
Infected with Antivirus XP/Malaware Doctor/Security Tool


This topic is locked.
29 replies to this topic

#1 InaPinch

InaPinch

  • Members
  • 36 posts

Posted 12 April 2010 - 11:24 PM

Here is the original topic.

Basically, my computer got infected by Antivirus XP, Security Tool, and Malware Doctor (as far as I know). These malware viruses completely hijacked my computer and blocked off the internet on my laptop (both wireless and non).

Following Budapest's instructions, Malware Bytes was able to get rid of Antivirus XP and Security Tool.

When prompted to restart, Malware Doctor appeared on my computer. I also get two error messages at start up.

The first one is,

Generic Host Process for Win32 Services

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.
We have created an error report that you can send to help us improve Generic Host Process for Win32 Services. We will treat this report as confidential and anonymous.

To see what data this report contains, click here.

[Debug] [Send Error Report] [Don't Send]


and the second message is,

Fatal error (10)

The key file does not exist.

[ OK ]


Here is the DDS.txt log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ben Chao at 18:59:48.85 on Mon 04/12/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.171 [GMT -7:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
c:\program files\microsoft xbox 360 accessories\xboxstat .exe
c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
C:\Documents and Settings\Ben Chao\Desktop\Fixing\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://yahoo.sbc.com/dsl
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = proxy.ucr.edu:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sound Pilot] "c:\program files\sound pilot\SndPilot.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [dbnetlib.exe] c:\docume~1\bencha~1\locals~1\temp\dbnetlib.exe
uRun: [appreg70700.exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700.exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
mRun: [POEngine]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link\airplus g wireless adapter utility\AirPlus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: Yahoo! Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
Hosts: 66.98.136.25 auto.search.msn.com
Hosts: 66.98.136.25 auto.search.msn.es
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bencha~1\applic~1\mozilla\firefox\profiles\ufr54780.default user\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\ben chao\application data\mozilla\firefox\profiles\ufr54780.default user\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npcdp32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2005-7-13 17792]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149864]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149864]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-24 149864]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-1-5 1251720]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-28 99376]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys --> c:\windows\system32\drivers\rxp.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [2005-6-24 386816]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080928.003\NAVENG.SYS [2008-9-28 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080928.003\NAVEX15.SYS [2008-9-28 873552]

=============== Created Last 30 ================

2010-04-12 06:42:36 1421 ----a-w- c:\windows\lsrslt.ini
2010-04-12 00:50:50 0 d-----w- c:\docume~1\bencha~1\applic~1\Malwarebytes
2010-04-12 00:50:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 00:50:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-12 00:50:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 00:50:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 00:53:22 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-10 23:32:50 0 d-----w- c:\program files\Your Protection
2010-04-09 22:05:50 37376 ----a-w- c:\documents and settings\ben chao\rundll32 .exe
2010-04-09 19:41:41 0 d--h--w- c:\windows\system32\GroupPolicy
2010-04-09 10:15:21 37376 ----a-w- c:\windows\system32\OLDF78.tmp
2010-04-09 10:15:19 37376 ----a-w- c:\windows\system32\rundll32.exe.delme174
2010-04-09 10:15:19 37376 ----a-w- c:\windows\system32\rundll32.exe.delme155
2010-04-09 10:15:19 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-04-09 10:15:19 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-04-09 10:15:01 6 ----a-w- c:\windows\system32^iphy.dll
2010-04-09 10:14:43 184832 ----a-w- c:\windows\Ctuwua.exe
2010-04-09 10:14:26 0 ----a-w- c:\windows\system32\drivers\axwglaej.sys
2010-04-09 10:14:09 0 d-----w- c:\docume~1\bencha~1\applic~1\C24C80B8C92B382F904356C0D39AD241
2010-03-27 23:45:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 21:40:13 268 ---ha-w- C:\sqmdata19.sqm
2010-03-26 21:40:12 244 ---ha-w- C:\sqmnoopt19.sqm
2010-03-26 15:46:53 268 ---ha-w- C:\sqmdata18.sqm
2010-03-26 15:46:53 244 ---ha-w- C:\sqmnoopt18.sqm
2010-03-26 04:27:48 268 ---ha-w- C:\sqmdata17.sqm
2010-03-26 04:27:48 244 ---ha-w- C:\sqmnoopt17.sqm
2010-03-26 02:28:35 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-26 02:14:46 268 ---ha-w- C:\sqmdata16.sqm
2010-03-26 02:14:44 244 ---ha-w- C:\sqmnoopt16.sqm
2010-03-24 21:18:59 268 ---ha-w- C:\sqmdata15.sqm
2010-03-24 21:18:58 244 ---ha-w- C:\sqmnoopt15.sqm
2010-03-24 16:08:10 268 ---ha-w- C:\sqmdata14.sqm
2010-03-24 16:08:09 244 ---ha-w- C:\sqmnoopt14.sqm
2010-03-18 22:11:04 0 ----a-w- c:\windows\Chem3D.INI
2010-03-18 21:14:34 268 ---ha-w- C:\sqmdata13.sqm
2010-03-18 21:14:33 244 ---ha-w- C:\sqmnoopt13.sqm
2010-03-17 21:15:57 268 ---ha-w- C:\sqmdata12.sqm
2010-03-17 21:15:56 244 ---ha-w- C:\sqmnoopt12.sqm

==================== Find3M ====================

2010-04-09 10:14:24 4608 ----a-w- c:\windows\system32\srsvc.dll
2010-04-09 04:04:48 32282 ----a-w- c:\windows\system32\nvModes.dat
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ------w- c:\windows\system32\ieencode.dll
2005-07-09 09:58:31 611 -c--a-w- c:\program files\Uninstall AIM.lnk
2005-07-09 09:58:31 14337 -c--a-w- c:\program files\INSTALL.LOG
2005-06-02 08:35:06 116977 -c--a-w- c:\program files\uninstll.EXE
2005-06-02 08:34:34 67160 -c--a-w- c:\program files\aim.exe
2005-06-02 08:34:24 131072 -c--a-w- c:\program files\ateima32.dll
2005-06-02 08:34:14 61440 -c--a-w- c:\program files\AlertUI.ocm
2005-06-02 08:34:04 25088 -c--a-w- c:\program files\browse.ocm
2005-06-02 08:33:54 217088 -c--a-w- c:\program files\buddyui.ocm
2005-06-02 08:33:38 233472 -c--a-w- c:\program files\AimSecondarySvcs.dll
2005-06-02 08:33:14 6656 -c--a-w- c:\program files\stats.ocm
2005-06-02 08:33:10 98304 -c--a-w- c:\program files\ChatUI.ocm
2005-06-02 08:32:54 1511424 -c--a-w- c:\program files\AimRes.dll
2005-06-02 08:32:52 192512 -c--a-w- c:\program files\AimCoreSvcs.dll
2005-06-02 08:32:38 266240 -c--a-w- c:\program files\icbmui.ocm
2005-06-02 08:32:20 94208 -c--a-w- c:\program files\ticker.ocm
2005-06-02 08:32:14 114688 -c--a-w- c:\program files\aimapi.dll
2005-06-02 08:31:58 16384 -c--a-w- c:\program files\Admin.ocm
2005-06-02 08:31:50 151552 -c--a-w- c:\program files\locateui.ocm
2005-06-02 08:31:20 135168 -c--a-w- c:\program files\miscui.ocm
2005-06-02 08:31:06 15360 -c--a-w- c:\program files\NTP.ocm
2005-06-02 08:30:52 77824 -c--a-w- c:\program files\OscMail.ocm
2005-06-02 08:30:44 19968 -c--a-w- c:\program files\aimtalk.dll
2005-06-02 08:30:34 69632 -c--a-w- c:\program files\osclogin.ocm
2005-06-02 08:30:24 9216 -c--a-w- c:\program files\oscmain.ocm
2005-06-02 08:30:16 39936 -c--a-w- c:\program files\startup.ocm
2005-06-02 08:29:58 155648 -c--a-w- c:\program files\aimauto.exe
2005-06-02 08:29:52 86016 -c--a-w- c:\program files\OscSrch.ocm
2005-06-02 08:29:42 2048 -c--a-w- c:\program files\ShareFile.exe
2005-06-02 08:29:40 2048 -c--a-w- c:\program files\SendFile.exe
2005-06-02 08:29:40 13824 -c--a-w- c:\program files\osconfig.ocm
2005-06-02 08:29:36 39936 -c--a-w- c:\program files\rvapps.ocm
2005-06-02 08:29:22 40960 -c--a-w- c:\program files\Patcher.exe
2005-06-02 08:29:20 13312 -c--a-w- c:\program files\popup.ocm
2005-06-02 08:29:10 225280 -c--a-w- c:\program files\wndutils.dll
2005-06-02 08:28:32 180224 -c--a-w- c:\program files\rtvideo.dll
2005-06-02 08:27:52 77824 -c--a-w- c:\program files\Patcher.dll
2005-06-02 08:27:42 229376 -c--a-w- c:\program files\inetsocket.dll
2005-06-02 08:26:48 34304 -c--a-w- c:\program files\proto.ocm
2005-06-02 08:26:42 49152 -c--a-w- c:\program files\ProgressDlg.dll
2005-06-02 08:26:40 151552 -c--a-w- c:\program files\oscarui.dll
2005-06-02 08:26:14 192512 -c--a-w- c:\program files\oscore.dll
2005-06-02 08:25:48 192512 -c--a-w- c:\program files\ate32.dll
2005-06-02 08:25:38 4608 -c--a-w- c:\program files\idlemon.dll
2005-05-26 15:32:40 38435 -c--a-w- c:\program files\licens32.txt
2005-04-25 16:00:54 10218 -c--a-w- c:\program files\aim95.CNT
2005-04-25 16:00:52 505551 -c--a-w- c:\program files\AIM95.HLP
2004-08-28 01:29:36 1935 -c--a-w- c:\program files\icbmftvc.lst
2004-08-18 20:56:48 372736 -c--a-w- c:\program files\softokn3.dll
2004-08-18 20:56:48 110592 -c--a-w- c:\program files\ssl3.dll
2004-08-18 20:56:48 106496 -c--a-w- c:\program files\smime3.dll
2004-08-18 20:56:46 348160 -c--a-w- c:\program files\nss3.dll
2004-07-29 21:03:08 98304 -c--a-w- c:\program files\sb.dll
2004-07-22 17:43:54 106496 -c--a-w- c:\program files\CoolPeer.dll
2004-07-22 17:43:42 3584 -c--a-w- c:\program files\CoolSos.dll
2004-07-22 17:43:40 184320 -c--a-w- c:\program files\CoolBos.dll
2004-07-22 17:43:20 114688 -c--a-w- c:\program files\CoolBucky.dll
2004-07-22 17:43:08 61440 -c--a-w- c:\program files\CoolHttp.dll
2004-07-22 17:43:00 57344 -c--a-w- c:\program files\CoolSecNss.dll
2004-07-22 17:42:46 73728 -c--a-w- c:\program files\CoolSocket.dll
2004-07-22 17:42:00 8192 -c--a-w- c:\program files\Xptl.dll
2004-07-22 17:41:54 13824 -c--a-w- c:\program files\Xpcs.dll
2004-07-22 17:41:46 135168 -c--a-w- c:\program files\Xprt.dll
2004-05-19 00:55:26 81920 -c--a-w- c:\program files\xmltok.dll
2004-05-19 00:55:26 53248 -c--a-w- c:\program files\xmlparse.dll
2004-04-16 23:27:56 94208 -c--a-w- c:\program files\jgtktlk.dll
2004-04-16 23:27:56 45056 -c--a-w- c:\program files\jgsetlk.dll
2004-04-16 23:27:54 65536 -c--a-w- c:\program files\jgattlk.dll
2004-04-16 23:27:54 61440 -c--a-w- c:\program files\jgedtlk.dll
2004-04-16 23:27:54 40960 -c--a-w- c:\program files\jgs6tlk.dll
2004-04-16 23:27:54 40960 -c--a-w- c:\program files\jgs2tlk.dll
2004-04-16 23:27:54 36864 -c--a-w- c:\program files\jga1tlk.dll
2004-04-16 23:27:54 32768 -c--a-w- c:\program files\jgs7tlk.dll
2004-04-16 23:27:54 32768 -c--a-w- c:\program files\jgs3tlk.dll
2004-04-16 23:27:52 45056 -c--a-w- c:\program files\jga0tlk.dll
2004-01-09 17:38:16 28672 -c--a-w- c:\program files\plc4.dll
2004-01-09 17:38:16 24576 -c--a-w- c:\program files\plds4.dll
2004-01-09 17:38:16 159744 -c--a-w- c:\program files\nspr4.dll
2003-10-15 00:27:50 2670 -c--a-w- c:\program files\aim.odl
2003-10-15 00:27:50 2486 -c--a-w- c:\program files\netwait.odl
2003-01-06 22:41:36 1457 -c--a-w- c:\program files\rvappstm.lst
2002-08-03 00:40:38 364544 -c--a-w- c:\program files\dBenderC.dll
2002-07-18 18:00:02 139264 -c--a-w- c:\program files\dunzip32.dll
2001-09-29 00:00:28 164864 -c--a-w- c:\program files\unwise32.exe
2001-01-31 00:04:02 1375 -c--a-w- c:\program files\aimalert.gif
2001-01-31 00:03:42 1370 -c--a-w- c:\program files\stockalert.gif
2000-02-17 01:39:00 1732 -c--a-w- c:\program files\unwise32.ini
2000-02-17 00:12:58 50176 -c--a-w- c:\program files\csh.dll

============= FINISH: 19:01:41.01 ===============


Other two log files are attached.
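A triage pass over the "Pseudo HJT Report" section of a DDS log like the one above, added here as an example that is not part of the original thread or of the DDS tool. It flags the patterns visible in this report from a defender's side: a space before the .exe extension, executables launched from a temp folder or a hex-named Application Data folder, the same Run value listed repeatedly, and Hosts entries redirecting a search domain to a non-loopback address. The sample lines are copied from the log above; the rule names and thresholds are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the DDS "Pseudo HJT Report"
# above, plus two ordinary entries (Sound Pilot, ccApp) for contrast.
SAMPLE_DDS = r"""
uRun: [Sound Pilot] "c:\program files\sound pilot\SndPilot.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [dbnetlib.exe] c:\docume~1\bencha~1\locals~1\temp\dbnetlib.exe
uRun: [appreg70700.exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700.exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
uRun: [appreg70700 .exe] c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
Hosts: 66.98.136.25 auto.search.msn.com
Hosts: 66.98.136.25 auto.search.msn.es
"""

RUN_RE = re.compile(r"^([um]Run):\s*\[([^\]]*)\]\s*(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
# DDS prints unquoted paths containing spaces, so the path is taken up to the
# first executable extension rather than up to the first space.
PATH_RE = re.compile(r'^"?(.*?\.(?:exe|scr|com|bat|dll))', re.IGNORECASE)
HEX_DIR_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def _exe_path(command: str) -> Optional[str]:
    """Extract the launched executable's path from a Run value's command string."""
    m = PATH_RE.match(command.strip())
    return m.group(1) if m else None


def triage_dds(report: str) -> List[Finding]:
    """Scan Run and Hosts lines of a DDS Pseudo HJT section and return findings."""
    findings: List[Finding] = []
    seen: Counter = Counter()
    for line_no, line in enumerate(report.strip().splitlines(), start=1):
        m = RUN_RE.match(line)
        if m:
            key, name, command = m.groups()
            seen[(key, name)] += 1
            if seen[(key, name)] > 1:
                # Legitimate software registers a Run value once; repeats are worth a look.
                findings.append(Finding(line_no, "duplicate_entry",
                                        f"{key} [{name}] listed {seen[(key, name)]} times"))
            path = _exe_path(command)
            if path is None:
                continue
            parts = path.replace("/", "\\").split("\\")
            basename = parts[-1]
            # "name .exe" (whitespace before the extension) mimics a real program name.
            if re.search(r"\s\.\w+$", basename):
                findings.append(Finding(line_no, "space_before_extension", basename))
            dirs = [p.lower() for p in parts[:-1]]
            # Autostarts from a temp folder or a 32-hex-character directory under
            # Application Data are unusual for installed software.
            if "temp" in dirs or any(HEX_DIR_RE.match(p) for p in dirs):
                findings.append(Finding(line_no, "suspicious_location", path))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A hosts entry pointing a public domain at a non-loopback address
            # redirects traffic for that name.
            if not ip.startswith("127."):
                findings.append(Finding(line_no, "hosts_override", f"{host} -> {ip}"))
    return findings


def rule_counts(findings: List[Finding]) -> Counter:
    """Count findings per rule, handy for a quick summary."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"line {f.line_no:2d}  {f.rule:24s}  {f.detail}")
```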


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 17 April 2010 - 07:37 AM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 InaPinch

InaPinch
  • Topic Starter

  • Members
  • 36 posts

Posted 17 April 2010 - 11:46 PM

At some point during the OTL scan I got an error message that said,

svchost.exe - Application Error

The instruction at "0x100015f4" referenced memory at "0x00000163". The memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program

I didn't click anything and the scan continued.

Here is the OTL report,

OTL logfile created on: 4/17/2010 6:21:12 PM - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Ben Chao\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.00 Mb Total Physical Memory | 129.00 Mb Available Physical Memory | 34.00% Memory free
921.00 Mb Paging File | 639.00 Mb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 1.91 Gb Free Space | 10.24% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BCLAPTOP
Current User Name: Ben Chao
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/17 18:19:44 | 000,037,376 | ---- | M] (Portable Library) -- c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
PRC - [2010/04/17 18:19:42 | 000,037,376 | ---- | M] (Portable Library) -- c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
PRC - [2010/04/17 18:19:41 | 000,037,376 | ---- | M] (Portable Library) -- c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
PRC - [2010/04/17 18:19:40 | 000,037,376 | ---- | M] (Portable Library) -- c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
PRC - [2010/04/17 18:02:30 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben Chao\Desktop\OTL.exe
PRC - [2010/04/17 14:19:18 | 000,037,376 | ---- | M] (Portable Library) -- C:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe
PRC - [2009/03/06 18:08:02 | 003,558,136 | ---- | M] (Veoh Networks) -- c:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer .exe
PRC - [2008/09/28 11:34:50 | 001,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2008/02/14 11:02:00 | 000,149,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
PRC - [2007/09/26 19:05:58 | 000,734,264 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Xbox 360 Accessories\xboxstat .exe
PRC - [2007/08/31 12:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2007/07/16 12:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/17 18:02:30 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben Chao\Desktop\OTL.exe
MOD - [2006/08/25 08:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/09 03:14:24 | 000,004,608 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/09/28 11:34:50 | 001,251,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2008/02/14 11:02:00 | 000,149,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice)
SRV - [2008/02/14 11:02:00 | 000,149,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - [2008/02/14 11:02:00 | 000,149,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/02/14 11:02:00 | 000,149,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2007/10/25 16:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 12:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/08/31 12:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2007/08/23 13:35:22 | 003,192,184 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
SRV - [2007/08/22 00:21:30 | 000,055,640 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost)
SRV - [2007/07/16 12:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2002/11/22 12:49:22 | 000,077,824 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hphipm11.exe -- (Pml Driver HPH11)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/.../search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1
IE - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.ucr.edu:8080

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (English)"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07075003
FF - prefs.js..extensions.enabledItems: web@veoh.com:1.4
FF - prefs.js..network.proxy.backup.ftp: "localhost"
FF - prefs.js..network.proxy.backup.ftp_port: 1080
FF - prefs.js..network.proxy.backup.gopher: "localhost"
FF - prefs.js..network.proxy.backup.gopher_port: 1080
FF - prefs.js..network.proxy.backup.socks: "localhost"
FF - prefs.js..network.proxy.backup.socks_port: 1080
FF - prefs.js..network.proxy.backup.ssl: "localhost"
FF - prefs.js..network.proxy.backup.ssl_port: 1080
FF - prefs.js..network.proxy.ftp: "localhost"
FF - prefs.js..network.proxy.ftp_port: 1080
FF - prefs.js..network.proxy.gopher: "localhost"
FF - prefs.js..network.proxy.gopher_port: 1080
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 1080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "localhost"
FF - prefs.js..network.proxy.socks_port: 1080
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 1080

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/31 00:53:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/31 00:53:57 | 000,000,000 | ---D | M]

[2008/09/03 20:06:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Extensions
[2005/06/23 00:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\fotelzx0.default\extensions
[2005/06/23 00:06:34 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\fotelzx0.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/04/09 19:31:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions
[2007/11/19 11:58:23 | 000,000,000 | ---D | M] (Metal Lion - Vista) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\{1AF3FC34-0725-4485-A939-6B40EB7CA96A}
[2007/12/04 02:45:13 | 000,000,000 | ---D | M] (ScrapBook) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
[2007/11/22 18:04:46 | 000,000,000 | ---D | M] (macfoxIIgraphite) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\{a883dc70-3e3e-11db-a98b-0800200c9a66}
[2007/08/01 01:55:37 | 000,000,000 | ---D | M] (iFox Smooth) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}
[2007/11/19 19:00:40 | 000,000,000 | ---D | M] (Tweak Network) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\{DAD0F81A-CF67-4eed-98D6-26F6E47274CA}
[2007/11/21 11:26:47 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2007/07/31 02:16:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2007/11/23 21:00:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\moveplayer@movenetworks.com
[2007/07/31 02:16:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\videodowloader@videodownloader.net
[2007/11/19 11:57:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\zotero@chnm.gmu.edu
[2009/04/15 19:21:08 | 000,001,157 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\searchplugins\freedict.xml
[2008/09/03 20:19:01 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\searchplugins\webster.xml
[2008/09/03 20:19:05 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\searchplugins\wikipedia.xml
[2008/09/03 20:06:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/24 20:52:00 | 000,300,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll
[2006/05/06 09:42:04 | 007,260,160 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\libvlc.dll
[2003/04/23 19:10:48 | 006,595,792 | ---- | M] (CambridgeSoft Corp.) -- C:\Program Files\Mozilla Firefox\plugins\npcdp32.dll
[2006/09/24 17:16:19 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2009/02/12 03:49:38 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2006/07/02 03:27:20 | 000,000,801 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 66.98.136.25 auto.search.msn.com
O1 - Hosts: 66.98.136.25 auto.search.msn.es
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\..\Toolbar\ShellBrowser: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\..\Toolbar\WebBrowser: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Adobe_Reader] c:\Program Files\Internet Explorer\wmpscfgs.exe (Portable Library)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [osCheck] C:\Program Files\Norton Internet Security\osCheck.exe (Microsoft Corporation)
O4 - HKLM..\Run: [POEngine] File not found
O4 - HKLM..\Run: [QuickTime Task] c:\program files\quicktime\qttask .exe (Portable Library)
O4 - HKLM..\Run: [XboxStat] c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700 .exe] c:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [appreg70700.exe] C:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [dbnetlib.exe] C:\Documents and Settings\Ben Chao\Local Settings\Temp\dbnetlib.exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [MsnMsgr] c:\program files\windows live\messenger\msnmsgr .exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [Sound Pilot] C:\Program Files\Sound Pilot\SndPilot.exe (Portable Library)
O4 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Portable Library)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AIRPLUS.exe (D-Link)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O8 - Extra context menu item: Yahoo! Dictionary - C:\Program Files\Yahoo!\Common [2005/09/01 13:17:20 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! Search - C:\Program Files\Yahoo!\Common [2005/09/01 13:17:20 | 000,000,000 | ---D | M]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra 'Tools' menuitem : Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll ()
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe (Yahoo! Inc.)
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://download.yahoo.com/dl/installs/yab_af.cab (Reg Error: Key error.)
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab (PhotosCtrl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - CLSID or File not found.
O24 - Desktop WallPaper: C:\Documents and Settings\Ben Chao\My Documents\My Pictures\Wallpapers\vista_grass.jpg
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ben Chao\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/22 17:18:57 | 000,000,025 | ---- | M] () - C:\AUTOEXEC.BAK -- [ NTFS ]
O32 - AutoRun File - [2007/12/22 23:03:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/12/22 12:46:49 | 000,000,025 | ---- | M] () - C:\AUTOEXEC.DIS -- [ NTFS ]
O33 - MountPoints2\{236bda54-dc84-11dd-a439-000f3d0baff0}\Shell\AutoRun\command - "" = E:\Install FreeAgent Tools.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1343024091-1682526488-2146916019-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/06/18 14:27:19 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - C:\WINDOWS\system32\srsvc.dll ()
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk - C:\WINDOWS\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico - ()
MsConfig - StartUpReg: AdobeUpdater - hkey= - key= - C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Yahoo! Pager - hkey= - key= - File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Macromedia Shockwave Director 10.1.1
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3e7bb08a-a7a3-4692-8eac-ac5e7895755b} - KB834707
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: MSACM.CEGSM - C:\WINDOWS\System32\mobileV.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Unable to start service SrService!

========== Files/Folders - Created Within 14 Days ==========

[2010/04/17 18:10:20 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ben Chao\Desktop\OTL.exe
[2010/04/15 10:59:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/15 10:59:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/11 17:50:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Chao\Application Data\Malwarebytes
[2010/04/11 17:50:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/11 17:50:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/11 17:50:24 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/11 17:50:24 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/11 17:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Chao\Desktop\Fixing
[2010/04/10 17:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\avG
[2010/04/10 17:53:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/10 16:32:50 | 000,000,000 | ---D | C] -- C:\Program Files\Your Protection
[2010/04/09 15:05:50 | 000,037,376 | ---- | C] (Portable Library) -- C:\Documents and Settings\Ben Chao\rundll32 .exe
[2010/04/09 12:41:41 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/04/09 03:15:19 | 000,037,376 | ---- | C] (Portable Library) -- C:\WINDOWS\System32\rundll32.exe.delme174
[2010/04/09 03:15:19 | 000,037,376 | ---- | C] (Portable Library) -- C:\WINDOWS\System32\rundll32.exe.delme155
[2010/04/09 03:14:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241
[2007/11/23 08:10:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2005/09/03 02:38:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2005/07/09 02:57:55 | 000,225,280 | ---- | C] (America Online, Inc.) -- C:\Program Files\wndutils.dll
[2005/07/09 02:57:54 | 000,372,736 | ---- | C] (Netscape Communications Corporation) -- C:\Program Files\softokn3.dll
[2005/07/09 02:57:54 | 000,180,224 | ---- | C] (America Online, Inc.) -- C:\Program Files\rtvideo.dll
[2005/07/09 02:57:54 | 000,110,592 | ---- | C] (Netscape Communications Corporation) -- C:\Program Files\ssl3.dll
[2005/07/09 02:57:54 | 000,106,496 | ---- | C] (Netscape Communications Corporation) -- C:\Program Files\smime3.dll
[2005/07/09 02:57:54 | 000,098,304 | ---- | C] (America Online, Inc.) -- C:\Program Files\sb.dll
[2005/07/09 02:57:54 | 000,094,208 | ---- | C] (America Online, Inc.) -- C:\Program Files\ticker.ocm
[2005/07/09 02:57:54 | 000,039,936 | ---- | C] (America Online, Inc.) -- C:\Program Files\startup.ocm
[2005/07/09 02:57:54 | 000,039,936 | ---- | C] (America Online, Inc.) -- C:\Program Files\rvapps.ocm
[2005/07/09 02:57:54 | 000,034,304 | ---- | C] (America Online, Inc.) -- C:\Program Files\proto.ocm
[2005/07/09 02:57:53 | 000,192,512 | ---- | C] (America Online, Inc.) -- C:\Program Files\oscore.dll
[2005/07/09 02:57:53 | 000,086,016 | ---- | C] (America Online, Inc.) -- C:\Program Files\OscSrch.ocm
[2005/07/09 02:57:53 | 000,077,824 | ---- | C] (America Online, Inc.) -- C:\Program Files\Patcher.dll
[2005/07/09 02:57:53 | 000,077,824 | ---- | C] (America Online, Inc.) -- C:\Program Files\OscMail.ocm
[2005/07/09 02:57:53 | 000,069,632 | ---- | C] (America Online, Inc.) -- C:\Program Files\osclogin.ocm
[2005/07/09 02:57:53 | 000,049,152 | ---- | C] (America Online, Inc.) -- C:\Program Files\ProgressDlg.dll
[2005/07/09 02:57:53 | 000,040,960 | ---- | C] (America Online, Inc.) -- C:\Program Files\Patcher.exe
[2005/07/09 02:57:53 | 000,028,672 | ---- | C] (Netscape Communications Corporation) -- C:\Program Files\plc4.dll
[2005/07/09 02:57:53 | 000,024,576 | ---- | C] (Netscape Communications Corporation) -- C:\Program Files\plds4.dll
[2005/07/09 02:57:53 | 000,013,824 | ---- | C] (America Online, Inc.) -- C:\Program Files\osconfig.ocm
[2005/07/09 02:57:53 | 000,013,312 | ---- | C] (America Online, Inc.) -- C:\Program Files\popup.ocm
[2005/07/09 02:57:53 | 000,009,216 | ---- | C] (America Online, Inc.) -- C:\Program Files\oscmain.ocm
[2005/07/09 02:57:52 | 000,348,160 | ---- | C] (Netscape Communications Corporation) -- C:\Program Files\nss3.dll
[2005/07/09 02:57:52 | 000,159,744 | ---- | C] (Netscape Communications Corporation) -- C:\Program Files\nspr4.dll
[2005/07/09 02:57:52 | 000,151,552 | ---- | C] (America Online, Inc.) -- C:\Program Files\oscarui.dll
[2005/07/09 02:57:52 | 000,151,552 | ---- | C] (America Online, Inc.) -- C:\Program Files\locateui.ocm
[2005/07/09 02:57:52 | 000,135,168 | ---- | C] (America Online, Inc.) -- C:\Program Files\miscui.ocm
[2005/07/09 02:57:52 | 000,094,208 | ---- | C] (AOL Time Warner) -- C:\Program Files\jgtktlk.dll
[2005/07/09 02:57:52 | 000,045,056 | ---- | C] (America Online) -- C:\Program Files\jgsetlk.dll
[2005/07/09 02:57:52 | 000,015,360 | ---- | C] (America Online, Inc.) -- C:\Program Files\NTP.ocm
[2005/07/09 02:57:51 | 000,266,240 | ---- | C] (America Online, Inc.) -- C:\Program Files\icbmui.ocm
[2005/07/09 02:57:51 | 000,065,536 | ---- | C] (America Online) -- C:\Program Files\jgattlk.dll
[2005/07/09 02:57:51 | 000,061,440 | ---- | C] (America Online) -- C:\Program Files\jgedtlk.dll
[2005/07/09 02:57:51 | 000,045,056 | ---- | C] (America Online) -- C:\Program Files\jga0tlk.dll
[2005/07/09 02:57:51 | 000,040,960 | ---- | C] (America Online) -- C:\Program Files\jgs6tlk.dll
[2005/07/09 02:57:51 | 000,040,960 | ---- | C] (America Online) -- C:\Program Files\jgs2tlk.dll
[2005/07/09 02:57:51 | 000,036,864 | ---- | C] (America Online) -- C:\Program Files\jga1tlk.dll
[2005/07/09 02:57:51 | 000,032,768 | ---- | C] (America Online) -- C:\Program Files\jgs7tlk.dll
[2005/07/09 02:57:51 | 000,032,768 | ---- | C] (America Online) -- C:\Program Files\jgs3tlk.dll
[2005/07/09 02:57:51 | 000,004,608 | ---- | C] (America Online, Inc.) -- C:\Program Files\idlemon.dll
[2005/07/09 02:57:50 | 000,364,544 | ---- | C] (Red Bend Ltd.) -- C:\Program Files\dBenderC.dll
[2005/07/09 02:57:50 | 000,217,088 | ---- | C] (America Online, Inc.) -- C:\Program Files\buddyui.ocm
[2005/07/09 02:57:50 | 000,192,512 | ---- | C] (America Online, Inc.) -- C:\Program Files\ate32.dll
[2005/07/09 02:57:50 | 000,139,264 | ---- | C] (Inner Media, Inc.) -- C:\Program Files\dunzip32.dll
[2005/07/09 02:57:50 | 000,131,072 | ---- | C] (America Online, Inc.) -- C:\Program Files\ateima32.dll
[2005/07/09 02:57:50 | 000,098,304 | ---- | C] (America Online, Inc.) -- C:\Program Files\ChatUI.ocm
[2005/07/09 02:57:50 | 000,050,176 | ---- | C] (Blue Sky Software Corporation) -- C:\Program Files\csh.dll
[2005/07/09 02:57:50 | 000,025,088 | ---- | C] (America Online, Inc.) -- C:\Program Files\browse.ocm
[2005/07/09 02:57:49 | 001,511,424 | ---- | C] (America Online, Inc.) -- C:\Program Files\AimRes.dll
[2005/07/09 02:57:49 | 000,233,472 | ---- | C] (America Online, Inc.) -- C:\Program Files\AimSecondarySvcs.dll
[2005/07/09 02:57:49 | 000,192,512 | ---- | C] (America Online, Inc.) -- C:\Program Files\AimCoreSvcs.dll
[2005/07/09 02:57:49 | 000,061,440 | ---- | C] (America Online, Inc.) -- C:\Program Files\AlertUI.ocm
[2005/07/09 02:57:49 | 000,019,968 | ---- | C] (America Online, Inc.) -- C:\Program Files\aimtalk.dll
[2005/07/09 02:57:48 | 000,184,320 | ---- | C] (America Online, Inc.) -- C:\Program Files\CoolBos.dll
[2005/07/09 02:57:48 | 000,114,688 | ---- | C] (America Online, Inc.) -- C:\Program Files\CoolBucky.dll
[2005/07/09 02:57:48 | 000,114,688 | ---- | C] (America Online, Inc.) -- C:\Program Files\aimapi.dll
[2005/07/09 02:57:48 | 000,106,496 | ---- | C] (America Online, Inc.) -- C:\Program Files\CoolPeer.dll
[2005/07/09 02:57:48 | 000,073,728 | ---- | C] (America Online, Inc.) -- C:\Program Files\CoolSocket.dll
[2005/07/09 02:57:48 | 000,067,160 | ---- | C] (America Online, Inc.) -- C:\Program Files\aim.exe
[2005/07/09 02:57:48 | 000,061,440 | ---- | C] (America Online, Inc.) -- C:\Program Files\CoolHttp.dll
[2005/07/09 02:57:48 | 000,057,344 | ---- | C] (America Online, Inc.) -- C:\Program Files\CoolSecNss.dll
[2005/07/09 02:57:48 | 000,016,384 | ---- | C] (America Online, Inc.) -- C:\Program Files\Admin.ocm
[2005/07/09 02:57:48 | 000,003,584 | ---- | C] (America Online, Inc.) -- C:\Program Files\CoolSos.dll
[2005/07/09 02:57:47 | 000,135,168 | ---- | C] (America Online, Inc.) -- C:\Program Files\Xprt.dll
[2005/07/09 02:57:47 | 000,013,824 | ---- | C] (America Online, Inc.) -- C:\Program Files\Xpcs.dll
[2005/07/09 02:57:47 | 000,008,192 | ---- | C] (America Online, Inc.) -- C:\Program Files\Xptl.dll
[2005/06/18 23:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/06/18 14:33:10 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2005/06/18 14:33:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2005/06/18 14:33:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Ben Chao\My Documents\*.tmp files -> C:\Documents and Settings\Ben Chao\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/17 18:18:36 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2010/04/17 18:18:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2010/04/17 18:15:44 | 000,032,282 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/04/17 18:15:42 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/04/17 18:15:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/17 18:15:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/17 18:15:21 | 401,657,856 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/17 18:14:05 | 000,001,421 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
[2010/04/17 18:14:04 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2010/04/17 18:14:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2010/04/17 18:02:30 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben Chao\Desktop\OTL.exe
[2010/04/17 11:03:52 | 003,204,146 | -H-- | M] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\IconCache.db
[2010/04/17 11:03:45 | 000,000,004 | ---- | M] () -- C:\Program Files\190644.dat
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/04/17 10:01:50 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/04/16 23:50:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/16 23:37:16 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/16 23:35:34 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\Ben Chao\NTUSER.DAT
[2010/04/16 23:35:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ben Chao\ntuser.ini
[2010/04/16 23:35:25 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2010/04/16 23:35:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2010/04/12 22:28:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2010/04/12 22:28:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2010/04/12 17:49:06 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2010/04/12 17:49:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2010/04/11 19:37:26 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2010/04/11 19:37:25 | 000,000,136 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2010/04/11 19:28:52 | 000,009,346 | -HS- | M] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\2054117988
[2010/04/11 19:28:52 | 000,009,346 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2054117988
[2010/04/11 17:50:34 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/11 15:36:48 | 000,009,354 | -HS- | M] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\1474v
[2010/04/11 15:36:48 | 000,009,354 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1474v
[2010/04/10 18:20:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2010/04/10 18:20:53 | 000,000,136 | -H-- | M] () -- C:\sqmdata02.sqm
[2010/04/10 14:33:49 | 000,037,376 | ---- | M] (Portable Library) -- C:\WINDOWS\System32\rundll32.exe.delme155
[2010/04/09 22:17:07 | 000,183,296 | -HS- | M] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\1521009742.dll
[2010/04/09 15:05:50 | 000,037,376 | ---- | M] (Portable Library) -- C:\Documents and Settings\Ben Chao\rundll32 .exe
[2010/04/09 03:20:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\axwglaej.sys
[2010/04/09 03:17:02 | 000,036,152 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/09 03:15:18 | 000,037,376 | ---- | M] (Portable Library) -- C:\WINDOWS\System32\rundll32.exe.delme174
[2010/04/09 03:15:01 | 000,000,006 | ---- | M] () -- C:\WINDOWS\system32^iphy.dll
[2010/04/09 03:14:24 | 000,004,608 | ---- | M] () -- C:\WINDOWS\System32\srsvc.dll
[2010/04/09 03:13:53 | 002,549,978 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Desktop\MariaKanellis_Pb_2008-04.zip
[2010/04/09 03:13:47 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Ctuwua.exe
[2010/04/09 00:10:20 | 000,011,243 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Desktop\n1357546642_639.jpg
[2010/04/08 23:32:34 | 000,009,046 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Desktop\av-35367.gif
[2010/04/08 21:04:48 | 000,032,282 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/04/08 18:38:38 | 000,025,248 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Desktop\br5tar.jpg
[2010/04/05 11:39:13 | 000,092,660 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Desktop\ChidoriSig.png
[2010/04/04 19:54:58 | 000,131,520 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Desktop\2008101345831_623.jpg
[2010/04/04 10:44:33 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/03 21:12:48 | 002,665,778 | ---- | M] () -- C:\Documents and Settings\Ben Chao\Desktop\Hunter-X-Hunter-190.zip
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Ben Chao\My Documents\*.tmp files -> C:\Documents and Settings\Ben Chao\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/17 11:03:45 | 000,000,004 | ---- | C] () -- C:\Program Files\190644.dat
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2010/04/17 10:01:51 | 000,000,358 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2010/04/15 11:07:45 | 000,014,349 | ---- | C] () -- C:\WINDOWS\KB979683.cat
[2010/04/12 01:08:15 | 401,657,856 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/11 23:42:36 | 000,001,421 | ---- | C] () -- C:\WINDOWS\lsrslt.ini
[2010/04/11 17:50:34 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/10 18:24:36 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/04/10 18:24:36 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/04/10 18:24:36 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/04/10 18:24:36 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/04/10 18:24:36 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/04/10 14:35:47 | 000,009,346 | -HS- | C] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\2054117988
[2010/04/10 14:35:47 | 000,009,346 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2054117988
[2010/04/09 19:21:05 | 000,183,296 | -HS- | C] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\1521009742.dll
[2010/04/09 03:32:18 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/04/09 03:32:18 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/04/09 03:32:17 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/04/09 03:32:14 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/04/09 03:32:14 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/04/09 03:32:13 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/04/09 03:32:03 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/04/09 03:32:02 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/04/09 03:32:01 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/04/09 03:32:01 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/04/09 03:31:59 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/04/09 03:31:59 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/04/09 03:31:59 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/04/09 03:31:59 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/04/09 03:31:59 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/04/09 03:31:59 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/04/09 03:31:58 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/04/09 03:31:56 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/04/09 03:15:35 | 000,000,380 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/04/09 03:15:01 | 000,000,006 | ---- | C] () -- C:\WINDOWS\system32^iphy.dll
[2010/04/09 03:14:43 | 000,184,832 | ---- | C] () -- C:\WINDOWS\Ctuwua.exe
[2010/04/09 03:14:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\axwglaej.sys
[2010/04/09 03:13:50 | 000,009,354 | -HS- | C] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\1474v
[2010/04/09 03:13:50 | 000,009,354 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1474v
[2010/04/09 03:12:27 | 002,549,978 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Desktop\MariaKanellis_Pb_2008-04.zip
[2010/04/09 00:10:07 | 000,011,243 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Desktop\n1357546642_639.jpg
[2010/04/08 23:32:25 | 000,009,046 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Desktop\av-35367.gif
[2010/04/08 18:38:20 | 000,025,248 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Desktop\br5tar.jpg
[2010/04/05 11:39:03 | 000,092,660 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Desktop\ChidoriSig.png
[2010/04/04 19:54:50 | 000,131,520 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Desktop\2008101345831_623.jpg
[2010/04/03 21:12:32 | 002,665,778 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Desktop\Hunter-X-Hunter-190.zip
[2010/03/18 15:11:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Chem3D.INI
[2008/01/05 15:41:16 | 000,055,906 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate
[2007/11/27 09:49:09 | 000,002,400 | ---- | C] () -- C:\Documents and Settings\Ben Chao\LogTrace.log
[2007/11/25 17:49:36 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\bassmod.dll
[2007/08/03 00:32:07 | 000,000,091 | ---- | C] () -- C:\WINDOWS\CIV.INI
[2007/07/16 12:58:10 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/07/16 12:58:00 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/02/22 08:17:50 | 000,000,071 | ---- | C] () -- C:\WINDOWS\pn.ini
[2006/12/01 21:41:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2006/11/10 14:01:08 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2006/05/15 01:33:34 | 000,000,051 | ---- | C] () -- C:\WINDOWS\pr.ini
[2006/02/24 03:14:07 | 000,000,084 | ---- | C] () -- C:\WINDOWS\WB.ini
[2006/02/24 02:25:58 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\wbload.dll
[2006/01/12 23:15:52 | 000,001,770 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/18 21:35:48 | 000,405,005 | ---- | C] () -- C:\Documents and Settings\Ben Chao\reglog.txt
[2005/09/01 13:22:40 | 000,000,016 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/08/30 11:17:34 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2005/08/21 15:45:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2005/07/09 02:58:31 | 000,014,337 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2005/07/09 02:58:31 | 000,000,611 | ---- | C] () -- C:\Program Files\Uninstall AIM.lnk
[2005/07/09 02:57:56 | 000,164,864 | ---- | C] () -- C:\Program Files\unwise32.exe
[2005/07/09 02:57:55 | 000,081,920 | ---- | C] () -- C:\Program Files\xmltok.dll
[2005/07/09 02:57:55 | 000,053,248 | ---- | C] () -- C:\Program Files\xmlparse.dll
[2005/07/09 02:57:55 | 000,001,732 | ---- | C] () -- C:\Program Files\unwise32.ini
[2005/07/09 02:57:54 | 000,116,977 | ---- | C] () -- C:\Program Files\uninstll.EXE
[2005/07/09 02:57:54 | 000,006,656 | ---- | C] () -- C:\Program Files\stats.ocm
[2005/07/09 02:57:54 | 000,002,048 | ---- | C] () -- C:\Program Files\ShareFile.exe
[2005/07/09 02:57:54 | 000,002,048 | ---- | C] () -- C:\Program Files\SendFile.exe
[2005/07/09 02:57:54 | 000,001,457 | ---- | C] () -- C:\Program Files\rvappstm.lst
[2005/07/09 02:57:54 | 000,001,370 | ---- | C] () -- C:\Program Files\stockalert.gif
[2005/07/09 02:57:52 | 000,038,435 | ---- | C] () -- C:\Program Files\licens32.txt
[2005/07/09 02:57:52 | 000,002,486 | ---- | C] () -- C:\Program Files\netwait.odl
[2005/07/09 02:57:51 | 000,229,376 | ---- | C] () -- C:\Program Files\inetsocket.dll
[2005/07/09 02:57:51 | 000,001,935 | ---- | C] () -- C:\Program Files\icbmftvc.lst
[2005/07/09 02:57:49 | 000,155,648 | ---- | C] () -- C:\Program Files\aimauto.exe
[2005/07/09 02:57:48 | 000,505,551 | ---- | C] () -- C:\Program Files\AIM95.HLP
[2005/07/09 02:57:48 | 000,010,218 | ---- | C] () -- C:\Program Files\aim95.CNT
[2005/07/09 02:57:48 | 000,002,670 | ---- | C] () -- C:\Program Files\aim.odl
[2005/07/09 02:57:48 | 000,001,375 | ---- | C] () -- C:\Program Files\aimalert.gif
[2005/07/04 01:00:20 | 000,000,517 | ---- | C] () -- C:\WINDOWS\AIM.INI
[2005/07/03 00:36:56 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\dprsx.dll
[2005/07/03 00:36:56 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\gpvbd.dll
[2005/07/03 00:36:56 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\AuthDVD.DLL
[2005/06/29 20:14:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ben Chao\AdobeWeb.log
[2005/06/20 21:00:45 | 000,000,107 | ---- | C] () -- C:\WINDOWS\IfoEdit.INI
[2005/06/20 19:56:14 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\Ben Chao\sr.ini
[2005/06/18 23:42:20 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2005/06/18 19:29:10 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2005/06/18 19:29:10 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2005/06/18 18:50:43 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/06/18 16:38:47 | 000,235,520 | ---- | C] () -- C:\Documents and Settings\Ben Chao\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/06/18 15:26:12 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2005/06/18 15:00:45 | 000,000,192 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/06/18 14:46:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/18 14:34:52 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Ben Chao\ntuser.ini
[2005/06/18 14:34:50 | 005,242,880 | -H-- | C] () -- C:\Documents and Settings\Ben Chao\NTUSER.DAT
[2005/06/18 14:34:50 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Ben Chao\NTUSER.DAT.LOG
[2005/06/18 14:24:33 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\srsvc.dll
[2003/07/14 12:30:28 | 000,197,120 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2002/11/22 12:50:06 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[1999/04/03 09:54:02 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/04/10 17:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2009/03/30 12:16:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/02/12 03:55:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2007/09/16 04:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PokerAcademyPro2
[2005/07/09 13:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Aim
[2006/09/26 05:03:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Azureus
[2010/04/17 18:19:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241
[2005/11/19 01:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Eclipsit
[2007/11/23 12:11:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\FMZilla
[2008/01/12 00:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Hoyle Blackjack
[2008/01/12 00:20:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Hoyle Card Games
[2007/11/27 19:02:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Hoyle FaceCreator
[2005/06/20 17:36:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\InterVideo
[2006/02/25 23:51:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Jasc
[2007/06/17 04:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Leadertech
[2007/11/21 18:12:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Lost Marble
[2007/08/13 02:07:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\My Games
[2007/09/16 03:24:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\PokerAcademyPro2
[2005/07/01 13:30:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\Thunderbird
[2007/11/25 20:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Chao\Application Data\WildPackets
[2010/04/17 10:01:50 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/04/17 10:01:52 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2010/04/17 10:01:52 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/04/17 10:01:51 | 000,000,380 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010/04/17 18:15:42 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\AGP440.SYS
[2001/08/17 06:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2001/08/23 05:00:00 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2001/08/23 05:00:00 | 000,047,616 | ---- | M] (Microsoft Corporation) MD5=A510B91253544D56B5712D66BE8371E9 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll
[2001/08/23 05:00:00 | 000,397,824 | ---- | M] (Microsoft Corporation) MD5=F41C1602DC79AB72035F2388FCA0255F -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2001/08/23 05:00:00 | 000,174,080 | ---- | M] (Microsoft Corporation) MD5=73968C834C316ADC7A2F07DC4B5F3665 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >



Extras OTL report,


OTL Extras logfile created on: 4/17/2010 6:21:12 PM - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Ben Chao\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.00 Mb Total Physical Memory | 129.00 Mb Available Physical Memory | 34.00% Memory free
921.00 Mb Paging File | 639.00 Mb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 1.91 Gb Free Space | 10.24% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BCLAPTOP
Current User Name: Ben Chao
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = YBrowser.URL] -- C:\PROGRA~1\Yahoo!\browser\ybrowser.exe File not found
.js [@ = JSFile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- C:\PROGRA~1\Yahoo!\browser\ybrowser.exe %1 File not found
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
jsfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"56474:TCP" = 56474:TCP:*:Enabled:Pando Media Booster
"56474:UDP" = 56474:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Aol Instant Messenger\aim.exe" = C:\Program Files\Aol Instant Messenger\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Portable Library)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\WinDVD 7.0\WinDVD.exe" = C:\Program Files\WinDVD 7.0\WinDVD.exe:*:Disabled:WinDVD -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:Connection Manager -- File not found
"C:\Program Files\Aol Instant Messenger\aim.exe" = C:\Program Files\Aol Instant Messenger\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Macromedia Dreamweaver MX\Dreamweaver MX\Dreamweaver.exe" = C:\Program Files\Macromedia Dreamweaver MX\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX -- File not found
"C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe" = C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client -- File not found
"C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE" = C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe" = C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Mirc\mirc.exe" = C:\Program Files\Mirc\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\i2hub\i2hub.exe" = C:\Program Files\i2hub\i2hub.exe:*:Enabled:i2hub -- File not found
"C:\Program Files\Trillian\trillian.exe" = C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian -- (Cerulean Studios)
"C:\Program Files\Skype\Skype.exe" = C:\Program Files\Skype\Skype.exe:*:Enabled:Skype -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Portable Library)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" = C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player -- (Portable Library)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0D25F7CC-B99C-44ee-9945-B14532B2BB7B}" = Canon MP830
"{111B8587-C888-4B7B-A20D-8CC767437A90}" = D-Link AirPlus G Wireless LAN Adapter
"{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}" = Cisco Systems VPN Client 5.0.01.0600
"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8
"{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}" = Component Framework
"{3248F0A8-6813-11D6-A77B-00B0D0150010}" = J2SE Runtime Environment 5.0 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{47A85B97-AE27-4963-A839-9B454A7E73A7}" = Mad Catz Xbox PC Driver
"{4F5CE18C-D97D-48FF-A510-A0D90C918294}" = iTunes
"{50457B38-348F-4D28-A897-F7805E455B62}" = Symantec Real Time Storage Protection Component
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{55A6283C-638A-4EE0-B491-51118554BDA2}" = Norton Confidential Core
"{5A33744D-33F5-451A-9CB0-2FE49EE3809C}" = ChemOffice Ultra 2004
"{5B09BD67-4C99-46A1-8161-B7208CE18121}" = QuickTime
"{62120008-8E1E-4807-860D-A8B48F8552DB}" = Norton Protection Center
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66F0AC35-4805-44BC-A3D4-347D4196F9B3}" = Microsoft Xbox 360 Accessories 1.1
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit
"{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}" = Norton AntiVirus
"{7959721D-8268-4565-9E0E-C41A9F4848A9}" = SigmaTel AC97 Audio Drivers
"{8C5766F2-81D9-4B5A-8AD5-A8BD6361EF0A}" = Hoyle Card Games
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.1
"{B24E05CC-46FF-4787-BBB8-5CD516AFB118}" = ccCommon
"{B5C209B1-8DDB-4642-A573-375B951514CB}" = Apple Mobile Device Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C1C185CA-C531-49F5-A6FA-B838405A049D}" = Norton Internet Security
"{CD8BDE6B-7F86-4414-891C-40ED68395399}" = SymNet
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 ESD
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton AntiVirus Help
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
"{F3812D83-86D2-4445-A841-3E0BA4F9A11C}" = Merriam-Webster 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CDisplay_is1" = CDisplay 1.8
"hphuni04" = Photosmart 130,230,7150,7345,7350,7550 (Remove only)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Magic ISO Maker v5.3 (build 0221)" = Magic ISO Maker v5.3 (build 0221)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mIRC" = mIRC
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Poker Tracker Version 2.13.01a_is1" = Poker Tracker Version 2.13.01a
"PokerAcademyPro2" = Poker Academy Pro 2
"PowerISO" = PowerISO
"PrintMaster 7.00" = PrintMaster 7.00
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"RumbleFighter" = Rumble Fighter
"Streamripper.Plugin" = Streamripper Plugin 1.62.1 (Remove only)
"SymSetup.{C1C185CA-C531-49F5-A6FA-B838405A049D}" = Norton Internet Security (Symantec Corporation)
"SynTPDeinstKey" = Synaptics TouchPad
"Veoh Web Player Beta" = Veoh Web Player Beta
"VLC media player" = VideoLAN VLC media player 0.8.6a
"Wdf01001" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.33
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Antimalware Doctor" = Antimalware Doctor
"Sound Pilot" = Sound Pilot

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/13/2010 4:36:47 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/14/2010 4:29:31 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/14/2010 4:46:16 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/15/2010 1:54:08 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/15/2010 6:55:23 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/17/2010 2:37:48 AM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/17/2010 12:58:12 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/17/2010 2:01:53 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/17/2010 3:21:27 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module srsvc.dll, version 0.0.0.0, fault address 0x000015f4.

Error - 4/17/2010 9:15:51 PM | Computer Name = BCLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x100015f4.

[ System Events ]
Error - 4/17/2010 8:40:32 PM | Computer Name = BCLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/17/2010 8:45:47 PM | Computer Name = BCLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/17/2010 8:51:02 PM | Computer Name = BCLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/17/2010 8:56:17 PM | Computer Name = BCLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/17/2010 9:01:32 PM | Computer Name = BCLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/17/2010 9:15:48 PM | Computer Name = BCLAPTOP | Source = Application Popup | ID = 876
Description = Driver Cdr4_2K.SYS has been blocked from loading.

Error - 4/17/2010 9:15:48 PM | Computer Name = BCLAPTOP | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000034'
while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has
stopped monitoring the volume.

Error - 4/17/2010 9:15:48 PM | Computer Name = BCLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/17/2010 9:15:48 PM | Computer Name = BCLAPTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/17/2010 9:18:17 PM | Computer Name = BCLAPTOP | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056


< End of report >


And the new GMER log is attached.



#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:11 PM

Posted 18 April 2010 - 05:47 AM

Hello, InaPinch.

OK, you have an infected computer and malware does appear to be the source of the error you are receiving. I do need to warn you that one of the infections is a backdoor.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Online Poker Warning
Your logs show that you have online poker programs installed on your computer. I know that you may use these (this) game(s) on a regular basis, but I think it's important to note that often these kinds of programmes are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programmes yourself on purpose. There are so many online poker games out there these days that it is close to impossible to keep track of whether a programme is infected or not. Should you have installed this online poker game on purpose and wish to continue using it, you may ignore this. Should you decide to uninstall the programme, then you can do so by following the below steps:

You can remove this via Add/Remove programs.


Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as InaPinchCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on InaPinchCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 InaPinch

InaPinch
  • Topic Starter

  • Members
  • 36 posts
  • Local time:12:11 PM

Posted 18 April 2010 - 08:17 PM

Hello etavares, first of all I'd like to thank you for all the help you've given me so far, and I hope your day is going by wonderfully as of now.

I took your advice and I deleted the poker games.

As the infected computer does not have internet, I could not create the recovery console to run ComboFix, but I ran it anyway.

While it was running, I got the same error message I got when running OTL,

svchost.exe - Application Error

The instruction at "0x100015f4" referenced memory at "0x00000163". The memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program

but ComboFix continued to run.

It ran for about 10-15 minutes and the last thing it did was replace an important file (I do not recall the name of the file but it was followed by a =) face because it had been successful).

I left ComboFix running for about an hour and a half, but it never gave me a log or finished running; instead, there was a big empty space of blue screen below the replacement of the file described above.

I finally closed it and decided to run ComboFix again. This time it finished successfully.

My computer seems to be free of malware/viruses and the internet works again now, although, I don't know if it's safe to use it yet.

Here is the file you asked for, from the second time I ran ComboFix:

ComboFix 10-04-17.07 - Ben Chao 04/18/2010 17:02:21.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.167 [GMT -7:00]
Running from: c:\documents and settings\Ben Chao\Desktop\InaPinchCF.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
.
---- Previous Run -------
.
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe.delme7200
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe.delme7198
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700 .exe.delme7196
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\enemies-names.txt
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\hookdll.dll
c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\lsrslt.ini
c:\documents and settings\Ben Chao\rundll32 .exe
c:\program files\Adobe\acrotray .exe
c:\program files\INSTALL.LOG
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs .exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\patch.exe
c:\windows\system32\4F3X
c:\windows\system32\reboot.txt
c:\windows\system32\winlogon.bak
c:\windows\system32^iphy.dll

-- Previous Run --

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\srsvc.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\srsvc.dll

--------

.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-17 18:03 . 2010-04-17 18:03 4 ----a-w- c:\program files\190644.dat
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 00:50 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-10 23:32 . 2010-04-10 23:32 -------- d-----w- c:\program files\Your Protection
2010-04-10 02:21 . 2010-04-10 05:17 183296 --sha-w- c:\documents and settings\Ben Chao\Local Settings\Application Data\1521009742.dll
2010-04-09 19:41 . 2010-04-09 19:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-09 10:15 . 2004-08-04 07:56 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-04-09 10:15 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-04-09 10:14 . 2010-04-09 10:13 184832 ----a-w- c:\windows\Ctuwua.exe
2010-04-09 10:14 . 2010-04-09 10:20 0 ----a-w- c:\windows\system32\drivers\axwglaej.sys
2010-03-27 23:45 . 2010-04-03 17:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 02:28 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 23:58 . 2005-12-18 06:44 -------- d-----w- c:\program files\QuickTime
2010-04-18 23:58 . 2006-02-16 09:27 -------- d-----w- c:\program files\Sound Pilot
2010-04-18 22:54 . 2008-01-03 14:02 -------- d-----w- c:\program files\Poker Tracker V2
2010-04-18 20:54 . 2009-01-07 06:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-14 06:04 . 2005-09-20 07:38 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\dvdcss
2010-04-11 02:03 . 2005-08-13 22:03 -------- d-----w- c:\program files\BitComet
2010-04-09 10:31 . 2008-01-05 11:35 -------- d-----w- c:\program files\Norton Internet Security
2010-04-09 10:31 . 2005-06-19 00:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-09 10:17 . 2005-06-18 22:52 36152 -c--a-w- c:\documents and settings\Ben Chao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 10:15 . 2010-04-09 10:15 37376 ----a-w- c:\windows\system32\OLDF78.tmp
2010-04-09 04:04 . 2005-06-19 02:57 32282 ----a-w- c:\windows\system32\nvModes.dat
2010-04-06 03:57 . 2005-06-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-24 22:04 . 2005-06-18 22:41 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-03-10 08:02 . 2001-08-23 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-01-08 22:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2005-06-19 05:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2001-08-23 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-12 04:47 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2005-07-09 09:58 . 2005-07-09 09:58 611 -c--a-w- c:\program files\Uninstall AIM.lnk
2005-06-02 08:35 . 2005-07-09 09:57 116977 -c--a-w- c:\program files\uninstll.EXE
2005-06-02 08:34 . 2005-07-09 09:57 67160 -c--a-w- c:\program files\aim.exe
2005-06-02 08:34 . 2005-07-09 09:57 131072 -c--a-w- c:\program files\ateima32.dll
2005-06-02 08:34 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\AlertUI.ocm
2005-06-02 08:34 . 2005-07-09 09:57 25088 -c--a-w- c:\program files\browse.ocm
2005-06-02 08:33 . 2005-07-09 09:57 217088 -c--a-w- c:\program files\buddyui.ocm
2005-06-02 08:33 . 2005-07-09 09:57 233472 -c--a-w- c:\program files\AimSecondarySvcs.dll
2005-06-02 08:33 . 2005-07-09 09:57 6656 -c--a-w- c:\program files\stats.ocm
2005-06-02 08:33 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\ChatUI.ocm
2005-06-02 08:32 . 2005-07-09 09:57 1511424 -c--a-w- c:\program files\AimRes.dll
2005-06-02 08:32 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\AimCoreSvcs.dll
2005-06-02 08:32 . 2005-07-09 09:57 266240 -c--a-w- c:\program files\icbmui.ocm
2005-06-02 08:32 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\ticker.ocm
2005-06-02 08:32 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\aimapi.dll
2005-06-02 08:31 . 2005-07-09 09:57 16384 -c--a-w- c:\program files\Admin.ocm
2005-06-02 08:31 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\locateui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\miscui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 15360 -c--a-w- c:\program files\NTP.ocm
2005-06-02 08:30 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\OscMail.ocm
2005-06-02 08:30 . 2005-07-09 09:57 19968 -c--a-w- c:\program files\aimtalk.dll
2005-06-02 08:30 . 2005-07-09 09:57 69632 -c--a-w- c:\program files\osclogin.ocm
2005-06-02 08:30 . 2005-07-09 09:57 9216 -c--a-w- c:\program files\oscmain.ocm
2005-06-02 08:30 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\startup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 155648 -c--a-w- c:\program files\aimauto.exe
2005-06-02 08:29 . 2005-07-09 09:57 86016 -c--a-w- c:\program files\OscSrch.ocm
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\ShareFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\SendFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\osconfig.ocm
2005-06-02 08:29 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\rvapps.ocm
2005-06-02 08:29 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\Patcher.exe
2005-06-02 08:29 . 2005-07-09 09:57 13312 -c--a-w- c:\program files\popup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 225280 -c--a-w- c:\program files\wndutils.dll
2005-06-02 08:28 . 2005-07-09 09:57 180224 -c--a-w- c:\program files\rtvideo.dll
2005-06-02 08:27 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\Patcher.dll
2005-06-02 08:27 . 2005-07-09 09:57 229376 -c--a-w- c:\program files\inetsocket.dll
2005-06-02 08:26 . 2005-07-09 09:57 34304 -c--a-w- c:\program files\proto.ocm
2005-06-02 08:26 . 2005-07-09 09:57 49152 -c--a-w- c:\program files\ProgressDlg.dll
2005-06-02 08:26 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\oscarui.dll
2005-06-02 08:26 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\oscore.dll
2005-06-02 08:25 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\ate32.dll
2005-06-02 08:25 . 2005-07-09 09:57 4608 -c--a-w- c:\program files\idlemon.dll
2005-05-26 15:32 . 2005-07-09 09:57 38435 -c--a-w- c:\program files\licens32.txt
2005-04-25 16:00 . 2005-07-09 09:57 10218 -c--a-w- c:\program files\aim95.CNT
2005-04-25 16:00 . 2005-07-09 09:57 505551 -c--a-w- c:\program files\AIM95.HLP
2004-08-28 01:29 . 2005-07-09 09:57 1935 -c--a-w- c:\program files\icbmftvc.lst
2004-08-18 20:56 . 2005-07-09 09:57 372736 -c--a-w- c:\program files\softokn3.dll
2004-08-18 20:56 . 2005-07-09 09:57 110592 -c--a-w- c:\program files\ssl3.dll
2004-08-18 20:56 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\smime3.dll
2004-08-18 20:56 . 2005-07-09 09:57 348160 -c--a-w- c:\program files\nss3.dll
2004-07-29 21:03 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\sb.dll
2004-07-22 17:43 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\CoolPeer.dll
2004-07-22 17:43 . 2005-07-09 09:57 3584 -c--a-w- c:\program files\CoolSos.dll
2004-07-22 17:43 . 2005-07-09 09:57 184320 -c--a-w- c:\program files\CoolBos.dll
2004-07-22 17:43 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\CoolBucky.dll
2004-07-22 17:43 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\CoolHttp.dll
2004-07-22 17:43 . 2005-07-09 09:57 57344 -c--a-w- c:\program files\CoolSecNss.dll
2004-07-22 17:42 . 2005-07-09 09:57 73728 -c--a-w- c:\program files\CoolSocket.dll
2004-07-22 17:42 . 2005-07-09 09:57 8192 -c--a-w- c:\program files\Xptl.dll
2004-07-22 17:41 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\Xpcs.dll
2004-07-22 17:41 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\Xprt.dll
2004-05-19 00:55 . 2005-07-09 09:57 81920 -c--a-w- c:\program files\xmltok.dll
2004-05-19 00:55 . 2005-07-09 09:57 53248 -c--a-w- c:\program files\xmlparse.dll
2004-04-16 23:27 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\jgtktlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jgsetlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 65536 -c--a-w- c:\program files\jgattlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\jgedtlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs6tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs2tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 36864 -c--a-w- c:\program files\jga1tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs7tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs3tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jga0tlk.dll
2004-01-09 17:38 . 2005-07-09 09:57 28672 -c--a-w- c:\program files\plc4.dll
2004-01-09 17:38 . 2005-07-09 09:57 24576 -c--a-w- c:\program files\plds4.dll
2004-01-09 17:38 . 2005-07-09 09:57 159744 -c--a-w- c:\program files\nspr4.dll
2003-10-15 00:27 . 2005-07-09 09:57 2486 -c--a-w- c:\program files\netwait.odl
2003-10-15 00:27 . 2005-07-09 09:57 2670 -c--a-w- c:\program files\aim.odl
2003-01-06 22:41 . 2005-07-09 09:57 1457 -c--a-w- c:\program files\rvappstm.lst
2002-08-03 00:40 . 2005-07-09 09:57 364544 -c--a-w- c:\program files\dBenderC.dll
2002-07-18 18:00 . 2005-07-09 09:57 139264 -c--a-w- c:\program files\dunzip32.dll
2007-08-25 03:52 . 2008-01-05 11:46 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-08-01 02:11 7260160 -c--a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Microsoft Xbox 360 Accessories\xboxstat .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Sound Pilot\sndpilot .exe
c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2010-04-18 37376]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2007-10-18 5724184]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-18 37376]
"appreg70700.exe"="c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"POEngine"="" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-04-09 33280]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2010-04-18 37376]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-6-24 372736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-4-3 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-03-30 19:06 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56474:TCP"= 56474:TCP:Pando Media Booster
"56474:UDP"= 56474:UDP:Pando Media Booster

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/13/2005 12:07 PM 17792]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/28/2008 11:57 AM 99376]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys --> c:\windows\system32\drivers\rxp.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [6/24/2005 9:47 PM 386816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ben Chao.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2010-04-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = proxy.ucr.edu:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcdp32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
AddRemove-Streamripper.Plugin - c:\program files\Winamp\streamripper_uninstall.exe
AddRemove-WinRAR archiver - e:\winrar\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 17:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,7d,a0,7a,56,b6,1d,82,d2,7a,ba,0e,ee,91,81,9c,bd,44,17,53,0b,7b,f5,
d9,be,fb,52,bf,ad,cc,72,22,7b,a0,df,53,cd,c9,6a,4e,36,f9,58,cd,b3,a6,00,6f,\
"??"=hex:ae,f2,bc,ca,c9,03,a4,07,7b,f5,f9,c8,3b,f1,90,9d

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-04-18 17:22:51
ComboFix-quarantined-files.txt 2010-04-19 00:22

Pre-Run: 3,466,121,216 bytes free
Post-Run: 3,417,559,040 bytes free

- - End Of File - - 2211875961724C45E1BBF89AE8AA15E1




I don't know if you want me to attach the log.txt file too, so I'm going to include it just in case.

Side notes:

1. A new Internet Explorer icon and a hidden Thumbs.db file have appeared on my desktop.

2. Also, I was checking Internet Explorer's history, and apparently on the week when the malware got into my computer, there were a bunch of websites that were visited that I've never been to or even heard about. I asked my roommate, and he had not visited those websites either.

3. The error message

Fatal error (10)

The key file does not exist.

[ OK ]

still appears on startup, although I'm starting to wonder if it has anything to do with malware. There is a little keyboard icon right next to the name on the tab on the taskbar.

Attached Files

  • log.txt (28.78KB)

Edited by InaPinch, 18 April 2010 - 08:23 PM.


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 19 April 2010 - 06:10 PM

Hello, InaPinch.
OK, we still have a lot of infection to deal with, so we'll come back to those errors. Keep me informed...that kind of information is very helpful. Please check that as we go. As for thumbs.db, it's a hidden file that will disappear when we hide them again. It's normal, but please don't delete it.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
AtJob::
RenV::
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Microsoft Xbox 360 Accessories\xboxstat .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Sound Pilot\sndpilot .exe
c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
c:\program files\Windows Live\Messenger\msnmsgr   .exe
c:\program files\Windows Live\Messenger\msnmsgr  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
DDS::
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
Reg::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appreg70700.exe"=-
"appreg70700 .exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
RegLock::
[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
folder::
C:\Documents and Settings\Ben Chao\Local Settings\Application Data\2054117988
C:\Documents and Settings\All Users\Application Data\2054117988
C:\Documents and Settings\Ben Chao\Local Settings\Application Data\1474v
C:\Documents and Settings\All Users\Application Data\1474v
file::
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt02.sqm
C:\sqmdata02.sqm
C:\WINDOWS\System32\rundll32.exe.delme155
C:\Documents and Settings\Ben Chao\Local Settings\Application Data\1521009742.dll
C:\WINDOWS\System32\drivers\axwglaej.sys
C:\WINDOWS\System32\rundll32.exe.delme174
C:\WINDOWS\Ctuwua.exe
C:\Program Files\190644.dat
C:\WINDOWS\lsrslt.ini


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
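The CFScript in the post above is built from a handful of indicators in the earlier ComboFix log: autorun targets with whitespace wedged in before .exe (the renamed originals that RenV:: restores), targets ComboFix could not read ([N/A]), several unrelated autoruns sharing one size and date, and the Security Center and firewall overrides. The Python below is an added example, not part of the thread and not ComboFix's own code; it pulls those indicators out of a constructed excerpt in the log's Reg Loading Points layout (the excerpt, the user folder name and the reason strings are assumptions).

```python
"""Triage a ComboFix "Reg Loading Points" section for the hijack pattern in this
thread.  Added example, not ComboFix's code; SAMPLE_LOG is a constructed excerpt."""
import re
from collections import defaultdict, namedtuple

# Constructed excerpt in ComboFix's layout; the user folder name is made up.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2010-04-18 37376]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2007-10-18 5724184]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-18 37376]
"appreg70700 .exe"="c:\documents and settings\user\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2010-04-18 37376]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<rest>.*)$')
TARGET_RE = re.compile(r'^"(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
META_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)$')
# "msnmsgr .exe": whitespace before the extension marks a renamed original.
SPACED_EXT_RE = re.compile(r'\S\s+\.exe\b', re.IGNORECASE)
# Path part of a Run target, dropping command-line arguments after ".exe".
PATH_RE = re.compile(r'^(?P<path>.*?\.exe)(?:\s+.*)?$', re.IGNORECASE)

Finding = namedtuple("Finding", "key name reason target", defaults=("",))


def parse_entries(text):
    """Yield (registry key, value name, rest of line) for every value line."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        e = ENTRY_RE.match(line)
        if e and key is not None:
            yield key, e.group("name"), e.group("rest")


def triage(text):
    """Return the Findings for one Reg Loading Points section."""
    findings = []
    same_stamp = defaultdict(list)  # (date, size) -> Run entries sharing both
    for key, name, rest in parse_entries(text):
        low_key = key.lower()
        if low_key.endswith("\\run"):
            t = TARGET_RE.match(rest)
            if not t:
                continue
            target, meta = t.group("target"), t.group("meta")
            if SPACED_EXT_RE.search(target):
                findings.append(Finding(key, name, "whitespace before .exe: renamed original (RenV candidate)", target))
            if meta == "N/A":
                findings.append(Finding(key, name, "target unreadable or missing ([N/A])", target))
            m = META_RE.match(meta)
            if m:
                same_stamp[(m.group("date"), m.group("size"))].append((key, name, target))
        elif "security center" in low_key:
            if name in ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring") and rest.endswith("00000001"):
                findings.append(Finding(key, name, "Security Center alerting suppressed", rest))
        elif "firewallpolicy" in low_key and name == "EnableFirewall":
            if rest.split()[0] == "0":
                findings.append(Finding(key, name, "Windows Firewall disabled for this profile", rest))
    # Unrelated autoruns that suddenly share one size and timestamp were very
    # likely all overwritten by the same dropper.
    for (date, size), entries in same_stamp.items():
        if len(entries) > 1:
            for key, name, target in entries:
                findings.append(Finding(key, name, f"same size/date as {len(entries) - 1} other autorun(s): {size} bytes, {date}", target))
    return findings


def renv_list(findings):
    """Paths a RenV:: section would name, with command-line arguments stripped."""
    paths = []
    for f in findings:
        if "RenV" in f.reason:
            p = PATH_RE.match(f.target)
            paths.append(p.group("path") if p else f.target)
    return paths


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.key}] {f.name!r}: {f.reason}")
    print("RenV::", *renv_list(found), sep="\n")
```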
 


#7 InaPinch

InaPinch
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 19 April 2010 - 09:22 PM

Hello etavares. I will continue to keep you informed.

Here is the new ComboFix.txt

ComboFix 10-04-17.07 - Ben Chao 04/19/2010 18:39:52.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.158 [GMT -7:00]
Running from: c:\documents and settings\Ben Chao\Desktop\Fixing\InaPinchCF.exe
Command switches used :: c:\documents and settings\Ben Chao\Desktop\Fixing\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\Ben Chao\Local Settings\Application Data\1521009742.dll"
"c:\program files\190644.dat"
"C:\sqmdata02.sqm"
"C:\sqmdata03.sqm"
"C:\sqmdata04.sqm"
"C:\sqmdata05.sqm"
"C:\sqmdata06.sqm"
"C:\sqmdata07.sqm"
"C:\sqmdata08.sqm"
"C:\sqmnoopt02.sqm"
"C:\sqmnoopt03.sqm"
"C:\sqmnoopt04.sqm"
"C:\sqmnoopt05.sqm"
"C:\sqmnoopt06.sqm"
"C:\sqmnoopt07.sqm"
"C:\sqmnoopt08.sqm"
"c:\windows\Ctuwua.exe"
"c:\windows\lsrslt.ini"
"c:\windows\System32\drivers\axwglaej.sys"
"c:\windows\System32\rundll32.exe.delme155"
"c:\windows\System32\rundll32.exe.delme174"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ben Chao\Local Settings\Application Data\1521009742.dll
c:\program files\190644.dat
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs .exe
c:\program files\Internet Explorer\wmpscfgs.exe
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
c:\windows\Ctuwua.exe
c:\windows\lsrslt.ini
c:\windows\System32\drivers\axwglaej.sys
c:\windows\System32\rundll32.exe.delme155
c:\windows\System32\rundll32.exe.delme174
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 01:57 . 2005-12-18 06:44 -------- d-----w- c:\program files\QuickTime
2010-04-20 01:57 . 2009-01-07 06:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-20 01:56 . 2006-02-16 09:27 -------- d-----w- c:\program files\Sound Pilot
2010-04-18 22:54 . 2008-01-03 14:02 -------- d-----w- c:\program files\Poker Tracker V2
2010-04-14 06:04 . 2005-09-20 07:38 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\dvdcss
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 02:03 . 2005-08-13 22:03 -------- d-----w- c:\program files\BitComet
2010-04-10 23:32 . 2010-04-10 23:32 -------- d-----w- c:\program files\Your Protection
2010-04-09 10:31 . 2008-01-05 11:35 -------- d-----w- c:\program files\Norton Internet Security
2010-04-09 10:31 . 2005-06-19 00:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-09 10:17 . 2005-06-18 22:52 36152 -c--a-w- c:\documents and settings\Ben Chao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 10:15 . 2010-04-09 10:15 37376 ----a-w- c:\windows\system32\OLDF78.tmp
2010-04-09 04:04 . 2005-06-19 02:57 32282 ----a-w- c:\windows\system32\nvModes.dat
2010-04-06 03:57 . 2005-06-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-03 17:22 . 2010-03-27 23:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-30 07:46 . 2010-04-12 00:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:50 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 22:04 . 2005-06-18 22:41 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-03-10 08:02 . 2001-08-23 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-01-08 22:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2005-06-19 05:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2001-08-23 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2001-08-23 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2001-08-17 13:48 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2005-07-09 09:58 . 2005-07-09 09:58 611 -c--a-w- c:\program files\Uninstall AIM.lnk
2005-06-02 08:35 . 2005-07-09 09:57 116977 -c--a-w- c:\program files\uninstll.EXE
2005-06-02 08:34 . 2005-07-09 09:57 67160 -c--a-w- c:\program files\aim.exe
2005-06-02 08:34 . 2005-07-09 09:57 131072 -c--a-w- c:\program files\ateima32.dll
2005-06-02 08:34 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\AlertUI.ocm
2005-06-02 08:34 . 2005-07-09 09:57 25088 -c--a-w- c:\program files\browse.ocm
2005-06-02 08:33 . 2005-07-09 09:57 217088 -c--a-w- c:\program files\buddyui.ocm
2005-06-02 08:33 . 2005-07-09 09:57 233472 -c--a-w- c:\program files\AimSecondarySvcs.dll
2005-06-02 08:33 . 2005-07-09 09:57 6656 -c--a-w- c:\program files\stats.ocm
2005-06-02 08:33 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\ChatUI.ocm
2005-06-02 08:32 . 2005-07-09 09:57 1511424 -c--a-w- c:\program files\AimRes.dll
2005-06-02 08:32 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\AimCoreSvcs.dll
2005-06-02 08:32 . 2005-07-09 09:57 266240 -c--a-w- c:\program files\icbmui.ocm
2005-06-02 08:32 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\ticker.ocm
2005-06-02 08:32 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\aimapi.dll
2005-06-02 08:31 . 2005-07-09 09:57 16384 -c--a-w- c:\program files\Admin.ocm
2005-06-02 08:31 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\locateui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\miscui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 15360 -c--a-w- c:\program files\NTP.ocm
2005-06-02 08:30 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\OscMail.ocm
2005-06-02 08:30 . 2005-07-09 09:57 19968 -c--a-w- c:\program files\aimtalk.dll
2005-06-02 08:30 . 2005-07-09 09:57 69632 -c--a-w- c:\program files\osclogin.ocm
2005-06-02 08:30 . 2005-07-09 09:57 9216 -c--a-w- c:\program files\oscmain.ocm
2005-06-02 08:30 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\startup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 155648 -c--a-w- c:\program files\aimauto.exe
2005-06-02 08:29 . 2005-07-09 09:57 86016 -c--a-w- c:\program files\OscSrch.ocm
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\ShareFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\SendFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\osconfig.ocm
2005-06-02 08:29 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\rvapps.ocm
2005-06-02 08:29 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\Patcher.exe
2005-06-02 08:29 . 2005-07-09 09:57 13312 -c--a-w- c:\program files\popup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 225280 -c--a-w- c:\program files\wndutils.dll
2005-06-02 08:28 . 2005-07-09 09:57 180224 -c--a-w- c:\program files\rtvideo.dll
2005-06-02 08:27 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\Patcher.dll
2005-06-02 08:27 . 2005-07-09 09:57 229376 -c--a-w- c:\program files\inetsocket.dll
2005-06-02 08:26 . 2005-07-09 09:57 34304 -c--a-w- c:\program files\proto.ocm
2005-06-02 08:26 . 2005-07-09 09:57 49152 -c--a-w- c:\program files\ProgressDlg.dll
2005-06-02 08:26 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\oscarui.dll
2005-06-02 08:26 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\oscore.dll
2005-06-02 08:25 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\ate32.dll
2005-06-02 08:25 . 2005-07-09 09:57 4608 -c--a-w- c:\program files\idlemon.dll
2005-05-26 15:32 . 2005-07-09 09:57 38435 -c--a-w- c:\program files\licens32.txt
2005-04-25 16:00 . 2005-07-09 09:57 10218 -c--a-w- c:\program files\aim95.CNT
2005-04-25 16:00 . 2005-07-09 09:57 505551 -c--a-w- c:\program files\AIM95.HLP
2004-08-28 01:29 . 2005-07-09 09:57 1935 -c--a-w- c:\program files\icbmftvc.lst
2004-08-18 20:56 . 2005-07-09 09:57 372736 -c--a-w- c:\program files\softokn3.dll
2004-08-18 20:56 . 2005-07-09 09:57 110592 -c--a-w- c:\program files\ssl3.dll
2004-08-18 20:56 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\smime3.dll
2004-08-18 20:56 . 2005-07-09 09:57 348160 -c--a-w- c:\program files\nss3.dll
2004-07-29 21:03 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\sb.dll
2004-07-22 17:43 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\CoolPeer.dll
2004-07-22 17:43 . 2005-07-09 09:57 3584 -c--a-w- c:\program files\CoolSos.dll
2004-07-22 17:43 . 2005-07-09 09:57 184320 -c--a-w- c:\program files\CoolBos.dll
2004-07-22 17:43 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\CoolBucky.dll
2004-07-22 17:43 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\CoolHttp.dll
2004-07-22 17:43 . 2005-07-09 09:57 57344 -c--a-w- c:\program files\CoolSecNss.dll
2004-07-22 17:42 . 2005-07-09 09:57 73728 -c--a-w- c:\program files\CoolSocket.dll
2004-07-22 17:42 . 2005-07-09 09:57 8192 -c--a-w- c:\program files\Xptl.dll
2004-07-22 17:41 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\Xpcs.dll
2004-07-22 17:41 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\Xprt.dll
2004-05-19 00:55 . 2005-07-09 09:57 81920 -c--a-w- c:\program files\xmltok.dll
2004-05-19 00:55 . 2005-07-09 09:57 53248 -c--a-w- c:\program files\xmlparse.dll
2004-04-16 23:27 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\jgtktlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jgsetlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 65536 -c--a-w- c:\program files\jgattlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\jgedtlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs6tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs2tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 36864 -c--a-w- c:\program files\jga1tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs7tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs3tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jga0tlk.dll
2004-01-09 17:38 . 2005-07-09 09:57 28672 -c--a-w- c:\program files\plc4.dll
2007-08-25 03:52 . 2008-01-05 11:46 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-08-01 02:11 7260160 -c--a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
<pre>
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Microsoft Xbox 360 Accessories\xboxstat .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\Sound Pilot\sndpilot .exe
c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2010-04-20 37376]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2007-10-18 5724184]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-20 37376]
"appreg70700.exe"="c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"POEngine"="" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-04-09 33280]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2010-04-20 37376]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-04-20 37376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-6-24 372736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-4-3 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-03-30 19:06 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56474:TCP"= 56474:TCP:Pando Media Booster
"56474:UDP"= 56474:UDP:Pando Media Booster

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/13/2005 12:07 PM 17792]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/28/2008 11:57 AM 99376]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys --> c:\windows\system32\drivers\rxp.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [6/24/2005 9:47 PM 386816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-03-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ben Chao.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2010-04-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = proxy.ucr.edu:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcdp32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,7d,a0,7a,56,b6,1d,82,d2,7a,ba,0e,ee,91,81,9c,bd,44,17,53,0b,7b,f5,
d9,be,fb,52,bf,ad,cc,72,22,7b,a0,df,53,cd,c9,6a,4e,36,f9,58,cd,b3,a6,00,6f,\
"??"=hex:ae,f2,bc,ca,c9,03,a4,07,7b,f5,f9,c8,3b,f1,90,9d

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1320)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\wdfmgr.exe
c:\program files\quicktime\qttask .exe
.
**************************************************************************
.
Completion time: 2010-04-19 19:07:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-20 02:06
ComboFix2.txt 2010-04-19 00:22

Pre-Run: 2,856,181,760 bytes free
Post-Run: 2,811,334,656 bytes free

- - End Of File - - 17973CB84300110A41999FEDB09018E5


And the new log.txt is attached.

Attached Files

  • Attached File  log.txt   26.12KB   5 downloads

Edited by InaPinch, 19 April 2010 - 09:24 PM.


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 20 April 2010 - 05:25 PM

Hello, InaPinch.

OK, this will take a few rounds; you do have a stubborn version of the malware. We are making progress.



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
AtJob::
RenV::
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Microsoft Xbox 360 Accessories\xboxstat .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\Sound Pilot\sndpilot .exe
c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
Folder::
c:\program files\Your Protection
File::
c:\windows\system32\OLDF78.tmp
c:\program files\internet explorer\wmpscfgs.exe
FileLook::
c:\program files\windows live\messenger\msnmsgr .exe
C:\Program Files\Sound Pilot\SndPilot.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
Reg::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
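Added example, not code from this thread and not part of ComboFix: a short Python triage helper that runs over ComboFix-style log lines and flags the three persistence patterns visible in the log posted above: Run-key entries whose path has a space wedged before the extension (the "msnmsgr .exe" / "qttask .exe" renames that the RenV:: section of the script above reverts), several unrelated Run entries that share one modification date and file size (the 37376-byte files, which suggests one dropper overwrote each of them), and a fan of At*.job scheduled tasks that all launch the same binary. The sample lines are copied from the log on this page; the regexes, function names and thresholds are this example's own assumptions.

```python
"""Added triage helper for ComboFix-style logs (this example's own code, not
ComboFix's).  It flags three persistence patterns visible in the thread's log:
  1. Run entries whose path has whitespace before the extension ("qttask .exe"),
     the rename trick that the RenV:: section of a CFScript reverts;
  2. several unrelated Run entries sharing one modification date and size,
     which suggests one dropper overwrote each of them;
  3. a fan of At*.job scheduled tasks that all launch the same binary.
Regex names, function names and thresholds are assumptions made here."""
import re
import sys
from collections import defaultdict

# Constructed sample: a few lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2010-04-20 37376]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2007-10-18 5724184]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-20 37376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-04-20 37376]

2010-04-20 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-04-20 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-20 01:57]

2010-03-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ben Chao.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]
"""

# "Name"="path [args]" [date size] | [X] | [N/A]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# whitespace wedged between the basename and its extension
SPACED_EXT_RE = re.compile(r'\S\s+\.(?:exe|dll|sys|scr|com)\b', re.I)
# "2010-04-20 c:\windows\Tasks\At1.job" followed by "- <target> [date time]"
JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*\.job)\s*$', re.I)
TARGET_RE = re.compile(r'^-\s+(?P<target>.+?)\s+\[')


def parse_run_entries(text):
    """Return (name, path, meta) for every Run-key value line in the log."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append((m['name'], m['path'], m['meta']))
    return entries


def spaced_extension_entries(text):
    """Names of Run entries pointing at a 'name .exe' style renamed file."""
    return [name for name, path, _ in parse_run_entries(text)
            if SPACED_EXT_RE.search(path)]


def size_clusters(text, min_entries=3):
    """Map file size -> Run entry names when that size recurs min_entries times."""
    by_size = defaultdict(list)
    for name, _, meta in parse_run_entries(text):
        parts = meta.split()  # e.g. ['2010-04-20', '37376']; '[X]' gives ['X']
        if len(parts) == 2 and parts[1].isdigit():
            by_size[int(parts[1])].append(name)
    return {size: names for size, names in by_size.items() if len(names) >= min_entries}


def task_fanout(text, min_jobs=2):
    """Map target executable -> list of .job files when >= min_jobs tasks share it."""
    jobs_by_target = defaultdict(list)
    current_job = None
    for line in text.splitlines():
        line = line.strip()
        m = JOB_RE.match(line)
        if m:
            current_job = m['job']
            continue
        m = TARGET_RE.match(line)
        if m and current_job:
            jobs_by_target[m['target'].lower()].append(current_job)
            current_job = None
    return {t: jobs for t, jobs in jobs_by_target.items() if len(jobs) >= min_jobs}


def main(argv):
    # usage: python combofix_triage.py [ComboFix.txt]; no argument runs on the sample
    text = open(argv[1], encoding='utf-8', errors='replace').read() if len(argv) > 1 else SAMPLE_LOG
    print("Run entries with a space before the extension:", spaced_extension_entries(text))
    for size, names in size_clusters(text).items():
        print(f"{len(names)} Run entries share size {size}: {names}")
    for target, jobs in task_fanout(text).items():
        print(f"{len(jobs)} scheduled tasks launch {target}: {jobs}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a saved ComboFix.txt as the argument, or with no argument to see it work on the sample. The size-cluster check is the one worth remembering: the "Look" output later in this thread shows the replacement msnmsgr.exe is exactly 37376 bytes, the same size the Run key reports for SndPilot.exe, veohwebplayer.exe and wmpscfgs.exe, so a handful of unrelated startup programs all reporting one size and date is a stronger signal than any single path.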
 


#9 InaPinch

InaPinch
  • Topic Starter

  • Members
  • 36 posts

Posted 20 April 2010 - 08:41 PM

Ah, all the error messages have ceased to appear after this. Thank you etavares, you are the man!

Here are the new logs,

ComboFix 10-04-17.07 - Ben Chao 04/20/2010 17:54:56.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.128 [GMT -7:00]
Running from: c:\documents and settings\Ben Chao\Desktop\Fixing\InaPinchCF.exe
Command switches used :: c:\documents and settings\Ben Chao\Desktop\Fixing\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\program files\internet explorer\wmpscfgs.exe"
"c:\windows\system32\OLDF78.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\Your Protection
c:\windows\system32\OLDF78.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 00:50 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-09 19:41 . 2010-04-09 19:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-09 10:15 . 2004-08-04 07:56 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-04-09 10:15 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-27 23:45 . 2010-04-03 17:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 02:28 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 00:54 . 2006-02-16 09:27 -------- d-----w- c:\program files\Sound Pilot
2010-04-21 00:54 . 2005-12-18 06:44 -------- d-----w- c:\program files\QuickTime
2010-04-21 00:54 . 2009-01-07 06:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-18 22:54 . 2008-01-03 14:02 -------- d-----w- c:\program files\Poker Tracker V2
2010-04-14 06:04 . 2005-09-20 07:38 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\dvdcss
2010-04-11 02:03 . 2005-08-13 22:03 -------- d-----w- c:\program files\BitComet
2010-04-09 10:31 . 2008-01-05 11:35 -------- d-----w- c:\program files\Norton Internet Security
2010-04-09 10:31 . 2005-06-19 00:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-09 10:17 . 2005-06-18 22:52 36152 -c--a-w- c:\documents and settings\Ben Chao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 04:04 . 2005-06-19 02:57 32282 ----a-w- c:\windows\system32\nvModes.dat
2010-04-06 03:57 . 2005-06-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-24 22:04 . 2005-06-18 22:41 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-03-10 08:02 . 2001-08-23 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-01-08 22:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2005-06-19 05:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2001-08-23 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2001-08-23 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2001-08-17 13:48 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2005-07-09 09:58 . 2005-07-09 09:58 611 -c--a-w- c:\program files\Uninstall AIM.lnk
2005-06-02 08:35 . 2005-07-09 09:57 116977 -c--a-w- c:\program files\uninstll.EXE
2005-06-02 08:34 . 2005-07-09 09:57 67160 -c--a-w- c:\program files\aim.exe
2005-06-02 08:34 . 2005-07-09 09:57 131072 -c--a-w- c:\program files\ateima32.dll
2005-06-02 08:34 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\AlertUI.ocm
2005-06-02 08:34 . 2005-07-09 09:57 25088 -c--a-w- c:\program files\browse.ocm
2005-06-02 08:33 . 2005-07-09 09:57 217088 -c--a-w- c:\program files\buddyui.ocm
2005-06-02 08:33 . 2005-07-09 09:57 233472 -c--a-w- c:\program files\AimSecondarySvcs.dll
2005-06-02 08:33 . 2005-07-09 09:57 6656 -c--a-w- c:\program files\stats.ocm
2005-06-02 08:33 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\ChatUI.ocm
2005-06-02 08:32 . 2005-07-09 09:57 1511424 -c--a-w- c:\program files\AimRes.dll
2005-06-02 08:32 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\AimCoreSvcs.dll
2005-06-02 08:32 . 2005-07-09 09:57 266240 -c--a-w- c:\program files\icbmui.ocm
2005-06-02 08:32 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\ticker.ocm
2005-06-02 08:32 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\aimapi.dll
2005-06-02 08:31 . 2005-07-09 09:57 16384 -c--a-w- c:\program files\Admin.ocm
2005-06-02 08:31 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\locateui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\miscui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 15360 -c--a-w- c:\program files\NTP.ocm
2005-06-02 08:30 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\OscMail.ocm
2005-06-02 08:30 . 2005-07-09 09:57 19968 -c--a-w- c:\program files\aimtalk.dll
2005-06-02 08:30 . 2005-07-09 09:57 69632 -c--a-w- c:\program files\osclogin.ocm
2005-06-02 08:30 . 2005-07-09 09:57 9216 -c--a-w- c:\program files\oscmain.ocm
2005-06-02 08:30 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\startup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 155648 -c--a-w- c:\program files\aimauto.exe
2005-06-02 08:29 . 2005-07-09 09:57 86016 -c--a-w- c:\program files\OscSrch.ocm
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\ShareFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\SendFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\osconfig.ocm
2005-06-02 08:29 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\rvapps.ocm
2005-06-02 08:29 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\Patcher.exe
2005-06-02 08:29 . 2005-07-09 09:57 13312 -c--a-w- c:\program files\popup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 225280 -c--a-w- c:\program files\wndutils.dll
2005-06-02 08:28 . 2005-07-09 09:57 180224 -c--a-w- c:\program files\rtvideo.dll
2005-06-02 08:27 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\Patcher.dll
2005-06-02 08:27 . 2005-07-09 09:57 229376 -c--a-w- c:\program files\inetsocket.dll
2005-06-02 08:26 . 2005-07-09 09:57 34304 -c--a-w- c:\program files\proto.ocm
2005-06-02 08:26 . 2005-07-09 09:57 49152 -c--a-w- c:\program files\ProgressDlg.dll
2005-06-02 08:26 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\oscarui.dll
2005-06-02 08:26 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\oscore.dll
2005-06-02 08:25 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\ate32.dll
2005-06-02 08:25 . 2005-07-09 09:57 4608 -c--a-w- c:\program files\idlemon.dll
2005-05-26 15:32 . 2005-07-09 09:57 38435 -c--a-w- c:\program files\licens32.txt
2005-04-25 16:00 . 2005-07-09 09:57 10218 -c--a-w- c:\program files\aim95.CNT
2005-04-25 16:00 . 2005-07-09 09:57 505551 -c--a-w- c:\program files\AIM95.HLP
2004-08-28 01:29 . 2005-07-09 09:57 1935 -c--a-w- c:\program files\icbmftvc.lst
2004-08-18 20:56 . 2005-07-09 09:57 372736 -c--a-w- c:\program files\softokn3.dll
2004-08-18 20:56 . 2005-07-09 09:57 110592 -c--a-w- c:\program files\ssl3.dll
2004-08-18 20:56 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\smime3.dll
2004-08-18 20:56 . 2005-07-09 09:57 348160 -c--a-w- c:\program files\nss3.dll
2004-07-29 21:03 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\sb.dll
2004-07-22 17:43 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\CoolPeer.dll
2004-07-22 17:43 . 2005-07-09 09:57 3584 -c--a-w- c:\program files\CoolSos.dll
2004-07-22 17:43 . 2005-07-09 09:57 184320 -c--a-w- c:\program files\CoolBos.dll
2004-07-22 17:43 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\CoolBucky.dll
2004-07-22 17:43 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\CoolHttp.dll
2004-07-22 17:43 . 2005-07-09 09:57 57344 -c--a-w- c:\program files\CoolSecNss.dll
2004-07-22 17:42 . 2005-07-09 09:57 73728 -c--a-w- c:\program files\CoolSocket.dll
2004-07-22 17:42 . 2005-07-09 09:57 8192 -c--a-w- c:\program files\Xptl.dll
2004-07-22 17:41 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\Xpcs.dll
2004-07-22 17:41 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\Xprt.dll
2004-05-19 00:55 . 2005-07-09 09:57 81920 -c--a-w- c:\program files\xmltok.dll
2004-05-19 00:55 . 2005-07-09 09:57 53248 -c--a-w- c:\program files\xmlparse.dll
2004-04-16 23:27 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\jgtktlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jgsetlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 65536 -c--a-w- c:\program files\jgattlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\jgedtlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs6tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs2tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 36864 -c--a-w- c:\program files\jga1tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs7tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs3tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jga0tlk.dll
2004-01-09 17:38 . 2005-07-09 09:57 28672 -c--a-w- c:\program files\plc4.dll
2004-01-09 17:38 . 2005-07-09 09:57 24576 -c--a-w- c:\program files\plds4.dll
2004-01-09 17:38 . 2005-07-09 09:57 159744 -c--a-w- c:\program files\nspr4.dll
2003-10-15 00:27 . 2005-07-09 09:57 2486 -c--a-w- c:\program files\netwait.odl
2003-10-15 00:27 . 2005-07-09 09:57 2670 -c--a-w- c:\program files\aim.odl
2003-01-06 22:41 . 2005-07-09 09:57 1457 -c--a-w- c:\program files\rvappstm.lst
2002-08-03 00:40 . 2005-07-09 09:57 364544 -c--a-w- c:\program files\dBenderC.dll
2007-08-25 03:52 . 2008-01-05 11:46 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-08-01 02:11 7260160 -c--a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
<pre>
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe
</pre>


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\Sound Pilot\SndPilot.exe ---
Company: Invention Pilot, Inc
File Description: Add sound effect to keyboard buttons
File Version: 1.4.0.22
Product Name: Sound Pilot
Copyright: Copyright 2001-2003 by Kirill Braulov
Original Filename: SndPilot
File size: 544256
Created time: 2003-10-26 16:15
Modified time: 2003-10-26 16:15
MD5: BC665E1743D830CF2F4F199F17D9A315
SHA1: 28BEBDCD41EF4B28000B1DBA74F2B629175144FA


--- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe ---
Company: Veoh Networks
File Description: Veoh Web Player Beta
File Version: 1.1.2.2029
Product Name: Veoh Web Player Beta
Copyright: Copyright © Veoh Networks 2008
Original Filename: Veohwebplayer.exe
File size: 3558136
Created time: 2009-03-07 01:08
Modified time: 2009-03-07 01:08
MD5: E5CF812D81A4C4D60AF7AEB12E24789C
SHA1: B81B69ED9FA8E4C252218CCCBF81A487B8941299


--- c:\program files\Windows Live\Messenger\msnmsgr.exe ---
Company: Portable Library
File Description: Portable NX
File Version: 3.2.1203.2000
Product Name: PNX
Copyright: PortLib. 2009
Original Filename: PNX.EXE
File size: 37376
Created time: 2007-10-18 19:34
Modified time: 2010-04-10 21:33
MD5: D0AF1ABF8A826152359B430245B3C74D
SHA1: 9B47382C71258E5F66C3FD156CEA45F924960F86


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2003-10-26 544256]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [2007-10-18 5724184]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]
"appreg70700.exe"="c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"POEngine"="" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-04-09 33280]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-6-24 372736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-4-3 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-03-30 19:06 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56474:TCP"= 56474:TCP:Pando Media Booster
"56474:UDP"= 56474:UDP:Pando Media Booster

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/13/2005 12:07 PM 17792]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/28/2008 11:57 AM 99376]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys --> c:\windows\system32\drivers\rxp.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [6/24/2005 9:47 PM 386816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ben Chao.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2010-04-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = proxy.ucr.edu:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcdp32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 18:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,7d,a0,7a,56,b6,1d,82,d2,7a,ba,0e,ee,91,81,9c,bd,44,17,53,0b,7b,f5,
d9,be,fb,52,bf,ad,cc,72,22,7b,a0,df,53,cd,c9,6a,4e,36,f9,58,cd,b3,a6,00,6f,\
"??"=hex:ae,f2,bc,ca,c9,03,a4,07,7b,f5,f9,c8,3b,f1,90,9d

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2432)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-04-20 18:21:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 01:21
ComboFix2.txt 2010-04-20 02:07
ComboFix3.txt 2010-04-19 00:22

Pre-Run: 2,823,069,696 bytes free
Post-Run: 2,784,468,992 bytes free

- - End Of File - - 963DD751F08FB4BDFE9EC471C0DA1D8B


Attached Files

  • Attached File  log.txt   24.32KB   1 downloads


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 21 April 2010 - 05:56 PM

Hello, InaPinch.

Sounds like it's getting better! We still have some more work to do, though. It usually takes a few rounds to fully remove the type of Vundo infection you have, then we still have other malware. But....we are slowly making progress and regaining control.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Norton Internet Security\oscheck .exe
c:\program files\Windows Live\Messenger\msnmsgr    .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
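The RenV:: step above targets one specific pattern in the log: autostart entries whose file name carries whitespace just before the extension ("ccapp .exe", "msnmsgr    .exe"), which a casual glance reads as the genuine Symantec or Messenger binary. The same "Reg Loading Points" section also shows a 32-hex-character folder under Application Data, targets the log could not verify, Security Center overrides set to 1 and EnableFirewall set to 0. The script below is an added example, not code from the thread, from ComboFix or from the helper; it walks constructed log lines modelled on that section (the entries, the hex folder name and the user path are made up) and flags those conditions so a responder can triage a log of this shape without reading every line. Treating "[N/A]" and "[X]" as "target could not be verified" is an assumption about the log format, marked as such in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample, modelled on the "Reg Loading Points" section of a
# ComboFix log. These are NOT lines from the thread; the entries, the user
# path and the 32-hex folder are made up to exercise each check.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2003-10-26 544256]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\user\application data\0123456789abcdef0123456789abcdef\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    key: str      # registry key the entry lives under
    name: str     # value name
    reason: str


RUN_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
GHOST_NAME = re.compile(r'\s\.[A-Za-z0-9]{1,4}$')        # "ccapp .exe": whitespace before the extension
HEX_DIR = re.compile(r'(^|\\)[0-9a-fA-F]{32}(\\|$)')     # a 32-hex-character folder component
ARGS_SPLIT = re.compile(r'(?<=\.exe)\s', re.IGNORECASE)   # separate "prog.exe" from its arguments

SECURITY_CENTER_FLAGS = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def analyze(log_text: str) -> List[Finding]:
    """Walk the log line by line, remembering the current [key], and flag
    the autostart and Security Center conditions a responder would act on."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = RUN_LINE.match(line)
        if m and key.lower().endswith("currentversion\\run"):
            name, path, meta = m.group("name"), m.group("path"), m.group("meta")
            prog = ARGS_SPLIT.split(path, maxsplit=1)[0]   # drop "-atboottime"-style arguments
            if GHOST_NAME.search(prog):
                findings.append(Finding(key, name, "whitespace before the extension (look-alike of a real file name)"))
            if HEX_DIR.search(prog):
                findings.append(Finding(key, name, "target lives in a 32-hex-character folder"))
            if meta.strip().upper() in {"N/A", "X"}:
                # Assumption: the log prints [N/A] or [X] when it could not record
                # a date/size for the target, so the entry counts as unverified.
                findings.append(Finding(key, name, f"target not verifiable from the log ({meta.strip()})"))
            continue
        m = DWORD_LINE.match(line)
        if m and "security center" in key.lower():
            if m.group("name") in SECURITY_CENTER_FLAGS and int(m.group("val"), 16) == 1:
                findings.append(Finding(key, m.group("name"), "Security Center override/monitoring switch set to 1"))
            continue
        m = FIREWALL_LINE.match(line)
        if m and m.group("val") == "0":
            findings.append(Finding(key, "EnableFirewall", "Windows Firewall disabled for this profile"))
    return findings


def flagged_names(findings: List[Finding]) -> Set[str]:
    """Value names that received at least one finding."""
    return {f.name for f in findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.key}] {f.name!r}: {f.reason}")
```

Run against the sample, the legitimate "Sound Pilot" and "ccApp" entries produce nothing, while every look-alike name, the hex-folder target, the unverified targets and each disabled protection is reported once per condition. Paste a real "Reg Loading Points" section into `SAMPLE_LOG` (or read it from a file) to reuse it; the checks are intentionally narrow so that a flagged line is something to look at, not a verdict.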
 


#11 InaPinch

InaPinch
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:12:11 PM

Posted 21 April 2010 - 09:05 PM

Hello etavares. Here are the new logs,

ComboFix 10-04-17.07 - Ben Chao 04/21/2010 17:21:36.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.156 [GMT -7:00]
Running from: c:\documents and settings\Ben Chao\Desktop\Fixing\InaPinchCF.exe
Command switches used :: c:\documents and settings\Ben Chao\Desktop\Fixing\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 00:50 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-09 19:41 . 2010-04-09 19:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-09 10:15 . 2004-08-04 07:56 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-04-09 10:15 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-27 23:45 . 2010-04-03 17:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 02:28 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 06:53 . 2005-09-20 07:38 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\dvdcss
2010-04-21 00:54 . 2006-02-16 09:27 -------- d-----w- c:\program files\Sound Pilot
2010-04-21 00:54 . 2005-12-18 06:44 -------- d-----w- c:\program files\QuickTime
2010-04-21 00:54 . 2009-01-07 06:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-18 22:54 . 2008-01-03 14:02 -------- d-----w- c:\program files\Poker Tracker V2
2010-04-11 02:03 . 2005-08-13 22:03 -------- d-----w- c:\program files\BitComet
2010-04-09 10:31 . 2008-01-05 11:35 -------- d-----w- c:\program files\Norton Internet Security
2010-04-09 10:31 . 2005-06-19 00:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-09 10:17 . 2005-06-18 22:52 36152 -c--a-w- c:\documents and settings\Ben Chao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 04:04 . 2005-06-19 02:57 32282 ----a-w- c:\windows\system32\nvModes.dat
2010-04-06 03:57 . 2005-06-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-24 22:04 . 2005-06-18 22:41 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-03-10 08:02 . 2001-08-23 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-01-08 22:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2005-06-19 05:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2001-08-23 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2001-08-23 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2001-08-17 13:48 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2005-07-09 09:58 . 2005-07-09 09:58 611 -c--a-w- c:\program files\Uninstall AIM.lnk
2005-06-02 08:35 . 2005-07-09 09:57 116977 -c--a-w- c:\program files\uninstll.EXE
2005-06-02 08:34 . 2005-07-09 09:57 67160 -c--a-w- c:\program files\aim.exe
2005-06-02 08:34 . 2005-07-09 09:57 131072 -c--a-w- c:\program files\ateima32.dll
2005-06-02 08:34 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\AlertUI.ocm
2005-06-02 08:34 . 2005-07-09 09:57 25088 -c--a-w- c:\program files\browse.ocm
2005-06-02 08:33 . 2005-07-09 09:57 217088 -c--a-w- c:\program files\buddyui.ocm
2005-06-02 08:33 . 2005-07-09 09:57 233472 -c--a-w- c:\program files\AimSecondarySvcs.dll
2005-06-02 08:33 . 2005-07-09 09:57 6656 -c--a-w- c:\program files\stats.ocm
2005-06-02 08:33 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\ChatUI.ocm
2005-06-02 08:32 . 2005-07-09 09:57 1511424 -c--a-w- c:\program files\AimRes.dll
2005-06-02 08:32 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\AimCoreSvcs.dll
2005-06-02 08:32 . 2005-07-09 09:57 266240 -c--a-w- c:\program files\icbmui.ocm
2005-06-02 08:32 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\ticker.ocm
2005-06-02 08:32 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\aimapi.dll
2005-06-02 08:31 . 2005-07-09 09:57 16384 -c--a-w- c:\program files\Admin.ocm
2005-06-02 08:31 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\locateui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\miscui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 15360 -c--a-w- c:\program files\NTP.ocm
2005-06-02 08:30 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\OscMail.ocm
2005-06-02 08:30 . 2005-07-09 09:57 19968 -c--a-w- c:\program files\aimtalk.dll
2005-06-02 08:30 . 2005-07-09 09:57 69632 -c--a-w- c:\program files\osclogin.ocm
2005-06-02 08:30 . 2005-07-09 09:57 9216 -c--a-w- c:\program files\oscmain.ocm
2005-06-02 08:30 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\startup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 155648 -c--a-w- c:\program files\aimauto.exe
2005-06-02 08:29 . 2005-07-09 09:57 86016 -c--a-w- c:\program files\OscSrch.ocm
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\ShareFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\SendFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\osconfig.ocm
2005-06-02 08:29 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\rvapps.ocm
2005-06-02 08:29 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\Patcher.exe
2005-06-02 08:29 . 2005-07-09 09:57 13312 -c--a-w- c:\program files\popup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 225280 -c--a-w- c:\program files\wndutils.dll
2005-06-02 08:28 . 2005-07-09 09:57 180224 -c--a-w- c:\program files\rtvideo.dll
2005-06-02 08:27 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\Patcher.dll
2005-06-02 08:27 . 2005-07-09 09:57 229376 -c--a-w- c:\program files\inetsocket.dll
2005-06-02 08:26 . 2005-07-09 09:57 34304 -c--a-w- c:\program files\proto.ocm
2005-06-02 08:26 . 2005-07-09 09:57 49152 -c--a-w- c:\program files\ProgressDlg.dll
2005-06-02 08:26 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\oscarui.dll
2005-06-02 08:26 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\oscore.dll
2005-06-02 08:25 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\ate32.dll
2005-06-02 08:25 . 2005-07-09 09:57 4608 -c--a-w- c:\program files\idlemon.dll
2005-05-26 15:32 . 2005-07-09 09:57 38435 -c--a-w- c:\program files\licens32.txt
2005-04-25 16:00 . 2005-07-09 09:57 10218 -c--a-w- c:\program files\aim95.CNT
2005-04-25 16:00 . 2005-07-09 09:57 505551 -c--a-w- c:\program files\AIM95.HLP
2004-08-28 01:29 . 2005-07-09 09:57 1935 -c--a-w- c:\program files\icbmftvc.lst
2004-08-18 20:56 . 2005-07-09 09:57 372736 -c--a-w- c:\program files\softokn3.dll
2004-08-18 20:56 . 2005-07-09 09:57 110592 -c--a-w- c:\program files\ssl3.dll
2004-08-18 20:56 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\smime3.dll
2004-08-18 20:56 . 2005-07-09 09:57 348160 -c--a-w- c:\program files\nss3.dll
2004-07-29 21:03 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\sb.dll
2004-07-22 17:43 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\CoolPeer.dll
2004-07-22 17:43 . 2005-07-09 09:57 3584 -c--a-w- c:\program files\CoolSos.dll
2004-07-22 17:43 . 2005-07-09 09:57 184320 -c--a-w- c:\program files\CoolBos.dll
2004-07-22 17:43 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\CoolBucky.dll
2004-07-22 17:43 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\CoolHttp.dll
2004-07-22 17:43 . 2005-07-09 09:57 57344 -c--a-w- c:\program files\CoolSecNss.dll
2004-07-22 17:42 . 2005-07-09 09:57 73728 -c--a-w- c:\program files\CoolSocket.dll
2004-07-22 17:42 . 2005-07-09 09:57 8192 -c--a-w- c:\program files\Xptl.dll
2004-07-22 17:41 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\Xpcs.dll
2004-07-22 17:41 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\Xprt.dll
2004-05-19 00:55 . 2005-07-09 09:57 81920 -c--a-w- c:\program files\xmltok.dll
2004-05-19 00:55 . 2005-07-09 09:57 53248 -c--a-w- c:\program files\xmlparse.dll
2004-04-16 23:27 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\jgtktlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jgsetlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 65536 -c--a-w- c:\program files\jgattlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\jgedtlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs6tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs2tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 36864 -c--a-w- c:\program files\jga1tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs7tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs3tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jga0tlk.dll
2004-01-09 17:38 . 2005-07-09 09:57 28672 -c--a-w- c:\program files\plc4.dll
2004-01-09 17:38 . 2005-07-09 09:57 24576 -c--a-w- c:\program files\plds4.dll
2004-01-09 17:38 . 2005-07-09 09:57 159744 -c--a-w- c:\program files\nspr4.dll
2003-10-15 00:27 . 2005-07-09 09:57 2486 -c--a-w- c:\program files\netwait.odl
2003-10-15 00:27 . 2005-07-09 09:57 2670 -c--a-w- c:\program files\aim.odl
2003-01-06 22:41 . 2005-07-09 09:57 1457 -c--a-w- c:\program files\rvappstm.lst
2002-08-03 00:40 . 2005-07-09 09:57 364544 -c--a-w- c:\program files\dBenderC.dll
2007-08-25 03:52 . 2008-01-05 11:46 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-08-01 02:11 7260160 -c--a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Norton Internet Security\oscheck .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2003-10-26 544256]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [N/A]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]
"appreg70700.exe"="c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"POEngine"="" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-04-09 33280]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-6-24 372736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-4-3 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-03-30 19:06 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56474:TCP"= 56474:TCP:Pando Media Booster
"56474:UDP"= 56474:UDP:Pando Media Booster

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/13/2005 12:07 PM 17792]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/28/2008 11:57 AM 99376]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys --> c:\windows\system32\drivers\rxp.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [6/24/2005 9:47 PM 386816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ben Chao.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2010-04-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = proxy.ucr.edu:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcdp32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 17:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,7d,a0,7a,56,b6,1d,82,d2,7a,ba,0e,ee,91,81,9c,bd,44,17,53,0b,7b,f5,
d9,be,fb,52,bf,ad,cc,72,22,7b,a0,df,53,cd,c9,6a,4e,36,f9,58,cd,b3,a6,00,6f,\
"??"=hex:ae,f2,bc,ca,c9,03,a4,07,7b,f5,f9,c8,3b,f1,90,9d

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(908)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-04-21 17:48:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 00:48
ComboFix2.txt 2010-04-21 01:21
ComboFix3.txt 2010-04-20 02:07
ComboFix4.txt 2010-04-19 00:22

Pre-Run: 2,792,402,944 bytes free
Post-Run: 2,748,854,272 bytes free

- - End Of File - - 8877A3EE6A592257FF7612B003F405D0



Attached Files

  • Attached File  log.txt   21.91KB   3 downloads


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:11 PM

Posted 22 April 2010 - 05:44 PM

Hello, InaPinch.

Still chipping away at it. I know it probably seems like we're spinning in circles, but each time we're a step closer. Please delete your copy of Combofix on your desktop, download a fresh copy from the link above, then continue on.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Norton Internet Security\oscheck .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares

Edited by etavares, 22 April 2010 - 05:44 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 

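The post above hand-writes the RenV:: block from what the ComboFix log shows: the legitimate Norton binaries have been pushed aside as "ccapp .exe" and "oscheck .exe" (a space before the extension), while the Run keys still point at "ccApp.exe" and "osCheck.exe", which the log lists at 33280 bytes, the same size the log gives for rundll32.exe. The script below is an added example, not part of the thread and not ComboFix's or the helper's code. It parses the "Reg Loading Points" dump, flags the indicators visible in these logs (a space before .exe, a target ComboFix marks [N/A] or [X], a replacement whose byte size equals rundll32.exe as listed in the same log, and a value name repeated under one key), lists the Security Center and firewall overrides, and emits the RenV:: lines. The sample text is constructed from lines quoted in this thread; the rule that the displaced original sits beside its replacement as "<name> .exe" is taken from the helper's own script, and every function name is this example's.

```python
"""Triage a ComboFix log for the 'renamed original' trick seen in this thread.

Added example: not ComboFix's own code and not the forum helper's script.
Assumptions (labelled): the displaced legitimate binary lives beside its
replacement as '<name> .exe' (taken from the RenV:: lines the helper wrote),
and rundll32.exe's size is read from the same log rather than hard-coded.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log quoted in the thread,
# trimmed to the sections the triage reads.
SAMPLE_LOG = r"""
2010-04-09 10:15 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\rundll32.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2003-10-26 544256]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [N/A]
"appreg70700.exe"="c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-04-09 33280]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SPACED_EXE = re.compile(r'\s\.exe\b', re.IGNORECASE)
OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"(EnableFirewall)"=\s*0\b')


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reason: str


def rundll32_size(log: str) -> int | None:
    """Byte size of rundll32.exe as ComboFix itself lists it (None if absent)."""
    m = re.search(r'(\d+) \S+ c:\\windows\\system32\\rundll32\.exe$', log,
                  re.IGNORECASE | re.MULTILINE)
    return int(m.group(1)) if m else None


def triage_run_keys(log: str) -> list[Finding]:
    """Flag Run-key entries by the indicators visible in the thread's logs."""
    findings: list[Finding] = []
    ref_size = rundll32_size(log)
    key = None
    seen: set[tuple[str, str]] = set()
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = RUN_LINE.match(line)
        if not m or key is None or not key.lower().endswith('\\run'):
            continue
        name, target, meta = m['name'], m['target'], m['meta']
        # 1. A space before ".exe": the renamed original, or malware imitating it.
        if SPACED_EXE.search(name) or SPACED_EXE.search(target):
            findings.append(Finding(key, name, target, 'space before .exe'))
        # 2. ComboFix could not stat the target ([N/A] or [X]).
        if meta in ('N/A', 'X'):
            findings.append(Finding(key, name, target, 'target missing on disk'))
        # 3. The "legitimate" path now has exactly rundll32.exe's byte size.
        size = meta.rsplit(' ', 1)[-1]
        if ref_size is not None and size.isdigit() and int(size) == ref_size:
            findings.append(Finding(key, name, target, f'size {ref_size} matches rundll32.exe'))
        # 4. One key cannot hold two values with the same name, so a repeat
        #    means the names differ in a way the listing does not show.
        if (key, name) in seen:
            findings.append(Finding(key, name, target, 'value name repeated under key'))
        seen.add((key, name))
    return findings


def renv_script(findings: list[Finding]) -> str:
    """Build the RenV:: block for every replacement that matched rundll32.exe.
    Assumption (from the helper's script): the original is '<stem> .exe'."""
    paths: list[str] = []
    for f in findings:
        if f.reason.startswith('size '):
            stem, ext = f.target.rsplit('.', 1)
            displaced = f'{stem} .{ext}'
            if displaced not in paths:
                paths.append(displaced)
    return 'RenV::\n' + '\n'.join(paths) + '\n'


def security_overrides(log: str) -> list[str]:
    """Security Center values that silence AV/firewall alerts, plus EnableFirewall=0."""
    hits = []
    for raw in log.splitlines():
        m = OVERRIDE.match(raw.strip()) or FIREWALL_OFF.match(raw.strip())
        if m:
            hits.append(m.group(1))
    return hits


if __name__ == '__main__':
    found = triage_run_keys(SAMPLE_LOG)
    for f in found:
        print(f'{f.reason:40} {f.name!r} -> {f.target}')
    print('overrides:', security_overrides(SAMPLE_LOG))
    print(renv_script(found))
```

Run it as-is to see the triage of the constructed sample; to use it on a real log, read C:\ComboFix.txt into a string and pass that instead of SAMPLE_LOG. The RenV:: output keeps the casing of the Run entry, which is fine on NTFS (the helper's script used lower case). The size match only catches replacements that are byte-identical copies of rundll32.exe, which is what this log shows; a differently sized replacement would still be caught by the space-before-.exe or missing-target checks if the original was moved the same way.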

#13 InaPinch

InaPinch
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 23 April 2010 - 12:32 PM

Hello etavares, I hope you are doing well. I completely understand that it might take a few rounds for my computer to be clear and I thank you for your efforts. =P

Here is the new ComboFix.txt,

ComboFix 10-04-21.01 - Ben Chao 04/23/2010 9:53.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.199 [GMT -7:00]
Running from: c:\documents and settings\Ben Chao\Desktop\InaPinchCF.exe
Command switches used :: c:\documents and settings\Ben Chao\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.

2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 00:50 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-09 19:41 . 2010-04-09 19:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-09 10:15 . 2004-08-04 07:56 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-04-09 10:15 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-27 23:45 . 2010-04-22 19:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 02:28 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 17:06 . 2005-06-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-22 07:30 . 2005-09-20 07:38 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\dvdcss
2010-04-21 00:54 . 2006-02-16 09:27 -------- d-----w- c:\program files\Sound Pilot
2010-04-21 00:54 . 2005-12-18 06:44 -------- d-----w- c:\program files\QuickTime
2010-04-21 00:54 . 2009-01-07 06:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-18 22:54 . 2008-01-03 14:02 -------- d-----w- c:\program files\Poker Tracker V2
2010-04-11 02:03 . 2005-08-13 22:03 -------- d-----w- c:\program files\BitComet
2010-04-09 10:31 . 2008-01-05 11:35 -------- d-----w- c:\program files\Norton Internet Security
2010-04-09 10:31 . 2005-06-19 00:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-09 10:17 . 2005-06-18 22:52 36152 -c--a-w- c:\documents and settings\Ben Chao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 04:04 . 2005-06-19 02:57 32282 ----a-w- c:\windows\system32\nvModes.dat
2010-03-24 22:04 . 2005-06-18 22:41 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-03-10 08:02 . 2001-08-23 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-01-08 22:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2005-06-19 05:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2001-08-23 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2001-08-23 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2001-08-17 13:48 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2005-07-09 09:58 . 2005-07-09 09:58 611 -c--a-w- c:\program files\Uninstall AIM.lnk
2005-06-02 08:35 . 2005-07-09 09:57 116977 -c--a-w- c:\program files\uninstll.EXE
2005-06-02 08:34 . 2005-07-09 09:57 67160 -c--a-w- c:\program files\aim.exe
2005-06-02 08:34 . 2005-07-09 09:57 131072 -c--a-w- c:\program files\ateima32.dll
2005-06-02 08:34 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\AlertUI.ocm
2005-06-02 08:34 . 2005-07-09 09:57 25088 -c--a-w- c:\program files\browse.ocm
2005-06-02 08:33 . 2005-07-09 09:57 217088 -c--a-w- c:\program files\buddyui.ocm
2005-06-02 08:33 . 2005-07-09 09:57 233472 -c--a-w- c:\program files\AimSecondarySvcs.dll
2005-06-02 08:33 . 2005-07-09 09:57 6656 -c--a-w- c:\program files\stats.ocm
2005-06-02 08:33 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\ChatUI.ocm
2005-06-02 08:32 . 2005-07-09 09:57 1511424 -c--a-w- c:\program files\AimRes.dll
2005-06-02 08:32 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\AimCoreSvcs.dll
2005-06-02 08:32 . 2005-07-09 09:57 266240 -c--a-w- c:\program files\icbmui.ocm
2005-06-02 08:32 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\ticker.ocm
2005-06-02 08:32 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\aimapi.dll
2005-06-02 08:31 . 2005-07-09 09:57 16384 -c--a-w- c:\program files\Admin.ocm
2005-06-02 08:31 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\locateui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\miscui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 15360 -c--a-w- c:\program files\NTP.ocm
2005-06-02 08:30 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\OscMail.ocm
2005-06-02 08:30 . 2005-07-09 09:57 19968 -c--a-w- c:\program files\aimtalk.dll
2005-06-02 08:30 . 2005-07-09 09:57 69632 -c--a-w- c:\program files\osclogin.ocm
2005-06-02 08:30 . 2005-07-09 09:57 9216 -c--a-w- c:\program files\oscmain.ocm
2005-06-02 08:30 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\startup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 155648 -c--a-w- c:\program files\aimauto.exe
2005-06-02 08:29 . 2005-07-09 09:57 86016 -c--a-w- c:\program files\OscSrch.ocm
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\ShareFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\SendFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\osconfig.ocm
2005-06-02 08:29 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\rvapps.ocm
2005-06-02 08:29 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\Patcher.exe
2005-06-02 08:29 . 2005-07-09 09:57 13312 -c--a-w- c:\program files\popup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 225280 -c--a-w- c:\program files\wndutils.dll
2005-06-02 08:28 . 2005-07-09 09:57 180224 -c--a-w- c:\program files\rtvideo.dll
2005-06-02 08:27 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\Patcher.dll
2005-06-02 08:27 . 2005-07-09 09:57 229376 -c--a-w- c:\program files\inetsocket.dll
2005-06-02 08:26 . 2005-07-09 09:57 34304 -c--a-w- c:\program files\proto.ocm
2005-06-02 08:26 . 2005-07-09 09:57 49152 -c--a-w- c:\program files\ProgressDlg.dll
2005-06-02 08:26 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\oscarui.dll
2005-06-02 08:26 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\oscore.dll
2005-06-02 08:25 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\ate32.dll
2005-06-02 08:25 . 2005-07-09 09:57 4608 -c--a-w- c:\program files\idlemon.dll
2005-05-26 15:32 . 2005-07-09 09:57 38435 -c--a-w- c:\program files\licens32.txt
2005-04-25 16:00 . 2005-07-09 09:57 10218 -c--a-w- c:\program files\aim95.CNT
2005-04-25 16:00 . 2005-07-09 09:57 505551 -c--a-w- c:\program files\AIM95.HLP
2004-08-28 01:29 . 2005-07-09 09:57 1935 -c--a-w- c:\program files\icbmftvc.lst
2004-08-18 20:56 . 2005-07-09 09:57 372736 -c--a-w- c:\program files\softokn3.dll
2004-08-18 20:56 . 2005-07-09 09:57 110592 -c--a-w- c:\program files\ssl3.dll
2004-08-18 20:56 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\smime3.dll
2004-08-18 20:56 . 2005-07-09 09:57 348160 -c--a-w- c:\program files\nss3.dll
2004-07-29 21:03 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\sb.dll
2004-07-22 17:43 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\CoolPeer.dll
2004-07-22 17:43 . 2005-07-09 09:57 3584 -c--a-w- c:\program files\CoolSos.dll
2004-07-22 17:43 . 2005-07-09 09:57 184320 -c--a-w- c:\program files\CoolBos.dll
2004-07-22 17:43 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\CoolBucky.dll
2004-07-22 17:43 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\CoolHttp.dll
2004-07-22 17:43 . 2005-07-09 09:57 57344 -c--a-w- c:\program files\CoolSecNss.dll
2004-07-22 17:42 . 2005-07-09 09:57 73728 -c--a-w- c:\program files\CoolSocket.dll
2004-07-22 17:42 . 2005-07-09 09:57 8192 -c--a-w- c:\program files\Xptl.dll
2004-07-22 17:41 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\Xpcs.dll
2004-07-22 17:41 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\Xprt.dll
2004-05-19 00:55 . 2005-07-09 09:57 81920 -c--a-w- c:\program files\xmltok.dll
2004-05-19 00:55 . 2005-07-09 09:57 53248 -c--a-w- c:\program files\xmlparse.dll
2004-04-16 23:27 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\jgtktlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jgsetlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 65536 -c--a-w- c:\program files\jgattlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\jgedtlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs6tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs2tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 36864 -c--a-w- c:\program files\jga1tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs7tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs3tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jga0tlk.dll
2004-01-09 17:38 . 2005-07-09 09:57 28672 -c--a-w- c:\program files\plc4.dll
2004-01-09 17:38 . 2005-07-09 09:57 24576 -c--a-w- c:\program files\plds4.dll
2004-01-09 17:38 . 2005-07-09 09:57 159744 -c--a-w- c:\program files\nspr4.dll
2003-10-15 00:27 . 2005-07-09 09:57 2486 -c--a-w- c:\program files\netwait.odl
2003-10-15 00:27 . 2005-07-09 09:57 2670 -c--a-w- c:\program files\aim.odl
2003-01-06 22:41 . 2005-07-09 09:57 1457 -c--a-w- c:\program files\rvappstm.lst
2002-08-03 00:40 . 2005-07-09 09:57 364544 -c--a-w- c:\program files\dBenderC.dll
2007-08-25 03:52 . 2008-01-05 11:46 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-08-01 02:11 7260160 -c--a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Norton Internet Security\oscheck .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2003-10-26 544256]
"MsnMsgr"="c:\program files\windows live\messenger\msnmsgr .exe" [N/A]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]
"appreg70700.exe"="c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]
"appreg70700 .exe"="c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"POEngine"="" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-09 33280]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2010-04-09 33280]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-6-24 372736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-4-3 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-03-30 19:06 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56474:TCP"= 56474:TCP:Pando Media Booster
"56474:UDP"= 56474:UDP:Pando Media Booster

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/13/2005 12:07 PM 17792]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/28/2008 11:57 AM 99376]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys --> c:\windows\system32\drivers\rxp.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [6/24/2005 9:47 PM 386816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ben Chao.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2010-04-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = proxy.ucr.edu:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcdp32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 10:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,7d,a0,7a,56,b6,1d,82,d2,7a,ba,0e,ee,91,81,9c,bd,44,17,53,0b,7b,f5,
d9,be,fb,52,bf,ad,cc,72,22,7b,a0,df,53,cd,c9,6a,4e,36,f9,58,cd,b3,a6,00,6f,\
"??"=hex:ae,f2,bc,ca,c9,03,a4,07,7b,f5,f9,c8,3b,f1,90,9d

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3992)
c:\progra~1\WINDOW~3\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-04-23 10:23:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-23 17:22
ComboFix2.txt 2010-04-22 00:48
ComboFix3.txt 2010-04-21 01:21
ComboFix4.txt 2010-04-20 02:07
ComboFix5.txt 2010-04-23 16:50

Pre-Run: 1,894,875,136 bytes free
Post-Run: 1,882,300,416 bytes free

- - End Of File - - B390086BD856B8268C9D756332E7736D



P.S. If there is a problem with Norton, I would not mind removing it for another Antivirus/Antispyware. I feel as if my trust for Norton doesn't exist anymore.

Edited by InaPinch, 23 April 2010 - 12:35 PM.


#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:11 PM

Posted 23 April 2010 - 05:45 PM

Hello, InaPinch.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Ok, let's try to do this in safe mode. Norton is infected, but we can usually remove it. If this doesn't work, we'll manually remove the Vundo and uninstall Norton. If you want to reinstall Norton, we can do that, or I can suggest freeware. Let's try this first.

Please reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Norton Internet Security\oscheck .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#15 InaPinch

InaPinch
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:11 PM

Posted 24 April 2010 - 01:42 PM

Hello etavares, how are you doing?

Here is the new ComboFix.txt. Norton seems to have started working again.

ComboFix 10-04-21.01 - Ben Chao 04/24/2010 9:17.7.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.247 [GMT -7:00]
Running from: c:\documents and settings\Ben Chao\Desktop\InaPinchCF.exe
Command switches used :: c:\documents and settings\Ben Chao\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:50 . 2010-04-12 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 00:50 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-11 00:53 . 2010-04-11 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-09 19:41 . 2010-04-09 19:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-04-09 10:15 . 2004-08-04 07:56 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-04-09 10:15 . 2004-08-04 07:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-27 23:45 . 2010-04-22 19:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 02:28 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 16:17 . 2008-01-05 11:35 -------- d-----w- c:\program files\Norton Internet Security
2010-04-24 16:17 . 2005-06-19 00:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-24 05:59 . 2005-09-20 07:38 -------- d-----w- c:\documents and settings\Ben Chao\Application Data\dvdcss
2010-04-23 17:06 . 2005-06-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-21 00:54 . 2006-02-16 09:27 -------- d-----w- c:\program files\Sound Pilot
2010-04-21 00:54 . 2005-12-18 06:44 -------- d-----w- c:\program files\QuickTime
2010-04-21 00:54 . 2009-01-07 06:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-18 22:54 . 2008-01-03 14:02 -------- d-----w- c:\program files\Poker Tracker V2
2010-04-11 02:03 . 2005-08-13 22:03 -------- d-----w- c:\program files\BitComet
2010-04-09 10:17 . 2005-06-18 22:52 36152 -c--a-w- c:\documents and settings\Ben Chao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 04:04 . 2005-06-19 02:57 32282 ----a-w- c:\windows\system32\nvModes.dat
2010-03-24 22:04 . 2005-06-18 22:41 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-03-10 08:02 . 2001-08-23 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-01-08 22:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2005-06-19 05:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2001-08-23 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19 . 2001-08-23 12:00 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2001-08-17 13:48 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2005-07-09 09:58 . 2005-07-09 09:58 611 -c--a-w- c:\program files\Uninstall AIM.lnk
2005-06-02 08:35 . 2005-07-09 09:57 116977 -c--a-w- c:\program files\uninstll.EXE
2005-06-02 08:34 . 2005-07-09 09:57 67160 -c--a-w- c:\program files\aim.exe
2005-06-02 08:34 . 2005-07-09 09:57 131072 -c--a-w- c:\program files\ateima32.dll
2005-06-02 08:34 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\AlertUI.ocm
2005-06-02 08:34 . 2005-07-09 09:57 25088 -c--a-w- c:\program files\browse.ocm
2005-06-02 08:33 . 2005-07-09 09:57 217088 -c--a-w- c:\program files\buddyui.ocm
2005-06-02 08:33 . 2005-07-09 09:57 233472 -c--a-w- c:\program files\AimSecondarySvcs.dll
2005-06-02 08:33 . 2005-07-09 09:57 6656 -c--a-w- c:\program files\stats.ocm
2005-06-02 08:33 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\ChatUI.ocm
2005-06-02 08:32 . 2005-07-09 09:57 1511424 -c--a-w- c:\program files\AimRes.dll
2005-06-02 08:32 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\AimCoreSvcs.dll
2005-06-02 08:32 . 2005-07-09 09:57 266240 -c--a-w- c:\program files\icbmui.ocm
2005-06-02 08:32 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\ticker.ocm
2005-06-02 08:32 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\aimapi.dll
2005-06-02 08:31 . 2005-07-09 09:57 16384 -c--a-w- c:\program files\Admin.ocm
2005-06-02 08:31 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\locateui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\miscui.ocm
2005-06-02 08:31 . 2005-07-09 09:57 15360 -c--a-w- c:\program files\NTP.ocm
2005-06-02 08:30 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\OscMail.ocm
2005-06-02 08:30 . 2005-07-09 09:57 19968 -c--a-w- c:\program files\aimtalk.dll
2005-06-02 08:30 . 2005-07-09 09:57 69632 -c--a-w- c:\program files\osclogin.ocm
2005-06-02 08:30 . 2005-07-09 09:57 9216 -c--a-w- c:\program files\oscmain.ocm
2005-06-02 08:30 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\startup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 155648 -c--a-w- c:\program files\aimauto.exe
2005-06-02 08:29 . 2005-07-09 09:57 86016 -c--a-w- c:\program files\OscSrch.ocm
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\ShareFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 2048 -c--a-w- c:\program files\SendFile.exe
2005-06-02 08:29 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\osconfig.ocm
2005-06-02 08:29 . 2005-07-09 09:57 39936 -c--a-w- c:\program files\rvapps.ocm
2005-06-02 08:29 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\Patcher.exe
2005-06-02 08:29 . 2005-07-09 09:57 13312 -c--a-w- c:\program files\popup.ocm
2005-06-02 08:29 . 2005-07-09 09:57 225280 -c--a-w- c:\program files\wndutils.dll
2005-06-02 08:28 . 2005-07-09 09:57 180224 -c--a-w- c:\program files\rtvideo.dll
2005-06-02 08:27 . 2005-07-09 09:57 77824 -c--a-w- c:\program files\Patcher.dll
2005-06-02 08:27 . 2005-07-09 09:57 229376 -c--a-w- c:\program files\inetsocket.dll
2005-06-02 08:26 . 2005-07-09 09:57 34304 -c--a-w- c:\program files\proto.ocm
2005-06-02 08:26 . 2005-07-09 09:57 49152 -c--a-w- c:\program files\ProgressDlg.dll
2005-06-02 08:26 . 2005-07-09 09:57 151552 -c--a-w- c:\program files\oscarui.dll
2005-06-02 08:26 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\oscore.dll
2005-06-02 08:25 . 2005-07-09 09:57 192512 -c--a-w- c:\program files\ate32.dll
2005-06-02 08:25 . 2005-07-09 09:57 4608 -c--a-w- c:\program files\idlemon.dll
2005-05-26 15:32 . 2005-07-09 09:57 38435 -c--a-w- c:\program files\licens32.txt
2005-04-25 16:00 . 2005-07-09 09:57 10218 -c--a-w- c:\program files\aim95.CNT
2005-04-25 16:00 . 2005-07-09 09:57 505551 -c--a-w- c:\program files\AIM95.HLP
2004-08-28 01:29 . 2005-07-09 09:57 1935 -c--a-w- c:\program files\icbmftvc.lst
2004-08-18 20:56 . 2005-07-09 09:57 372736 -c--a-w- c:\program files\softokn3.dll
2004-08-18 20:56 . 2005-07-09 09:57 110592 -c--a-w- c:\program files\ssl3.dll
2004-08-18 20:56 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\smime3.dll
2004-08-18 20:56 . 2005-07-09 09:57 348160 -c--a-w- c:\program files\nss3.dll
2004-07-29 21:03 . 2005-07-09 09:57 98304 -c--a-w- c:\program files\sb.dll
2004-07-22 17:43 . 2005-07-09 09:57 106496 -c--a-w- c:\program files\CoolPeer.dll
2004-07-22 17:43 . 2005-07-09 09:57 3584 -c--a-w- c:\program files\CoolSos.dll
2004-07-22 17:43 . 2005-07-09 09:57 184320 -c--a-w- c:\program files\CoolBos.dll
2004-07-22 17:43 . 2005-07-09 09:57 114688 -c--a-w- c:\program files\CoolBucky.dll
2004-07-22 17:43 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\CoolHttp.dll
2004-07-22 17:43 . 2005-07-09 09:57 57344 -c--a-w- c:\program files\CoolSecNss.dll
2004-07-22 17:42 . 2005-07-09 09:57 73728 -c--a-w- c:\program files\CoolSocket.dll
2004-07-22 17:42 . 2005-07-09 09:57 8192 -c--a-w- c:\program files\Xptl.dll
2004-07-22 17:41 . 2005-07-09 09:57 13824 -c--a-w- c:\program files\Xpcs.dll
2004-07-22 17:41 . 2005-07-09 09:57 135168 -c--a-w- c:\program files\Xprt.dll
2004-05-19 00:55 . 2005-07-09 09:57 81920 -c--a-w- c:\program files\xmltok.dll
2004-05-19 00:55 . 2005-07-09 09:57 53248 -c--a-w- c:\program files\xmlparse.dll
2004-04-16 23:27 . 2005-07-09 09:57 94208 -c--a-w- c:\program files\jgtktlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jgsetlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 65536 -c--a-w- c:\program files\jgattlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 61440 -c--a-w- c:\program files\jgedtlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs6tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 40960 -c--a-w- c:\program files\jgs2tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 36864 -c--a-w- c:\program files\jga1tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs7tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 32768 -c--a-w- c:\program files\jgs3tlk.dll
2004-04-16 23:27 . 2005-07-09 09:57 45056 -c--a-w- c:\program files\jga0tlk.dll
2004-01-09 17:38 . 2005-07-09 09:57 28672 -c--a-w- c:\program files\plc4.dll
2004-01-09 17:38 . 2005-07-09 09:57 24576 -c--a-w- c:\program files\plds4.dll
2004-01-09 17:38 . 2005-07-09 09:57 159744 -c--a-w- c:\program files\nspr4.dll
2003-10-15 00:27 . 2005-07-09 09:57 2486 -c--a-w- c:\program files\netwait.odl
2003-10-15 00:27 . 2005-07-09 09:57 2670 -c--a-w- c:\program files\aim.odl
2003-01-06 22:41 . 2005-07-09 09:57 1457 -c--a-w- c:\program files\rvappstm.lst
2002-08-03 00:40 . 2005-07-09 09:57 364544 -c--a-w- c:\program files\dBenderC.dll
2007-08-25 03:52 . 2008-01-05 11:46 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-08-01 02:11 7260160 -c--a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound Pilot"="c:\program files\Sound Pilot\SndPilot.exe" [2003-10-26 544256]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-03-07 3558136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-6-24 372736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-4-3 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-03-30 19:06 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\Mirc\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56474:TCP"= 56474:TCP:Pando Media Booster
"56474:UDP"= 56474:UDP:Pando Media Booster

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/13/2005 12:07 PM 17792]
S1 rxp;rxp;\??\c:\windows\system32\drivers\rxp.sys --> c:\windows\system32\drivers\rxp.sys [?]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149864]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [6/24/2005 9:47 PM 386816]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/28/2008 11:57 AM 99376]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ben Chao.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2010-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uInternet Settings,ProxyServer = proxy.ucr.edu:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Ben Chao\Application Data\Mozilla\Firefox\Profiles\ufr54780.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npcdp32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\windows live\messenger\msnmsgr .exe
HKCU-Run-appreg70700.exe - c:\documents and settings\Ben Chao\Application Data\C24C80B8C92B382F904356C0D39AD241\appreg70700.exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKCU-Run-appreg70700 .exe - c:\documents and settings\ben chao\application data\c24c80b8c92b382f904356c0d39ad241\appreg70700 .exe
HKLM-Run-POEngine - (no file)
HKLM-Run-Adobe_Reader - c:\program files\internet explorer\wmpscfgs.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-24 09:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1343024091-1682526488-2146916019-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,7d,a0,7a,56,b6,1d,82,d2,7a,ba,0e,ee,91,81,9c,bd,44,17,53,0b,7b,f5,
d9,be,fb,52,bf,ad,cc,72,22,7b,a0,df,53,cd,c9,6a,4e,36,f9,58,cd,b3,a6,00,6f,\
"??"=hex:ae,f2,bc,ca,c9,03,a4,07,7b,f5,f9,c8,3b,f1,90,9d

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-04-24 09:33:07
ComboFix-quarantined-files.txt 2010-04-24 16:33
ComboFix2.txt 2010-04-23 17:23
ComboFix3.txt 2010-04-22 00:48
ComboFix4.txt 2010-04-21 01:21
ComboFix5.txt 2010-04-24 16:15

Pre-Run: 2,822,963,200 bytes free
Post-Run: 2,768,793,600 bytes free

- - End Of File - - 84A69548581DB854528A3A65EF9D033F