5663-5D96-4D81-904D-C5517AD78801}" = protocol=58 | dir=out | app=system |
"{B5A9C777-0CD4-48DE-8286-78D863702F27}" = protocol=17 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main.exe |
"{B6CB0E17-0D55-46C3-A1BA-E8B96316661A}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BBA6CD57-96DA-408B-BC81-0283D5A77351}" = protocol=58 | dir=out | app=system |
"{BD671B09-BF04-447E-AA5A-6E6FD15951C1}" = protocol=58 | dir=out | app=system |
"{BE581DB5-A70E-403F-B10F-1FF9049DBFD4}" = protocol=58 | dir=out | app=system |
"{C0948974-D397-42ED-B056-C1C3F9051F2A}" = protocol=58 | dir=out | app=system |
"{C3A00694-C810-42D8-94C6-6438886AE3F5}" = protocol=58 | dir=out | app=system |
"{C4A753EE-EC71-47C9-B846-C16F37068A8C}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{C8B699ED-9B05-4577-9662-742A49BA91D3}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{C9F892BB-E624-46FF-912B-19599042224D}" = protocol=58 | dir=out | app=system |
"{CCDABB93-A3FD-46D0-94B9-D7CD4A2A837B}" = protocol=58 | dir=out | app=system |
"{CE680C47-04C9-4AB3-B5F0-8DF0968874B0}" = protocol=58 | dir=out | app=system |
"{D38EA228-1256-4462-8407-47E76CA4E27D}" = protocol=58 | dir=out | app=system |
"{D6CEE32A-125F-44F4-8519-1EC3EC48576B}" = protocol=58 | dir=in | app=system |
"{D736820B-37C5-42C4-877C-8846ACDB6325}" = protocol=58 | dir=out | app=system |
"{D77B77AE-2001-4373-963F-7D4824B6A4B8}" = protocol=6 | dir=in | app=c:\program files\skype\plugin manager\skypepm.exe |
"{DBAB77B3-BB27-47F7-8781-D4EC3342E1CE}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{DF020A97-7363-495F-83B0-06EF8373482D}" = protocol=58 | dir=out | app=system |
"{EC4273D8-03DA-410D-B36C-5CF19F9BD4DE}" = protocol=58 | dir=out | app=system |
"{EDBC3D09-5D52-49B3-9BE5-D4DB72B02573}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe |
"{EECF56D4-8548-4B13-8B22-B596DFFF719E}" = protocol=58 | dir=out | app=system |
"{EFA628B0-BA04-4605-B133-F1FEDFC305DE}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{F281A052-8005-44CA-A18D-137520987947}" = protocol=58 | dir=out | app=system |
"{F37AEAAE-D208-4E42-913C-FE4E0DF82BC3}" = protocol=58 | dir=out | app=system |
"{F4206731-C7C2-4EF5-8BAF-6D7D75C5BF14}" = protocol=58 | dir=out | app=system |
"{F59CDAC8-0AB5-42B6-A632-3F491414B6A0}" = protocol=58 | dir=out | app=system |
"{F5A293C4-F94B-4BF3-B1C7-41EA2DD18BD0}" = protocol=58 | dir=out | app=system |
"{F810B7B3-5472-4BA7-8EE3-7C6CD71D73A1}" = protocol=58 | dir=out | app=system |
"{FC0554D7-8A10-4523-A8CA-A951804BD4AF}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe |
"{FE4378B6-E736-41F1-AD07-C5394CCF93E7}" = protocol=6 | dir=in | app=c:\program files\atari\neverwinter nights 2\nwn2main.exe |
"{FE8599C2-0253-44A6-A17C-D51221D4CAD2}" = protocol=6 | dir=in | app=c:\windows\temp\~osbc2e.tmp\rlvknlg.exe |
"TCP Query User{1E596BF9-85F1-49DC-A5AB-77EEFB64B9A1}C:\program files\steam\steamapps\phatpleasure\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\phatpleasure\team fortress 2\hl2.exe |
"TCP Query User{443A55C4-2B62-4A60-B922-5AB7A10229F7}C:\program files\bitcomet\bitcomet.exe" = protocol=6 | dir=in | app=c:\program files\bitcomet\bitcomet.exe |
"TCP Query User{7A9A2558-DE0A-42A9-92F6-0DCDD89553F7}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"TCP Query User{98BEDBC6-7B72-4F41-A22A-23CF5036B286}C:\program files\warcraft iii\war3.exe" = protocol=6 | dir=in | app=c:\program files\warcraft iii\war3.exe |
"TCP Query User{9FACC983-E8E3-4D7E-A1D7-D217D55F4383}C:\program files\garena\garena.exe" = protocol=6 | dir=in | app=c:\program files\garena\garena.exe |
"TCP Query User{D26752ED-325C-4CB8-A1B4-A08187E6206D}C:\program files\frostwire\frostwire.exe" = protocol=6 | dir=in | app=c:\program files\frostwire\frostwire.exe |
"TCP Query User{E630D839-C3F9-478F-AB00-C83919C09960}C:\program files\warcraft iii\war3.exe" = protocol=6 | dir=in | app=c:\program files\warcraft iii\war3.exe |
"TCP Query User{F23B8660-F737-4765-8EFE-33D61D39835B}C:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe |
"UDP Query User{19B12FA6-5676-46CB-B996-2F198CC40EB2}C:\program files\garena\garena.exe" = protocol=17 | dir=in | app=c:\program files\garena\garena.exe |
"UDP Query User{43718867-9685-4948-AF42-C140FAE44356}C:\program files\steam\steamapps\phatpleasure\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\phatpleasure\team fortress 2\hl2.exe |
"UDP Query User{73734E9D-2A2A-49ED-BDA0-5DC7999DECE3}C:\program files\warcraft iii\war3.exe" = protocol=17 | dir=in | app=c:\program files\warcraft iii\war3.exe |
"UDP Query User{7628FDCD-B515-4797-96D6-4E2758014D85}C:\program files\frostwire\frostwire.exe" = protocol=17 | dir=in | app=c:\program files\frostwire\frostwire.exe |
"UDP Query User{A34CA746-B68C-4C83-8158-EBD12387867C}C:\program files\warcraft iii\war3.exe" = protocol=17 | dir=in | app=c:\program files\warcraft iii\war3.exe |
"UDP Query User{B957FAE5-5A7D-4B52-941D-52D51172EC0F}C:\program files\bitcomet\bitcomet.exe" = protocol=17 | dir=in | app=c:\program files\bitcomet\bitcomet.exe |
"UDP Query User{BCE58B81-8F1B-4FEE-89F6-86FC471B741F}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"UDP Query User{C61F0FF3-25EA-4331-8F9A-3AC9ABC9F05F}C:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{005E738B-5A0A-4483-A900-877D183A8F45}_is1" = BlindWrite 6
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4802" = CanoScan LiDE 600F
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{15C768E2-AB61-4DE3-952F-6B237A834951}" = Adobe Setup
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{32CF189D-52BB-4C1C-8F93-97E8F3CDDC95}" = Razer Habu Config
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}" = Adobe Setup
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C5F1B30-B10B-4579-86DD-D00F662E1033}" = Nero 8
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6283B16A-66AE-48F9-BCA5-9EABDAE1790B}" = MYOB Accounting Plus v18
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{715E37EC-7AFD-43F0-AF4E-DF2FB2C438C4}" = Magic Holdem Calculator
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{937C6F96-CEA5-4B97-848D-1328BD8D59D4}" = ECI Client v5.2
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC76BA86-7AD7-2447-0000-800000000003}" = Chinese Simplified Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-5670-0000-800000000003}" = Korean Fonts Support For Adobe Reader 8
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B148AB4B-C8FA-474B-B981-F2943C5B5BCD}" = OGA Notifier 1.7.0105.35.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}" = Microsoft Outlook Personal Folders Backup
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1565BD9-6E66-4292-90C6-5FC70A98A428}" = MYOB ODBC Direct v8 AUS
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D7A53E41-3F32-4A44-989C-53DDEBB2130C}" = Adobe Extension Manager CS3
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DF29A0E2-DF76-4932-98A9-34B441F40486}" = Auction Sentry
"{E16110F7-1C85-4675-99F4-7938F832C825}" = Adobe Fireworks CS3
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{ED6C5ECD-5AA4-4054-BF67-8F49526E5765}" = O&O Defrag Professional
"{EDA0FFC5-7964-4E2F-9014-693F04695933}" = BA Installer
"{F01D5ED5-D53A-4468-B428-149DC2CB3110}" = Adobe Dreamweaver CS3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FB3BE405-6BF0-490A-84B3-00611385EA0D}" = Common-Use Signing Interface
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FFC1ADE3-944B-4231-894E-3903C37271D2}" = Adobe Setup
"AC3Filter" = AC3Filter (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_435a6af7459cb02a9c1138113a26e93" = Adobe Dreamweaver CS3
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_bbef028176efa5abf0233d3e1747be8" = Adobe Fireworks CS3
"Adobe_c3c7fe8b09d497ab2b3fd91c9353390" = Adobe Flash CS3 Professional
"ALchemy" = Creative ALchemy
"AudioConSole" = Creative Audio Console
"AudioCS" = Creative Audio Console
"BitComet" = BitComet 1.09
"Brother Extensions for Paperport" = Brother Extensions for Paperport
"CanoScan Toolbox 5.0" = Canon CanoScan Toolbox 5.0
"CCleaner" = CCleaner
"Cheat Engine 5.5_is1" = Cheat Engine 5.5
"Common-Use Signing Interface" = Common-Use Signing Interface
"Creative MediaSource DVD-Audio Player" = Creative MediaSource DVD-Audio Player
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVD X Player 4.0 Professional_is1" = DVD X Player 4.0 Professional
"DVD X Player 4.1 Professional_is1" = DVD X Player 4.1 Professional
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FileZilla Client" = FileZilla Client 3.3.1
"FireTune" = FireTune
"FLV Player" = FLV Player 2.0 (build 25)
"Free PDF to Word Doc Converter_is1" = Free PDF to Word Doc Converter v1.1
"Free PS Convert driver_is1" = Free PS Convert driver 8.15
"FrostWire" = FrostWire 4.18.6
"ImgBurn" = ImgBurn
"Insaniquarium Deluxe 1.1" = Insaniquarium Deluxe 1.1
"InstallShield_{6283B16A-66AE-48F9-BCA5-9EABDAE1790B}" = MYOB Accounting Plus v18
"InstallShield_{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"InstallShield_{D1565BD9-6E66-4292-90C6-5FC70A98A428}" = MYOB ODBC Direct v8 AUS
"Magic ISO Maker v5.4 (build 0256)" = Magic ISO Maker v5.4 (build 0256)
"Magic ISO Maker v5.5 (build 0272)" = Magic ISO Maker v5.5 (build 0272)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NAV" = Norton AntiVirus
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"OpenAL" = OpenAL
"PaperPort 6.5" = PaperPort 6.5
"PFPortChecker" = PFPortChecker 1.0.28
"PrimoPDF4.1.0.9" = PrimoPDF
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 240" = Counter-Strike: Source
"Steam App 440" = Team Fortress 2
"Steam App 500" = Left 4 Dead
"Steam App 80" = Condition Zero
"SwitchOff" = Switch Off
"SystemRequirementsLab" = System Requirements Lab
"TradeManager 2008" = TradeManager 2008
"Veoh Web Player Beta" = Veoh Web Player
"VLC media player" = VideoLAN VLC media player 0.8.6
"WampServer 2_is1" = WampServer 2.0
"Warcraft III" = Warcraft III
"WaveStudio 7" = Creative WaveStudio 7
"Winamp" = Winamp
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"XP Codec Pack" = XP Codec Pack
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-580790463-919171761-3139786747-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"19b70efeac82acf9" = UberGraffiti
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/04/2010 2:56:45 AM | Computer Name = phat-PC | Source = Application Hang | ID = 1002
Description = The program explorer.exe version 6.0.6002.18005 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 122c Start Time: 01cad48ccf3ef7bd Termination Time: 3430

Error - 5/04/2010 3:07:39 AM | Computer Name = phat-PC | Source = VSS | ID = 8194
Description =

Error - 5/04/2010 3:22:54 AM | Computer Name = phat-PC | Source = Application Error | ID = 1000
Description = Faulting application oodtray.exe, version 12.0.0.199, time stamp 0x4aaac84f,
faulting module oorwiz2.dll, version 2.0.1.10793, time stamp 0x4a9d10fd, exception
code 0xc000000d, fault offset 0x00040696, process id 0x848, application start time
0x01cad49003dd9ecf.

Error - 6/04/2010 8:29:49 AM | Computer Name = phat-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 6/04/2010 12:28:45 PM | Computer Name = phat-PC | Source = Bonjour Service | ID = 100
Description = 388: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 6/04/2010 12:28:45 PM | Computer Name = phat-PC | Source = Bonjour Service | ID = 100
Description = 384: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 6/04/2010 12:28:45 PM | Computer Name = phat-PC | Source = Bonjour Service | ID = 100
Description = 400: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 6/04/2010 12:28:45 PM | Computer Name = phat-PC | Source = Bonjour Service | ID = 100
Description = 404: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 6/04/2010 12:28:45 PM | Computer Name = phat-PC | Source = Bonjour Service | ID = 100
Description = 408: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 6/04/2010 12:28:45 PM | Computer Name = phat-PC | Source = Bonjour Service | ID = 100
Description = 412: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

[ OSession Events ]
Error - 17/10/2008 8:20:21 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 22/01/2009 12:20:23 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1158
seconds with 360 seconds of active time. This session ended with a crash.

Error - 2/04/2009 1:19:25 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 109
seconds with 60 seconds of active time. This session ended with a crash.

Error - 11/04/2009 12:24:39 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 11238
seconds with 720 seconds of active time. This session ended with a crash.

Error - 23/04/2009 2:21:50 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 647
seconds with 360 seconds of active time. This session ended with a crash.

Error - 27/04/2009 12:58:54 PM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 23271
seconds with 540 seconds of active time. This session ended with a crash.

Error - 4/10/2009 7:52:10 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6504.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 3178
seconds with 780 seconds of active time. This session ended with a crash.

Error - 4/12/2009 6:15:15 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/12/2009 6:03:22 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/12/2009 8:29:15 AM | Computer Name = phat-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 5051 seconds with 3000 seconds of active time. This session ended with a
crash.

[ System Events ]
Error - 5/04/2010 8:18:41 PM | Computer Name = phat-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Send To OneNote 2007 with
shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used
by others on the network.

Error - 5/04/2010 8:18:41 PM | Computer Name = phat-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Quicken PDF Printer with
shared resource name Quicken PDF Printer. Error 2114. The printer cannot be used
by others on the network.

Error - 5/04/2010 8:19:04 PM | Computer Name = phat-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 6/04/2010 2:38:02 AM | Computer Name = phat-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 6/04/2010 4:28:21 AM | Computer Name = phat-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.5 for the Network Card with network
address 001D7DD0AA7E has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 6/04/2010 9:35:49 PM | Computer Name = phat-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 7/04/2010 1:28:32 AM | Computer Name = phat-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 7/04/2010 3:43:50 AM | Computer Name = phat-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 7/04/2010 5:38:44 AM | Computer Name = phat-PC | Source = Print | ID = 19
Description = The print spooler failed to share printer Send To OneNote 2007 with
shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used
by others on the network.

Error - 7/04/2010 5:39:09 AM | Computer Name = phat-PC | Source = Service Control Manager | ID = 7026
Description =


< End of report >



#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:00 PM

Posted 07 April 2010 - 08:39 AM

Please post me also the GMER log. If it crashes somehow, try running it with Devices and IAT/EAT unchecked.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#8 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:00 AM

Posted 07 April 2010 - 12:03 PM

QUOTE(elise025 @ Apr 7 2010, 08:39 AM)
Please post me also the GMER log. If it crashes somehow, try running it with Devices and IAT/EAT unchecked.



Hi,

Yes, it did crash.
"Program stopped working", or a similar message.

Also, I tried to do it in safe mode - however the load stops at Crcdisk.sys.
Weird... didn't happen before..

I'll try it unchecked now.



#9 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:00 AM

Posted 07 April 2010 - 03:09 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-08 06:06:07
Windows 6.0.6002 Service Pack 2
Running: mhlw3urp.exe; Driver: C:\Users\phat\AppData\Local\Temp\kxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 88086068 ZwAlertResumeThread
SSDT 88083120 ZwAlertThread
SSDT 889F5B48 ZwAllocateVirtualMemory
SSDT 87C4E510 ZwAlpcConnectPort
SSDT 889AB048 ZwAssignProcessToJobObject
SSDT 889FD800 ZwCreateMutant
SSDT 88A03008 ZwCreateSymbolicLinkObject
SSDT 889F4940 ZwCreateThread
SSDT 87E7CD10 ZwDebugActiveProcess
SSDT 889F5D20 ZwDuplicateObject
SSDT 889F7F40 ZwFreeVirtualMemory
SSDT 87ECE068 ZwImpersonateAnonymousToken
SSDT 88039118 ZwImpersonateThread
SSDT 87C4E478 ZwLoadDriver
SSDT 889F7DE0 ZwMapViewOfSection
SSDT 8805B118 ZwOpenEvent
SSDT 889F5F40 ZwOpenProcess
SSDT 87F8F918 ZwOpenProcessToken
SSDT 88045048 ZwOpenSection
SSDT 889F5E30 ZwOpenThread
SSDT 88A016F0 ZwProtectVirtualMemory
SSDT 8807D108 ZwResumeThread
SSDT 88021068 ZwSetContextThread
SSDT 889F7BC8 ZwSetInformationProcess
SSDT 88067948 ZwSetSystemInformation
SSDT 87F610B0 ZwSuspendProcess
SSDT 88032108 ZwSuspendThread
SSDT 87F84110 ZwTerminateProcess
SSDT 88033068 ZwTerminateThread
SSDT 87EC1068 ZwUnmapViewOfSection
SSDT 889F57F8 ZwWriteVirtualMemory
SSDT 88A02E30 ZwCreateThreadEx

INT 0x62 ? 86DE6F00
INT 0x72 ? 86DE6F00
INT 0x82 ? 85CB3BF8
INT 0x92 ? 85CB3BF8
INT 0xA2 ? 86DE6F00
INT 0xB2 ? 86DE6F00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 826CB880 8 Bytes [68, 60, 08, 88, 20, 31, 08, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 826CB894 4 Bytes [48, 5B, 9F, 88]
.text ntkrnlpa.exe!KeSetEvent + 13D 826CB8A0 4 Bytes [10, E5, C4, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 826CB8F4 4 Bytes [48, B0, 9A, 88]
.text ntkrnlpa.exe!KeSetEvent + 1F5 826CB958 4 Bytes [00, D8, 9F, 88]
.text ...
? System32\Drivers\spex.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8BFE641B 5 Bytes JMP 86DE64E0
.text axqc0zay.SYS 91148000 22 Bytes [82, F3, 9D, 82, 6C, F2, 9D, ...]
.text axqc0zay.SYS 91148017 105 Bytes [00, 32, 97, 79, 80, 3D, 95, ...]
.text axqc0zay.SYS 91148081 53 Bytes [4A, 66, 82, 98, 5E, 6C, 82, ...]
.text axqc0zay.SYS 911480B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text axqc0zay.SYS 911480CE 80 Bytes [00, 00, 26, 00, 00, 00, E0, ...]
.text ...

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5E 0x2C 0x76 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x87 0x8C 0x00 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0x41 0x3C 0xEA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5E 0x2C 0x76 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x87 0x8C 0x00 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0x41 0x3C 0xEA ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- EOF - GMER 1.0.15 ----


Thanks Blonde / Elise!
I appreciate your help very much!

Edited by phatpleasure, 07 April 2010 - 08:32 PM.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:00 PM

Posted 08 April 2010 - 01:28 AM

Can you also please include a detailed description of the problems you are having now. Along this thread I've seen many references, but no clear description.

regards, Elise




#11 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:00 AM

Posted 08 April 2010 - 01:49 AM

sure...

- new window pop-ups in IE: hxxp://www.tapeguard.com/
- links being redirected when I click on a link OR type an address
- I noticed while loading, 'transferring data' to DOZENS of sites (at the bottom left of Firefox), i.e. google analytics, yting.com, net, v4, ajax... etc.
- websites do load, then go to a white loading screen / error loading screen
- "windows internet security - online protection tool": when you click "allow" it asks you to download "setup.exe", which I didn't.

- internet is sometimes slow (maybe ISP fault)

Edited by elise025, 08 April 2010 - 03:52 AM.
deactivated link ~ Elise


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:00 PM

Posted 08 April 2010 - 03:54 AM

Hello again, please let me know in which browser these problems occur (only firefox or also in Internet explorer?)
  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do NOT run the file yet!
  • Click Start > Run and copy paste the following bolded text in the run box
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed reboot the computer.
A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.

regards, Elise




#13 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:00 AM

Posted 08 April 2010 - 09:18 PM

Most problems previously listed happen in IE as well.

12:17:44:919 5752 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:17:44:919 5752 ================================================================================
12:17:44:920 5752 SystemInfo:

12:17:44:920 5752 OS Version: 6.0.6002 ServicePack: 2.0
12:17:44:920 5752 Product type: Workstation
12:17:44:920 5752 ComputerName: PHAT-PC
12:17:44:920 5752 UserName: phat
12:17:44:920 5752 Windows directory: C:\Windows
12:17:44:920 5752 Processor architecture: Intel x86
12:17:44:920 5752 Number of processors: 2
12:17:44:920 5752 Page size: 0x1000
12:17:44:922 5752 Boot type: Normal boot
12:17:44:922 5752 ================================================================================
12:17:44:926 5752 UnloadDriverW: NtUnloadDriver error 2
12:17:44:926 5752 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:17:44:994 5752 wfopen_ex: Trying to open file C:\Windows\system32\config\system
12:17:44:994 5752 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:17:44:994 5752 wfopen_ex: Trying to KLMD file open
12:17:44:994 5752 wfopen_ex: File opened ok (Flags 2)
12:17:45:008 5752 wfopen_ex: Trying to open file C:\Windows\system32\config\software
12:17:45:008 5752 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:17:45:008 5752 wfopen_ex: Trying to KLMD file open
12:17:45:008 5752 wfopen_ex: File opened ok (Flags 2)
12:17:45:008 5752 Initialize success
12:17:45:008 5752
12:17:45:008 5752 Scanning Services ...
12:17:45:942 5752 Raw services enum returned 475 services
12:17:45:959 5752
12:17:45:959 5752 Scanning Kernel memory ...
12:17:45:959 5752 Devices to scan: 1
12:17:45:960 5752
12:17:45:960 5752 Driver Name: atapi
12:17:45:960 5752 IRP_MJ_CREATE : 8531E1F8
12:17:45:960 5752 IRP_MJ_CREATE_NAMED_PIPE : 8263EA22
12:17:45:960 5752 IRP_MJ_CLOSE : 8531E1F8
12:17:45:960 5752 IRP_MJ_READ : 8263EA22
12:17:45:960 5752 IRP_MJ_WRITE : 8263EA22
12:17:45:960 5752 IRP_MJ_QUERY_INFORMATION : 8263EA22
12:17:45:960 5752 IRP_MJ_SET_INFORMATION : 8263EA22
12:17:45:960 5752 IRP_MJ_QUERY_EA : 8263EA22
12:17:45:960 5752 IRP_MJ_SET_EA : 8263EA22
12:17:45:960 5752 IRP_MJ_FLUSH_BUFFERS : 8263EA22
12:17:45:960 5752 IRP_MJ_QUERY_VOLUME_INFORMATION : 8263EA22
12:17:45:960 5752 IRP_MJ_SET_VOLUME_INFORMATION : 8263EA22
12:17:45:960 5752 IRP_MJ_DIRECTORY_CONTROL : 8263EA22
12:17:45:960 5752 IRP_MJ_FILE_SYSTEM_CONTROL : 8263EA22
12:17:45:960 5752 IRP_MJ_DEVICE_CONTROL : 8531E1F8
12:17:45:960 5752 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8531E1F8
12:17:45:960 5752 IRP_MJ_SHUTDOWN : 8263EA22
12:17:45:960 5752 IRP_MJ_LOCK_CONTROL : 8263EA22
12:17:45:960 5752 IRP_MJ_CLEANUP : 8263EA22
12:17:45:960 5752 IRP_MJ_CREATE_MAILSLOT : 8263EA22
12:17:45:960 5752 IRP_MJ_QUERY_SECURITY : 8263EA22
12:17:45:960 5752 IRP_MJ_SET_SECURITY : 8263EA22
12:17:45:960 5752 IRP_MJ_POWER : 8531E1F8
12:17:45:960 5752 IRP_MJ_SYSTEM_CONTROL : 8531E1F8
12:17:45:960 5752 IRP_MJ_DEVICE_CHANGE : 8263EA22
12:17:45:960 5752 IRP_MJ_QUERY_QUOTA : 8263EA22
12:17:45:961 5752 IRP_MJ_SET_QUOTA : 8263EA22
12:17:45:971 5752 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
12:17:45:971 5752
12:17:45:972 5752 Completed
12:17:45:972 5752
12:17:45:972 5752 Results:
12:17:45:972 5752 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
12:17:45:973 5752 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:17:45:973 5752 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:17:45:973 5752
12:17:45:974 5752 fclose_ex: Trying to close file C:\Windows\system32\config\system
12:17:45:975 5752 fclose_ex: Trying to close file C:\Windows\system32\config\software
12:17:46:019 5752 KLMD(ARK) unloaded successfully
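The two logs in this thread (GMER's SSDT section in post #9 and TDSSKiller's IRP dispatch table for atapi in post #13) are easier to read when their entries are grouped than when taken line by line. The following Python script is an added example, not code from the thread, from GMER or from TDSSKiller; it assumes only the line shapes visible in those two logs and uses a constructed subset of the posted lines as its sample input. It collects the hooked SSDT entries from a GMER log and groups each driver's IRP major functions by handler address from a TDSSKiller log (handling logs that list more than one driver, which goes beyond the single atapi table posted here), so the reader sees how many distinct addresses are involved before deciding which of them to look up.

```python
"""Summarise hook-related entries from GMER and TDSSKiller logs.

Added example for this thread; it is not part of GMER, TDSSKiller or any post
above. It assumes only the line shapes visible in the logs posted here:
"SSDT <address> <ZwFunction>" in GMER's System section, and
"<time> <pid> IRP_MJ_<NAME> : <address>" under a "Driver Name:" line in
TDSSKiller's kernel-memory scan. The sample log text below is constructed
from a subset of those posted lines.
"""
import re
from collections import defaultdict

# GMER: one line per hooked System Service Descriptor Table entry.
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)\s*$")
# TDSSKiller: the driver being inspected, then one line per IRP major function.
DRIVER_RE = re.compile(r"Driver Name:\s+(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")

# Constructed sample: a subset of the GMER log posted above.
GMER_SAMPLE = """\
---- System - GMER 1.0.15 ----

SSDT 88086068 ZwAlertResumeThread
SSDT 889F5B48 ZwAllocateVirtualMemory
SSDT 87C4E478 ZwLoadDriver
SSDT 889F57F8 ZwWriteVirtualMemory

INT 0x62 ? 86DE6F00
"""

# Constructed sample: a subset of the TDSSKiller log posted above.
TDSS_SAMPLE = """\
12:17:45:960 5752 Driver Name: atapi
12:17:45:960 5752 IRP_MJ_CREATE : 8531E1F8
12:17:45:960 5752 IRP_MJ_CLOSE : 8531E1F8
12:17:45:960 5752 IRP_MJ_READ : 8263EA22
12:17:45:960 5752 IRP_MJ_WRITE : 8263EA22
12:17:45:960 5752 IRP_MJ_QUERY_INFORMATION : 8263EA22
12:17:45:960 5752 IRP_MJ_DEVICE_CONTROL : 8531E1F8
12:17:45:960 5752 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8531E1F8
12:17:45:960 5752 IRP_MJ_SHUTDOWN : 8263EA22
12:17:45:960 5752 IRP_MJ_POWER : 8531E1F8
12:17:45:971 5752 C:\\Windows\\system32\\drivers\\atapi.sys - Verdict: 1
"""


def parse_ssdt_hooks(log_text):
    """Return {ZwFunction: hook_address} for every SSDT line in a GMER log."""
    hooks = {}
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[m.group(2)] = int(m.group(1), 16)
    return hooks


def parse_irp_tables(log_text):
    """Return {driver: {handler_address: [IRP_MJ_...]}} from a TDSSKiller log.

    Handles several "Driver Name:" blocks, so it also works on logs where the
    tool inspected more than the single device seen in the post above."""
    tables = {}
    current = None
    for line in log_text.splitlines():
        d = DRIVER_RE.search(line)
        if d:
            current = d.group(1)
            tables[current] = defaultdict(list)
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(2), 16)].append(m.group(1))
    return {drv: dict(t) for drv, t in tables.items()}


def summarize_irp_table(table):
    """List (handler_address, [major functions]) pairs, busiest handler first.

    A dispatch table normally shows few distinct handlers, one of them a
    catch-all serving most major functions. The log does not say which image
    each address falls in, so that lookup is the analyst's next step; a common
    heuristic is to start with any handler that serves only the data paths
    (IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL)."""
    return sorted(((addr, sorted(fns)) for addr, fns in table.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for fn, addr in sorted(parse_ssdt_hooks(GMER_SAMPLE).items()):
        print(f"SSDT hook {fn:<28} -> {addr:08X}")
    for driver, table in parse_irp_tables(TDSS_SAMPLE).items():
        print(f"{driver}: {len(table)} distinct handler address(es)")
        for addr, fns in summarize_irp_table(table):
            print(f"  {addr:08X}  {len(fns):2d} entries: {', '.join(fns)}")
```

Run it on a full log by reading the file into `parse_ssdt_hooks` or `parse_irp_tables` instead of the embedded samples; the regexes ignore every other line shape (INT entries, kernel code sections, the Verdict line), so the whole log can be passed in unchanged.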


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:00 PM

Posted 09 April 2010 - 03:37 AM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise




#15 phatpleasure

phatpleasure
  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:00 AM

Posted 10 April 2010 - 05:58 AM

ComboFix 10-04-09.06 - phat 10/04/2010 20:41:20.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.61.1033.18.3582.2752 [GMT 10:00]
Running from: c:\users\phat\Downloads\ComboFix.exe
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cthelper.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.

2010-04-10 10:49 . 2010-04-10 10:49 -------- d-----w- c:\users\phat\AppData\Local\temp
2010-04-10 10:49 . 2010-04-10 10:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-10 10:49 . 2010-04-10 10:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-10 05:10 . 2010-03-29 17:05 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\NAVEX15.SYS
2010-04-10 05:10 . 2010-03-29 17:05 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\NAVENG.SYS
2010-04-10 05:10 . 2010-03-29 17:05 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\EECTRL.SYS
2010-04-10 05:10 . 2010-03-29 17:05 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\ECMSVR32.DLL
2010-04-10 05:10 . 2010-03-29 17:05 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\NAVENG32.DLL
2010-04-10 05:10 . 2010-03-29 17:05 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\NAVEX32A.DLL
2010-04-10 05:10 . 2010-03-29 17:05 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\ERASER.SYS
2010-04-10 05:10 . 2010-03-29 17:05 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100409.055\CCERASER.DLL
2010-04-06 00:29 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-06 00:29 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-06 00:29 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-06 00:29 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-06 00:29 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-05 06:58 . 2010-04-05 06:58 -------- d-----w- c:\program files\CCleaner
2010-04-02 06:48 . 2010-04-02 06:48 -------- d-----w- c:\program files\iPod
2010-04-02 06:48 . 2010-04-02 06:49 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-02 06:48 . 2010-04-02 06:49 -------- d-----w- c:\program files\iTunes
2010-04-02 06:13 . 2010-04-02 06:13 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-02 05:00 . 2006-08-20 19:19 61440 ------w- c:\windows\system32\BrMfNt.dll
2010-04-02 05:00 . 2006-04-13 06:12 163840 ------w- c:\windows\system32\NSSearch.dll
2010-04-02 05:00 . 2002-11-26 02:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2010-04-02 03:35 . 2010-04-02 03:35 -------- d-----w- c:\program files\Common Files\Skype
2010-04-01 02:03 . 2010-04-01 02:03 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-31 22:10 . 2010-03-31 22:10 -------- d-----w- c:\windows\Sun
2010-03-31 05:42 . 2010-04-07 16:59 -------- d-----w- c:\users\phat\AppData\Local\CrashDumps
2010-03-30 05:51 . 2010-02-26 02:40 79872 ----a-w- c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-03-30 05:51 . 2010-02-26 02:40 33280 ----a-w- c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINCE\components\WeaveCrypto.dll
2010-03-29 18:15 . 2010-03-29 18:15 -------- d-----w- c:\programdata\WindowsSearch
2010-03-29 17:15 . 2010-03-29 17:15 -------- d-----w- c:\program files\Common Files\Java
2010-03-29 16:42 . 2010-03-29 16:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-29 16:42 . 2010-03-29 17:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-29 16:42 . 2010-03-29 16:42 -------- d-----w- c:\program files\Symantec
2010-03-29 16:41 . 2009-10-01 09:19 164216 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2010-03-29 16:41 . 2009-10-05 17:34 929648 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\OCS\hsplayer.dll
2010-03-29 16:41 . 2009-11-07 01:19 893296 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\CLT\cltLMSx.dll
2010-03-29 16:41 . 2010-04-07 03:24 -------- d-----w- c:\windows\system32\drivers\NAV
2010-03-29 16:41 . 2010-03-29 16:41 -------- d-----w- c:\program files\Norton AntiVirus
2010-03-29 16:41 . 2010-03-29 16:42 -------- d-----w- c:\programdata\Norton
2010-03-29 16:33 . 2010-03-29 16:33 -------- d-----w- c:\program files\NortonInstaller
2010-03-29 16:31 . 2010-03-29 16:40 -------- d-----w- c:\programdata\NortonInstaller
2010-03-29 02:41 . 2010-03-29 02:41 388096 ----a-r- c:\users\phat\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-29 02:41 . 2010-03-29 02:41 -------- d-----w- c:\program files\TrendMicro
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-21 05:51 . 2010-03-21 05:51 -------- d-----w- c:\users\phat\AppData\Local\Apps
2010-03-21 05:51 . 2010-03-21 16:18 -------- d-----w- c:\users\phat\AppData\Local\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 10:39 . 2009-12-09 16:23 34800 ----a-w- c:\programdata\nvModes.dat
2010-04-10 10:37 . 2008-07-15 15:14 -------- d-----w- c:\programdata\NVIDIA
2010-04-09 03:23 . 2008-03-29 06:03 -------- d-----w- c:\program files\Warcraft III
2010-04-08 08:06 . 2008-04-01 16:30 -------- d-----w- c:\users\phat\AppData\Roaming\FrostWire
2010-04-05 07:10 . 2008-03-29 05:59 -------- d-----w- c:\program files\Steam
2010-04-05 07:09 . 2008-11-19 10:49 -------- d-----w- c:\program files\Blaze Media Pro
2010-04-05 07:08 . 2008-03-29 08:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-05 07:04 . 2008-05-18 14:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-03 01:33 . 2008-06-13 04:14 -------- d-----w- c:\program files\Driver Sweeper
2010-04-02 16:03 . 2008-05-26 12:53 -------- d-----w- c:\users\phat\AppData\Roaming\Skype
2010-04-02 14:39 . 2008-11-19 10:38 -------- d-----w- c:\users\phat\AppData\Roaming\dvdcss
2010-04-02 13:06 . 2008-05-26 12:56 -------- d-----w- c:\users\phat\AppData\Roaming\skypePM
2010-04-02 06:48 . 2008-09-11 16:33 -------- d-----w- c:\program files\Common Files\Apple
2010-04-02 06:45 . 2008-06-19 16:07 -------- d-----w- c:\program files\QuickTime
2010-04-02 06:40 . 2008-04-28 05:17 -------- d-----w- c:\program files\Bonjour
2010-03-31 17:04 . 2008-03-29 05:43 -------- d-----w- c:\program files\BitComet
2010-03-30 03:21 . 2009-10-07 06:18 -------- d-----w- c:\program files\Cheat Engine
2010-03-29 17:14 . 2009-01-21 10:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 17:05 . 2010-03-29 17:05 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\navex15.sys
2010-03-29 17:05 . 2010-03-29 17:05 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\naveng.sys
2010-03-29 17:05 . 2010-03-29 17:05 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\eeCtrl.sys
2010-03-29 17:05 . 2010-03-29 17:05 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\cceraser.dll
2010-03-29 17:05 . 2010-03-29 17:05 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\ecmsvr32.dll
2010-03-29 17:05 . 2010-03-29 17:05 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\naveng32.dll
2010-03-29 17:05 . 2010-03-29 17:05 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\navex32a.dll
2010-03-29 17:05 . 2010-03-29 17:05 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100329.002\eraser.sys
2010-03-29 16:42 . 2010-03-29 16:42 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 16:42 . 2010-03-29 16:42 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 08:51 . 2008-03-29 06:32 -------- d-----w- c:\program files\Java
2010-03-24 09:02 . 2009-03-18 11:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 01:14 . 2009-09-10 11:25 -------- d-----w- c:\users\phat\AppData\Roaming\FileZilla
2010-03-14 00:38 . 2010-02-23 12:15 55368 ----a-w- c:\windows\War3Unin.dat
2010-03-12 09:29 . 2008-03-29 18:13 -------- d-----w- c:\programdata\Microsoft Help
2010-03-04 13:25 . 2010-03-04 13:18 9661 ----a-w- c:\programdata\DVD X Studios\DVD X Player 4.1 Professional\DVDXPlayer.dll
2010-03-04 13:17 . 2010-03-04 13:17 14 ----a-w- c:\windows\system32\SystemInfo32.sys
2010-03-04 13:17 . 2010-03-04 13:17 -------- d-----w- c:\programdata\DVD X Studios
2010-03-04 13:17 . 2010-03-04 12:03 -------- d-----w- c:\program files\DVD X Studios
2010-03-02 14:41 . 2010-01-19 15:45 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-03-02 14:37 . 2010-01-19 15:44 -------- d-----w- c:\program files\ArcSoft
2010-03-02 14:36 . 2010-03-02 14:36 -------- d-----w- c:\users\phat\AppData\Roaming\InstallShield
2010-02-27 16:50 . 2008-11-19 10:44 -------- d-----w- c:\program files\ArtisanDVDPlayer
2010-02-27 16:49 . 2008-12-01 05:49 -------- d-----w- c:\program files\Free Word-Doc to Pdf Converter&Creator
2010-02-27 16:49 . 2008-03-29 08:29 -------- d-----w- c:\program files\Garena
2010-02-27 16:48 . 2009-01-07 16:44 -------- d-----w- c:\users\phat\AppData\Roaming\Vso
2010-02-27 16:36 . 2010-01-19 15:42 -------- d-----w- c:\program files\Panasonic
2010-02-27 16:36 . 2010-01-23 03:28 -------- d-----w- c:\users\phat\AppData\Roaming\Panasonic
2010-02-24 11:03 . 2008-03-29 05:59 -------- d-----w- c:\program files\Common Files\Steam
2010-02-23 23:16 . 2009-10-03 04:05 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 12:19 . 2010-02-23 12:15 2829 ----a-w- c:\windows\War3Unin.pif
2010-02-23 12:19 . 2010-02-23 12:15 139264 ----a-w- c:\windows\War3Unin.exe
2010-02-12 00:46 . 2010-02-12 00:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 00:46 . 2010-02-12 00:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-26 12:34 . 2009-04-01 05:38 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-23 09:26 . 2010-02-24 03:14 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 18:43 . 2010-01-20 18:42 5299337 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-01-20 09:08 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-20 00:05 . 2008-03-29 05:11 101520 ----a-w- c:\users\phat\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-14 14:09 . 2008-03-29 05:11 1356 ----a-w- c:\users\phat\AppData\Local\d3d9caps.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Habu"="c:\program files\Razer\Habu\razerhid.exe" [2009-08-18 239616]
"AsioReg"="CTASIO.DLL" [2009-06-23 46592]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Brother SmartUI PopUp.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Brother SmartUI PopUp.lnk
backup=c:\windows\pss\Brother SmartUI PopUp.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^phat^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Magic Holdem.lnk]
path=c:\users\phat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Magic Holdem.lnk
backup=c:\windows\pss\Magic Holdem.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^phat^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=c:\users\phat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 12:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aliim]
2009-12-22 04:29 222552 ----a-w- c:\program files\trademanager\AliIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2007-04-09 02:32 19968 ----a-w- c:\windows\System32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 00:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 08:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-25 14:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 07:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-20 09:33 110184 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2001-04-01 22:40 26624 ----a-w- c:\progra~1\ScanSoft\PAPERP~1\Pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 10:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-08 23:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Utopia Angel]
2008-06-22 10:52 3703808 ----a-w- c:\utopia\Angel\Angel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6f,d4,3c,00,99,7d,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-04-27 717296]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-06-23 99352]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-06-12 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-13 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2008-05-09 191488]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-06-23 555032]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-06-23 100888]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-06-23 100888]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2008-05-09 1360896]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2008-05-09 67072]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-06-23 566296]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1106000.020\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [2010-03-24 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSvix86.sys [2009-10-28 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1106000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAV\1106000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-11-20 240232]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-06-23 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-06-23 555032]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-06-23 566296]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-03-29 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
FF - ProfilePath - c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\program files\Common-Use Signing Interface\bin\npCsiPlugin.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}\plugins\npww.dll
FF - plugin: c:\users\phat\AppData\Roaming\Mozilla\Firefox\Profiles\62pk9ffr.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CTHelper - CTHELPER.EXE
MSConfigStartUp-CTHelper - CTHELPER.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 20:49
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
AsioReg = REGSVR32.EXE /S CTASIO.DLL?
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-580790463-919171761-3139786747-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4b,0c,8c,c1,ab,ea,7c,7f,49,f4,99,b6,c3,e9,5f,e2,f9,f6,1e,ab,56,4a,1c,
80,3e,98,99,e1,44,39,94,9a,9f,c1,20,08,db,0d,4d,3c,46,5e,bb,ac,e0,6b,ce,e2,\
"??"=hex:57,cf,de,82,93,18,52,79,f2,68,4f,f2,76,52,74,1f

[HKEY_USERS\S-1-5-21-580790463-919171761-3139786747-1000\Software\SecuROM\License information*]
"datasecu"=hex:e3,07,6f,03,89,e3,23,dd,c9,03,52,15,6d,9e,b1,a2,e6,36,eb,8b,94,
5b,9d,bc,d0,ae,8a,08,92,f4,8d,01,6d,24,63,f1,e3,73,ba,3b,1e,a3,c8,72,6a,3d,\
"rkeysecu"=hex:f7,6c,40,99,c5,89,8f,fa,f2,4d,a6,ce,70,2f,2e,e6

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-10 20:52:58
ComboFix-quarantined-files.txt 2010-04-10 10:52
ComboFix2.txt 2010-03-31 16:52

Pre-Run: 91,075,239,936 bytes free
Post-Run: 91,044,810,752 bytes free

- - End Of File - - 16AF0256FE1948739C3E01B61DFEA7C5




