
atapi.sys infected with rootkit.win32.tdss.d


  • This topic is locked
11 replies to this topic

#1 fzbxvudu

  • Members
  • 9 posts

Posted 07 April 2010 - 11:24 AM

Fought off a malware attack a few evenings ago. However, an infection of my atapi.sys file still persists and I can't seem to get it cleaned up. Up until this morning, the only symptom was an occasional Google search hijack that sent me to various other URLs. As of this morning, all of the components on my AVG antivirus suite are inactive (have seen this in a previous malware attack). Below is the DDS.txt data and the attach.txt and ark.txt files are attached.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Topher at 21:10:34.37 on Tue 04/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.598 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
svchost.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
D:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
D:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe
C:\ColdFusion8\jnbridge\JNBDotNetSide.exe
C:\ColdFusion8\runtime\bin\jrunsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\ColdFusion8\runtime\bin\jrun.exe
C:\ColdFusion8\db\slserver54\bin\swagent.exe
C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\ColdFusion8\db\slserver54\bin\swsoc.exe
C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\ColdFusion8\verity\k2\_nti40\bin\k2server.exe
C:\ColdFusion8\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Documents and Settings\Topher\Desktop\MaxiVistaViewerA.exe
C:\Documents and Settings\Topher\Desktop\MaxiVistaViewerA.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Topher\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://projecthelpishere.com/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Anonymizer Universal] c:\program files\anonymizer\anonymizer universal\Anonymizer Universal.exe /hide
uRun: [Winhlp/Apl] c:\windows\system32\schedul.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Index Washer] c:\program files\webroot\washer\WashIdx.exe "Topher"
mRun: [LaunchApp] Alaunch
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Acrobat Speed Launcher] "d:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CreativeMS2020] d:\program files\creative\fatal1ty professional laser mouse\ctusbms.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\topher\start menu\programs\startup\Adobe Gamma.lnk.disabled
StartupFolder: c:\docume~1\topher\startm~1\programs\startup\setup_~1.lnk - d:\virus kill\virus removal tool\setup_9.0.0.722_06.04.2010_09-08\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Acrobat Assistant.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Bluetooth.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Cisco Systems VPN Client.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Microsoft Office.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Program Neighborhood Agent.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\QuickBooks Update Agent.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://svca.solidworks.com/htdocs/pdownload/edrawings/e2008sp01/cab/eModelsStandard.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185651525562
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {897520CD-B1C8-4745-B46D-B03CF8701BB8} - hxxp://www.jigsaw.com/cab/app/JigsawContactFinder.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T23L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15030/CTPID.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: {70BA5C04-28AA-44D8-9E7E-43C63CF9FB92} = 168.143.113.201 168.143.113.202
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\topher\applic~1\mozilla\firefox\profiles\ctp77iba.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 09406392;09406392 Boot Guard Driver;c:\windows\system32\drivers\09406392.sys [2010-4-6 37392]
R1 09406391;09406391;c:\windows\system32\drivers\09406391.sys [2010-4-6 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-7 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-7 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-4 242696]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 setup_9.0.0.722_06.04.2010_09-08drv;setup_9.0.0.722_06.04.2010_09-08drv;c:\windows\system32\drivers\0940639.sys [2010-4-6 315408]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;c:\coldfusion8\jnbridge\CF8DotNetsvc.exe [2008-5-17 77824]
R2 ColdFusion 8 Application Server;ColdFusion 8 Application Server;c:\coldfusion8\runtime\bin\jrunsvc.exe [2008-5-17 65536]
R2 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;c:\coldfusion8\db\slserver54\bin\swagent.exe "coldfusion 8 odbc agent" --> c:\coldfusion8\db\slserver54\bin\swagent.exe ColdFusion 8 ODBC Agent [?]
R2 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;c:\coldfusion8\db\slserver54\bin\swstrtr.exe "coldfusion 8 odbc server" --> c:\coldfusion8\db\slserver54\bin\swstrtr.exe ColdFusion 8 ODBC Server [?]
R2 ColdFusion 8 Search Server;ColdFusion 8 Search Server;c:\coldfusion8\verity\k2\_nti40\bin\k2admin.exe [2008-5-17 2743056]
R2 MaxiVista_service_A;MaxiVista_service_A;c:\documents and settings\topher\desktop\MaxiVistaViewerA.exe [2010-1-11 1770504]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-12-29 598856]
R3 AVerM115;AVerM115 service;c:\windows\system32\drivers\AVerM115.sys [2006-2-11 1274880]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-4-6 1097472]
R4 42955151;42955151;c:\windows\system32\drivers\42955151.sys --> c:\windows\system32\drivers\42955151.sys [?]
RUnknown 42955152;42955152; [x]
RUnknown setup_9.0.0.722_06.04.2010_03-06drv;setup_9.0.0.722_06.04.2010_03-06drv; [x]
S0 pvlzvvb;pvlzvvb; [x]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 BEFCMU10;EtherFast Cable Modem with USB;c:\windows\system32\drivers\BEFCMU10.sys [2008-6-3 14844]
S3 ctms2020;Creative HID USB Filter Driver1;c:\windows\system32\drivers\ctms2020.sys [2007-7-3 8914]
S3 mvvideodemo;MaxiVista Virtual Video Demo;c:\windows\system32\drivers\mvvideodemo.sys --> c:\windows\system32\drivers\mvvideodemo.sys [?]
S3 mvvideoexta;MaxiVista Virtual Video ExtA;c:\windows\system32\drivers\mvvideoexta.sys --> c:\windows\system32\drivers\mvvideoexta.sys [?]
S3 mvvideoextb;MaxiVista Virtual Video ExtB;c:\windows\system32\drivers\mvvideoextb.sys --> c:\windows\system32\drivers\mvvideoextb.sys [?]
S3 mvvideoextc;MaxiVista Virtual Video ExtC;c:\windows\system32\drivers\mvvideoextc.sys --> c:\windows\system32\drivers\mvvideoextc.sys [?]
S3 mvvideomir;MaxiVista Virtual Video Mirror;c:\windows\system32\drivers\mvvideomir.sys --> c:\windows\system32\drivers\mvvideomir.sys [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\topher\locals~1\temp\000007a9.nmc\nse\bin\ndiskio.sys --> c:\docume~1\topher\locals~1\temp\000007a9.nmc\nse\bin\ndiskio.sys [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2007-2-19 19020]
S3 SaiH80C0;SaiH80C0;c:\windows\system32\drivers\SaiH80C0.sys [2006-12-1 176384]
S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 utc3ndu0;AVZ Kernel Driver;c:\windows\system32\drivers\utc3ndu0.sys [2010-4-6 7168]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2010-04-07 04:04:51 96512 ----a-w- c:\windows\system32\drivers\tsk6.tmp
2010-04-07 04:04:51 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-07 01:59:54 7168 ----a-w- c:\windows\system32\drivers\utc3ndu0.sys
2010-04-06 18:07:46 37392 ----a-w- c:\windows\system32\drivers\09406392.sys
2010-04-06 18:07:46 315408 ----a-w- c:\windows\system32\drivers\0940639.sys
2010-04-06 18:07:46 128016 ----a-w- c:\windows\system32\drivers\09406391.sys
2010-04-06 17:29:47 0 d-----w- c:\program files\ESET
2010-04-06 11:29:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-06 11:28:48 0 d-----w- c:\docume~1\topher\applic~1\SUPERAntiSpyware.com
2010-04-06 11:27:20 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-06 08:25:01 0 d-----w- C:\newalg
2010-04-06 07:20:06 96512 ----a-w- C:\atapi1.sys
2010-04-06 07:15:38 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-06 07:15:38 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-06 07:15:38 86912 ----a-w- C:\atapi.sys
2010-04-05 14:55:01 0 d-sha-r- C:\cmdcons
2010-04-05 14:50:02 98816 ----a-w- c:\windows\sed.exe
2010-04-05 14:50:02 77312 ----a-w- c:\windows\MBR.exe
2010-04-05 14:50:02 261632 ----a-w- c:\windows\PEV.exe
2010-04-05 14:50:02 161792 ----a-w- c:\windows\SWREG.exe
2010-04-05 13:48:22 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-27 09:34:40 54156 ---ha-w- c:\windows\QTFont.qfn
2010-03-27 09:34:40 1409 ----a-w- c:\windows\QTFont.for
2010-03-27 06:08:48 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}
2010-03-24 08:08:28 87 ----a-w- c:\windows\system32\ssprs.tgz
2010-03-24 08:08:28 219 ----a-w- c:\windows\system32\lsprst7.tgz
2010-03-24 08:08:28 21 ----a-w- c:\windows\SurCode.INI
2010-03-24 08:08:28 1025 ----a-w- c:\windows\system32\sysprs7.tgz
2010-03-24 08:08:28 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-03-24 08:08:28 1025 ----a-w- c:\windows\system32\clauth2.dll
2010-03-24 08:08:28 1025 ----a-w- c:\windows\system32\clauth1.dll
2010-03-24 08:08:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Minnetonka Audio Software
2010-03-14 06:21:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 05:55:18 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-29 22:24:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:24:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 06:21:45 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 06:20:42 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-25 18:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-01-12 00:35:49 112192 ----a-w- c:\windows\system32\cad.exe
2007-02-01 06:23:24 88 -csh--r- c:\windows\system32\9F4482DD95.sys
2008-02-22 23:47:44 2098 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-20 17:44:28 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 21:13:05.84 ===============

Attached Files
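
The DDS output above contains the kind of evidence a responder reads by hand: several same-named driver files created minutes apart with different sizes (atapi.sys at 96512 and 86912 bytes), services whose file DDS could not find or verify (marked "[x]" or "[?]"), and new files in the system32\drivers directory. The following Python script is an added example, not part of this post and not DDS's own code: it parses a constructed excerpt in the same layout (values copied from the log above, list shortened) and surfaces those three signals for review. The regular expressions are my assumptions about the DDS line format, not a documented specification, and a flagged entry is a lead to check, not a verdict; for instance, numeric driver names can belong to removal tools that were run earlier.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the DDS sections quoted in the post above
# (values copied from that log; the list is shortened for the example).
SAMPLE_DDS = """\
============= SERVICES / DRIVERS ===============

R0 09406392;09406392 Boot Guard Driver;c:\\windows\\system32\\drivers\\09406392.sys [2010-4-6 37392]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2008-9-7 216200]
R4 42955151;42955151;c:\\windows\\system32\\drivers\\42955151.sys --> c:\\windows\\system32\\drivers\\42955151.sys [?]
RUnknown 42955152;42955152; [x]
S0 pvlzvvb;pvlzvvb; [x]

=============== Created Last 30 ================

2010-04-07 04:04:51 96512 ----a-w- c:\\windows\\system32\\drivers\\tsk6.tmp
2010-04-06 18:07:46 37392 ----a-w- c:\\windows\\system32\\drivers\\09406392.sys
2010-04-06 07:20:06 96512 ----a-w- C:\\atapi1.sys
2010-04-06 07:15:38 96512 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2010-04-06 07:15:38 96512 ----a-w- c:\\windows\\system32\\dllcache\\atapi.sys
2010-04-06 07:15:38 86912 ----a-w- C:\\atapi.sys
2010-04-05 14:50:02 98816 ----a-w- c:\\windows\\sed.exe
"""

# Assumed line layouts (hypothetical, derived from the log above, not from DDS docs):
#   Created: <date> <time> <size> <8-char attrs> <path>
#   Driver:  <state> <service name>;<description>;<path/details>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
DRIVER_RE = re.compile(r"^(R\d|S\d|RUnknown) ([^;]*);([^;]*);(.*)$")


def parse_created(text):
    """Return (date, size, attrs, path) tuples from 'Created Last 30' style lines."""
    rows = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            date, _time, size, attrs, path = m.groups()
            rows.append((date, int(size), attrs, path))
    return rows


def parse_drivers(text):
    """Return (state, name, description, detail) tuples from SERVICES / DRIVERS lines."""
    rows = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def size_conflicts(created):
    """Same file name written with different sizes (several atapi.sys copies here)."""
    sizes = defaultdict(set)
    for _date, size, _attrs, path in created:
        sizes[basename(path)].add(size)
    return {name: s for name, s in sizes.items() if len(s) > 1}


def unverifiable_drivers(drivers):
    """Services whose file DDS could not verify ('[?]') or could not find ('[x]')."""
    return [name for _state, name, _desc, detail in drivers
            if detail.rstrip().endswith(("[x]", "[?]"))]


def new_driver_files(created):
    """Files recently created directly in the system32\\drivers directory."""
    return [basename(p) for _d, _s, _a, p in created if "\\drivers\\" in p.lower()]


if __name__ == "__main__":
    created = parse_created(SAMPLE_DDS)
    drivers = parse_drivers(SAMPLE_DDS)
    print("same name, different sizes:", size_conflicts(created))
    print("service file missing/unverified:", unverifiable_drivers(drivers))
    print("new files under drivers\\:", new_driver_files(created))
```

Run it on a saved DDS.txt by replacing SAMPLE_DDS with the file contents; the size-conflict check is the one that points straight at the multiple atapi.sys copies in this log, while the other two lists are the items to reconcile against whatever cleanup tools were already run.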

#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 10 April 2010 - 09:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 fzbxvudu

  • Topic Starter
  • Members
  • 9 posts

Posted 10 April 2010 - 11:07 PM

Thanks for your help! OTL log is below. Will post GMER log when scan completes...


OTL logfile created on: 4/10/2010 11:11:44 AM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Topher\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 22.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.72 Gb Total Space | 6.24 Gb Free Space | 11.84% Space Free | Partition Type: NTFS
Drive D: | 111.79 Gb Total Space | 83.82 Gb Free Space | 74.98% Space Free | Partition Type: NTFS
Drive E: | 53.22 Gb Total Space | 31.59 Gb Free Space | 59.35% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-E592EF2C07
Current User Name: Topher
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/10 11:10:29 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Topher\Desktop\OTL.exe
PRC - [2010/04/01 10:14:56 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/19 17:59:28 | 006,106,808 | ---- | M] (Anonymizer) -- C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe
PRC - [2010/03/13 23:21:38 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/13 23:21:37 | 000,617,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/03/13 23:21:27 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/13 23:20:42 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/03/10 22:32:26 | 000,648,536 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2010/01/31 08:01:28 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2010/01/11 17:11:36 | 001,770,504 | ---- | M] () -- C:\Documents and Settings\Topher\Desktop\MaxiVistaViewerA.exe
PRC - [2010/01/02 14:09:16 | 003,965,784 | ---- | M] (Emsi Software GmbH) -- D:\Program Files\a-squared Anti-Malware\a2start.exe
PRC - [2010/01/02 14:09:14 | 003,280,712 | ---- | M] (Emsi Software GmbH) -- D:\Program Files\a-squared Anti-Malware\a2guard.exe
PRC - [2009/12/21 18:35:18 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) -- d:\Program Files\a-squared Anti-Malware\a2service.exe
PRC - [2009/09/28 09:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/11/24 23:31:07 | 000,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/10/24 09:14:36 | 000,206,112 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2008/10/10 05:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/05/17 02:45:20 | 001,073,152 | ---- | M] () -- C:\ColdFusion8\db\slserver54\bin\swsoc.exe
PRC - [2008/05/17 02:45:20 | 000,696,320 | ---- | M] () -- C:\ColdFusion8\db\slserver54\bin\swagent.exe
PRC - [2008/05/17 02:45:20 | 000,114,688 | ---- | M] () -- C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
PRC - [2008/05/17 02:42:32 | 000,077,824 | ---- | M] () -- C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
PRC - [2008/05/17 02:42:31 | 000,003,072 | ---- | M] () -- C:\ColdFusion8\jnbridge\JNBDotNetSide.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/18 02:11:40 | 000,065,536 | ---- | M] (Macromedia Inc.) -- C:\ColdFusion8\runtime\bin\jrunsvc.exe
PRC - [2008/03/18 02:11:40 | 000,065,536 | ---- | M] (Macromedia Inc.) -- C:\ColdFusion8\runtime\bin\jrun.exe
PRC - [2008/03/12 02:20:11 | 003,040,496 | ---- | M] (Verity, Inc.) -- C:\ColdFusion8\verity\k2\_nti40\bin\k2server.exe
PRC - [2008/03/12 02:20:03 | 001,332,344 | ---- | M] (Verity, Inc.) -- C:\ColdFusion8\verity\k2\_nti40\bin\k2index.exe
PRC - [2008/03/12 02:19:55 | 002,743,056 | ---- | M] (Verity, Inc.) -- C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe
PRC - [2007/11/26 14:47:40 | 000,598,856 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\WasherSvc.exe
PRC - [2007/11/26 14:47:30 | 001,206,600 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\wwDisp.exe
PRC - [2007/10/30 20:51:44 | 000,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/10/30 20:07:38 | 000,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2006/08/26 01:14:16 | 004,435,968 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2006/06/01 14:40:54 | 000,413,696 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2006/05/09 13:58:00 | 000,143,360 | ---- | M] (Creative ) -- D:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe
PRC - [2006/05/08 16:01:10 | 000,638,976 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2006/04/06 19:30:46 | 000,086,016 | ---- | M] (Logitech) -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
PRC - [2006/03/30 18:47:56 | 000,421,888 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
PRC - [2006/03/27 11:37:58 | 000,045,056 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
PRC - [2005/06/10 02:21:02 | 000,217,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe


========== Modules (SafeList) ==========

MOD - [2010/04/10 11:10:29 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Topher\Desktop\OTL.exe
MOD - [2009/07/26 09:50:20 | 000,134,272 | ---- | M] (Emsi Software GmbH) -- d:\Program Files\a-squared Anti-Malware\a2handler.dll
MOD - [2008/04/13 17:11:56 | 001,028,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mfc42.dll
MOD - [2006/04/06 19:30:46 | 000,086,016 | ---- | M] (Logitech) -- C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
MOD - [2005/10/11 13:18:54 | 000,028,672 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\SysHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/13 23:21:27 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/01/31 08:01:28 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/01/18 01:05:16 | 000,288,112 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2010/01/11 17:11:36 | 001,770,504 | ---- | M] () [Auto | Running] -- C:\Documents and Settings\Topher\Desktop\MaxiVistaViewerA.exe -- (MaxiVista_service_A)
SRV - [2009/10/21 14:27:32 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- d:\Program Files\a-squared Anti-Malware\a2service.exe -- (a2AntiMalware)
SRV - [2009/09/28 09:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/11/24 23:31:07 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 23:31:07 | 000,045,408 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/18 15:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/10/10 05:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/05/17 02:45:20 | 000,696,320 | ---- | M] () [Auto | Running] -- C:\ColdFusion8\db\slserver54\bin\swagent.exe -- (ColdFusion 8 ODBC Agent)
SRV - [2008/05/17 02:45:20 | 000,114,688 | ---- | M] () [Auto | Running] -- C:\ColdFusion8\db\slserver54\bin\swstrtr.exe -- (ColdFusion 8 ODBC Server)
SRV - [2008/05/17 02:42:32 | 000,077,824 | ---- | M] () [Auto | Running] -- C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe -- (ColdFusion 8 .NET Service)
SRV - [2008/03/18 02:11:40 | 000,065,536 | ---- | M] (Macromedia Inc.) [Auto | Running] -- C:\ColdFusion8\runtime\bin\jrunsvc.exe -- (ColdFusion 8 Application Server)
SRV - [2008/03/12 02:19:55 | 002,743,056 | ---- | M] (Verity, Inc.) [Auto | Running] -- C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe -- (ColdFusion 8 Search Server)
SRV - [2008/01/14 13:07:23 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2007/11/26 14:47:40 | 000,598,856 | ---- | M] (Webroot Software, Inc.) [Auto | Running] -- C:\Program Files\Webroot\Washer\WasherSvc.exe -- (wwEngineSvc)
SRV - [2007/10/30 20:51:44 | 000,492,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 20:07:38 | 000,427,288 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/08/26 01:14:16 | 004,435,968 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2006/04/06 19:30:46 | 000,086,016 | ---- | M] (Logitech) [Auto | Running] -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://projecthelpishere.com/
IE - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/03/13 23:37:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/27 01:04:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/07 15:55:58 | 000,000,000 | ---D | M]

[2010/04/05 06:48:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Mozilla\Firefox\Profiles\ctp77iba.default\extensions
[2010/03/26 20:51:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Topher\Application Data\Mozilla\Firefox\Profiles\ctp77iba.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/07 16:02:10 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/12 11:01:51 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
[2010/03/27 01:04:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2010/03/27 01:04:04 | 000,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2010/03/27 01:04:05 | 000,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2010/03/27 01:04:05 | 000,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2010/03/27 01:04:09 | 000,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2010/03/27 01:04:09 | 000,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2008/09/10 01:09:32 | 000,079,216 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npContribute.dll
[2007/10/31 00:15:48 | 000,155,648 | ---- | M] (Solidworks Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npEModelPlugin.dll

O1 HOSTS File: ([2010/04/05 08:25:48 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] D:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] D:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [a-squared] D:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe (Emsi Software GmbH)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe ()
O4 - HKLM..\Run: [CreativeMS2020] D:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe (Creative )
O4 - HKLM..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe ()
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005..\Run: [Anonymizer Universal] C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe (Anonymizer)
O4 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe (Webroot Software, Inc.)
O4 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005..\Run: [Winhlp/Apl] C:\WINDOWS\System32\schedul.exe File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\setup_9.0.0.722_06.04.2010_03-06.lnk = D:\Virus Kill\Virus Removal Tool\setup_9.0.0.722_06.04.2010_03-06\startup.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe (Acer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\Topher\Start Menu\Programs\Startup\Adobe Gamma.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\Topher\Start Menu\Programs\Startup\setup_9.0.0.722_06.04.2010_09-08.lnk = D:\Virus Kill\Virus Removal Tool\setup_9.0.0.722_06.04.2010_09-08\startup.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Save YouTube Video - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O8 - Extra context menu item: Save YouTube Video as MP3 - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_19.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\..Trusted Domains: psedd.com ([]http in Local intranet)
O15 - HKU\S-1-5-21-2378369012-325482502-3300333423-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15030/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} http://svca.solidworks.com/htdocs/pdownloa...elsStandard.cab (EModelNonVersionSpecificViewControl Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1185651525562 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {897520CD-B1C8-4745-B46D-B03CF8701BB8} http://www.jigsaw.com/cab/app/JigsawContactFinder.CAB (Jigsaw Contact Finder)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://freetrial.webex.com/client/T23L/webex/ieatgpc.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15030/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab (DownloadManager Control)
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/11 22:55:04 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/24 15:59:44 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1325db73-d9f1-48f8-8895-6d814ec58889} - Security Update for Windows XP (KB913433)
ActiveX: {1AC82F6C-5CBE-3A5A-9C64-F7F3255A3509} - Internet Explorer
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {1BC46932-21B2-4130-86E0-B4EB4F7A7A7B} - Microsoft .NET Framework 1.0 Hotfix (KB887998)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {BDE0FA43-6952-4BA8-8C58-09AF690F88E1} - Microsoft .NET Framework 1.0 Hotfix (KB930494)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D1CEA357-92C1-E8BE-BA93-ABBE53E50AAD} - Browser Customizations
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EA29D410-CE41-4953-A862-2DE706A1DAD7} - Microsoft .NET Framework 1.0 Service Pack 3
ActiveX: {ED05DDC1-1075-4740-E307-7641F5AB128E} - Internet Explorer Version Update
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {F4FD00DD-6691-B65F-433D-D56406E4A348} - Microsoft .NET Framework 1.0 Hotfix (KB887998)
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: KB910393 - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.3IV2 - C:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx Technologies Pty. Ltd.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: VIDC.XFR1 - C:\WINDOWS\System32\xfcodec.dll ()
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Unable to start service SrService!

========== Files/Folders - Created Within 14 Days ==========

[2010/04/10 11:10:21 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Topher\Desktop\OTL.exe
[2010/04/07 21:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Topher\My Documents\a-squared
[2010/04/07 20:50:24 | 002,618,936 | ---- | C] (Norman ASA) -- C:\Documents and Settings\Topher\Desktop\Norman_TDSS_Cleaner.exe
[2010/04/07 15:56:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/06 21:06:07 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/06 11:07:46 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\0940639.sys
[2010/04/06 11:07:46 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\09406391.sys
[2010/04/06 11:07:46 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\09406392.sys
[2010/04/06 10:29:47 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/06 04:29:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/06 04:28:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Topher\Application Data\SUPERAntiSpyware.com
[2010/04/06 04:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/06 01:40:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/06 01:25:01 | 000,000,000 | ---D | C] -- C:\newalg
[2010/04/05 07:55:01 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/05 07:50:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/05 07:50:02 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/05 07:50:02 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/05 07:50:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/05 07:47:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/05 07:41:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/05 07:15:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Topher\Local Settings\Application Data\Threat Expert
[2010/04/05 07:06:20 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/05 06:44:44 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/04/05 06:12:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/04/05 05:42:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Topher\My Documents\New Folder
[2010/04/05 05:33:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/05 03:58:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/05 03:58:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/02/07 02:16:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/11/04 14:49:18 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/04 14:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/06/04 09:09:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Intuit
[2008/08/14 08:14:14 | 000,079,240 | ---- | C] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\adobetmp000120456
[2008/07/21 23:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2008/07/09 01:47:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2007/11/30 15:25:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2007/08/06 19:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Xfire
[2006/12/29 20:54:40 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.Shell32.dll
[2006/11/08 21:56:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\DivX
[2006/09/24 15:25:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Macromedia
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/10 11:10:29 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Topher\Desktop\OTL.exe
[2010/04/10 05:27:57 | 058,758,894 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/09 21:45:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/09 21:40:54 | 000,051,048 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/04/09 21:40:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/09 21:40:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/09 21:40:41 | 2145,562,624 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/09 21:38:33 | 012,582,912 | -H-- | M] () -- C:\Documents and Settings\Topher\NTUSER.DAT
[2010/04/09 21:38:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Topher\ntuser.ini
[2010/04/07 21:03:47 | 000,000,561 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Anti-Malware.lnk
[2010/04/07 20:50:27 | 002,618,936 | ---- | M] (Norman ASA) -- C:\Documents and Settings\Topher\Desktop\Norman_TDSS_Cleaner.exe
[2010/04/07 16:26:02 | 000,000,090 | ---- | M] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2010/04/07 14:39:28 | 003,712,418 | -H-- | M] () -- C:\Documents and Settings\Topher\Local Settings\Application Data\IconCache.db
[2010/04/07 14:14:33 | 000,121,000 | ---- | M] () -- C:\Documents and Settings\Topher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/07 14:14:04 | 002,305,664 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/06 21:25:56 | 000,007,175 | ---- | M] () -- C:\Documents and Settings\Topher\Desktop\Attach.zip
[2010/04/06 21:10:06 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Topher\Desktop\dds.scr
[2010/04/06 20:38:55 | 000,000,534 | ---- | M] () -- C:\Documents and Settings\Topher\Desktop\HijackThis.lnk
[2010/04/06 11:09:06 | 000,001,361 | ---- | M] () -- C:\Documents and Settings\Topher\Start Menu\Programs\Startup\setup_9.0.0.722_06.04.2010_09-08.lnk
[2010/04/06 04:28:55 | 000,000,642 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/06 04:24:31 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Topher\Desktop\rkill.com
[2010/04/06 01:36:36 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/06 01:23:25 | 003,908,183 | R--- | M] () -- C:\Documents and Settings\Topher\Desktop\newalg.exe
[2010/04/05 08:25:48 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/05 07:55:16 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/04/05 07:33:36 | 003,907,460 | R--- | M] () -- C:\Documents and Settings\Topher\Desktop\ComboFix.exe
[2010/04/05 06:42:06 | 005,154,304 | ---- | M] () -- C:\Documents and Settings\Topher\Desktop\WindowsDefender.msi
[2010/04/04 03:00:01 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\Anonymizer Universal Updates.job
[2010/03/29 19:07:37 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/08 23:21:36 | 000,864,104 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/04/07 21:03:47 | 000,000,561 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Anti-Malware.lnk
[2010/04/07 15:21:48 | 2145,562,624 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/06 21:25:56 | 000,007,175 | ---- | C] () -- C:\Documents and Settings\Topher\Desktop\Attach.zip
[2010/04/06 21:10:02 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Topher\Desktop\dds.scr
[2010/04/06 20:38:55 | 000,000,534 | ---- | C] () -- C:\Documents and Settings\Topher\Desktop\HijackThis.lnk
[2010/04/06 11:09:06 | 000,001,361 | ---- | C] () -- C:\Documents and Settings\Topher\Start Menu\Programs\Startup\setup_9.0.0.722_06.04.2010_09-08.lnk
[2010/04/06 04:28:55 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/06 04:24:24 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Topher\Desktop\rkill.com
[2010/04/06 01:23:23 | 003,908,183 | R--- | C] () -- C:\Documents and Settings\Topher\Desktop\newalg.exe
[2010/04/05 07:55:15 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/04/05 07:55:06 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/05 07:50:02 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/05 07:50:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/05 07:50:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/05 07:50:02 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/05 07:50:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/05 07:33:33 | 003,907,460 | R--- | C] () -- C:\Documents and Settings\Topher\Desktop\ComboFix.exe
[2010/04/05 06:42:07 | 005,154,304 | ---- | C] () -- C:\Documents and Settings\Topher\Desktop\WindowsDefender.msi
[2010/03/24 01:08:28 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2010/03/24 01:08:28 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2010/03/24 01:08:28 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2010/03/24 01:08:28 | 000,000,021 | ---- | C] () -- C:\WINDOWS\SurCode.INI
[2010/01/17 19:49:59 | 000,019,241 | ---- | C] () -- C:\Documents and Settings\Topher\ahk.txt
[2009/11/29 15:59:14 | 000,001,437 | ---- | C] () -- C:\Documents and Settings\Topher\Application Data\BBMS_EXCEPTION.txt
[2009/11/09 11:31:59 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Topher\MceRepair_ACER-E592EF2C07_20091109.log
[2009/10/12 12:19:03 | 000,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2009/07/31 11:54:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Topher\Local Settings\Application Data\rx_image.Cache
[2009/07/28 21:49:17 | 008,676,883 | ---- | C] () -- C:\WINDOWS\System32\NCMedia2.dll
[2009/07/28 21:49:17 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/07/28 21:49:17 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/06/03 13:08:44 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/05/17 22:32:34 | 000,021,908 | ---- | C] () -- C:\Documents and Settings\Topher\Application Data\Microsoft Excel.ADR
[2009/01/26 14:44:52 | 000,000,054 | ---- | C] () -- C:\WINDOWS\EZCOMAPI.ini
[2008/11/06 09:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 09:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/08/25 11:12:50 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\Topher\pool.bin
[2008/02/22 17:00:46 | 000,000,168 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\8C7D90A9FF.sys
[2008/02/22 17:00:45 | 000,002,098 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2008/02/20 18:57:30 | 000,054,608 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2008/02/18 23:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2008/01/14 13:07:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\eDrawingOfficeAutomator.INI
[2007/11/30 13:48:54 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIDIB4.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/12 16:11:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Topher\mm.cfg
[2007/06/21 21:04:48 | 000,056,912 | ---- | C] () -- C:\Documents and Settings\Topher\g2mdlhlpx.exe
[2007/04/30 13:47:14 | 000,039,017 | ---- | C] () -- C:\Documents and Settings\Topher\Application Data\Comma Separated Values (Windows).ADR
[2007/04/10 12:08:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2007/02/09 18:40:49 | 000,000,784 | ---- | C] () -- C:\WINDOWS\NTIWVEDT.INI
[2007/01/31 23:23:22 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/01/31 23:23:22 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\9F4482DD95.sys
[2007/01/31 21:12:53 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Topher\Application Data\ActUpdate.log
[2006/12/30 02:40:10 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/12/29 20:54:41 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\ScrollBarLib.dll
[2006/12/13 17:46:15 | 000,139,096 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006/12/01 17:57:14 | 000,005,120 | R--- | C] () -- C:\WINDOWS\System32\SaiC80C0_0402.dll
[2006/12/01 09:25:15 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\Topher\atmgr.exe_Trace.txt
[2006/11/08 14:27:22 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2006/10/21 01:09:14 | 000,077,824 | ---- | C] () -- C:\Documents and Settings\Topher\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/16 22:11:19 | 000,003,399 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2006/10/16 22:11:19 | 000,000,148 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2006/10/16 21:51:40 | 000,000,947 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2006/10/08 22:11:56 | 000,002,181 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/09/24 07:43:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/09/23 13:39:03 | 000,000,531 | ---- | C] () -- C:\Documents and Settings\Topher\NTIDATACDLog.TXT
[2006/09/23 12:39:50 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Topher\Local Settings\Application Data\fusioncache.dat
[2006/09/23 12:39:49 | 012,582,912 | -H-- | C] () -- C:\Documents and Settings\Topher\NTUSER.DAT
[2006/09/23 12:39:49 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Topher\ntuser.dat.LOG
[2006/09/23 12:39:49 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Topher\ntuser.ini
[2006/09/23 12:38:31 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2006/09/23 12:38:31 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2006/08/08 22:39:07 | 000,000,084 | ---- | C] () -- C:\WINDOWS\EMEAPAGE.INI
[2006/04/06 19:30:46 | 002,400,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVMVdrv.sys
[2006/04/06 19:30:46 | 000,016,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPrcMon.sys
[2006/04/06 19:22:00 | 000,000,719 | R--- | C] () -- C:\WINDOWS\System32\InstExec.ini
[2006/04/06 06:53:00 | 000,013,227 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/03/17 03:16:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/17 03:16:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/17 03:16:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/17 03:16:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/17 03:16:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/03/10 03:15:44 | 000,036,404 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/12/14 20:59:52 | 000,000,038 | ---- | C] () -- C:\WINDOWS\Acer.ini
[2005/08/24 21:18:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/24 16:44:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/08/24 16:43:46 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/08/24 16:43:46 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/08/24 16:43:46 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/08/24 16:43:46 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/08/05 14:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2005/06/11 11:47:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2005/03/28 04:45:26 | 000,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2004/01/13 07:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/02/26 23:07:20 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\34CoInstaller.dll
[2001/12/26 15:12:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 22:46:38 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 15:33:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 21:04:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2007/11/30 15:20:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2007/01/31 17:49:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACT
[2008/05/22 19:30:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AddressGrabber Basic
[2010/03/26 23:08:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Anonymizer
[2009/11/04 14:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2007/05/10 17:37:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2009/06/03 13:08:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2009/10/21 15:17:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2007/11/30 15:31:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2010/03/24 01:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
[2009/10/19 21:30:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2007/08/14 20:47:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2009/11/29 15:58:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2007/01/31 21:13:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage Software SB, Inc
[2008/02/22 17:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage Software, Inc
[2010/01/18 16:21:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Saitek
[2009/10/21 15:47:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2009/06/03 15:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2010/04/05 07:21:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/12/13 18:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/04/04 03:00:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}
[2010/02/19 11:10:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{2E192FDE-76CB-4F90-BBDA-1616E31CBB07}
[2010/03/19 23:23:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{B8C6D6D7-91D0-4819-9B32-B971291A575D}
[2007/11/30 15:25:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2008/02/22 16:55:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\ACT
[2007/11/01 13:50:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Alien Skin
[2009/12/23 22:28:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Anonymizer
[2009/12/14 23:08:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\AVG9
[2007/05/11 00:31:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Azureus
[2007/04/18 19:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\BitTyrant
[2008/07/22 15:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Blackberry Desktop
[2008/05/14 23:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Charles
[2007/05/20 11:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\com.codeode
[2007/02/27 16:11:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\CompanionLink
[2009/05/27 23:59:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\EZLinks
[2006/12/13 18:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\ICAClient
[2007/01/31 21:13:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\IsolatedStorage
[2007/03/20 14:09:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Jigsaw
[2008/05/22 19:32:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\MSNInstaller
[2009/03/06 18:27:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\MySQL
[2009/10/21 14:57:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\No Company Name
[2007/04/11 12:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Northwoods Software
[2007/02/26 10:42:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\OfficeUpdate12
[2007/02/28 16:25:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Opera
[2007/08/14 20:47:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\PACE Anti-Piracy
[2009/11/29 15:58:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Research In Motion
[2009/11/12 23:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\TourDeFlex.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2007/05/10 17:37:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\uTorrent
[2007/05/22 22:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Viewpoint
[2007/03/29 21:26:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\webex
[2008/12/15 12:06:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Windows Desktop Search
[2008/12/15 12:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Topher\Application Data\Windows Search
[2010/04/04 03:00:01 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\Anonymizer Universal Updates.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[7 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2008/08/20 10:25:10 | 023,852,652 | ---- | M] () .cab file -- C:\I386\sp3.cab:AGP440.sys
[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/20 10:25:10 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2008/08/20 10:25:10 | 023,852,652 | ---- | M] () .cab file -- C:\I386\sp3.cab:atapi.sys
[2004/08/10 20:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/20 10:25:10 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\atapi.sys
[2010/04/06 01:07:11 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2010/04/08 01:51:21 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/04/09 21:39:24 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/10 20:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 20:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/02/21 05:44:30 | 000,250,368 | ---- | M] (Intel Corporation) MD5=88B1943ECFF661F765228099138CF6AB -- C:\WINDOWS\OemDir\iaStor.sys
[2006/02/21 05:44:30 | 000,250,368 | ---- | M] (Intel Corporation) MD5=88B1943ECFF661F765228099138CF6AB -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 20:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 20:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 1259 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:qOFvK4Gca1bth0rC8TWCDWv
@Alternate Data Stream - 1252 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:B8B0MrwRHfN8ZjWCZE7ODM
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 1063 bytes -> C:\Program Files\Outlook Express:ANRIwMMhADfzPrGMXUs3
< End of report

Edited by fzbxvudu, 10 April 2010 - 11:33 PM.


#4 fzbxvudu

fzbxvudu
  • Topic Starter

  • Members
  • 9 posts

Posted 11 April 2010 - 03:25 AM

After trying several times and disabling background processes such as antivirus programs, cleaners, etc. I still cannot get a full GMER scan completed. When first starting GMER it seems to run a quick scan and I get the following:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-10 21:43:11
Windows 5.1.2600 Service Pack 3
Running: qrdy9cxj.exe; Driver: C:\DOCUME~1\Topher\LOCALS~1\Temp\axddiaob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A8F7AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


But when I make the selections noted in the posting provided and try to run a scan it never completes. Twice (first and third attempt) it has started the scan only to have the screen go blank and the computer go black and startup. It does not execute a full restart as there is no Windows shutdown occurring. Screen simply goes black and then Windows begins to restart. The second attempt saw the scan run for several hours then BSOD popped up for a second then the screen went black and Windows restarted...just tried a fourth time and didn't even make it far enough to start the scan - black screen then Windows startup. Ugh...
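The OTL listing earlier in the thread shows the same file (scecli.dll) under system32, dllcache-style backup folders, and ServicePackFiles with one size and one MD5, and the GMER quick scan above flags atapi.sys as modified. The check a responder does by eye on those lines, grouping every copy of a file name and looking for a copy whose size or hash disagrees, can be scripted. The block below is an added example, not code from this thread or from OTL, GMER, or ComboFix. It parses OTL-style `MD5=` listing lines; the three scecli.dll lines repeat the report above, while the two atapi.sys lines, with their timestamps, sizes, and MD5 values, are constructed for the example and are not taken from this machine's logs.

```python
"""Flag a Windows system file whose on-disk copies disagree in size or MD5,
working from OTL-style file-listing lines.  Added example, not tool output."""
import hashlib
import re
from collections import defaultdict

# One OTL listing line looks like:
#   [date time | size | attrs | M] (Company) MD5=<32 hex> -- <path>
OTL_LINE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^|]*\|\s*M\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

# Constructed sample.  The scecli.dll lines match the report in this thread;
# the atapi.sys lines (timestamp, sizes, hashes) are invented for illustration.
SAMPLE_OTL = r"""
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 17:40:46 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 17:40:46 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=22222222222222222222222222222222 -- C:\WINDOWS\system32\drivers\atapi.sys
"""


def parse_otl_lines(text):
    """Return one dict per OTL listing line; headers and other noise are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        entries.append({
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),   # compare copies by file name
            "size": int(m["size"].replace(",", "")),
            "md5": m["md5"].upper(),
            "company": m["company"],
        })
    return entries


def find_inconsistent(entries):
    """Map file name -> [(path, size, md5), ...] for names whose copies disagree.

    A name with a single copy cannot be cross-checked and is not reported."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    bad = {}
    for name, copies in by_name.items():
        if len(copies) < 2:
            continue
        if len({(c["size"], c["md5"]) for c in copies}) > 1:
            bad[name] = [(c["path"], c["size"], c["md5"]) for c in copies]
    return bad


def md5_hex(data: bytes) -> str:
    """Upper-case hex MD5, the form OTL prints."""
    return hashlib.md5(data).hexdigest().upper()


def matches_listing(data: bytes, entry) -> bool:
    """True when bytes read from disk still have the size and MD5 the listing recorded."""
    return len(data) == entry["size"] and md5_hex(data) == entry["md5"]


def report(text):
    """Human-readable summary of disagreeing copies, one line per copy."""
    lines = []
    for name, copies in sorted(find_inconsistent(parse_otl_lines(text)).items()):
        lines.append(f"{name}: copies disagree")
        for path, size, md5 in copies:
            lines.append(f"  {size:>8}  {md5}  {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OTL)) or "all multi-copy files agree")
```

One caveat that matters for exactly this thread: the GMER entry `Device -> \Driver\atapi \Device\Harddisk0\DR0` means something is sitting in the disk I/O path, and a rootkit in that position can hand a user-mode reader clean file contents while the sectors on disk hold the modified driver. Matching hashes taken from the running system are therefore not conclusive; read the file from offline boot media, or compare against a hash obtained from a known-clean install, before trusting the result.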

#5 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 11 April 2010 - 07:59 AM

Hello, fzbxvudu.

The GMER log confirms the TDL3, so we have enough for now. OK, let's get started.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Viewpoint (foistware) Warning

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

Next, please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop as fzbxvuduCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on fzbxvuduCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#6 fzbxvudu

fzbxvudu
  • Topic Starter
  • Members
  • 9 posts

Posted 11 April 2010 - 02:48 PM

Combofix ran fine. Below is the log:

ComboFix 10-04-05.05 - Topher 04/11/2010 9:45.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.767 [GMT -7:00]
Running from: c:\documents and settings\Topher\Desktop\newalg.exe
AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Topher\My Documents\cc_20100411_093716.reg

.
((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 04:23 . 2010-04-11 04:23 -------- d-----w- c:\documents and settings\Topher\WINDOWS
2010-04-09 06:21 . 2010-04-10 04:38 864104 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-08 03:53 . 2010-04-08 03:53 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-07 22:56 . 2010-04-07 22:56 503808 ----a-w- c:\documents and settings\Topher\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-29d21214-n\msvcp71.dll
2010-04-07 22:56 . 2010-04-07 22:56 499712 ----a-w- c:\documents and settings\Topher\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-29d21214-n\jmc.dll
2010-04-07 22:56 . 2010-04-07 22:56 348160 ----a-w- c:\documents and settings\Topher\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-29d21214-n\msvcr71.dll
2010-04-07 22:56 . 2010-04-07 22:56 12800 ----a-w- c:\documents and settings\Topher\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-758ed415-n\decora-d3d.dll
2010-04-07 22:56 . 2010-04-07 22:56 61440 ----a-w- c:\documents and settings\Topher\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-758ed415-n\decora-sse.dll
2010-04-07 22:55 . 2010-04-07 22:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-06 18:07 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\09406392.sys
2010-04-06 18:07 . 2009-10-10 06:31 315408 ----a-w- c:\windows\system32\drivers\0940639.sys
2010-04-06 18:07 . 2009-09-26 00:59 128016 ----a-w- c:\windows\system32\drivers\09406391.sys
2010-04-06 11:42 . 2010-04-06 11:42 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-06 11:42 . 2010-04-06 11:42 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 11:41 . 2010-04-06 11:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-06 11:29 . 2010-04-06 11:29 52224 ----a-w- c:\documents and settings\Topher\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-06 11:29 . 2010-04-06 11:29 117760 ----a-w- c:\documents and settings\Topher\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 11:29 . 2010-04-06 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-06 11:28 . 2010-04-06 11:28 -------- d-----w- c:\documents and settings\Topher\Application Data\SUPERAntiSpyware.com
2010-04-06 11:27 . 2010-04-06 11:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-06 08:25 . 2010-04-06 08:40 -------- d-----w- C:\newalg
2010-04-06 07:20 . 2010-04-06 07:38 96512 ----a-w- C:\atapi1.sys
2010-04-06 07:15 . 2010-04-10 04:39 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-06 07:15 . 2010-04-08 08:51 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-04-06 07:15 . 2002-08-29 08:27 86912 ----a-w- C:\atapi.sys
2010-04-06 01:20 . 2010-04-06 01:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-05 14:15 . 2010-04-05 14:15 -------- d-----w- c:\documents and settings\Topher\Local Settings\Application Data\Threat Expert
2010-04-05 13:48 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-05 13:44 . 2010-04-05 13:44 -------- d-----w- c:\program files\Windows Defender
2010-04-01 17:16 . 2010-04-01 17:16 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-01 17:16 . 2010-04-01 17:16 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-01 17:16 . 2010-04-01 17:16 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-01 17:16 . 2010-04-01 17:16 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-01 17:16 . 2010-04-01 17:16 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-01 17:16 . 2010-04-01 17:16 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-01 17:16 . 2010-04-01 17:16 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll
2010-04-01 17:16 . 2010-04-01 17:16 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-01 17:16 . 2010-04-01 17:16 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-01 17:16 . 2010-04-01 17:16 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-01 17:16 . 2010-04-01 17:16 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-01 17:16 . 2010-04-01 17:16 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-01 17:13 . 2010-04-01 17:13 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-01 17:13 . 2010-04-01 17:13 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-27 06:08 . 2010-03-20 00:59 3536168 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\Anonymizer_Universal_Setup.exe
2010-03-27 06:08 . 2010-04-11 10:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}
2010-03-27 06:07 . 2010-03-20 00:59 49848 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\1BB4769\8C137512\System.Windows.Interactivity.dll
2010-03-27 06:07 . 2010-03-20 00:59 457912 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\3DB641BE\8C137512\WPFToolkit.dll
2010-03-27 06:07 . 2010-03-20 00:59 78008 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\967B3C26\8C137512\AnonTunnelLib.dll
2010-03-27 06:07 . 2010-03-20 00:59 70328 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\EF82CF2D\8C137512\Microsoft.Expression.Interactions.dll
2010-03-27 06:07 . 2010-03-20 00:59 206008 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\DEB07ADF\8C137512\Microsoft.Xml.Schema.Linq.dll
2010-03-27 06:07 . 2010-03-20 00:59 180920 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\DCAAEBF0\8C137512\Anonymizer.System.dll
2010-03-27 06:07 . 2010-03-20 00:59 137912 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\8BBEB911\8C137512\DotRas.dll
2010-03-27 06:07 . 2010-03-20 00:59 35512 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\291F391B\8C137512\AnonLocalizationLib.dll
2010-03-27 06:07 . 2010-03-20 00:59 31928 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\E26F9C86\8C137512\AnonServiceLib.dll
2010-03-27 06:07 . 2010-03-20 00:59 125112 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\F157BDE7\8C137512\AnonCommonLib.dll
2010-03-27 06:07 . 2010-03-20 00:59 6106808 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\51EDEFF0\8C137512\Anonymizer Universal.exe
2010-03-27 06:07 . 2010-03-20 00:59 447160 -c--a-w- c:\documents and settings\All Users\Application Data\{034ACC02-7584-4658-94C7-CD7F2E9F7F5A}\OFFLINE\F5DD9604\8C137512\AnonBoot.exe
2010-03-24 08:08 . 2010-03-24 08:08 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-03-24 08:08 . 2010-03-24 08:08 1025 ----a-w- c:\windows\system32\clauth2.dll
2010-03-24 08:08 . 2010-03-24 08:08 1025 ----a-w- c:\windows\system32\clauth1.dll
2010-03-24 08:08 . 2010-03-24 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2010-03-14 06:23 . 2010-03-14 06:23 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-14 06:23 . 2010-03-14 06:23 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-14 06:23 . 2010-03-14 06:23 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-14 06:21 . 2010-03-14 06:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 04:23 . 2006-10-19 04:04 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-04-10 15:51 . 2004-08-11 03:00 5888 ----a-w- c:\windows\system32\drivers\dmload.sys
2010-04-10 04:08 . 2006-09-24 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 00:30 . 2009-06-03 22:47 2374 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-04-07 23:04 . 2006-10-06 04:42 -------- d-----w- c:\program files\Java
2010-04-07 22:56 . 2006-10-06 04:41 -------- d-----w- c:\program files\Common Files\Java
2010-04-07 21:14 . 2006-09-23 19:39 121000 ----a-w- c:\documents and settings\Topher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-05 14:21 . 2008-05-05 09:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-29 22:24 . 2009-12-28 13:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:24 . 2009-12-28 13:50 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 06:08 . 2007-11-08 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Anonymizer
2010-03-27 06:08 . 2007-05-23 16:58 -------- d-----w- c:\program files\Anonymizer
2010-03-24 19:38 . 2008-06-24 17:37 -------- d-----w- c:\program files\MSECache
2010-03-20 06:23 . 2010-02-19 18:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B8C6D6D7-91D0-4819-9B32-B971291A575D}
2010-03-15 09:26 . 2009-06-04 02:35 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-03-15 09:26 . 2009-06-04 02:35 1337608 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-03-15 09:23 . 2010-01-11 22:09 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
2010-03-14 06:21 . 2009-11-04 21:56 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-14 06:21 . 2008-09-08 04:59 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-14 06:20 . 2008-09-08 04:59 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-02 21:50 . 2010-03-02 21:50 -------- d-----w- c:\program files\Adobe Media Player
2010-02-26 23:19 . 2008-07-21 21:11 256 ----a-w- c:\windows\system32\pool.bin
2010-02-25 06:24 . 2006-01-09 18:02 916480 ------w- c:\windows\system32\wininet.dll
2010-02-22 07:15 . 2009-07-29 03:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-22 07:10 . 2009-11-30 03:36 38784 ----a-w- c:\documents and settings\Topher\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-21 07:26 . 2009-12-03 05:02 -------- d-----w- c:\program files\Dvd-cloner
2010-02-19 18:10 . 2009-12-24 22:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2E192FDE-76CB-4F90-BBDA-1616E31CBB07}
2010-02-12 22:36 . 2010-02-19 18:14 3534720 -c----w- c:\documents and settings\All Users\Application Data\{B8C6D6D7-91D0-4819-9B32-B971291A575D}\Anonymizer_Universal_Beta_2_Setup.exe
2010-01-18 05:45 . 2008-08-14 14:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2010-01-12 08:12 . 2010-01-12 08:12 3584 ----a-r- c:\documents and settings\Topher\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-12 00:35 . 2010-01-12 00:35 112192 ----a-w- c:\windows\system32\cad.exe
2010-01-11 22:33 . 2010-01-11 20:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-11 22:11 . 2009-09-01 02:53 850736 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
2010-01-11 22:11 . 2009-09-01 02:53 2151728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-03-27 08:04 . 2007-05-16 00:25 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-03-27 08:04 . 2007-05-16 00:25 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-03-27 08:04 . 2007-05-16 00:25 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-03-27 08:04 . 2007-05-16 00:25 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-03-27 08:04 . 2007-05-16 00:25 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-02-01 06:23 . 2007-02-01 06:23 88 -csh--r- c:\windows\system32\9F4482DD95.sys
2008-02-22 23:47 . 2007-02-01 06:23 2098 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-06_00.12.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-11 08:15 . 2010-04-11 08:15 16384 c:\windows\temp\Perflib_Perfdata_8ec.dat
+ 2008-08-20 17:44 . 2010-04-11 07:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-20 17:44 . 2010-01-13 01:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-20 17:44 . 2010-01-13 01:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-20 17:44 . 2010-04-11 07:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-12-28 07:40 . 2010-01-13 01:22 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-12-28 07:40 . 2010-04-11 07:58 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-04-07 06:13 . 2010-04-11 07:58 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-04-06 11:29 . 2010-04-06 11:29 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-06 11:29 . 2010-04-06 11:29 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 45056 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 45056 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 45056 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut30_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 45056 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut30_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 45056 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut2.CB4E6205_F99A_4C51_ADD4_184506EFAB87.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 45056 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut2.CB4E6205_F99A_4C51_ADD4_184506EFAB87.exe
+ 2004-08-11 03:00 . 2010-04-10 15:51 5888 c:\windows\system32\dllcache\dmload.sys
- 2004-08-11 03:00 . 2004-08-11 03:00 5888 c:\windows\system32\dllcache\dmload.sys
+ 2010-04-06 11:29 . 2010-04-06 11:29 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-01-20 21:33 . 2009-01-20 22:33 403973 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter300\acpdfui300.dll
- 2009-01-20 21:33 . 2009-01-20 21:33 403973 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter300\acpdfui300.dll
- 2009-01-20 21:33 . 2009-01-20 21:33 434339 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter300\acpdf300.dll
+ 2009-01-20 21:33 . 2009-01-20 22:33 434339 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter300\acpdf300.dll
- 2009-01-20 21:33 . 2009-01-20 21:33 403973 c:\windows\system32\spool\drivers\w32x86\3\acpdfui300.dll
+ 2009-01-20 21:33 . 2009-01-20 22:33 403973 c:\windows\system32\spool\drivers\w32x86\3\acpdfui300.dll
+ 2009-01-20 21:33 . 2009-01-20 22:33 434339 c:\windows\system32\spool\drivers\w32x86\3\acpdf300.dll
- 2009-01-20 21:33 . 2009-01-20 21:33 434339 c:\windows\system32\spool\drivers\w32x86\3\acpdf300.dll
+ 2010-04-07 22:55 . 2010-04-07 22:55 153376 c:\windows\system32\javaws.exe
+ 2010-04-07 22:55 . 2010-04-07 22:55 145184 c:\windows\system32\javaw.exe
+ 2010-04-07 22:55 . 2010-04-07 22:55 145184 c:\windows\system32\java.exe
+ 2010-04-07 22:56 . 2010-04-07 22:56 180224 c:\windows\Installer\200c27.msi
+ 2010-04-07 22:55 . 2010-04-07 22:55 577536 c:\windows\Installer\200c20.msi
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut241_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut241_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut201_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut201_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-06-03 20:24 . 2010-04-07 23:24 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
- 2009-06-03 20:24 . 2010-01-11 23:12 335872 c:\windows\Installer\{9A2F0810-369F-4E86-9072-973FBE1679C5}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
+ 2009-01-20 21:33 . 2009-01-20 22:33 3833856 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter300\cdintf300.dll
- 2009-01-20 21:33 . 2009-01-20 21:33 3833856 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter300\cdintf300.dll
- 2009-01-20 21:33 . 2009-01-20 21:33 3833856 c:\windows\system32\spool\drivers\w32x86\3\cdintf300.dll
+ 2009-01-20 21:33 . 2009-01-20 22:33 3833856 c:\windows\system32\spool\drivers\w32x86\3\cdintf300.dll
+ 2005-08-25 04:07 . 2010-04-07 21:14 2305664 c:\windows\system32\FNTCACHE.DAT
- 2009-06-03 20:27 . 2009-01-20 21:33 3833856 c:\windows\system32\cdintf300.dll
+ 2009-06-03 20:27 . 2009-01-20 22:33 3833856 c:\windows\system32\cdintf300.dll
+ 2010-04-06 11:29 . 2010-04-06 11:29 1583616 c:\windows\Installer\dcf79.msi
+ 2010-03-15 09:23 . 2010-03-15 09:23 24489984 c:\windows\Installer\36f6a0.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Anonymizer Universal"="c:\program files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe" [2010-03-20 6106808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-05-08 638976]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-31 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-09 7573504]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-01-18 611712]
"Adobe Acrobat Speed Launcher"="d:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="d:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-22 640440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-29 282624]
"CreativeMS2020"="d:\program files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe" [2006-05-09 143360]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"a-squared"="d:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2010-01-02 3280712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Topher\Start Menu\Programs\Startup\
Adobe Gamma.lnk.disabled [2006-9-24 896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-12-29 45056]
Acrobat Assistant.lnk.disabled [2006-12-13 1732]
Adobe Reader Speed Launch.lnk.disabled [2006-9-30 1665]
Bluetooth.lnk.disabled [2006-9-23 637]
Cisco Systems VPN Client.lnk.disabled [2006-12-13 1670]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Microsoft Office.lnk.disabled [2006-9-24 1633]
Program Neighborhood Agent.lnk.disabled [2006-12-13 1728]
QuickBooks Update Agent.lnk.disabled [2009-6-3 2113]
Windows Search.lnk.disabled [2008-12-15 1791]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 06:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EA Core"=c:\program files\Electronic Arts\EA Link\Core.exe -silent
"Start WingMan Profiler"=
"com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 2.13\cactusspamfilter.exe" -minimized
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
"Steam"="d:\program files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"AzMixerSel"=c:\program files\Realtek\InstallShield\AzMixerSel.exe
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"LogitechVideo[inspector]"=c:\program files\Acer\OrbiCam\InstallHelper.exe /inspect
"SaiMfd"=c:\program files\Saitek\Software\SaiMfd.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Profiler"=c:\program files\Saitek\Software\ProfilerU.exe
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"LogitechCameraAssistant"=c:\program files\Acer\OrbiCam\CameraAssistant.exe
"LogitechCameraService(E)"=c:\windows\system32\ElkCtrl.exe /automation
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"ehTray"=c:\windows\ehome\ehtray.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"AcronisTimounterMonitor"=c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe"
"CreativeMS2020"=c:\program files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"Intuit SyncManager"=c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
"RTHDCPL"=RTHDCPL.EXE
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"ProfilerU"=c:\program files\Saitek\SD6\Software\ProfilerU.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_06\\bin\\java.exe"=
"d:\\Program Files\\Adobe\\Flex Builder 3\\FlexBuilder.exe"=
"c:\\ColdFusion8\\runtime\\bin\\jrun.exe"=
"c:\\EHN\\EZUpdate.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Documents and Settings\\Topher\\Desktop\\ehnadmin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"d:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\topheraz\\half-life\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6100:UDP"= 6100:UDP:MaxiVista UDP 1
"6101:UDP"= 6101:UDP:MaxiVista UDP 2
"6102:UDP"= 6102:UDP:MaxiVista UDP 3
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 09406392;09406392 Boot Guard Driver;c:\windows\system32\drivers\09406392.sys [4/6/2010 11:07 AM 37392]
R1 09406391;09406391;c:\windows\system32\drivers\09406391.sys [4/6/2010 11:07 AM 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/7/2008 9:59 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/4/2009 2:56 PM 242696]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 setup_9.0.0.722_06.04.2010_09-08drv;setup_9.0.0.722_06.04.2010_09-08drv;c:\windows\system32\drivers\0940639.sys [4/6/2010 11:07 AM 315408]
R2 a2AntiMalware;a-squared Anti-Malware Service;d:\program files\a-squared Anti-Malware\a2service.exe [4/7/2010 9:03 PM 1858144]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 11:21 PM 308064]
R2 ColdFusion 8 Application Server;ColdFusion 8 Application Server;c:\coldfusion8\runtime\bin\jrunsvc.exe [5/17/2008 2:41 AM 65536]
R2 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;c:\coldfusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent" --> c:\coldfusion8\db\slserver54\bin\swagent.exe ColdFusion 8 ODBC Agent [?]
R2 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;c:\coldfusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server" --> c:\coldfusion8\db\slserver54\bin\swstrtr.exe ColdFusion 8 ODBC Server [?]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [12/29/2009 8:57 AM 598856]
R3 AVerM115;AVerM115 service;c:\windows\system32\drivers\AVerM115.sys [2/11/2006 4:58 AM 1274880]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [4/6/2006 7:46 AM 1097472]
S0 pvlzvvb;pvlzvvb; [x]
S2 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;c:\coldfusion8\jnbridge\CF8DotNetsvc.exe [5/17/2008 2:42 AM 77824]
S2 ColdFusion 8 Search Server;ColdFusion 8 Search Server;c:\coldfusion8\verity\k2\_nti40\bin\k2admin.exe [5/17/2008 2:41 AM 2743056]
S2 MaxiVista_service_A;MaxiVista_service_A;c:\documents and settings\Topher\Desktop\MaxiVistaViewerA.exe [1/11/2010 5:15 PM 1770504]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]
S3 BEFCMU10;EtherFast Cable Modem with USB;c:\windows\system32\drivers\BEFCMU10.sys [6/3/2008 6:45 PM 14844]
S3 ctms2020;Creative HID USB Filter Driver1;c:\windows\system32\drivers\ctms2020.sys [7/3/2007 7:41 PM 8914]
S3 mvvideodemo;MaxiVista Virtual Video Demo;c:\windows\system32\DRIVERS\mvvideodemo.sys --> c:\windows\system32\DRIVERS\mvvideodemo.sys [?]
S3 mvvideoexta;MaxiVista Virtual Video ExtA;c:\windows\system32\DRIVERS\mvvideoexta.sys --> c:\windows\system32\DRIVERS\mvvideoexta.sys [?]
S3 mvvideoextb;MaxiVista Virtual Video ExtB;c:\windows\system32\DRIVERS\mvvideoextb.sys --> c:\windows\system32\DRIVERS\mvvideoextb.sys [?]
S3 mvvideoextc;MaxiVista Virtual Video ExtC;c:\windows\system32\DRIVERS\mvvideoextc.sys --> c:\windows\system32\DRIVERS\mvvideoextc.sys [?]
S3 mvvideomir;MaxiVista Virtual Video Mirror;c:\windows\system32\DRIVERS\mvvideomir.sys --> c:\windows\system32\DRIVERS\mvvideomir.sys [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\Topher\LOCALS~1\Temp\0000100d.nmc\nse\bin\ndiskio.sys --> c:\docume~1\Topher\LOCALS~1\Temp\0000100d.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\Topher\LOCALS~1\Temp\0000100d.nmc\nse\bin\nsak.sys --> c:\docume~1\Topher\LOCALS~1\Temp\0000100d.nmc\nse\bin\nsak.sys [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [2/19/2007 5:16 PM 19020]
S3 SaiH80C0;SaiH80C0;c:\windows\system32\drivers\SaiH80C0.sys [12/1/2006 5:57 PM 176384]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\Anonymizer Universal Updates.job
- c:\windows\Installer\Anonymizer Universal Updates for All Users.lnk [2010-03-27 06:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://projecthelpishere.com/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Save YouTube Video - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
DPF: {897520CD-B1C8-4745-B46D-B03CF8701BB8} - hxxp://www.jigsaw.com/cab/app/JigsawContactFinder.CAB
FF - ProfilePath - c:\documents and settings\Topher\Application Data\Mozilla\Firefox\Profiles\ctp77iba.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 09:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A83EAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf7482852
\Driver\iaStor -> iaStor.sys @ 0xf7b27f18
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
NDIS: Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xbaf31bb0
PacketIndicateHandler -> NDIS.sys @ 0xbaf20a0d
SendHandler -> NDIS.sys @ 0xbaf34b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:fd,86,a2,13,d2,2c,12,fd,e1,6a,33,c2,fe,91,bf,ba,97,f0,45,6a,15,
4b,32,ac,54,e0,e7,a9,18,45,be,94,13,17,8c,72,dd,13,35,bb,5d,77,4b,90,f7,55,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:fd,86,a2,13,d2,2c,12,fd,e1,6a,33,c2,fe,91,bf,ba,97,f0,45,6a,15,
4b,32,ac,54,e0,e7,a9,18,45,be,94,13,17,8c,72,dd,13,35,bb,5d,77,4b,90,f7,55,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\windows\system32\WININET.dll
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1112)
c:\windows\system32\WININET.dll
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-04-11 10:06:16
ComboFix-quarantined-files.txt 2010-04-11 17:06
ComboFix2.txt 2010-04-06 08:40
ComboFix3.txt 2010-04-06 00:19
ComboFix4.txt 2010-04-05 15:41

Pre-Run: 6,632,772,096 bytes free
Post-Run: 6,629,348,864 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BB6B841A3CE5F589E9272940F76911C6


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 11 April 2010 - 09:01 PM

Hello, fzbxvudu.

Ok, we'll have to do this manually.



Step 1
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.

Now, at the prompt, type each bolded line exactly as shown and press enter after each.

ren c:\windows\system32\drivers\atapi.sys atapi.old

copy C:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\windows\system32\drivers\atapi.sys
You should see 1 file(s) copied.

Reboot.



Step 2
  1. Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  2. Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  3. Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  4. Open your c:\folder and double-click on fixme.bat. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#8 fzbxvudu

fzbxvudu
  • Topic Starter

  • Members
  • 9 posts
  • Local time:06:02 PM

Posted 12 April 2010 - 12:11 AM

Step 1 and Step 2 completed without incident (though when I reconnected to the internet to post this reply a new browser window popped open and pulled up some site saying I'd won a prize...imagine that). mbr.log contents below:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A85AAC8]<<
kernel: MBR read successfully
user & kernel MBR OK
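Reading the two mbr.exe outputs in this thread side by side, as an added example that is not part of the original posts or of GMER: the parser below (field and function names are my own) pulls the hooked driver objects and the unnamed kernel module out of the detector text, using the report from the ComboFix run above and the mbr.log posted here as inline samples, and shows why "user & kernel MBR OK" on its own is not a clean verdict.

```python
"""Parse GMER 'Stealth MBR rootkit' detector output into a structured verdict.

Added example for this thread; the dataclasses, the verdict labels and the
comparison logic are my own, not GMER's.  Both sample logs are copied from
the thread: the first from the ComboFix run (before atapi.sys was replaced),
the second from the mbr.log posted after the Recovery Console fix.
"""
import re
from dataclasses import dataclass, field

LOG_BEFORE = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A83EAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf7482852
\Driver\iaStor -> iaStor.sys @ 0xf7b27f18
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
NDIS: Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xbaf31bb0
PacketIndicateHandler -> NDIS.sys @ 0xbaf20a0d
SendHandler -> NDIS.sys @ 0xbaf34b40
user & kernel MBR OK
"""

LOG_AFTER = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A85AAC8]<<
kernel: MBR read successfully
user & kernel MBR OK
"""


@dataclass
class Hook:
    target: str   # object whose pointer was redirected, e.g. "\Driver\atapi"
    module: str   # module the pointer now lands in, e.g. "atapi.sys"
    address: str  # address reported by the tool


@dataclass
class MbrReport:
    mbr_ok: bool = False
    unknown_modules: list = field(default_factory=list)  # unnamed callers in the disk path
    hooks: list = field(default_factory=list)


# "<chain> -> <module> @ <addr>"; the lazy chain absorbs extra "->" segments.
HOOK_RE = re.compile(r"^(?P<chain>.+?) -> (?P<module>\S+) @ (?P<addr>0x[0-9a-fA-F]+)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_mbr_log(text: str) -> MbrReport:
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            rep.unknown_modules = UNKNOWN_RE.findall(line)
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line.startswith("user & kernel MBR"):
            in_hooks = False
            rep.mbr_ok = line.endswith("OK")
        elif in_hooks and line:
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append(Hook(m["chain"], m["module"], m["addr"]))
    return rep


def hooked_drivers(rep: MbrReport) -> list:
    """Driver objects (\\Driver\\...) whose dispatch pointers were redirected."""
    return sorted({h.target for h in rep.hooks if h.target.lower().startswith("\\driver\\")})


def verdict(rep: MbrReport) -> str:
    # My own labels: GMER prints the raw facts and leaves the judgement to the reader.
    if rep.hooks:
        return "INFECTED"    # pointers in the disk driver stack point somewhere they should not
    if rep.unknown_modules or not rep.mbr_ok:
        return "SUSPICIOUS"  # sectors agree, but an unnamed module still sits in the call chain
    return "CLEAN"


def compare(before: MbrReport, after: MbrReport) -> dict:
    """What the fix removed, what it left behind, and how to read the second log."""
    return {
        "hooks_cleared": sorted(set(hooked_drivers(before)) - set(hooked_drivers(after))),
        "hooks_remaining": hooked_drivers(after),
        "unknown_module_remains": bool(after.unknown_modules),
        "verdict": verdict(after),
    }


if __name__ == "__main__":
    before, after = parse_mbr_log(LOG_BEFORE), parse_mbr_log(LOG_AFTER)
    for k, v in compare(before, after).items():
        print(f"{k}: {v}")
```

Run against the two logs, the comparison reports the four driver hooks gone but the unnamed module at 0x8A85AAC8 still in the call chain, which is why the helper asks for a GMER "sections" scan in the next post rather than declaring the machine clean.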


#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 12 April 2010 - 10:55 PM

OK, please run GMER. Please disconnect from the internet and shut down your virus protection. Please check "sections", "Files" and "devices" only. If it locks up, blue screens, etc., uncheck devices and try it again. If it still hangs/bluescreens, then reboot into safe mode, disconnect from the internet and shut down your virus protection and try it with all 3 checked. If issues, uncheck devices and try again in safe mode. I'm mostly interested in 'sections', but also 'files'.


 


#10 fzbxvudu

fzbxvudu
  • Topic Starter

  • Members
  • 9 posts
  • Local time:06:02 PM

Posted 12 April 2010 - 11:26 PM

Tried running GMER with only the items you indicated should be checked. Neither scan completed. Each realized a reboot of Windows a few minutes into the scan. Just attempted to run in Safe Mode however there is no SCAN button available to me to start a scan. Only OK and CANCEL buttons show. Selecting OK closes the window without GMER running the scan.

At this point, I think realistically (as much as I hate to admit it) a full reinstall is probably the best course of action. An upgrade to Windows 7 was coming anyway, this just expedites it a little. Given we're a few days into our tandem work (which comes after my own efforts for 4 days solid) with more effort needed and the apparent existence of the backdoor makes the machine inherently untrustworthy, all signs point to remedying this through a clean re-install.

Your help and time has been GREATLY appreciated! Your instructions were clear and concise. And once on the case, you were timely. Thank you again. One final question as I would be interested in also offering my help in these efforts...what is the correct first step to take?

#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 13 April 2010 - 05:33 PM

Hello, fzbxvudu.
OK, I've listed some reformat advice below.

As for your question as to how to help, BC runs a training program. Check out the link at the end of the info in the link below frequently as spots open and close regularly.
http://www.bleepingcomputer.com/forums/t/86678/malware-removal-training-program/




Here's a good article on how to reformat:
When Should I Format, How Should I Reinstall

Also, to protect yourself against malware and reduce your chance of reinfection in the future, I strongly recommend having a look at the following links (giving some advice and tips):
etavares


 


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:02 PM

Posted 18 April 2010 - 06:05 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.


 




