
HTTP Tidserv request & Tidserv request 2 infection


  • This topic is locked
16 replies to this topic

#1 Imasillyboy

Imasillyboy

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:56 PM

Posted 13 April 2010 - 05:36 AM

Hi, Firstly thank you for all this stuff you do to help us out. I have used (read) this board to resolve PC issues very successfully in the past. BUT today I seem to have a real problem - Norton AV is reporting "Risk Name: HTTP Tidserv request 2" and "Risk Name: HTTP Tidserv request". Obviously I need to get this thing out.

I've followed the thread Might have a TDL3 virus discussing how to resolve this and followed the listed actions.

Quick note of what I did
1 - Recovery is already running
2 - Ran OTL (per instructions in above thread) - I've attached the log
3 - Ran Defogger
4 - Ran ComboFix (renamed to brc0488CF.exe) - realised after I hadn't turned off Norton - I've attached the 1st log "brc0488cf 1st run"
5 - Disconnected from the network & Turned Off Norton Virus and Firewall.
6 - Ran ComboFix again - attached is the 2nd log "brc0488cf 2nd run"
7 - Enabled Norton again, connected to network
8 - Tried to restart Firefox and got a message that a registry item marked for deletion was attempted to be modified? Firefox did not start.
9 - rebooted the computer.
10 - restarted firefox (was slow in coming up)
11 - Still getting warnings from Norton

This is obviously a tough one... Please Help

I'm willing to reformat etc, but only if its the "final solution"
Many thanks
Robert

EDIT - I can't see the files I uploaded? Will try again..
Oh I see how it works now

Attached File  OTL.Txt   84.23KB   6 downloads

Attached File  Extras.Txt   31.74KB   3 downloads

Attached File  brc0488cf_1st_run.txt.log   42.66KB   10 downloads

Attached File  brc0488cf_2nd_run.txt   42.76KB   6 downloads




Just following up
I can't get GMER to complete a scan. The PC blue screens at some stage. Tried in safe mode as well.

GMER goes for a very long time, I have lots of pictures and audio files it scans through. Is there a way to exclude these directories or is that a bad idea?

I have managed to capture this at the start up

---------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-13 14:31:13
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\rotayl\AppData\Local\Temp\uwrorpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 86739AC8

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

EDIT: Added info contained in second post to thread ~ Hamluis.

Edited by hamluis, 13 April 2010 - 12:40 PM.




#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:56 AM

Posted 17 April 2010 - 07:43 AM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found in the link below. Since you had issues with GMER before, try running it with only the "sections" and "files" tabs in safe mode.

How to create a GMER log


In your reply, please post both OTL logs and the GMER log. Please copy and paste the contents directly into your reply instead of attaching. Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
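The OTL custom scan in the post above asks for the MD5 of every common storage miniport driver (iaStor.sys, nvstor.sys, atapi.sys and the rest of the /md5start list) because the TDL3/Tidserv family patches one of these drivers in place, which is also what the GMER line "File C:\Windows\system32\drivers\iaStor.sys suspicious modification" in the first post points at. The following is an added example, not code from this thread, from OTL or from GMER, that performs the same comparison in Python: hash each listed driver in a live drivers directory and compare it against a reference copy. The directory layout and the driver bytes are constructed for the demo (the "patched" iaStor.sys keeps the clean file's size, so a size-only check would miss it); `compare_drivers` is the function a practitioner would point at a real drivers directory and at known-clean copies taken from installation media or a driver package.

```python
"""Compare hashes of boot-critical storage drivers against reference copies.

Added example: automates the check behind OTL's /md5start ... /md5stop list.
Driver names are taken from the list posted in the thread; everything else
(directory layout, file contents) is constructed sample data for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Subset of the storage drivers named in the OTL custom scan above.
STORAGE_DRIVERS = ["iaStor.sys", "nvstor.sys", "atapi.sys", "iastorv.sys", "ahcix86.sys"]


def file_hashes(path: Path) -> dict:
    """MD5 (what OTL reports) and SHA-256 (what you should actually compare) of one file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": path.stat().st_size}


def compare_drivers(live_dir, reference_dir, names=STORAGE_DRIVERS) -> dict:
    """Return {driver name: status}.

    'ok'           live file hashes identical to the reference copy
    'MODIFIED'     hashes differ: the driver was altered on disk
    'missing-live' driver not present on this machine (normal; most boxes have one or two)
    'no-reference' installed, but no clean copy was supplied to compare against
    """
    results = {}
    for name in names:
        live, ref = Path(live_dir) / name, Path(reference_dir) / name
        if not live.exists():
            results[name] = "missing-live"
            continue
        if not ref.exists():
            results[name] = "no-reference"
            continue
        results[name] = "ok" if file_hashes(live)["sha256"] == file_hashes(ref)["sha256"] else "MODIFIED"
    return results


def build_demo_tree(root) -> tuple:
    """Constructed sample data: a 'live' drivers directory whose iaStor.sys has
    bytes overwritten in the middle (same size as the clean file), plus a
    'reference' directory holding clean copies. Not real driver binaries."""
    live = Path(root) / "live" / "drivers"
    ref = Path(root) / "ref" / "drivers"
    live.mkdir(parents=True)
    ref.mkdir(parents=True)

    clean_iastor = b"MZ" + b"\x00" * 1022 + b"constructed-clean-iastor-body"
    patched = bytearray(clean_iastor)
    patched[600:616] = b"X" * 16          # in-place patch, file size unchanged
    (ref / "iaStor.sys").write_bytes(clean_iastor)
    (live / "iaStor.sys").write_bytes(bytes(patched))

    for name in ("atapi.sys", "nvstor.sys"):   # untouched drivers: identical in both trees
        body = b"MZ" + name.encode() * 50
        (ref / name).write_bytes(body)
        (live / name).write_bytes(body)
    return live, ref


def run_demo() -> dict:
    """Build the constructed tree and run the comparison over it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, ref = build_demo_tree(tmp)
        return compare_drivers(live, ref)


if __name__ == "__main__":
    for driver, status in run_demo().items():
        print(f"{driver:14s} {status}")
```

Two caveats a practitioner would want. A reference hash is only as good as its source, so take the clean copy from media you trust, not from another directory on the suspect machine. And a hash computed on the running, infected system can be lied to: a rootkit that filters disk I/O can hand the original bytes to any user-mode reader of the file, which is why the helpers here ask for a GMER scan alongside the MD5 list; for a trustworthy result, run the comparison against the drive from a clean boot environment.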
 


#3 Imasillyboy

Imasillyboy
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:56 PM

Posted 18 April 2010 - 06:52 PM

Hi etavares,
Thank you for helping me out with this.

Ran OTL log (below) but it didn't produce the second file (Extras) like the first time?

Also GMER ran without problem using standard settings. Though it did take about 4 hours to complete.



--------------------------------------------------------------------GMER Log --------------------------------------------------------------------------

OTL logfile created on: 18/04/2010 20:04:21 - Run 3
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Users\rotayl\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 48.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 919.55 Gb Total Space | 339.29 Gb Free Space | 36.90% Space Free | Partition Type: NTFS
Drive D: | 11.96 Gb Total Space | 1.62 Gb Free Space | 13.53% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 77.74 Gb Free Space | 8.35% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: REDRAT-TV
Current User Name: rotayl
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/18 20:02:00 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\rotayl\Desktop\OTL.exe
PRC - [2010/04/11 19:26:36 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/01/29 23:20:26 | 000,112,208 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
PRC - [2010/01/27 13:30:16 | 001,312,848 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointP\SetPoint.exe
PRC - [2010/01/02 03:33:55 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
PRC - [2009/09/24 02:16:34 | 001,949,765 | ---- | M] (Informer Technologies, Inc.) -- C:\Program Files\Software Informer\softinfo.exe
PRC - [2009/07/25 01:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
PRC - [2009/04/11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/04/11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\conime.exe
PRC - [2009/01/31 05:45:14 | 003,399,727 | ---- | M] (FreeDownloadManager.ORG) -- C:\Program Files\Free Download Manager\fdm.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/11/03 19:21:18 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/11/03 19:21:16 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/03/31 23:00:34 | 005,369,856 | ---- | M] (Realtek Semiconductor) -- C:\WINDOWS\RtHDVCpl.exe
PRC - [2007/08/22 18:35:40 | 000,439,632 | ---- | M] (ACD Systems, Ltd.) -- C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
PRC - [2007/05/29 15:19:06 | 000,198,240 | ---- | M] () -- c:\hp\HPEZBTN\HPBtnSrv.exe
PRC - [2007/04/18 17:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
PRC - [2007/02/15 13:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe


========== Modules (SafeList) ==========

MOD - [2010/04/18 20:02:00 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\rotayl\Desktop\OTL.exe
MOD - [2009/04/11 08:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/01/29 23:17:14 | 000,292,944 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2010/01/02 03:33:55 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2009/09/25 03:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/25 01:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/11/03 19:21:18 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/02/03 12:00:00 | 000,129,992 | ---- | M] (EasyBits Sofware AS) [Auto | Running] -- C:\WINDOWS\System32\ezsvc7.dll -- (ezSharedSvc)
SRV - [2008/01/21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/29 15:19:06 | 000,198,240 | ---- | M] () [Auto | Running] -- c:\hp\HPEZBTN\HPBtnSrv.exe -- (HPBtnSrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cndt


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.0.7
FF - prefs.js..extensions.enabledItems: fdm_ffext@freedownloadmanager.org:1.3.4
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.14
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {4C0766D3-67A7-45a3-85A2-752F77312F32}:4.0
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.5.1
FF - prefs.js..extensions.enabledItems: spellbound@sourceforge.net:3.0.6


FF - HKLM\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/18 01:03:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/15 09:20:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/15 09:20:30 | 000,000,000 | ---D | M]

[2009/08/25 00:09:30 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Mozilla\Extensions
[2010/04/18 01:44:55 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Rob\extensions
[2009/10/30 13:33:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Rob\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/18 01:44:53 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Rob\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2010/04/18 01:18:08 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\extensions
[2010/04/12 16:02:45 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/10/31 00:28:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/13 21:54:07 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2010/04/18 15:34:45 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\RobTay\extensions
[2009/10/30 13:26:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\RobTay\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/18 15:34:44 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\RobTay\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/10/30 00:42:34 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\scqmtrkh.default\extensions
[2009/10/30 00:42:31 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\scqmtrkh.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/09/01 17:39:48 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\scqmtrkh.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/10/30 00:42:31 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\scqmtrkh.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/10/29 21:57:09 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\scqmtrkh.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/08/25 00:14:30 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\scqmtrkh.default\extensions\spellbound@sourceforge.net
[2010/04/18 01:02:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/30 14:44:08 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll
[2010/04/11 19:26:39 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/04/11 19:26:39 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/11 19:26:39 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/11 19:26:39 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/18 23:41:30 | 000,000,761 | ---- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (AOL Toolbar BHO) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000..\Run: [Device Detector] File not found
O4 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)
O4 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000..\Run: [Software Informer] C:\Program Files\Software Informer\softinfo.exe (Informer Technologies, Inc.)
O4 - Startup: C:\Users\rotayl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunes.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html ()
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\img24.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/02 13:25:56 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{e76dcbf1-9102-11de-9fc5-00221525c441}\Shell\AutoRun\command - "" = L:\WDSetup.exe -- File not found
O33 - MountPoints2\L\Shell\AutoRun\command - "" = L:\WDSetup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\WINDOWS\System32\ias [2008/01/21 04:34:27 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: ezSharedSvc - C:\WINDOWS\System32\ezsvc7.dll (EasyBits Sofware AS)

MsConfig - State: "services" - 0

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.divxa32 - C:\Windows\System32\divxa32.acm (Kristal StudioDFileDescription)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\Windows\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: VIDC.ACDV - ACDV.dll File not found
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.ffds - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.XVID - C:\Windows\System32\xvidvfw.dll ()
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/04/18 20:00:29 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Users\rotayl\Desktop\OTL.exe
[2010/04/15 09:22:38 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/15 09:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/15 09:22:36 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/15 09:20:00 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/15 09:17:57 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/15 09:17:54 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/14 20:44:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/04/14 20:44:03 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/13 12:08:12 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Local\temp
[2010/04/13 12:07:43 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/13 11:59:05 | 000,000,000 | ---D | C] -- C:\brc0488cf24018b
[2010/04/13 11:58:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/04/13 10:51:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/04/13 10:51:50 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/04/13 10:51:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/04/13 10:51:33 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/04/13 10:51:32 | 000,000,000 | ---D | C] -- C:\brc0488cf
[2010/04/13 10:50:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/12 17:52:31 | 000,000,000 | ---D | C] -- C:\Users\rotayl\Documents\AVS4YOU
[2010/04/12 17:38:57 | 000,000,000 | ---D | C] -- C:\ProgramData\AVS4YOU
[2010/04/12 17:38:55 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\AVS4YOU
[2010/04/12 17:37:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia
[2010/04/12 17:36:28 | 000,000,000 | ---D | C] -- C:\Program Files\AVS4YOU
[2010/04/12 16:39:16 | 000,000,000 | ---D | C] -- C:\Program Files\MOV to AVI MPEG WMV Converter
[2010/04/12 15:48:20 | 000,000,000 | ---D | C] -- C:\ProgramData\NCH Swift Sound
[2010/04/12 15:48:14 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Swift Sound
[2010/04/12 15:48:13 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\NCH Software
[2010/04/12 15:48:01 | 000,000,000 | ---D | C] -- C:\ProgramData\NCH Software
[2010/04/12 15:47:50 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Software
[2010/04/11 11:39:01 | 000,000,000 | ---D | C] -- C:\Program Files\File Renamer
[2010/04/11 11:27:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/04/10 15:38:29 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\SecondLife
[2010/04/10 15:38:29 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Local\SecondLife
[2010/04/10 15:37:11 | 000,000,000 | ---D | C] -- C:\Program Files\SecondLifeViewer2
[2010/04/10 13:30:29 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\Super Flexible File Synchronizer
[2010/04/10 13:29:38 | 000,000,000 | ---D | C] -- C:\ProgramData\SuperFlexibleSynchronizer
[2010/04/10 13:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\SuperFlexible
[2010/04/10 11:31:56 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\Leadertech
[2010/04/10 11:31:36 | 000,016,400 | ---- | C] (Logitech, Inc.) -- C:\Windows\System32\drivers\LNonPnP.sys
[2010/04/10 11:30:30 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\LogiShrd
[2010/04/10 11:29:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Logishrd
[2010/04/10 11:29:50 | 000,000,000 | ---D | C] -- C:\Program Files\Logitech
[2010/04/10 11:29:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LogiShrd
[2010/04/10 11:29:09 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\Logitech
[2010/04/10 11:29:09 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\Logishrd
[2010/04/10 11:19:20 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Roaming\ACD Systems
[2010/04/10 11:19:20 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Local\ACD Systems
[2010/04/10 11:17:28 | 000,000,000 | ---D | C] -- C:\ProgramData\ACD Systems
[2010/04/10 11:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ACD Systems
[2010/04/10 11:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\ACD Systems
[2010/04/10 11:14:52 | 000,000,000 | ---D | C] -- C:\Users\rotayl\AppData\Local\Downloaded Installations
[2009/09/21 13:14:13 | 084,569,328 | ---- | C] (Symantec Corporation) -- C:\Users\rotayl\NIS10FDEN.exe

========== Files - Modified Within 14 Days ==========

[2010/04/18 20:04:05 | 001,835,008 | -HS- | M] () -- C:\Users\rotayl\NTUSER.DAT
[2010/04/18 20:02:00 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\rotayl\Desktop\OTL.exe
[2010/04/18 19:02:19 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/18 19:02:19 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/18 10:48:58 | 001,894,750 | ---- | M] () -- C:\Windows\System32\drivers\N360\0308000.029\Cat.DB
[2010/04/18 01:08:06 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/18 01:08:06 | 000,599,942 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/18 01:08:06 | 000,105,448 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/18 01:05:20 | 000,031,966 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/18 01:02:02 | 000,031,966 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/18 01:02:02 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/18 01:01:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/18 01:01:51 | 3488,849,920 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/15 10:58:48 | 000,524,288 | -HS- | M] () -- C:\Users\rotayl\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/04/15 10:58:48 | 000,065,536 | -HS- | M] () -- C:\Users\rotayl\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/04/15 10:06:03 | 002,627,797 | -H-- | M] () -- C:\Users\rotayl\AppData\Local\IconCache.db
[2010/04/15 09:23:30 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/15 09:20:10 | 000,001,688 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/14 20:44:08 | 000,001,017 | ---- | M] () -- C:\Users\rotayl\Desktop\Spybot - Search & Destroy.lnk
[2010/04/14 02:09:05 | 000,525,824 | ---- | M] () -- C:\Users\rotayl\Desktop\dds.scr
[2010/04/13 17:53:12 | 000,016,400 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\drivers\LNonPnP.sys
[2010/04/13 17:52:45 | 622,688,128 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/13 12:05:45 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/04/13 10:39:05 | 003,913,715 | R--- | M] () -- C:\Users\rotayl\Desktop\brc0488cf.exe
[2010/04/13 10:31:04 | 000,000,000 | ---- | M] () -- C:\Users\rotayl\defogger_reenable
[2010/04/13 10:30:25 | 000,050,477 | ---- | M] () -- C:\Users\rotayl\Desktop\Defogger.exe
[2010/04/13 09:46:10 | 000,284,915 | ---- | M] () -- C:\Users\rotayl\Desktop\gmer.zip
[2010/04/13 09:28:47 | 000,000,036 | ---- | M] () -- C:\Users\rotayl\AppData\Local\housecall.guid.cache
[2010/04/13 08:54:43 | 000,000,850 | ---- | M] () -- C:\Users\rotayl\Desktop\Firefox - Robert.lnk
[2010/04/13 08:52:50 | 000,001,726 | ---- | M] () -- C:\Users\Public\Desktop\Firefox - GENERAL.lnk
[2010/04/13 08:47:01 | 000,314,544 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/12 17:38:47 | 000,076,504 | ---- | M] () -- C:\Users\rotayl\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/12 17:38:33 | 000,001,048 | ---- | M] () -- C:\Users\rotayl\Desktop\AVS4YOU Software Navigator.lnk
[2010/04/12 17:37:26 | 000,000,956 | ---- | M] () -- C:\Users\rotayl\Desktop\AVS Video Editor 4.lnk
[2010/04/12 16:39:18 | 000,000,924 | ---- | M] () -- C:\Users\Public\Desktop\MOV to AVI MPEG WMV Converter.lnk
[2010/04/12 15:48:41 | 000,000,919 | ---- | M] () -- C:\Users\Public\Desktop\Pixillion Image Converter.lnk
[2010/04/12 15:48:26 | 000,000,877 | ---- | M] () -- C:\Users\Public\Desktop\Debut Video Capture Software.lnk
[2010/04/12 15:48:19 | 000,000,882 | ---- | M] () -- C:\Users\Public\Desktop\NCH Toolbox.lnk
[2010/04/12 15:48:16 | 000,000,901 | ---- | M] () -- C:\Users\Public\Desktop\VideoPad Video Editor.lnk
[2010/04/12 15:47:50 | 000,000,863 | ---- | M] () -- C:\Users\Public\Desktop\Prism Video Converter.lnk
[2010/04/11 11:39:07 | 000,120,576 | ---- | M] () -- C:\Windows\File Renamer - Basic Uninstaller.exe
[2010/04/11 11:39:04 | 000,000,809 | ---- | M] () -- C:\Users\rotayl\Desktop\FileRenamer.lnk
[2010/04/11 09:29:11 | 000,588,472 | ---- | M] (EasyBits Software AS) -- C:\Windows\System32\ezsvc7x.dll
[2010/04/11 09:28:15 | 000,002,102 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2010/04/10 15:37:47 | 000,000,891 | ---- | M] () -- C:\Users\Public\Desktop\Second Life Viewer 2.lnk
[2010/04/10 14:16:02 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\N360\0308000.029\isolate.ini
[2010/04/10 11:20:17 | 000,179,200 | ---- | M] () -- C:\Users\rotayl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/10 11:17:41 | 000,002,088 | ---- | M] () -- C:\Users\Public\Desktop\ACDSee 10 Photo Manager.lnk

========== Files Created - No Company Name ==========

[2010/04/15 09:23:30 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/15 09:20:10 | 000,001,688 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/14 20:44:08 | 000,001,017 | ---- | C] () -- C:\Users\rotayl\Desktop\Spybot - Search & Destroy.lnk
[2010/04/14 02:09:03 | 000,525,824 | ---- | C] () -- C:\Users\rotayl\Desktop\dds.scr
[2010/04/13 13:12:30 | 3488,849,920 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/13 10:51:50 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/04/13 10:51:50 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/04/13 10:51:50 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/04/13 10:51:50 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/04/13 10:51:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/04/13 10:34:37 | 003,913,715 | R--- | C] () -- C:\Users\rotayl\Desktop\brc0488cf.exe
[2010/04/13 10:31:04 | 000,000,000 | ---- | C] () -- C:\Users\rotayl\defogger_reenable
[2010/04/13 10:30:21 | 000,050,477 | ---- | C] () -- C:\Users\rotayl\Desktop\Defogger.exe
[2010/04/13 09:47:20 | 000,293,376 | ---- | C] () -- C:\Users\rotayl\Desktop\gmer.exe
[2010/04/13 09:46:10 | 000,284,915 | ---- | C] () -- C:\Users\rotayl\Desktop\gmer.zip
[2010/04/13 09:28:47 | 000,000,036 | ---- | C] () -- C:\Users\rotayl\AppData\Local\housecall.guid.cache
[2010/04/12 17:38:18 | 000,001,048 | ---- | C] () -- C:\Users\rotayl\Desktop\AVS4YOU Software Navigator.lnk
[2010/04/12 17:37:26 | 000,000,956 | ---- | C] () -- C:\Users\rotayl\Desktop\AVS Video Editor 4.lnk
[2010/04/12 16:39:18 | 000,028,672 | ---- | C] () -- C:\Windows\System32\AVEQT.dll
[2010/04/12 16:39:18 | 000,000,924 | ---- | C] () -- C:\Users\Public\Desktop\MOV to AVI MPEG WMV Converter.lnk
[2010/04/12 15:48:41 | 000,000,919 | ---- | C] () -- C:\Users\Public\Desktop\Pixillion Image Converter.lnk
[2010/04/12 15:48:26 | 000,000,877 | ---- | C] () -- C:\Users\Public\Desktop\Debut Video Capture Software.lnk
[2010/04/12 15:48:19 | 000,000,882 | ---- | C] () -- C:\Users\Public\Desktop\NCH Toolbox.lnk
[2010/04/12 15:48:16 | 000,000,901 | ---- | C] () -- C:\Users\Public\Desktop\VideoPad Video Editor.lnk
[2010/04/12 15:47:50 | 000,000,863 | ---- | C] () -- C:\Users\Public\Desktop\Prism Video Converter.lnk
[2010/04/11 11:39:04 | 000,000,809 | ---- | C] () -- C:\Users\rotayl\Desktop\FileRenamer.lnk
[2010/04/11 11:39:03 | 000,120,576 | ---- | C] () -- C:\Windows\File Renamer - Basic Uninstaller.exe
[2010/04/11 11:14:24 | 000,031,966 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/04/11 09:45:18 | 000,031,966 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/04/10 15:37:47 | 000,000,891 | ---- | C] () -- C:\Users\Public\Desktop\Second Life Viewer 2.lnk
[2010/04/10 11:17:41 | 000,002,088 | ---- | C] () -- C:\Users\Public\Desktop\ACDSee 10 Photo Manager.lnk
[2009/09/10 20:17:56 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/08 17:40:50 | 000,026,624 | ---- | C] () -- C:\Windows\System32\VNCpm.dll
[2009/08/25 13:10:42 | 000,179,200 | ---- | C] () -- C:\Users\rotayl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/25 00:50:54 | 000,000,680 | ---- | C] () -- C:\Users\rotayl\AppData\Local\d3d9caps.dat
[2009/08/24 23:52:33 | 001,835,008 | -HS- | C] () -- C:\Users\rotayl\NTUSER.DAT
[2009/08/24 23:52:33 | 000,524,288 | -HS- | C] () -- C:\Users\rotayl\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
[2009/08/24 23:52:33 | 000,524,288 | -HS- | C] () -- C:\Users\rotayl\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/08/24 23:52:33 | 000,262,144 | -H-- | C] () -- C:\Users\rotayl\ntuser.dat.LOG1
[2009/08/24 23:52:33 | 000,065,536 | -HS- | C] () -- C:\Users\rotayl\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/08/24 23:52:33 | 000,000,020 | -HS- | C] () -- C:\Users\rotayl\ntuser.ini
[2009/08/24 23:52:33 | 000,000,000 | -H-- | C] () -- C:\Users\rotayl\ntuser.dat.LOG2
[2008/09/02 22:57:03 | 000,066,048 | ---- | C] () -- C:\Windows\System32\hcwxds.dll
[2008/09/02 13:07:26 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
[2008/09/02 13:07:26 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
[2008/06/12 21:36:38 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/04/12 08:41:20 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008/04/12 08:30:20 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2007/06/08 19:44:54 | 000,163,840 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2007/02/05 21:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2006/11/02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2010/04/10 11:19:20 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\ACD Systems
[2010/04/18 20:04:10 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Free Download Manager
[2009/09/02 11:00:16 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Helios
[2010/04/10 11:31:56 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Leadertech
[2010/04/10 15:42:52 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\SecondLife
[2010/04/18 18:44:38 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Software Informer
[2010/04/14 03:53:07 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Super Flexible File Synchronizer
[2009/08/25 08:00:48 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\Sync App Settings
[2009/09/09 11:48:51 | 000,000,000 | ---D | M] -- C:\Users\rotayl\AppData\Roaming\WinBatch
[2010/04/15 10:58:50 | 000,022,912 | ---- | M] () -- C:\WINDOWS\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 13:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\System32\dxtmsft.dll
[2009/03/08 13:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\System32\dxtrans.dll
[2009/04/11 08:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\System32\rsaenh.dll
[2009/04/11 08:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/21 04:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\WINDOWS\ERDNT\cache\AGP440.sys
[2008/01/21 04:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\WINDOWS\System32\drivers\AGP440.sys
[2008/01/21 04:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\WINDOWS\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/21 04:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\WINDOWS\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/21 04:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\WINDOWS\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/21 04:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\WINDOWS\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 11:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\WINDOWS\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 08:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 08:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 04:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/01/21 04:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\WINDOWS\System32\drivers\atapi.sys
[2008/01/21 04:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 04:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\WINDOWS\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 11:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\WINDOWS\ERDNT\cache\cngaudit.dll
[2006/11/02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\WINDOWS\System32\cngaudit.dll
[2006/11/02 11:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2007/01/12 22:30:08 | 000,007,216 | ---- | M] () MD5=C2A279A458A06DE2C83D842AA042B5A8 -- C:\Program Files\CyberLink\PowerDirector\EventLog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\hp\DRIVERS\Intel_RAID\iastor.sys
[2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys
[2007/07/12 18:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\System32\DriverStore\FileRepository\iastor.inf_ec8a8d1b\iaStor.sys
[2008/11/03 18:56:40 | 000,327,192 | ---- | M] (Intel Corporation) MD5=37769C28E1C6489C56E41DB7A32D58C5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2008/11/03 18:56:40 | 000,327,192 | ---- | M] (Intel Corporation) MD5=37769C28E1C6489C56E41DB7A32D58C5 -- C:\WINDOWS\System32\drivers\iaStor.sys
[2008/11/03 18:56:40 | 000,327,192 | ---- | M] (Intel Corporation) MD5=37769C28E1C6489C56E41DB7A32D58C5 -- C:\WINDOWS\System32\DriverStore\FileRepository\iastor.inf_29dfb0d5\iaStor.sys
[2008/11/03 19:10:08 | 000,406,040 | ---- | M] (Intel Corporation) MD5=5979854E6FDA990107E3170327022117 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/21 04:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\WINDOWS\System32\drivers\iaStorV.sys
[2008/01/21 04:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\WINDOWS\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/21 04:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\WINDOWS\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 11:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\WINDOWS\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 08:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2009/04/11 08:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\WINDOWS\System32\netlogon.dll
[2009/04/11 08:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/21 04:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 11:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\WINDOWS\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/21 04:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\WINDOWS\System32\drivers\nvstor.sys
[2008/01/21 04:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\WINDOWS\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/21 04:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\WINDOWS\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/21 04:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 08:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2009/04/11 08:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\WINDOWS\System32\scecli.dll
[2009/04/11 08:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


--------------------------------------------------------------------GMER Log --------------------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-19 01:29:08
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\rotayl\AppData\Local\Temp\uwrorpob.sys


---- System - GMER 1.0.15 ----

SSDT 89BAB850 ZwAlertResumeThread
SSDT 89B581A0 ZwAlertThread
SSDT 89C70950 ZwAllocateVirtualMemory
SSDT 89C98868 ZwAlpcConnectPort
SSDT 89C3A110 ZwAssignProcessToJobObject
SSDT 89C90880 ZwCreateMutant
SSDT 89B526C0 ZwCreateSymbolicLinkObject
SSDT 89BC6EF0 ZwCreateThread
SSDT 89C36118 ZwDebugActiveProcess
SSDT 89C6FAB0 ZwDuplicateObject
SSDT 89C5E7F0 ZwFreeVirtualMemory
SSDT 89BD4108 ZwImpersonateAnonymousToken
SSDT 89BD2118 ZwImpersonateThread
SSDT 89A9E888 ZwLoadDriver
SSDT 89BCE158 ZwMapViewOfSection
SSDT 89BED118 ZwOpenEvent
SSDT 89C5BDF8 ZwOpenProcess
SSDT 89B3C4E8 ZwOpenProcessToken
SSDT 89B87118 ZwOpenSection
SSDT 89C5A648 ZwOpenThread
SSDT 89B516B0 ZwProtectVirtualMemory
SSDT 89B49600 ZwResumeThread
SSDT 89B99EC8 ZwSetContextThread
SSDT 89BFA780 ZwSetInformationProcess
SSDT 89C35E88 ZwSetSystemInformation
SSDT 89BEF118 ZwSuspendProcess
SSDT 89B9B110 ZwSuspendThread
SSDT 89B98738 ZwTerminateProcess
SSDT 89C05110 ZwTerminateThread
SSDT 89B48A18 ZwUnmapViewOfSection
SSDT 89C37E50 ZwWriteVirtualMemory
SSDT 89B52DB0 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 824E7880 8 Bytes [50, B8, BA, 89, A0, 81, B5, ...] {PUSH EAX; MOV EAX, 0x81a089ba; MOV CH, 0x89}
.text ntkrnlpa.exe!KeSetEvent + 131 824E7894 4 Bytes [50, 09, C7, 89]
.text ntkrnlpa.exe!KeSetEvent + 13D 824E78A0 4 Bytes [68, 88, C9, 89]
.text ntkrnlpa.exe!KeSetEvent + 191 824E78F4 4 Bytes [10, A1, C3, 89]
.text ntkrnlpa.exe!KeSetEvent + 1F5 824E7958 4 Bytes [80, 08, C9, 89]
.text ...
.rsrc C:\Windows\system32\drivers\ndis.sys entry point in ".rsrc" section [0x8B304014]
C:\Program Files\HP\DVDPlay\000.fcl entry point in "" section [0xA1988000]
.clc C:\Program Files\HP\DVDPlay\000.fcl unknown last section [0xA1989000, 0x1000, 0x00000000]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 779C4D34 5 Bytes JMP 0082000A
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtWriteVirtualMemory 779C5674 5 Bytes JMP 0083000A
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!KiUserExceptionDispatcher 779C5DC8 5 Bytes JMP 0081000A
.text C:\Windows\system32\svchost.exe[1068] ole32.dll!CoCreateInstance 76D59EA6 5 Bytes JMP 02A7000A
.text C:\Windows\explorer.exe[2528] ntdll.dll!NtProtectVirtualMemory 779C4D34 5 Bytes JMP 0169000A
.text C:\Windows\explorer.exe[2528] ntdll.dll!NtWriteVirtualMemory 779C5674 5 Bytes JMP 016A000A
.text C:\Windows\explorer.exe[2528] ntdll.dll!KiUserExceptionDispatcher 779C5DC8 5 Bytes JMP 0032000A
.text C:\Windows\Explorer.EXE[2612] ntdll.dll!NtProtectVirtualMemory 779C4D34 5 Bytes JMP 0169000A
.text C:\Windows\Explorer.EXE[2612] ntdll.dll!NtWriteVirtualMemory 779C5674 5 Bytes JMP 016A000A
.text C:\Windows\Explorer.EXE[2612] ntdll.dll!KiUserExceptionDispatcher 779C5DC8 5 Bytes JMP 0032000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!RtlEncodeSystemPointer + 873 7798938B 10 Bytes JMP 01F3003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtProtectVirtualMemory 779C4D34 5 Bytes JMP 0090000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtWriteVirtualMemory 779C5674 5 Bytes JMP 0091000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!KiUserExceptionDispatcher 779C5DC8 5 Bytes JMP 007E000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 86739AC8

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\ndis.sys suspicious modification
File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:56 AM

Posted 19 April 2010 - 05:57 PM

Hello, Imasillyboy.

Thanks for running the GMER log. It can take a while depending on your computer, but it's a very important tool. It also shows that you have a backdoor rootkit infection.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Step

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
TDL::
C:\Windows\system32\drivers\ndis.sys
Reg::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=0


Save this as CFScript.txt, in the same location as ComboFix.
Referring to the picture above, drag CFScript into ComboFix.exe (or what you named it)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
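As an added example, not part of this thread and not code from GMER or ComboFix: a small Python parser for the GMER 1.0.15 report format posted above. It pulls out the SSDT entries, the per-process inline JMP hooks, the drivers whose entry point GMER reports outside the code section, and the "suspicious modification" files, then intersects the last two, which in this log leaves only ndis.sys, the driver the CFScript's TDL:: line names. The sample log is a constructed excerpt of the one in the thread; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the GMER 1.0.15 report posted in the
# thread (a few representative lines, not the full log).
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-19 01:29:08

---- System - GMER 1.0.15 ----

SSDT 89BAB850 ZwAlertResumeThread
SSDT 89A9E888 ZwLoadDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 824E7880 8 Bytes [50, B8, BA, 89, A0, 81, B5, ...]
.rsrc C:\Windows\system32\drivers\ndis.sys entry point in ".rsrc" section [0x8B304014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 779C4D34 5 Bytes JMP 0082000A
.text C:\Windows\system32\svchost.exe[1068] ole32.dll!CoCreateInstance 76D59EA6 5 Bytes JMP 02A7000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!RtlEncodeSystemPointer + 873 7798938B 10 Bytes JMP 01F3003A

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\ndis.sys suspicious modification
File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# One regex per line shape GMER emits in the sections we care about.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT (?P<addr>[0-9A-F]+) (?P<func>Zw\w+)$")
ENTRY_POINT_RE = re.compile(
    r'^(?:\.(?P<section>\w+) )?(?P<image>.+?) entry point in "(?P<in>[^"]*)" '
    r"section \[0x(?P<addr>[0-9A-F]+)\]$"
)
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<symbol>\S+(?: \+ [0-9A-F]+)?) "
    r"(?P<addr>[0-9A-F]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]+)$"
)
SUSPICIOUS_FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


def parse_gmer(text):
    """Split a GMER 1.0.15 report into its findings, keyed by report section."""
    report = {
        "ssdt": [],              # hooked system service names
        "entry_points": [],      # (image, section the entry point lives in)
        "hooks": defaultdict(list),  # "image[pid]" -> [(symbol, size, target)]
        "suspicious_files": [],  # paths GMER flags as modified on disk
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                report["ssdt"].append(m.group("func"))
        elif section == "Kernel code sections":
            m = ENTRY_POINT_RE.match(line)
            if m:
                report["entry_points"].append((m.group("image"), m.group("in")))
        elif section == "User code sections":
            m = HOOK_RE.match(line)
            if m:
                proc = f"{m.group('image')}[{m.group('pid')}]"
                report["hooks"][proc].append(
                    (m.group("symbol"), int(m.group("size")), m.group("target"))
                )
        elif section == "Files":
            m = SUSPICIOUS_FILE_RE.match(line)
            if m:
                report["suspicious_files"].append(m.group("path"))
    report["hooks"] = dict(report["hooks"])
    return report


def tdl_candidates(report):
    """Drivers flagged both as 'suspicious modification' and with an entry point
    outside .text. In the thread's log that is exactly ndis.sys, the driver named
    on the CFScript's TDL:: line; iaStor.sys appears only in the Files section.
    This narrows the list for a responder; it does not replace their judgement."""
    odd = {img.casefold() for img, sect in report["entry_points"] if sect != ".text"}
    return [p for p in report["suspicious_files"] if p.casefold() in odd]


def summarize(report):
    """Plain-text summary a responder can paste into a reply."""
    lines = [f"SSDT entries: {len(report['ssdt'])}"]
    for proc, hooks in report["hooks"].items():
        lines.append(f"{proc}: {len(hooks)} inline hook(s)")
        for symbol, size, target in hooks:
            lines.append(f"    {symbol} -> JMP {target} ({size} bytes)")
    candidates = tdl_candidates(report)
    for path in report["suspicious_files"]:
        tag = "TDL candidate" if path in candidates else "modified"
        lines.append(f"{tag}: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_gmer(SAMPLE_LOG)))
```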
 


#5 Imasillyboy

Imasillyboy
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:56 PM

Posted 19 April 2010 - 07:26 PM

Hi etavares,

Ok, did as directed.
Ran the CFScript.txt.
Program ran for a while then said it was rebooting (but don't touch).
The PC rebooted into a recovery mode?
I was prompted to do recovery (which I did).
After some time the PC rebooted again.
And I logged on again.

I can not find any file called "C:\ComboFix.txt" !?!?

Though I did find a directory C:\ComboFix\ containing many files which seem to be new.

Many thanks again for your help
Rob

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:56 AM

Posted 19 April 2010 - 07:57 PM

ok, is there a TXT file in c:\qoobox\ with Combofix-Quarantined-Files? Can you please post any and all you find?

Please also re-run GMER...we need to verify it got the rootkit. I know it will take some time, but we do need to know we got it.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 Imasillyboy

Imasillyboy
  • Topic Starter

  • Members
  • 9 posts
  • Local time:04:56 PM

Posted 20 April 2010 - 10:01 AM

Hi etavares,

Yes there are some text files there as follows. I note that the file creation dates on these are 13/04/2010 (the date I tried to fix it by following another thread) and not the 20th when I ran to your instructions.

Apologies if I've mucked this up a bit.

Latest GMER log at the end.

ALSO - Is there a way to check to see if my other computer (LAPTOP and far more important data) is clean from this type of a problem? It is not showing any signs, but given the stealth capabilities of these how can I be sure?

Again, thanks for your help.
Rob

==============================================================
==== ComboFix-quarantined-files.txt ======================================
==============================================================

2010-04-13 09:08:53 . 2010-04-13 09:08:53 688 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-sp44626.reg.dat
2010-04-13 09:08:21 . 2010-04-13 09:08:21 309 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-HP Health Check Scheduler.reg.dat
2010-04-13 09:08:19 . 2010-04-13 09:08:19 155 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Canaveral.reg.dat
2010-04-13 09:08:19 . 2010-04-13 09:08:19 89 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-fsm.reg.dat
2010-04-13 09:03:25 . 2010-04-13 10:03:58 4,736 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-04-13 08:51:34 . 2010-04-13 09:59:51 124 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-04-13 06:52:32 . 2010-04-13 06:52:32 1,113 ----a-w- C:\Qoobox\Quarantine\C\Users\rotayl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk.vir
2010-04-12 15:35:29 . 2010-04-12 15:35:29 202,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\System32\sshnas21.dll.vir

==============================================================
==== ComboFix2.txt ================================================
==============================================================

ComboFix 10-04-12.04 - rotayl 13/04/2010 11:59:51.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.1688 [GMT 2:00]
Running from: c:\users\rotayl\Desktop\brc0488cf.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 10:05 . 2010-04-13 10:05 -------- d-----w- c:\users\rotayl\AppData\Local\temp
2010-04-13 10:05 . 2010-04-13 10:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-13 10:05 . 2010-04-13 10:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-13 10:05 . 2010-04-13 10:05 -------- d-----w- c:\users\boinc_master\AppData\Local\temp
2010-04-13 08:51 . 2010-04-13 09:09 -------- d-----w- C:\brc0488cf
2010-04-13 07:56 . 2010-02-12 16:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-04-13 06:47 . 2010-02-01 18:20 165240 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-04-13 01:13 . 2010-04-09 14:33 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVENG.SYS
2010-04-13 01:13 . 2010-04-09 14:33 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVENG32.DLL
2010-04-13 01:13 . 2010-04-09 14:33 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVEX32A.DLL
2010-04-13 01:13 . 2010-04-09 14:33 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVEX15.SYS
2010-04-13 01:12 . 2010-04-09 14:33 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\ERASER.SYS
2010-04-13 01:12 . 2010-04-09 14:33 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\EECTRL.SYS
2010-04-13 01:12 . 2010-04-09 14:33 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\CCERASER.DLL
2010-04-13 01:12 . 2010-04-09 14:33 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\ECMSVR32.DLL
2010-04-12 20:43 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSvix86.sys
2010-04-12 20:43 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\Scxpx86.dll
2010-04-12 20:43 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSxpx86.dll
2010-04-12 20:43 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSviA64.sys
2010-04-12 20:43 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSXpx86.sys
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\programdata\AVS4YOU
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\users\rotayl\AppData\Roaming\AVS4YOU
2010-04-12 15:37 . 2010-04-12 15:38 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-04-12 15:36 . 2010-04-12 15:38 -------- d-----w- c:\program files\AVS4YOU
2010-04-12 15:36 . 2008-07-17 14:25 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-04-12 15:36 . 2007-12-29 07:42 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-12 14:39 . 2006-09-26 11:57 28672 ----a-w- c:\windows\system32\AVEQT.dll
2010-04-12 14:39 . 2010-04-12 14:39 -------- d-----w- c:\program files\MOV to AVI MPEG WMV Converter
2010-04-12 13:52 . 2007-11-27 06:41 405504 ----a-w- c:\users\rotayl\AppData\Roaming\NCH Software\Components\mp3el2\lame.exe
2010-04-12 13:48 . 2010-04-12 13:48 -------- d-----w- c:\programdata\NCH Swift Sound
2010-04-12 13:48 . 2010-04-12 13:48 -------- d-----w- c:\program files\NCH Swift Sound
2010-04-12 13:48 . 2010-04-12 13:52 -------- d-----w- c:\users\rotayl\AppData\Roaming\NCH Software
2010-04-12 13:48 . 2010-04-13 08:12 -------- d-----w- c:\programdata\NCH Software
2010-04-12 13:47 . 2010-04-13 08:12 -------- d-----w- c:\program files\NCH Software
2010-04-11 09:39 . 2010-04-11 09:39 120576 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-04-11 09:39 . 2010-04-11 09:48 -------- d-----w- c:\program files\File Renamer
2010-04-11 07:46 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-11 07:40 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-04-11 07:40 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-04-11 07:40 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-10 13:38 . 2010-04-11 16:43 -------- d-----w- c:\users\rotayl\AppData\Local\SecondLife
2010-04-10 13:38 . 2010-04-10 13:42 -------- d-----w- c:\users\rotayl\AppData\Roaming\SecondLife
2010-04-10 13:37 . 2010-04-10 13:37 -------- d-----w- c:\program files\SecondLifeViewer2
2010-04-10 11:30 . 2010-04-10 11:30 -------- d-----w- c:\users\rotayl\AppData\Roaming\Super Flexible File Synchronizer
2010-04-10 11:29 . 2010-04-10 11:30 -------- d-----w- c:\programdata\SuperFlexibleSynchronizer
2010-04-10 11:29 . 2010-04-10 11:29 -------- d-----w- c:\program files\SuperFlexible
2010-04-10 09:43 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-04-10 09:43 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-04-10 09:43 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-04-10 09:43 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-04-10 09:43 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-04-10 09:43 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-04-10 09:43 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-04-10 09:43 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-04-10 09:43 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-04-10 09:42 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-04-10 09:42 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-04-10 09:35 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-10 09:32 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-10 09:32 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-10 09:31 . 2010-04-10 09:31 -------- d-----w- c:\users\rotayl\AppData\Roaming\Leadertech
2010-04-10 09:31 . 2010-04-10 09:31 53248 ----a-r- c:\users\rotayl\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-04-10 09:31 . 2010-04-10 09:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-04-10 09:29 . 2010-04-10 09:31 -------- d-----w- c:\programdata\Logishrd
2010-04-10 09:29 . 2010-04-10 09:30 -------- d-----w- c:\program files\Logitech
2010-04-10 09:29 . 2010-04-10 09:31 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-04-10 09:29 . 2010-04-10 09:35 -------- d-----w- c:\users\rotayl\AppData\Roaming\Logitech
2010-04-10 09:29 . 2010-04-10 09:29 -------- d-----w- c:\users\rotayl\AppData\Roaming\Logishrd
2010-04-10 09:26 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-10 09:25 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-04-10 09:25 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-10 09:25 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-10 09:25 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-10 09:24 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-04-10 09:24 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-10 09:24 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-04-10 09:24 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-04-10 09:24 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-04-10 09:24 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-04-10 09:24 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-04-10 09:24 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-04-10 09:24 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-04-10 09:24 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-10 09:24 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-10 09:19 . 2010-04-10 09:19 -------- d-----w- c:\users\rotayl\AppData\Local\ACD Systems
2010-04-10 09:19 . 2010-04-10 09:19 -------- d-----w- c:\users\rotayl\AppData\Roaming\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\programdata\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\program files\ACD Systems
2010-04-10 09:14 . 2010-04-10 09:14 -------- d-----w- c:\users\rotayl\AppData\Local\Downloaded Installations
2010-04-10 08:56 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-10 08:56 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-10 08:56 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-10 08:56 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-10 08:56 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 10:05 . 2009-09-15 11:02 -------- d-----w- c:\users\rotayl\AppData\Roaming\Free Download Manager
2010-04-13 08:10 . 2010-04-11 07:45 31966 ----a-w- c:\programdata\nvModes.dat
2010-04-13 04:02 . 2009-09-15 11:02 -------- d-----w- c:\users\rotayl\AppData\Roaming\Software Informer
2010-04-12 15:38 . 2009-08-24 21:57 76504 ----a-w- c:\users\rotayl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-12 14:02 . 2009-11-26 12:36 181096 ----a-w- c:\users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\FlashGot.exe
2010-04-11 09:27 . 2008-09-02 11:27 -------- d-----w- c:\program files\Common Files\Java
2010-04-11 09:26 . 2008-09-02 11:27 -------- d-----w- c:\program files\Java
2010-04-11 09:17 . 2008-09-02 11:18 -------- d-----w- c:\programdata\NVIDIA
2010-04-11 09:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-11 07:29 . 2008-09-02 11:32 588472 ----a-w- c:\windows\system32\ezsvc7x.dll
2010-04-11 07:25 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-10 10:21 . 2009-09-05 14:39 -------- d-----w- c:\program files\TagRename
2010-04-10 10:05 . 2009-11-20 11:37 36864 ----a-w- c:\programdata\Temp\{DCCAD079-F92C-44DA-B258-624FC6517A5A}\PostBuild.exe
2010-03-09 03:28 . 2009-08-24 22:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 06:39 . 2010-04-10 09:44 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-10 09:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-10 09:44 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-10 09:44 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-25 12:00 . 2010-04-10 09:44 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-04-10 09:44 471552 ----a-w- c:\windows\system32\secproc.dll
2008-06-30 12:44 . 2009-08-24 22:51 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-12-20 14:49 . 2009-08-25 04:17 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2008-09-02 20:56 . 2008-09-02 20:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Device Detector"="DevDetect.exe -autorun" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-31 3399727]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2009-09-24 1949765]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-31 5369856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-11-03 182808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13789728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6d,06,64,a5,87,35,ca,01

R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-03-26 21280]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-02 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-02 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-02 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100409.001\IDSvix86.sys [2009-10-28 343088]
S2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\DVDPlay\000.fcl [2008-03-11 41456]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-02 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-12-31 102448]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-03 1426304]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-11-10 40848]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-11-10 10384]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-02 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
FF - ProfilePath - c:\users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 12:05
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86715AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b79dd24
\Driver\ACPI -> acpi.sys @ 0x80691d68
\Driver\iaStor -> iastor.sys @ 0x82a4be3a
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\DVDPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,b4,34,5c,da,13,1a,48,af,3f,e9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,b4,34,5c,da,13,1a,48,af,3f,e9,\

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.032"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.amr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.amr"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ani"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.arw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bay"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bmp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bwf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bwf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.caf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.caf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cdda"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cel\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cel"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cr2"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.crw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cs1"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cur"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcr"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dib"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.djv"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.djvu"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dng"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.emf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.eps"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.erf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fff"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fpx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.gif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gsm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.gsm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.hdr"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icl"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icn"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ico"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iff"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ilbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.int"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.inta"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iw4"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2c"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2k"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jfif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jp2"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpc"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpe"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpeg"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpg"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpk"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.lbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m15\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m15"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m1a"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m2a"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m4p"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m4v"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m75\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m75"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mef"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mos"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mpv"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MRW\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mrw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.nef"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.orf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcd"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pct"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pef"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pgm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pic"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pics\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pics"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pict"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pix"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.png"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ppm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psd"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pspimage"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qcp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.qcp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qtpf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.qtpf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ras"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgb"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgba"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rle"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rsb"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sdv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sdv"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sfil\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sfil"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sgi"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.smf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sml"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sr2"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.srf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swa\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.swa"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tga"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.THM\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.thm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tiff"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttc"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ulw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ulw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10o\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10o"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10p"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10pf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10pf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vfw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.vfw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbmp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wmf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xmp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xpm"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1492)
c:\program files\Norton 360\Engine\3.8.0.41\ccVrTrst.dll
c:\program files\Norton 360\Engine\3.8.0.41\ccSet.dll
.
Completion time: 2010-04-13 12:08:09
ComboFix-quarantined-files.txt 2010-04-13 10:08
ComboFix2.txt 2010-04-13 09:09

Pre-Run: 256,635,174,912 bytes free
Post-Run: 256,598,446,080 bytes free

- - End Of File - - 3C23BC0073C187DF8ACF95DC92943142


==============================================================
==== ComboFix3.txt ================================================
==============================================================


ComboFix 10-04-12.04 - rotayl 13/04/2010 10:55:03.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.949 [GMT 2:00]
Running from: c:\users\rotayl\Desktop\brc0488cf.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\rotayl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
c:\windows\system32\sshnas21.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 07:56 . 2010-02-12 16:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-04-13 06:47 . 2010-02-01 18:20 165240 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-04-13 01:13 . 2010-04-09 14:33 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVENG.SYS
2010-04-13 01:13 . 2010-04-09 14:33 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVENG32.DLL
2010-04-13 01:13 . 2010-04-09 14:33 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVEX32A.DLL
2010-04-13 01:13 . 2010-04-09 14:33 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\NAVEX15.SYS
2010-04-13 01:12 . 2010-04-09 14:33 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\ERASER.SYS
2010-04-13 01:12 . 2010-04-09 14:33 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\EECTRL.SYS
2010-04-13 01:12 . 2010-04-09 14:33 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\CCERASER.DLL
2010-04-13 01:12 . 2010-04-09 14:33 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100412.033\ECMSVR32.DLL
2010-04-12 20:43 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSvix86.sys
2010-04-12 20:43 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\Scxpx86.dll
2010-04-12 20:43 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSxpx86.dll
2010-04-12 20:43 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSviA64.sys
2010-04-12 20:43 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSXpx86.sys
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\programdata\AVS4YOU
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\users\rotayl\AppData\Roaming\AVS4YOU
2010-04-12 15:37 . 2010-04-12 15:38 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-04-12 15:36 . 2010-04-12 15:38 -------- d-----w- c:\program files\AVS4YOU
2010-04-12 15:36 . 2008-07-17 14:25 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-04-12 15:36 . 2007-12-29 07:42 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-12 14:39 . 2006-09-26 11:57 28672 ----a-w- c:\windows\system32\AVEQT.dll
2010-04-12 14:39 . 2010-04-12 14:39 -------- d-----w- c:\program files\MOV to AVI MPEG WMV Converter
2010-04-12 13:52 . 2007-11-27 06:41 405504 ----a-w- c:\users\rotayl\AppData\Roaming\NCH Software\Components\mp3el2\lame.exe
2010-04-12 13:48 . 2010-04-12 13:48 -------- d-----w- c:\programdata\NCH Swift Sound
2010-04-12 13:48 . 2010-04-12 13:48 -------- d-----w- c:\program files\NCH Swift Sound
2010-04-12 13:48 . 2010-04-12 13:52 -------- d-----w- c:\users\rotayl\AppData\Roaming\NCH Software
2010-04-12 13:48 . 2010-04-13 08:12 -------- d-----w- c:\programdata\NCH Software
2010-04-12 13:47 . 2010-04-13 08:12 -------- d-----w- c:\program files\NCH Software
2010-04-11 09:39 . 2010-04-11 09:39 120576 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-04-11 09:39 . 2010-04-11 09:48 -------- d-----w- c:\program files\File Renamer
2010-04-11 07:46 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-11 07:40 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-04-11 07:40 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-04-11 07:40 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-10 13:38 . 2010-04-11 16:43 -------- d-----w- c:\users\rotayl\AppData\Local\SecondLife
2010-04-10 13:38 . 2010-04-10 13:42 -------- d-----w- c:\users\rotayl\AppData\Roaming\SecondLife
2010-04-10 13:37 . 2010-04-10 13:37 -------- d-----w- c:\program files\SecondLifeViewer2
2010-04-10 11:30 . 2010-04-10 11:30 -------- d-----w- c:\users\rotayl\AppData\Roaming\Super Flexible File Synchronizer
2010-04-10 11:29 . 2010-04-10 11:30 -------- d-----w- c:\programdata\SuperFlexibleSynchronizer
2010-04-10 11:29 . 2010-04-10 11:29 -------- d-----w- c:\program files\SuperFlexible
2010-04-10 09:43 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-04-10 09:43 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-04-10 09:43 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-04-10 09:43 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-04-10 09:43 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-04-10 09:43 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-04-10 09:43 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-04-10 09:43 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-04-10 09:43 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-04-10 09:42 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-04-10 09:42 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-04-10 09:35 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-10 09:32 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-10 09:32 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-10 09:31 . 2010-04-10 09:31 -------- d-----w- c:\users\rotayl\AppData\Roaming\Leadertech
2010-04-10 09:31 . 2010-04-10 09:31 53248 ----a-r- c:\users\rotayl\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-04-10 09:31 . 2010-04-10 09:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-04-10 09:29 . 2010-04-10 09:31 -------- d-----w- c:\programdata\Logishrd
2010-04-10 09:29 . 2010-04-10 09:30 -------- d-----w- c:\program files\Logitech
2010-04-10 09:29 . 2010-04-10 09:31 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-04-10 09:29 . 2010-04-10 09:35 -------- d-----w- c:\users\rotayl\AppData\Roaming\Logitech
2010-04-10 09:29 . 2010-04-10 09:29 -------- d-----w- c:\users\rotayl\AppData\Roaming\Logishrd
2010-04-10 09:26 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-10 09:25 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-04-10 09:25 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-10 09:25 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-10 09:25 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-10 09:24 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-04-10 09:24 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-10 09:24 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-04-10 09:24 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-04-10 09:24 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-04-10 09:24 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-04-10 09:24 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-04-10 09:24 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-04-10 09:24 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-04-10 09:24 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-10 09:24 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-10 09:19 . 2010-04-10 09:19 -------- d-----w- c:\users\rotayl\AppData\Local\ACD Systems
2010-04-10 09:19 . 2010-04-10 09:19 -------- d-----w- c:\users\rotayl\AppData\Roaming\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\programdata\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\program files\ACD Systems
2010-04-10 09:14 . 2010-04-10 09:14 -------- d-----w- c:\users\rotayl\AppData\Local\Downloaded Installations
2010-04-10 08:56 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-10 08:56 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-10 08:56 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-10 08:56 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-10 08:56 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 09:05 . 2009-09-15 11:02 -------- d-----w- c:\users\rotayl\AppData\Roaming\Free Download Manager
2010-04-13 08:10 . 2010-04-11 07:45 31966 ----a-w- c:\programdata\nvModes.dat
2010-04-13 04:02 . 2009-09-15 11:02 -------- d-----w- c:\users\rotayl\AppData\Roaming\Software Informer
2010-04-12 15:38 . 2009-08-24 21:57 76504 ----a-w- c:\users\rotayl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-12 14:02 . 2009-11-26 12:36 181096 ----a-w- c:\users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\FlashGot.exe
2010-04-11 09:27 . 2008-09-02 11:27 -------- d-----w- c:\program files\Common Files\Java
2010-04-11 09:26 . 2008-09-02 11:27 -------- d-----w- c:\program files\Java
2010-04-11 09:17 . 2008-09-02 11:18 -------- d-----w- c:\programdata\NVIDIA
2010-04-11 09:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-11 07:29 . 2008-09-02 11:32 588472 ----a-w- c:\windows\system32\ezsvc7x.dll
2010-04-11 07:25 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-10 10:21 . 2009-09-05 14:39 -------- d-----w- c:\program files\TagRename
2010-04-10 10:05 . 2009-11-20 11:37 36864 ----a-w- c:\programdata\Temp\{DCCAD079-F92C-44DA-B258-624FC6517A5A}\PostBuild.exe
2010-03-09 03:28 . 2009-08-24 22:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 06:39 . 2010-04-10 09:44 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-10 09:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-10 09:44 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-10 09:44 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-25 12:00 . 2010-04-10 09:44 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-04-10 09:44 471552 ----a-w- c:\windows\system32\secproc.dll
2008-06-30 12:44 . 2009-08-24 22:51 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-12-20 14:49 . 2009-08-25 04:17 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2008-09-02 20:56 . 2008-09-02 20:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Device Detector"="DevDetect.exe -autorun" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-31 3399727]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2009-09-24 1949765]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-31 5369856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-11-03 182808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13789728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6d,06,64,a5,87,35,ca,01

R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-03-26 21280]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-02 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-02 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-02 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100409.001\IDSvix86.sys [2009-10-28 343088]
S2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\DVDPlay\000.fcl [2008-03-11 41456]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-02 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-12-31 102448]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-03 1426304]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-11-10 40848]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-11-10 10384]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-02 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
FF - ProfilePath - c:\users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-fsm - (no file)
HKCU-Run-Canaveral - c:\windows\system32\sshnas21.dll
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 11:05
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86715AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b79dd24
\Driver\ACPI -> acpi.sys @ 0x80691d68
\Driver\iaStor -> iastor.sys @ 0x82a4be3a
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\DVDPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,b4,34,5c,da,13,1a,48,af,3f,e9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f5,b4,34,5c,da,13,1a,48,af,3f,e9,\

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.032"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.amr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.amr"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ani"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.arw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bay"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bmp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bwf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bwf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.caf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.caf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cdda"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cel\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cel"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cr2"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.crw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cs1"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cur"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcr"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dib"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.djv"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.djvu"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dng"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.emf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.eps"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.erf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fff"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fpx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.gif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gsm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.gsm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.hdr"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icl"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icn"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ico"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iff"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ilbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.int"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.inta"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iw4"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2c"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2k"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jfif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jp2"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpc"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpe"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpeg"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpg"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpk"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.lbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m15\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m15"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m1a"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m2a"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m4p"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m4v"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m75\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.m75"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mef"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mos"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mpv"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MRW\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mrw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.nef"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.orf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcd"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pct"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcx"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pef"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pgm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pic"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pics\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pics"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pict"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pix"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.png"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ppm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psd"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pspimage"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qcp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.qcp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qtpf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.qtpf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ras"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgb"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgba"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rle"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rsb"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sdv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sdv"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sfil\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sfil"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sgi"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.smf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sml"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sr2"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.srf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swa\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.swa"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tga"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.THM\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.thm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tiff"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttc"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ulw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ulw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10o\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10o"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10p"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10pf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10pf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vfw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.vfw"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbmp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wmf"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xbm"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xif"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xmp"

[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xpm"
.
Completion time: 2010-04-13 11:09:15
ComboFix-quarantined-files.txt 2010-04-13 09:09

Pre-Run: 256,285,024,256 bytes free
Post-Run: 256,590,045,184 bytes free

- - End Of File - - 5A91C1A8D934744B1BE5C951DDC5EEFE



==============================================================
==== GMER.txt ===================================================
==============================================================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 15:53:05
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\rotayl\AppData\Local\Temp\uwrorpob.sys


---- System - GMER 1.0.15 ----

SSDT 89E37048 ZwAlertResumeThread
SSDT 89E1C048 ZwAlertThread
SSDT 89E4B780 ZwAllocateVirtualMemory
SSDT 89B3CA30 ZwAlpcConnectPort
SSDT 89E55348 ZwAssignProcessToJobObject
SSDT 89E52C40 ZwCreateMutant
SSDT 89E56150 ZwCreateSymbolicLinkObject
SSDT 89DEF330 ZwCreateThread
SSDT 89E54248 ZwDebugActiveProcess
SSDT 89E4B998 ZwDuplicateObject
SSDT 89E4B1A0 ZwFreeVirtualMemory
SSDT 89E4E048 ZwImpersonateAnonymousToken
SSDT 89E39048 ZwImpersonateThread
SSDT 89B028A0 ZwLoadDriver
SSDT 89E4CFB0 ZwMapViewOfSection
SSDT 89E522C0 ZwOpenEvent
SSDT 89E4BBF0 ZwOpenProcess
SSDT 89DDF048 ZwOpenProcessToken
SSDT 89E53290 ZwOpenSection
SSDT 89E4BAE8 ZwOpenThread
SSDT 89E56E00 ZwProtectVirtualMemory
SSDT 89D04130 ZwResumeThread
SSDT 89DE3048 ZwSetContextThread
SSDT 89E4CD98 ZwSetInformationProcess
SSDT 89E53048 ZwSetSystemInformation
SSDT 89E53A90 ZwSuspendProcess
SSDT 89DF0048 ZwSuspendThread
SSDT 89D99048 ZwTerminateProcess
SSDT 89E14050 ZwTerminateThread
SSDT 89C71B00 ZwUnmapViewOfSection
SSDT 89E4B4B0 ZwWriteVirtualMemory
SSDT 89E56620 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 824B6860 8 Bytes [48, 70, E3, 89, 48, C0, E1, ...] {DEC EAX; JO 0xffffffffffffffe6; MOV [EAX-0x40], ECX; LOOPZ 0xffffffffffffff91}
.text ntkrnlpa.exe!KeSetEvent + 131 824B6874 4 Bytes [80, B7, E4, 89]
.text ntkrnlpa.exe!KeSetEvent + 13D 824B6880 4 Bytes [30, CA, B3, 89] {XOR DL, CL; MOV BL, 0x89}
.text ntkrnlpa.exe!KeSetEvent + 191 824B68D4 4 Bytes [48, 53, E5, 89] {DEC EAX; PUSH EBX; IN EAX, 0x89}
.text ntkrnlpa.exe!KeSetEvent + 1F5 824B6938 4 Bytes [40, 2C, E5, 89]
.text ...
C:\Program Files\HP\DVDPlay\000.fcl entry point in "" section [0xA05E9000]
.clc C:\Program Files\HP\DVDPlay\000.fcl unknown last section [0xA05EA000, 0x1000, 0x00000000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----




#8 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 20 April 2010 - 05:55 PM


Hello, Imasillyboy.

OK, thanks! Let's run ComboFix again, with this script:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.amr\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bwf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.caf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cel\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gsm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m15\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1a\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2a\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m75\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MRW\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pics\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qcp\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.qtpf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sdv\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sfil\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sml\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swa\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.THM\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ulw\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10o\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10p\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10pf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vfw\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
[HKEY_USERS\S-1-5-21-697145480-2520524336-2118687293-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 Imasillyboy

  • Topic Starter

  • Members
  • 9 posts

Posted 20 April 2010 - 08:35 PM

OK, here's the ComboFix.txt file.

Rob

ComboFix 10-04-19.08 - rotayl 21/04/2010 3:19.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.1941 [GMT 2:00]
Running from: c:\users\rotayl\Desktop\ComboFix.exe
Command switches used :: c:\users\rotayl\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\rotayl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk

----- BITS: Possible infected sites -----

hxxp://buy-download.norton.com
hxxp://liveupdate.symantec.com
hxxp://definitions.symantec.com
.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 01:26 . 2010-04-21 01:26 -------- d-----w- c:\users\rotayl\AppData\Local\temp
2010-04-21 01:26 . 2010-04-21 01:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-21 01:26 . 2010-04-21 01:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-21 01:18 . 2010-04-21 01:18 -------- d-----w- C:\32788R22FWJFW
2010-04-20 23:40 . 2010-04-19 16:31 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\NAVENG.SYS
2010-04-20 23:40 . 2010-04-19 16:31 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\NAVENG32.DLL
2010-04-20 23:40 . 2010-04-19 16:31 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\NAVEX32A.DLL
2010-04-20 23:40 . 2010-04-19 16:31 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\NAVEX15.SYS
2010-04-20 23:40 . 2010-04-19 16:31 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\EECTRL.SYS
2010-04-20 23:40 . 2010-04-19 16:31 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\CCERASER.DLL
2010-04-20 23:40 . 2010-04-19 16:31 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\ECMSVR32.DLL
2010-04-20 23:40 . 2010-04-19 16:31 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100420.024\ERASER.SYS
2010-04-20 15:23 . 2010-02-12 16:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-04-20 15:22 . 2010-02-01 18:20 165240 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-04-20 14:15 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSvix86.sys
2010-04-20 14:15 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSXpx86.sys
2010-04-20 14:15 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\Scxpx86.dll
2010-04-20 14:15 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSxpx86.dll
2010-04-20 14:15 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSviA64.sys
2010-04-20 14:04 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-20 14:04 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-20 14:04 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-20 14:04 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-20 14:04 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-20 14:04 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-20 14:01 . 2010-04-20 14:01 -------- d-----w- c:\program files\Norton Support
2010-04-20 05:30 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-20 05:30 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-20 05:30 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-20 05:29 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-20 05:28 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-20 04:34 . 2010-04-20 04:34 -------- d-----w- c:\users\rotayl\AppData\Local\Symantec
2010-04-20 00:10 . 2010-04-20 00:10 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-15 07:22 . 2010-04-15 07:22 -------- d-----w- c:\program files\iPod(35)
2010-04-15 07:22 . 2010-04-15 07:23 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-15 07:22 . 2010-04-15 07:23 -------- d-----w- c:\program files\iTunes(36)
2010-04-15 07:20 . 2010-04-15 07:20 -------- d-----w- c:\program files\QuickTime(46)
2010-04-15 07:17 . 2010-04-15 07:17 -------- d-----w- c:\program files\Bonjour(11)
2010-04-14 18:44 . 2010-04-14 22:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-13 10:08 . 2010-04-19 23:45 -------- d-----w- c:\users\rotayl\AppData\Local\Temp(286)
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\programdata\AVS4YOU
2010-04-12 15:38 . 2010-04-12 15:38 -------- d-----w- c:\users\rotayl\AppData\Roaming\AVS4YOU
2010-04-12 15:37 . 2010-04-12 15:38 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-04-12 15:36 . 2010-04-12 15:38 -------- d-----w- c:\program files\AVS4YOU
2010-04-12 14:39 . 2010-04-12 14:39 -------- d-----w- c:\program files\MOV to AVI MPEG WMV Converter
2010-04-12 13:48 . 2010-04-12 13:48 -------- d-----w- c:\programdata\NCH Swift Sound
2010-04-12 13:48 . 2010-04-12 13:48 -------- d-----w- c:\program files\NCH Swift Sound
2010-04-12 13:48 . 2010-04-12 13:52 -------- d-----w- c:\users\rotayl\AppData\Roaming\NCH Software
2010-04-12 13:48 . 2010-04-13 08:12 -------- d-----w- c:\programdata\NCH Software
2010-04-12 13:47 . 2010-04-13 08:12 -------- d-----w- c:\program files\NCH Software
2010-04-11 09:39 . 2010-04-11 09:39 120576 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-04-11 09:39 . 2010-04-11 09:48 -------- d-----w- c:\program files\File Renamer
2010-04-11 07:46 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-11 07:40 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-04-11 07:40 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-04-11 07:40 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-10 13:38 . 2010-04-20 18:11 -------- d-----w- c:\users\rotayl\AppData\Local\SecondLife
2010-04-10 13:38 . 2010-04-10 13:42 -------- d-----w- c:\users\rotayl\AppData\Roaming\SecondLife
2010-04-10 13:37 . 2010-04-10 13:37 -------- d-----w- c:\program files\SecondLifeViewer2
2010-04-10 11:30 . 2010-04-14 01:53 -------- d-----w- c:\users\rotayl\AppData\Roaming\Super Flexible File Synchronizer
2010-04-10 11:29 . 2010-04-20 10:05 -------- d-----w- c:\programdata\SuperFlexibleSynchronizer
2010-04-10 11:29 . 2010-04-10 11:29 -------- d-----w- c:\program files\SuperFlexible
2010-04-10 09:43 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-04-10 09:43 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-04-10 09:43 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-04-10 09:43 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-04-10 09:43 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-04-10 09:43 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-04-10 09:43 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-04-10 09:43 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-04-10 09:43 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-04-10 09:42 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-04-10 09:42 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-04-10 09:35 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-10 09:31 . 2010-04-10 09:31 -------- d-----w- c:\users\rotayl\AppData\Roaming\Leadertech
2010-04-10 09:31 . 2010-04-10 09:31 53248 ----a-r- c:\users\rotayl\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-04-10 09:31 . 2010-04-10 09:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-04-10 09:29 . 2010-04-10 09:31 -------- d-----w- c:\programdata\Logishrd
2010-04-10 09:29 . 2010-04-10 09:30 -------- d-----w- c:\program files\Logitech
2010-04-10 09:29 . 2010-04-10 09:31 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-04-10 09:29 . 2010-04-10 09:35 -------- d-----w- c:\users\rotayl\AppData\Roaming\Logitech
2010-04-10 09:29 . 2010-04-10 09:29 -------- d-----w- c:\users\rotayl\AppData\Roaming\Logishrd
2010-04-10 09:25 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-04-10 09:25 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-10 09:25 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-10 09:25 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-10 09:24 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-04-10 09:24 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-10 09:24 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-04-10 09:24 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-04-10 09:24 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-04-10 09:24 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-04-10 09:24 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-04-10 09:24 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-04-10 09:24 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-04-10 09:19 . 2010-04-10 09:19 -------- d-----w- c:\users\rotayl\AppData\Local\ACD Systems
2010-04-10 09:19 . 2010-04-10 09:19 -------- d-----w- c:\users\rotayl\AppData\Roaming\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\programdata\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-04-10 09:17 . 2010-04-10 09:17 -------- d-----w- c:\program files\ACD Systems
2010-04-10 09:14 . 2010-04-10 09:14 -------- d-----w- c:\users\rotayl\AppData\Local\Downloaded Installations
2010-04-10 08:56 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-10 08:56 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-10 08:56 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-10 08:56 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-10 08:56 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100402.001\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 01:26 . 2009-09-15 11:02 -------- d-----w- c:\users\rotayl\AppData\Roaming\Free Download Manager
2010-04-21 00:02 . 2009-09-15 11:02 -------- d-----w- c:\users\rotayl\AppData\Roaming\Software Informer
2010-04-20 21:17 . 2009-08-24 22:14 181096 ----a-w- c:\users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\scqmtrkh.default\FlashGot.exe
2010-04-20 15:26 . 2009-09-21 11:14 -------- d-----w- c:\programdata\Norton
2010-04-20 15:25 . 2010-04-11 07:45 31966 ----a-w- c:\programdata\nvModes.dat
2010-04-20 15:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-20 10:05 . 2009-10-30 16:31 -------- d-----w- c:\program files\iTunes
2010-04-20 10:05 . 2009-09-14 20:34 -------- d-----w- c:\program files\QuickTime
2010-04-20 10:05 . 2009-08-24 21:55 -------- d-----w- c:\program files\Microsoft Works
2010-04-20 10:05 . 2009-08-24 22:27 -------- d-----w- c:\program files\Bonjour
2010-04-20 10:05 . 2009-08-24 22:26 -------- d-----w- c:\program files\Common Files\Apple
2010-04-20 09:58 . 2009-10-30 16:31 -------- d-----w- c:\program files\iPod
2010-04-20 00:11 . 2009-08-24 21:57 76096 ----a-w- c:\users\rotayl\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-15 07:22 . 2009-08-24 22:27 -------- d-----w- c:\programdata\Apple Computer
2010-04-11 09:27 . 2008-09-02 11:27 -------- d-----w- c:\program files\Common Files\Java
2010-04-11 09:26 . 2008-09-02 11:27 -------- d-----w- c:\program files\Java
2010-04-11 09:17 . 2008-09-02 11:18 -------- d-----w- c:\programdata\NVIDIA
2010-04-11 07:29 . 2008-09-02 11:32 588472 ----a-w- c:\windows\system32\ezsvc7x.dll
2010-04-11 07:25 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-10 10:21 . 2009-09-05 14:39 -------- d-----w- c:\program files\TagRename
2010-04-10 10:05 . 2009-11-20 11:37 36864 ----a-w- c:\programdata\Temp\{DCCAD079-F92C-44DA-B258-624FC6517A5A}\PostBuild.exe
2010-03-09 03:28 . 2009-08-24 22:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 06:39 . 2010-04-10 09:44 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-10 09:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-10 09:44 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-10 09:44 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-25 12:00 . 2010-04-10 09:44 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-04-10 09:44 471552 ----a-w- c:\windows\system32\secproc.dll
2008-06-30 12:44 . 2009-08-24 22:51 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-12-20 14:49 . 2009-08-25 04:17 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2008-09-02 20:56 . 2008-09-02 20:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Device Detector"="DevDetect.exe -autorun" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-31 3399727]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2009-09-24 1949765]
"fsm"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-31 5369856]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [BU]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-11-03 182808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13789728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):6d,06,64,a5,87,35,ca,01

R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2008-03-26 21280]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-02 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-02 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-02 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100402.001\IDSvix86.sys [2009-10-28 343088]
S2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\DVDPlay\000.fcl [2008-03-11 41456]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-02 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-12-31 102448]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-03 1426304]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-11-10 40848]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-11-10 10384]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-02 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
FF - ProfilePath - c:\users\rotayl\AppData\Roaming\Mozilla\Firefox\Profiles\Robert\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 03:26
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\DVDPlay\000.fcl"
.
Completion time: 2010-04-21 03:28:32
ComboFix-quarantined-files.txt 2010-04-21 01:28
ComboFix2.txt 2010-04-13 10:08
ComboFix3.txt 2010-04-13 09:09

Pre-Run: 352,373,096,448 bytes free
Post-Run: 352,303,861,760 bytes free

- - End Of File - - C249708BB7F28439F20BAEA1B24440B3


#10 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 21 April 2010 - 05:53 PM

Hello, Imasillyboy.

How is your computer running now?


We need to run an OTL Script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    O4 - HKU\S-1-5-21-697145480-2520524336-2118687293-1000..\Run: [Device Detector] File not found
    O4 - Startup: C:\Users\rotayl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iTunes.lnk = File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    :Files
    c:\windows\system32\ezsidmv.dat
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 0
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#11 Imasillyboy (Topic Starter)

Posted 22 April 2010 - 09:40 AM

Hi etavares,

The computer seems OK. But it wasn't slow or anything. I only knew there was a problem when I opened a program (thinking it was an installer, i.e. my handle) and Norton went off like fireworks!! The only telltale sign that Norton hadn't protected everything was that Norton started complaining every 10-20 mins about an external attack from some IP address etc. I knew this had to be related to what happened and my research led me here.

But I haven't seen any more of these alarms from Norton but not sure that proves anything.

Anyway, that PC has been packed along with everything else and is on its way to Australia - moving back home after 14 years. So I won't see it for another 2 months or so. So thank you for your help so far, but I guess we can close this thread for now.

BUT
I am concerned about my laptop, if it's been affected during this past week of drama. Given the amount of on-line purchasing I'm doing at the moment due to the move (and I simply can't stop right now) I'm concerned.

There are no obvious alarms from Norton but the History log shows some funny Medium level Severity of "Unauthorised access" to target ccSvcHst.exe. Which seems strange. I have of course run Norton and Malwarebytes, which finds typical Tracking Cookies etc. but nothing bad.

Is there something in your arsenal of tools that I can run to check if my laptop is infected with anything bad?


If something is found that I can't fix by simple means I'll start up a new thread here.

Again, many thanks for your help.
Cheers,
Rob

Edited by Imasillyboy, 22 April 2010 - 09:45 AM.


#12 etavares (Bleepin' Remover, Malware Response Team)

Posted 22 April 2010 - 05:52 PM

Hi Rob-

Ok, once you get to Australia, you'll want to run the following online scan. This will also help for your laptop. Also, with the computer you just shipped, you'll want to update Java and Adobe Reader...both are outdated and have security holes.

Safe travels!

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push




#13 Imasillyboy (Topic Starter)

Posted 26 April 2010 - 02:34 AM

Hi etavares,
Great, thanks for this. Here is the output from ESET. And it obviously found stuff, which is good.

------------------------- ESETScan.txt ----------------------------

C:\Downloads\Software\HSS-1.37-install-anchorfree-76-conduit.zip Win32/Adware.AnchorFree application deleted - quarantined
C:\Downloads\Software\Agile.MP4.Video.Joiner.v2.3.6.WinAll.Incl.KeyGen-NeoX\Dream.Computer.Piano.v1.03.Win2kXP2k3Vista.Incl.Keygen.READ.NFO-CRD\cxx1627a\cxx1627a\keygen\keygen.exe a variant of Win32/Induc.A virus deleted - quarantined
C:\Downloads\Software\Agile.MP4.Video.Joiner.v2.3.6.WinAll.Incl.KeyGen-NeoX\Dream.Computer.Piano.v1.03.Win2kXP2k3Vista.Incl.Keygen.READ.NFO-CRD\cxx1627a\cxx1627a\setup\setup.exe probably a variant of Win32/Inject trojan cleaned by deleting - quarantined
C:\Downloads\Software\HSS-1.37-install-anchorfree-76-conduit\HSS-1.37-install-anchorfree-76-conduit.exe Win32/Adware.AnchorFree application deleted - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\29A73ACD\3E688669\stb0.dll a variant of Win32/Adware.DoubleD.AB application cleaned by deleting - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\BED3DEFB\3E688669\stbasst.exe a variant of Win32/Adware.DoubleD.AF application cleaned by deleting - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi probably a variant of Win32/Adware.DoubleD.AF application deleted - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\mFileBagIDE.dll\bag\stbpx.exe a variant of Win32/Adware.DoubleD.AF application cleaned by deleting - quarantined

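The ESET report above is a flat list, and the useful reading of it is the split between adware that was actually installed (the DoubleD toolbar pieces under ProgramData) and real malware that was only sitting in a download folder (the keygen and its setup.exe). The following is an added Python example, not ESET's own code and not code from this thread, that parses lines in the format ESET printed above and produces that split. The regular expression reflects the line shape visible in the log (path, optional "a variant of" / "probably a variant of" qualifier, signature, ESET object class, action); the list of object classes and the adware-versus-malware rule are this example's own assumptions.

```python
"""Parser and triage summary for ESET Online Scanner result lines.

Added example, not ESET's own code and not part of the original thread.
Each result line reads: <path> [probably ][a variant of ]<signature> <class> <action>,
where class is ESET's object class (application, virus, trojan, ...) and
action records what was done ("deleted - quarantined", "cleaned by deleting -
quarantined").  The class list and the adware/malware rule below are this
example's own assumptions, not ESET's documented taxonomy.
"""
import re
from collections import Counter

# ESET object classes this parser recognises (assumption, extend as needed).
OBJECT_CLASSES = "application|virus|trojan|worm|backdoor"

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<confidence>probably a variant of |a variant of )?"
    r"(?P<signature>\S+) "
    r"(?P<cls>" + OBJECT_CLASSES + r") "
    r"(?P<action>.+)$"
)

# Constructed sample: the eight lines from the ESETScan.txt posted above.
SAMPLE = r"""
C:\Downloads\Software\HSS-1.37-install-anchorfree-76-conduit.zip Win32/Adware.AnchorFree application deleted - quarantined
C:\Downloads\Software\Agile.MP4.Video.Joiner.v2.3.6.WinAll.Incl.KeyGen-NeoX\Dream.Computer.Piano.v1.03.Win2kXP2k3Vista.Incl.Keygen.READ.NFO-CRD\cxx1627a\cxx1627a\keygen\keygen.exe a variant of Win32/Induc.A virus deleted - quarantined
C:\Downloads\Software\Agile.MP4.Video.Joiner.v2.3.6.WinAll.Incl.KeyGen-NeoX\Dream.Computer.Piano.v1.03.Win2kXP2k3Vista.Incl.Keygen.READ.NFO-CRD\cxx1627a\cxx1627a\setup\setup.exe probably a variant of Win32/Inject trojan cleaned by deleting - quarantined
C:\Downloads\Software\HSS-1.37-install-anchorfree-76-conduit\HSS-1.37-install-anchorfree-76-conduit.exe Win32/Adware.AnchorFree application deleted - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\29A73ACD\3E688669\stb0.dll a variant of Win32/Adware.DoubleD.AB application cleaned by deleting - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\BED3DEFB\3E688669\stbasst.exe a variant of Win32/Adware.DoubleD.AF application cleaned by deleting - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi probably a variant of Win32/Adware.DoubleD.AF application deleted - quarantined
C:\ProgramData\{AAAE891E-DC50-4DD4-A79D-C19DDB94E30E}\OFFLINE\mFileBagIDE.dll\bag\stbpx.exe a variant of Win32/Adware.DoubleD.AF application cleaned by deleting - quarantined
"""


def parse_eset(text):
    """Return one dict per result line; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def category(rec):
    """Map a record to 'adware', 'malware' or 'other' (this example's own rule)."""
    sig, cls = rec["signature"], rec["cls"]
    if "Adware" in sig or cls == "application":
        return "adware"      # ESET's 'application' class covers potentially unwanted software
    if cls in ("virus", "trojan", "worm", "backdoor"):
        return "malware"
    return "other"


def location(rec):
    """Coarse location of the file: the first path component after the drive letter."""
    parts = rec["path"].split("\\")
    return parts[1] if len(parts) > 1 else parts[0]


def summarize(text):
    """Count detections by category and by top-level folder, and list the malware paths."""
    recs = parse_eset(text)
    return {
        "total": len(recs),
        "by_category": dict(Counter(category(r) for r in recs)),
        "by_location": dict(Counter(location(r) for r in recs)),
        "malware": [r["path"] for r in recs if category(r) == "malware"],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["total"], "detections:", s["by_category"], s["by_location"])
    for p in s["malware"]:
        print("malware on disk:", p)
```

On the sample this yields eight detections, six adware and two malware, split four and four between Downloads and ProgramData, with both malware hits under Downloads. That is the same reading the reply below gives in one sentence: the installed material is adware, and the real malware was an archive the user downloaded but had not run. A file being quarantined says nothing about whether it ever executed, so the folder it came from is the first thing to look at when deciding how worried to be.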

#14 etavares (Bleepin' Remover, Malware Response Team)

Posted 26 April 2010 - 06:17 AM

Mostly adware, but it does look like you used a keygen. Be careful... P2P/warez/etc. are well known as a virus vector. Do you need anything else before you move?




#15 Imasillyboy (Topic Starter)

Posted 27 April 2010 - 04:33 AM

Hi,
Actually, I'd downloaded that but never ran it... Thankfully... Anyway, I don't do P2P.

That's all for now, thank you for all your help. This is an amazing service you supply.

Again, thanks.
Rob



