ave.exe virus, also atapi.sys & Google re-directs



#1 naslsoccer

Posted 13 April 2010 - 09:50 AM

Hi, I hope that you can help me with my virus problem.

I started with the ave.exe virus, which was causing a number of fake anti-virus popups. I am also getting re-directed on all my Google searches. My computer has been running a little slow, and I also have issues with my print server and sound drivers crashing.

Here is what I have done so far. I tried following the instructions before posting this topic. DDS ran fine and the logs are included with this message. GMER resulted in a blue screen every time I tried to run it. The initial scan that runs when you first start GMER ran alright (I saved this log and pasted it below). But when I unchecked IAT/EAT, my other drives, and SHOW ALL and ran the scan on GMER, it resulted in a blue screen crash every time I ran it.

Before I saw this forum and the associated instructions, I had tried some other solutions that I saw mentioned on other forums. I ran MalwareBytes, which found and removed the ave.exe virus. I ran SUPERAntiSpyware, which did not find any issues. I tried running SpyBot Search & Destroy, but it caused a blue screen crash both times I tried to run it. I ran ComboFix (again, before I saw the warnings on this forum stating not to run ComboFix) and it found a few infected files and cleaned them. But I was still having Google re-directs. I then ran TDSSKiller, which identified that I had an infected atapi.sys. TDSSKiller claimed that it successfully removed the infected file, but it came back on every reboot. I booted into the Windows Recovery Console and manually copied atapi.sys from my C:\WINDOWS\erdnt\cache directory, but it was overwritten with an infected version on the next re-boot. Then yesterday, the ave.exe virus came back, which I cleaned with MalwareBytes. I also found a virus file in C:\WINDOWS\temp\jrti.tmp, which was a bogus svchost.exe file, which I cleaned with SUPERAntiSpyware. I also found some suspicious looking files in my Application Data directories. For example, in C:\Documents and Settings\All Users\Application Data, there is a file named w30jkdpD.exe that keeps coming back even though I have deleted it.

Can you please help me fix this? (and let me know if you want the ComboFix log, I did not post it in this original message).

Thanks,
Chris

Here is the GMER initial scan log
---------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-13 08:48:19
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\kwriapob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8B15CAC8

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 21:50:11.25 on 2010-04-12
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2062 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
C:\windows\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\windows\Explorer.EXE
C:\windows\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\windows\system32\Rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\DOCUME~1\Chris\LOCALS~1\Temp\clclean.0001
svchost.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray .exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Support Center\bin\sprtcmd .exe
C:\Program Files\TurboHddUsb\TurboHddUsb .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
C:\Program Files\ATI Multimedia\main\ATIDtct .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\eHome\ehmsas.exe
C:\Documents and Settings\All Users\Application Data\w30jkdpD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security 12\pccmain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ATI DeviceDetect] "c:\program files\ati multimedia\main\ATIDtct.EXE"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC .exe" /tray
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [hplampc] c:\windows\system32\hplampc.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TurboHddUsb] c:\program files\turbohddusb\TurboHddUsb.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15015/CTSUEng.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6678BE91-1E04-4A4A-9C32-63145EA79C2A} - hxxp://fifa-online.easports.com/fo3-theme/addons/EAFO3AXLauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15021/CTPID.cab
DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} - hxxp://xmro.xmradio.com/xstream/registration/dell/xmprofiler.CAB
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-2-14 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2010-2-14 20616]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-1-25 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-13 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-13 55024]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2006-2-4 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-2-4 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-2-4 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-2-4 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-2-4 262215]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-2-14 122504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 7408]
S0 mmkrqijd;mmkrqijd;c:\windows\system32\drivers\xmzgcqhp.sys --> c:\windows\system32\drivers\xmzgcqhp.sys [?]
S0 payihxoq;payihxoq;c:\windows\system32\drivers\ymorkhpe.sys --> c:\windows\system32\drivers\ymorkhpe.sys [?]
S1 DMusicc;DMusicc;c:\windows\system32\drivers\dmusicc.sys --> c:\windows\system32\drivers\DMusicc.sys [?]
S1 NdisIPP;NdisIPP;c:\windows\system32\drivers\ndisipp.sys --> c:\windows\system32\drivers\NdisIPP.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-2-5 16512]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2010-2-14 14216]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-1-25 17792]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2006-2-5 9312]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-04-13 02:33:40 71170 ----a-w- c:\docume~1\alluse~1\applic~1\w30jkdpD.exe
2010-04-13 00:02:44 71170 ----a-w- c:\docume~1\alluse~1\applic~1\w30jkdpD.vir
2010-04-12 22:50:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-12 22:50:31 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-12 21:42:44 112 ----a-w- c:\docume~1\alluse~1\applic~1\0hbX77.dat
2010-04-12 04:49:11 0 d-----w- c:\temp\tdss_remover
2010-04-09 05:46:54 293376 ----a-w- c:\temp\gmer.exe
2010-04-06 13:16:57 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-06 04:35:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 20:13:58 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-17 20:13:57 139152 ----a-w- c:\docume~1\chris\applic~1\PnkBstrK.sys

==================== Find3M ====================

2010-04-13 02:24:33 95360 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-04-12 21:40:04 41472 ----a-w- c:\windows\fonts\5xT3TFL5.com
2010-04-12 06:17:01 95360 ----a-w- c:\windows\system32\drivers\atapi.vir
2010-04-07 00:28:49 65536 ----a-w- c:\windows\IFinst27.exe
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 23:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-01-24 06:57:20 3532 ----a-w- C:\drmHeader.bin
2009-12-12 20:35:43 56 --sh--r- c:\windows\system32\C702DA514C.sys
2006-05-03 09:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2009-12-12 20:35:44 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
2009-12-01 19:04:18 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 21:52:32.03 ===============
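As an added example (not part of DDS or of this thread's tooling), the following Python script applies to lines copied from the DDS log above the checks a helper makes by eye: boot- or system-start drivers whose file DDS could not find (`[?]`), executables created in Application Data or the Fonts folder, and a core driver with a very recent modification time. The folder list ODD_PARENTS and the driver set CORE_DRIVERS are my assumptions, not DDS rules.

```python
"""Triage helper for the SERVICES / DRIVERS and file-listing sections of a
DDS log.  Added example, not part of DDS.  ODD_PARENTS and CORE_DRIVERS
are assumptions meant to be extended from a known-good baseline."""
import os
import re

# "<R|S><start group> <service>;<display>;<path> [date size]", or "[?]"
# when DDS could not find the file on disk.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s*(\[[^\]]*\])?$")
# "<modified> <size> <attributes> <path>" as printed under Created Last 30 / Find3M.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")

EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".dll", ".sys", ".bat", ".cmd", ".pif"}
# Folders (DDS prints 8.3 short names) where a fresh executable is a red flag.
ODD_PARENTS = {"applic~1", "application data", "fonts", "temp"}
# Boot-critical drivers that rootkits of this era overwrote in place.
CORE_DRIVERS = {"atapi.sys"}

# Lines copied from the DDS log posted above.
SAMPLE_LOG = r"""R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-2-14 26248]
S0 mmkrqijd;mmkrqijd;c:\windows\system32\drivers\xmzgcqhp.sys --> c:\windows\system32\drivers\xmzgcqhp.sys [?]
S0 payihxoq;payihxoq;c:\windows\system32\drivers\ymorkhpe.sys --> c:\windows\system32\drivers\ymorkhpe.sys [?]
S1 DMusicc;DMusicc;c:\windows\system32\drivers\dmusicc.sys --> c:\windows\system32\drivers\DMusicc.sys [?]
S1 NdisIPP;NdisIPP;c:\windows\system32\drivers\ndisipp.sys --> c:\windows\system32\drivers\NdisIPP.sys [?]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2006-2-5 9312]
2010-04-13 02:33:40 71170 ----a-w- c:\docume~1\alluse~1\applic~1\w30jkdpD.exe
2010-04-13 02:24:33 95360 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-04-12 21:40:04 41472 ----a-w- c:\windows\fonts\5xT3TFL5.com
2010-04-12 06:17:01 95360 ----a-w- c:\windows\system32\drivers\atapi.vir
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


def parse_service(line):
    """Parse one SERVICES / DRIVERS line; None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, group, name, display, path, info = m.groups()
    return {"running": state == "R", "start": int(group), "name": name,
            "display": display, "path": path, "missing": info == "[?]"}


def parse_file(line):
    """Parse one Created Last 30 / Find3M line; None if it is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    when, size, attrs, path = m.groups()
    return {"modified": when, "size": int(size), "attrs": attrs, "path": path}


def triage(log_text):
    """Return (severity, message) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc:
            if svc["missing"]:
                # Start groups 0 and 1 load before any user-mode scanner.
                sev = "high" if svc["start"] <= 1 else "medium"
                findings.append((sev, f"{svc['name']}: start type {svc['start']} "
                                      f"driver, file not found ({svc['path']})"))
            continue
        f = parse_file(line)
        if not f:
            continue
        parent, base = os.path.split(f["path"].replace("\\", "/"))
        ext = os.path.splitext(base)[1].lower()
        parent_name = os.path.basename(parent).lower()
        if ext in EXEC_EXTENSIONS and parent_name in ODD_PARENTS:
            findings.append(("high", f"{f['path']}: executable in '{parent_name}' "
                                     f"(modified {f['modified']})"))
        elif base.lower() in CORE_DRIVERS:
            findings.append(("high", f"{f['path']}: core driver modified {f['modified']}, "
                                     f"verify against a known-good copy"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```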


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:50 AM

Posted 18 April 2010 - 05:04 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 naslsoccer


Posted 18 April 2010 - 12:36 PM

Elise,

Thanks for the help.

In the several days that passed since my original post, the fake virus popups came back, so I kept re-running Malwarebytes to clean the computer. The most recent was yesterday. This time Malwarebytes found Vundo, but seemed to clean it just fine. I rebooted, re-ran Malwarebytes and it did not find anything. My computer seemed to be working alright since then.

Then, after receiving your post to my message this morning, I ran OTL and it worked fine. However, when I ran GMER, it crashed and completely locked up my computer. I did not get a blue screen, but nothing would run, the computer would not reboot, and nothing was responsive. So I rebooted the computer by pushing the power button. Now it will not reboot at all. It will not even reboot into Safe Mode. I can boot into the Recovery Console, but I have not tried any fixes yet.

What should I do next?

-Chris



#4 Elise


Posted 18 April 2010 - 12:51 PM

Hello, no need to panic yet.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.


regards, Elise




#5 naslsoccer


Posted 18 April 2010 - 02:30 PM

Elise,

Thanks. I did panic a bit. With how backlogged things are at Bleeping Computer (I have seen dozens and dozens of new issues being reported), I wasn't sure when you would be able to get back to me. So, I have attempted a couple of other fixes before I saw your note.

I manually restored the registry hive from the windows\repair directory using the Recovery Console. I was then able to re-boot. I then tried to do a system restore to a restore point from a couple of weeks ago. But that failed. My computer is running very poorly. Internet Explorer will not run at all. I tried running Outlook to see if I could get to the internet through e-mail, but that crashed my computer.

I will run the steps below using OTLPE, but it will be a few hours before I can get access to a computer with a CD burner.

Also, I'm concerned about moving files back and forth using USB, as I do not want to infect any other computers from my infected computer. What steps can I take to make sure I don't spread anything via USB?

Thanks,
Chris


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:50 AM

Posted 18 April 2010 - 02:55 PM

Hello,

By restoring the Repair hive, it's possible you may have lost your user profile folders. Did you check if these folders are still there?

You can use flash disinfector to keep your other computer safe.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


If you want, we can run OTLPE from a flash drive.

I would like you to create a bootable flash drive with OTLPE:

IMPORTANT:
You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.

    • Download OTLPE.iso from one of the following links and save it to your Desktop: mirror1 or mirror2

    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror

    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror


  1. Once you have 7-zip installed, decompress OTLPE.iso by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop.

  2. Please also decompress eeepcfr to your systemroot (usually C:\).
  3. Empty the flash drive you want to install OTLPE on.
  4. Go to C:\eeepcfr and double-click usb_prep8.cmd to launch it.
  5. Press any key when asked to in the black window that opens.
  6. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.




  7. Click on Start, accept the disclaimers and wait for the program to finish.

Your bootable flash drive should now be ready!

To boot from the flash drive, follow the steps in my previous post, but instead of booting from CD, make sure you boot from the flash drive.

regards, Elise
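The note above describes the trick Flash_Disinfector relies on: a folder named autorun.inf at the root of a drive stops malware from planting a file of that name. As an added example (not Flash_Disinfector's own code), the Python below inspects a drive root for an autorun.inf file, flags the keys that would execute something or rebind Explorer's Open/Explore verbs, quarantines the file and creates the protective folder. The sample autorun.inf is constructed; the hidden/system attributes are Win32 attributes and are set only on Windows.

```python
"""Inspect a removable drive for autorun.inf and install the protective
autorun.inf folder described above.  Added example, not Flash_Disinfector.
Assumptions: the drive is mounted at a writable path; attributes are
only set on Windows, where they are Win32 file attributes."""
import os
import sys
import tempfile

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".dll")

# Constructed sample of the kind of autorun.inf a USB worm drops: it runs a
# hidden executable on insert and rebinds Explorer's Open/Explore verbs so
# the same file also runs when the drive is opened by hand.
SAMPLE_AUTORUN = r"""[AutoRun]
open=hidden\launcher.exe
shell\open\Command=hidden\launcher.exe
shell\explore\Command=hidden\launcher.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def suspicious_entries(entries):
    """Flag keys that make Windows run something or change what a
    double-click on the drive does.  icon= and label= are cosmetic."""
    findings = []
    for key, value in entries:
        if key in ("open", "shellexecute"):
            findings.append(f"{key}= launches {value}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            findings.append(f"Explorer verb '{verb}' rebound to {value}")
        elif key == "shell":
            findings.append(f"default verb changed to '{value}'")
        elif key != "icon" and value.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"{key}= points at executable {value}")
    return findings


def check_drive(root):
    """Classify a drive root: protected (autorun.inf is a folder), clean
    (nothing there), or benign/infected (a file, judged by its contents)."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected", []
    if not os.path.exists(path):
        return "clean", []
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = suspicious_entries(parse_autorun(fh.read()))
    return ("infected" if findings else "benign"), findings


def install_protection(root):
    """Quarantine any autorun.inf file, then create a folder of that name.
    A file cannot be created where a directory already exists, which is
    what keeps autorun.inf from being re-planted on the drive."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        os.replace(path, path + ".quarantine")   # keep the file for analysis
    os.makedirs(path, exist_ok=True)
    if sys.platform == "win32":
        import ctypes
        HIDDEN, SYSTEM = 0x02, 0x04              # FILE_ATTRIBUTE_HIDDEN/SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(path, HIDDEN | SYSTEM)
    return os.path.isdir(path)


def demo():
    """Run the whole flow against a temporary directory standing in for a
    USB drive root; returns (status before, status after, findings)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AUTORUN)
    before, findings = check_drive(root)
    install_protection(root)
    after, _ = check_drive(root)
    return before, after, findings


if __name__ == "__main__":
    before, after, findings = demo()
    print(f"before: {before}, after: {after}")
    for item in findings:
        print("  -", item)
```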




#7 naslsoccer

naslsoccer

Posted 18 April 2010 - 07:21 PM

Elise,

I was able to get my computer to boot into Safe Mode successfully. So, I created the OTLPE disc in Safe Mode, then followed your instructions below. Here is the log file from c:\otl.txt. Also, I have posted the OTL.txt and Extra.txt log files from when I originally ran OTL, before GMER crashed and I started having my booting issues, in case those are helpful.

Please let me know the next steps, and thank you for the continued help.

Thanks,
Chris

OTL logfile created on: 4/18/2010 7:14:30 PM - Run
OTLPE by OldTimer - Version 3.1.37.2 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 5.20 Gb Free Space | 1.12% Space Free | Partition Type: NTFS
Drive D: | 144.30 Gb Total Space | 1.21 Gb Free Space | 0.84% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet003

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/08/13 19:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007/10/29 15:27:04 | 000,587,096 | ---- | M] (Lavasoft AB) [Auto] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007/03/07 16:47:46 | 000,076,848 | ---- | M] () [On_Demand] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/09/04 22:54:44 | 000,880,722 | ---- | M] (Trend Micro Incorporated.) [Auto] -- C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe -- (PcCtlCom)
SRV - [2006/02/04 01:59:31 | 000,262,215 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe -- (tmproxy)
SRV - [2006/02/04 01:59:30 | 000,585,792 | ---- | M] (Trend Micro Inc.) [Auto] -- C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe -- (TmPfw)
SRV - [2006/02/04 01:59:30 | 000,290,889 | ---- | M] (Trend Micro Incorporated.) [Auto] -- C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe -- (Tmntsrv)
SRV - [2006/01/24 00:06:20 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2004/04/07 14:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Disabled] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (payihxoq)
DRV - File not found [Kernel | Boot] -- -- (paxpmo)
DRV - File not found [Kernel | System] -- -- (NdisIPP)
DRV - File not found [Kernel | Auto] -- -- (MCSTRM)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (DMusicc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - File not found [Kernel | On_Demand] -- -- (bvrp_pci)
DRV - [2010/03/30 01:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/01/25 02:51:05 | 000,017,792 | ---- | M] (FNet Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\FNETTBOH.SYS -- (FNETTBOH)
DRV - [2010/01/25 02:51:05 | 000,007,040 | ---- | M] (FNet Co., Ltd.) [Kernel | System] -- C:\WINDOWS\system32\drivers\FNETURPX.SYS -- (FNETURPX)
DRV - [2009/11/04 12:15:30 | 004,423,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/02/06 10:19:50 | 000,003,636 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\mmkrqijd -- (mmkrqijd)
DRV - [2008/07/18 20:08:38 | 000,205,328 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (Tmfilter)
DRV - [2008/07/18 20:08:32 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (Tmpreflt)
DRV - [2008/07/18 19:51:32 | 001,195,448 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\VsapiNT.sys -- (Vsapint)
DRV - [2008/07/02 15:38:14 | 000,089,600 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/05/13 13:44:00 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2008/05/13 13:43:58 | 000,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/05/13 13:43:56 | 000,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/02/04 01:59:33 | 001,884,585 | ---- | M] (Trend Micro Inc.) [Kernel | Auto] -- C:\windows\System32\Drivers\tm_cfw.sys -- (tm_cfw)
DRV - [2006/02/04 01:59:33 | 000,038,528 | ---- | M] (Trend Micro Inc.) [Kernel | System] -- C:\windows\System32\Drivers\tmtdi.sys -- (tmtdi)
DRV - [2006/01/24 00:12:15 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/08/02 17:10:13 | 000,032,512 | ---- | M] (CACE Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2005/06/28 13:43:40 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2005/06/06 04:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/05/25 05:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005/04/12 21:21:32 | 000,022,240 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2005/04/12 21:21:28 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2005/04/12 21:21:28 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2005/04/12 21:21:26 | 000,045,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2005/03/24 22:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005/03/05 02:06:50 | 000,135,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\atinavxx.sys -- (ATIAVPCI)
DRV - [2005/02/23 16:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005/01/10 06:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005/01/10 06:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2004/12/06 03:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 03:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 03:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 03:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 03:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 03:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 03:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 03:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 03:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 05:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 04:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/08/12 19:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/10 07:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2004/08/04 01:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2004/08/04 01:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 01:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 00:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 13:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 13:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/06/16 05:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 06:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 06:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 06:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/01/10 18:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 16:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 16:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 16:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 16:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 16:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 15:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 15:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 15:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 15:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 15:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 15:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 15:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 15:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 15:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 15:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 15:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled] -- C:\windows\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/02/18 12:09:56 | 000,009,312 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hp4200c.sys -- (hp4200c)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ [binary data]
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Chris_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\Chris_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Chris_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\Lesley_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKU\Lesley_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell/en/side.html
IE - HKU\Lesley_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKU\Lesley_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2009/11/18 18:52:29 | 000,355,987 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 12234 more lines...
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Chris_ON_C\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Chris_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\HelpAssistant_ON_C\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\HelpAssistant_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Lesley_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe ()
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe File not found
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe ()
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe ()
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MBMon] C:\windows\System32\CTMBHA.DLL ()
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe File not found
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe File not found
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe File not found
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\windows\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe File not found
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [TurboHddUsb] C:\Program Files\TurboHddUsb\TurboHddUsb.exe ()
O4 - HKLM..\Run: [VoiceCenter] C:\Program Files\Creative\VoiceCenter\AndreaVC .exe (Andrea Electronics Corporation)
O4 - HKU\Administrator_ON_C..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKU\Administrator_ON_C..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe (Creative Technology Ltd)
O4 - HKU\Administrator_ON_C..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe ()
O4 - HKU\Administrator_ON_C..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\Chris_ON_C..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE ()
O4 - HKU\Chris_ON_C..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe ()
O4 - HKU\Chris_ON_C..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe ()
O4 - HKU\Chris_ON_C..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\Chris_ON_C..\Run: [SetDefaultMIDI] C:\windows\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKU\Chris_ON_C..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe File not found
O4 - HKU\Chris_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()
O4 - HKU\Chris_ON_C..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe File not found
O4 - HKU\HelpAssistant_ON_C..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE ()
O4 - HKU\HelpAssistant_ON_C..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe ()
O4 - HKU\HelpAssistant_ON_C..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe ()
O4 - HKU\HelpAssistant_ON_C..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\HelpAssistant_ON_C..\Run: [SetDefaultMIDI] C:\windows\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKU\HelpAssistant_ON_C..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe File not found
O4 - HKU\HelpAssistant_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()
O4 - HKU\HelpAssistant_ON_C..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe File not found
O4 - HKU\Lesley_ON_C..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKU\Lesley_ON_C..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe (Creative Technology Ltd)
O4 - HKU\Lesley_ON_C..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe ()
O4 - HKU\Lesley_ON_C..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\Lesley_ON_C..\Run: [SetDefaultMIDI] C:\windows\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKU\Lesley_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe (ArcSoft, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Administrator_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Administrator_ON_C\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 1
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\Chris_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Chris_ON_C\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\Chris_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Chris_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Chris_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\HelpAssistant_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\HelpAssistant_ON_C\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\HelpAssistant_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\HelpAssistant_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\HelpAssistant_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\Lesley_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\Lesley_ON_C\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\Lesley_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra Button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL (ATI Technologies Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15015/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15021/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} http://xmro.xmradio.com/xstream/registrati.../xmprofiler.CAB (XMRADIO.XM_SystemProfiler)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\windows\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/18 10:39:48 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2010/04/17 18:11:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}
[2010/04/12 18:50:32 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ptpusb.dll
[2010/04/12 18:50:31 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ptpusd.dll
[2010/04/12 01:54:30 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Chris\Desktop\TDSSKiller.exe
[2010/04/08 04:39:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/04/06 14:50:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/04/06 08:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/06 05:56:49 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
[2010/04/06 01:04:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/06 00:15:40 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2010/04/05 22:08:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/04/05 22:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/04/05 21:13:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/05 18:41:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/05 18:41:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/20 13:11:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Local Settings\Application Data\IsolatedStorage
[2008/07/18 13:21:41 | 000,722,176 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Chris\gotomypc_428.exe
[6 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\Documents and Settings\Lesley\My Documents\*.tmp files -> C:\Documents and Settings\Lesley\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/18 19:07:57 | 017,039,360 | ---- | M] () -- C:\Documents and Settings\Chris\ntuser.dat
[2010/04/18 19:07:57 | 000,253,952 | ---- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/04/18 19:07:57 | 000,245,760 | ---- | M] () -- C:\Documents and Settings\LocalService\ntuser.dat
[2010/04/18 19:07:46 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2010/04/18 19:07:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Chris\ntuser.ini
[2010/04/18 19:00:38 | 290,242,560 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\OTLPE.iso
[2010/04/18 14:24:23 | 000,572,528 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010/04/18 14:24:23 | 000,476,546 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/04/18 14:24:23 | 000,085,024 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/04/18 14:08:48 | 000,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2010/04/18 12:10:36 | 000,000,461 | ---- | M] () -- C:\windows\EAGRAPH.INI
[2010/04/18 12:06:55 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/18 11:43:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\bsu9p9zw.exe
[2010/04/18 10:39:50 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2010/04/18 10:14:56 | 000,000,120 | ---- | M] () -- C:\windows\Rgatikequw.dat
[2010/04/18 01:22:10 | 000,000,000 | ---- | M] () -- C:\windows\Ltiqok.bin
[2010/04/17 18:18:01 | 000,018,582 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\58G3tyIDc
[2010/04/17 08:47:31 | 000,001,324 | ---- | M] () -- C:\windows\System32\d3d9caps.dat
[2010/04/16 01:46:28 | 000,019,904 | ---- | M] () -- C:\windows\COOL.INI
[2010/04/16 01:46:28 | 000,010,677 | ---- | M] () -- C:\windows\coolkb2k.ini
[2010/04/16 01:46:28 | 000,000,000 | ---- | M] () -- C:\windows\COOLSYS.INI
[2010/04/15 21:52:14 | 000,000,886 | ---- | M] () -- C:\windows\win.ini
[2010/04/15 21:52:14 | 000,000,027 | ---- | M] () -- C:\windows\winzip32.ini
[2010/04/15 15:53:16 | 000,004,736 | ---- | M] () -- C:\windows\System32\o.sys
[2010/04/14 23:13:03 | 000,214,592 | ---- | M] () -- C:\windows\System32\PnkBstrB.xtr
[2010/04/14 22:50:13 | 000,138,968 | ---- | M] () -- C:\windows\System32\drivers\PnkBstrK.sys
[2010/04/13 12:41:56 | 000,015,266 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\o82Ak400MM24
[2010/04/12 22:51:58 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\gmer.zip
[2010/04/12 22:49:51 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2010/04/12 21:10:23 | 000,000,000 | ---- | M] () -- C:\windows\system.ini
[2010/04/12 20:47:52 | 000,013,528 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\V8i44CYn52
[2010/04/12 17:40:14 | 000,041,476 | ---- | M] () -- C:\windows\System32\5xT3TFL5.com
[2010/04/12 02:17:01 | 000,095,360 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\drivers\atapi.vir
[2010/04/12 01:54:16 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\tdsskiller.zip
[2010/04/12 00:56:28 | 003,912,237 | R--- | M] () -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2010/04/10 01:24:00 | 000,000,376 | ---- | M] () -- C:\windows\ODBC.INI
[2010/04/08 21:49:02 | 002,856,464 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/04/06 20:28:49 | 000,065,536 | ---- | M] () -- C:\windows\IFinst27.exe
[2010/04/06 16:35:49 | 000,016,508 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\4W2k7t2Uo86
[2010/04/06 16:08:00 | 000,016,508 | -HS- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4W2k7t2Uo86
[2010/04/06 00:45:41 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/04/06 00:45:39 | 005,264,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/04/04 10:43:46 | 005,315,314 | -H-- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\IconCache.db
[2010/03/30 01:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 01:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/03/22 11:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Chris\Desktop\TDSSKiller.exe
[6 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\Documents and Settings\Lesley\My Documents\*.tmp files -> C:\Documents and Settings\Lesley\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/18 19:00:38 | 290,242,560 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\OTLPE.iso
[2010/04/18 14:35:39 | 000,041,476 | ---- | C] () -- C:\windows\System32\5xT3TFL5.com
[2010/04/18 14:19:03 | 000,041,476 | ---- | C] () -- C:\WINDOWS\Fonts\5xT3TFL5.com
[2010/04/18 11:43:44 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\bsu9p9zw.exe
[2010/04/17 18:15:51 | 000,018,582 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\58G3tyIDc
[2010/04/17 18:11:21 | 000,000,120 | ---- | C] () -- C:\windows\Rgatikequw.dat
[2010/04/17 18:11:21 | 000,000,000 | ---- | C] () -- C:\windows\Ltiqok.bin
[2010/04/15 15:53:16 | 000,004,736 | ---- | C] () -- C:\windows\System32\o.sys
[2010/04/14 11:04:53 | 000,214,592 | ---- | C] () -- C:\windows\System32\PnkBstrB.exe
[2010/04/14 11:04:52 | 000,214,592 | ---- | C] () -- C:\windows\System32\PnkBstrB.xtr
[2010/04/14 11:04:47 | 000,075,064 | ---- | C] () -- C:\windows\System32\PnkBstrA.exe
[2010/04/13 12:38:58 | 000,015,266 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\o82Ak400MM24
[2010/04/12 22:51:55 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\gmer.zip
[2010/04/12 22:49:48 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2010/04/12 20:19:16 | 000,013,528 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\V8i44CYn52
[2010/04/12 01:54:14 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\tdsskiller.zip
[2010/04/12 00:56:24 | 003,912,237 | R--- | C] () -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2010/04/06 15:35:32 | 000,016,508 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\4W2k7t2Uo86
[2010/04/06 15:07:40 | 000,016,508 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4W2k7t2Uo86
[2010/04/06 00:35:54 | 000,001,324 | ---- | C] () -- C:\windows\System32\d3d9caps.dat
[2010/04/04 10:46:11 | 002,856,464 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/20 13:20:55 | 017,039,360 | ---- | C] () -- C:\Documents and Settings\Chris\ntuser.dat
[2010/03/20 13:20:54 | 000,245,760 | ---- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat
[2010/03/17 16:13:58 | 000,138,968 | ---- | C] () -- C:\windows\System32\drivers\PnkBstrK.sys
[2010/03/17 16:13:57 | 000,139,152 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\PnkBstrK.sys
[2010/02/14 13:43:27 | 000,026,248 | ---- | C] () -- C:\windows\System32\drivers\eubakup.sys
[2010/01/25 09:40:18 | 000,000,000 | ---- | C] () -- C:\windows\CSDiff.INI
[2009/12/02 14:59:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\prvlcl.dat
[2009/11/29 02:36:53 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/01 13:01:02 | 016,252,928 | ---- | C] () -- C:\Documents and Settings\Chris\Copy of NTUSER.DAT
[2008/11/21 17:47:52 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll
[2008/11/21 17:45:16 | 000,000,416 | ---- | C] () -- C:\windows\System32\dtu100.dll.manifest
[2008/11/21 17:45:16 | 000,000,416 | ---- | C] () -- C:\windows\System32\dpl100.dll.manifest
[2008/11/21 17:44:16 | 000,012,288 | ---- | C] () -- C:\windows\System32\DivXWMPExtType.dll
[2008/11/15 00:18:09 | 000,027,648 | ---- | C] () -- C:\windows\System32\AVSredirect.dll
[2008/09/01 18:12:28 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\mcs.rma
[2008/09/01 18:12:28 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\34D351
[2008/08/27 21:25:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\.gtk-bookmarks
[2008/05/27 04:02:35 | 000,000,127 | ---- | C] () -- C:\windows\System32\MRT.INI
[2008/04/23 21:30:13 | 000,010,593 | ---- | C] () -- C:\windows\CSTBox.INI
[2008/04/13 17:09:49 | 000,003,418 | ---- | C] () -- C:\Documents and Settings\Chris\resetlog.txt
[2008/03/04 01:55:52 | 000,001,303 | ---- | C] () -- C:\Documents and Settings\Chris\_GEAREXT.WO_IDENT.TXT
[2008/01/12 18:29:51 | 000,040,960 | ---- | C] () -- C:\windows\System32\IPPCPUID.DLL
[2008/01/12 18:28:50 | 000,011,776 | ---- | C] () -- C:\windows\System32\pmsbfn32.dll
[2008/01/12 18:27:33 | 000,000,419 | ---- | C] () -- C:\windows\MAXLINK.INI
[2007/08/31 10:17:02 | 000,000,000 | ---- | C] () -- C:\windows\ATIMMC.INI
[2007/08/26 11:56:57 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/03 22:01:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\QBInstanceFinder.log
[2007/07/09 09:06:43 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\PFP120JPR.{PB
[2007/07/09 09:06:43 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\PFP120JCM.{PB
[2007/06/08 17:37:19 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Lesley\Local Settings\Application Data\fusioncache.dat
[2007/06/08 17:37:18 | 000,917,504 | ---- | C] () -- C:\Documents and Settings\Lesley\ntuser.dat
[2007/06/08 17:37:18 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Lesley\ntuser.dat.LOG
[2007/06/08 17:37:18 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Lesley\ntuser.ini
[2007/01/06 00:04:21 | 000,000,347 | ---- | C] () -- C:\windows\CTWave32.INI
[2007/01/06 00:04:13 | 000,000,029 | ---- | C] () -- C:\windows\sfbm.INI
[2007/01/05 22:18:21 | 000,253,952 | ---- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2007/01/05 22:18:21 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2007/01/05 22:18:20 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG
[2007/01/05 22:17:57 | 000,020,480 | -H-- | C] () -- C:\Documents and Settings\Chris\ntuser.dat.LOG
[2007/01/05 22:17:56 | 016,252,928 | ---- | C] () -- C:\Documents and Settings\Chris\NTUSER.DAT.bak
[2006/12/18 00:00:16 | 000,000,321 | ---- | C] () -- C:\windows\hpipcopy.INI
[2006/11/08 10:11:42 | 000,049,152 | ---- | C] () -- C:\windows\System32\FTPStubInstUtils.dll
[2006/07/06 21:54:52 | 000,580,114 | ---- | C] () -- C:\windows\System32\x264vfw.dll
[2006/05/26 09:29:14 | 000,005,120 | ---- | C] () -- C:\windows\System32\ff_vfw.dll
[2006/04/09 22:17:36 | 000,000,461 | ---- | C] () -- C:\windows\EAGRAPH.INI
[2006/04/03 08:26:36 | 000,000,547 | ---- | C] () -- C:\windows\System32\ff_vfw.dll.manifest
[2006/03/27 02:06:30 | 000,761,856 | ---- | C] () -- C:\windows\System32\xvidcore.dll
[2006/03/27 02:06:30 | 000,180,224 | ---- | C] () -- C:\windows\System32\xvidvfw.dll
[2006/03/16 10:20:16 | 000,000,072 | ---- | C] () -- C:\windows\sbwin.ini
[2006/02/28 01:29:45 | 000,000,027 | ---- | C] () -- C:\windows\winzip32.ini
[2006/02/28 00:36:52 | 000,093,696 | ---- | C] () -- C:\windows\System32\hpgt42.dll
[2006/02/13 01:21:17 | 000,499,427 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\FASTWiz.log
[2006/02/12 23:14:40 | 000,000,990 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\FASTWiz.html
[2006/02/12 14:09:05 | 000,011,545 | ---- | C] () -- C:\windows\hpdj5600.ini
[2006/02/05 01:57:55 | 000,306,688 | ---- | C] () -- C:\windows\System32\Lffpx7.dll
[2006/02/05 01:57:55 | 000,095,232 | ---- | C] () -- C:\windows\System32\Lfkodak.dll
[2006/02/05 01:55:27 | 000,015,075 | ---- | C] () -- C:\windows\HPSETUP.INI
[2006/02/04 13:17:52 | 000,000,165 | ---- | C] () -- C:\windows\QUICKEN.INI
[2006/02/03 19:49:55 | 000,000,029 | ---- | C] () -- C:\windows\coolacm.ini
[2006/02/03 19:34:23 | 000,002,233 | ---- | C] () -- C:\windows\coolmp3.ini
[2006/02/03 19:34:23 | 000,000,029 | ---- | C] () -- C:\windows\wordpad.ini
[2006/02/03 19:34:23 | 000,000,000 | ---- | C] () -- C:\windows\COOLSYS.INI
[2006/02/03 19:34:14 | 000,010,677 | ---- | C] () -- C:\windows\coolkb2k.ini
[2006/02/03 19:18:54 | 000,019,904 | ---- | C] () -- C:\windows\COOL.INI
[2006/01/29 00:52:43 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI
[2006/01/28 13:30:36 | 000,000,056 | RHS- | C] () -- C:\windows\System32\C702DA514C.sys
[2006/01/28 13:30:35 | 000,003,558 | -HS- | C] () -- C:\windows\System32\KGyGaAvL.sys
[2006/01/28 13:12:43 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\fusioncache.dat
[2006/01/28 13:12:42 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Chris\ntuser.ini
[2006/01/24 00:23:45 | 000,000,061 | ---- | C] () -- C:\windows\smscfg.ini
[2006/01/24 00:13:44 | 000,000,138 | ---- | C] () -- C:\windows\wininit.ini
[2006/01/24 00:06:57 | 000,005,872 | ---- | C] () -- C:\windows\System32\CTSBMB.INI
[2006/01/24 00:02:33 | 000,004,969 | ---- | C] () -- C:\windows\System32\Sigfilt.ini
[2006/01/24 00:02:33 | 000,000,029 | ---- | C] () -- C:\windows\System32\ctzapxx.ini
[2006/01/23 23:39:08 | 000,000,392 | ---- | C] () -- C:\windows\System32\OEMINFO.INI
[2005/08/16 22:52:01 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/08/16 12:50:00 | 001,069,056 | ---- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2005/08/16 06:50:01 | 000,053,248 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2005/08/16 06:50:01 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2005/08/16 06:49:40 | 000,000,042 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini
[2005/08/16 06:49:39 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2005/08/16 06:37:24 | 000,001,793 | ---- | C] () -- C:\windows\System32\fxsperf.ini
[2005/08/05 16:01:54 | 000,235,008 | ---- | C] () -- C:\windows\System32\psisdecd.dll
[2005/08/03 15:54:08 | 000,253,952 | ---- | C] () -- C:\windows\System32\Manipulate.dll
[2005/08/02 17:24:01 | 000,053,299 | ---- | C] () -- C:\windows\System32\pthreadVC.dll
[2005/05/19 13:54:00 | 001,345,520 | ---- | C] () -- C:\windows\System32\CTMBHA.DLL
[2005/04/09 19:04:54 | 000,000,000 | ---- | C] () -- C:\windows\System32\px.ini
[2005/01/19 00:18:52 | 000,323,584 | ---- | C] () -- C:\windows\System32\FoxImager.dll
[2004/05/20 11:50:14 | 001,537,536 | ---- | C] () -- C:\windows\System32\erdmpg-hi.dll
[2004/05/12 01:31:54 | 000,005,942 | ---- | C] () -- C:\windows\PWRPLAY.INI
[2004/02/01 15:21:56 | 000,097,280 | ---- | C] () -- C:\windows\System32\Uncommon.dll
[2004/01/28 12:42:06 | 000,066,560 | ---- | C] () -- C:\windows\System32\atiyuv12.dll
[2004/01/28 12:42:06 | 000,056,832 | ---- | C] () -- C:\windows\System32\Iyvu9_32.dll
[2004/01/28 12:42:06 | 000,013,601 | ---- | C] () -- C:\windows\System32\vctest.ini
[2003/08/07 15:01:50 | 000,237,568 | ---- | C] () -- C:\windows\System32\lame_enc.dll
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\windows\System32\OUTLPERF.INI
[2002/11/24 08:40:36 | 000,046,080 | ---- | C] () -- C:\windows\System32\ac3encode.dll

========== LOP Check ==========

[2007/09/10 20:51:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\.bittorrent
[2010/02/05 11:07:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Broad Intelligence
[2008/01/13 16:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Canon
[2007/01/05 20:19:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\ExecutiveSoftware
[2007/01/05 20:19:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Jasc
[2007/01/05 20:19:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Leadertech
[2007/01/05 20:19:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\LEAPS
[2008/08/07 01:05:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Mael
[2009/12/08 14:50:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\NewSoft
[2007/01/05 20:20:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Pegasys Inc
[2008/10/19 20:53:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Research In Motion
[2008/01/12 18:27:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\ScanSoft
[2007/01/05 20:20:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Seven Zip
[2007/11/27 23:00:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Snapfish
[2007/04/16 08:03:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Viewpoint

========== Purity Check ==========


< End of report >

OTL logfile created on: 2010-04-18 10:42:33 AM - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 2.21 Gb Free Space | 0.48% Space Free | Partition Type: NTFS
Drive D: | 3.71 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF1.02
E: Drive not present or media not loaded
Drive F: | 931.51 Gb Total Space | 764.39 Gb Free Space | 82.06% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 144.30 Gb Total Space | 3.26 Gb Free Space | 2.26% Space Free | Partition Type: NTFS

Computer Name: DELLE510
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-04-18 09:39:50 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
PRC - [2010-04-17 17:51:01 | 000,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\Chris\Local Settings\temp\clclean.0001
PRC - [2010-01-25 01:51:05 | 003,327,488 | ---- | M] (FNet Co., Ltd.) -- C:\Program Files\TurboHddUsb\TurboHddUsb .exe
PRC - [2010-01-10 00:32:38 | 003,633,152 | ---- | M] () -- C:\Program Files\EA SPORTS\Fifa Master\Creation Master 10\CreationMaster10.exe
PRC - [2009-11-16 13:05:01 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
PRC - [2009-11-12 17:33:10 | 000,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper .exe
PRC - [2009-09-29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008-08-13 18:32:40 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd .exe
PRC - [2008-08-13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008-05-13 12:43:56 | 001,510,640 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
PRC - [2008-02-19 12:01:46 | 000,278,528 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
PRC - [2007-10-29 14:27:04 | 000,587,096 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007-06-13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007-03-15 11:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt .exe
PRC - [2006-10-31 21:24:18 | 000,057,344 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Multimedia\main\ATIDtct .exe
PRC - [2006-09-04 21:54:44 | 000,880,722 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe
PRC - [2006-02-04 00:59:31 | 000,262,215 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe
PRC - [2006-02-04 00:59:30 | 000,585,792 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe
PRC - [2006-02-04 00:59:30 | 000,290,889 | ---- | M] (Trend Micro Incorporated.) -- C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe
PRC - [2006-01-23 23:19:09 | 000,553,472 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
PRC - [2006-01-23 23:19:09 | 000,168,448 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
PRC - [2006-01-23 23:12:13 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2006-01-23 23:06:20 | 000,069,632 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2005-10-22 16:15:28 | 000,196,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2005-09-15 10:47:22 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
PRC - [2005-08-31 12:06:18 | 000,106,496 | ---- | M] (Corel, Inc.) -- C:\Program Files\Corel\Corel Photo Album 6\MediaDetect .exe
PRC - [2005-07-07 18:57:59 | 006,657,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE
PRC - [2005-03-22 05:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005-02-23 17:19:56 | 000,053,248 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
PRC - [2003-11-10 18:04:40 | 000,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
PRC - [2003-10-23 20:51:18 | 000,233,472 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
PRC - [2003-06-25 12:24:48 | 000,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
PRC - [2003-02-28 15:46:00 | 000,543,232 | ---- | M] (TASsoft) -- C:\Temp\Fifa09\eagraph.exe


========== Modules (SafeList) ==========

MOD - [2010-04-18 09:39:50 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
MOD - [2008-05-13 10:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2007-03-08 10:36:28 | 000,172,544 | ---- | M] () -- C:\WINDOWS\ijicahalevetecof.dll
MOD - [2006-08-25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004-08-10 06:00:00 | 001,852,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\AcGenral.dll
MOD - [2004-08-10 06:00:00 | 000,071,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msacm32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009-09-29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008-08-13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2007-10-29 14:27:04 | 000,587,096 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007-03-07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006-09-04 21:54:44 | 000,880,722 | ---- | M] (Trend Micro Incorporated.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe -- (PcCtlCom)
SRV - [2006-02-04 00:59:31 | 000,262,215 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe -- (tmproxy)
SRV - [2006-02-04 00:59:30 | 000,585,792 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe -- (TmPfw)
SRV - [2006-02-04 00:59:30 | 000,290,889 | ---- | M] (Trend Micro Incorporated.) [Auto | Running] -- C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe -- (Tmntsrv)
SRV - [2006-01-23 23:06:20 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2005-08-02 16:18:49 | 000,086,016 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2004-04-07 13:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - [2010-04-15 14:53:16 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\o.sys -- (k)
DRV - [2010-01-25 01:51:05 | 000,017,792 | ---- | M] (FNet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FNETTBOH.SYS -- (FNETTBOH)
DRV - [2010-01-25 01:51:05 | 000,007,040 | ---- | M] (FNet Co., Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FNETURPX.SYS -- (FNETURPX)
DRV - [2009-12-02 13:21:00 | 000,020,616 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | Boot | Running] -- C:\windows\system32\drivers\eufs.sys -- (EUFS)
DRV - [2009-12-02 13:20:58 | 000,014,216 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\eudskacs.sys -- (EUDSKACS)
DRV - [2009-12-02 13:20:56 | 000,026,248 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | Boot | Running] -- C:\windows\system32\drivers\eubakup.sys -- (EUBAKUP)
DRV - [2009-12-02 13:20:54 | 000,122,504 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EuDisk.sys -- (EuDisk)
DRV - [2009-11-04 11:15:30 | 004,423,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009-02-06 09:19:50 | 000,003,636 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\mmkrqijd -- (mmkrqijd)
DRV - [2008-07-18 19:08:38 | 000,205,328 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmxpflt.sys -- (Tmfilter)
DRV - [2008-07-18 19:08:32 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmpreflt.sys -- (Tmpreflt)
DRV - [2008-07-18 18:51:32 | 001,195,448 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\VsapiNT.sys -- (Vsapint)
DRV - [2008-07-02 14:38:14 | 000,089,600 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008-05-13 12:44:00 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2008-05-13 12:43:58 | 000,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008-05-13 12:43:56 | 000,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2007-09-25 09:59:46 | 000,015,152 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\MediaCoder Audio Edition\SysInfo.sys -- (CrystalSysInfo)
DRV - [2007-02-25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006-10-05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006-02-04 00:59:33 | 001,884,585 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\windows\System32\Drivers\tm_cfw.sys -- (tm_cfw)
DRV - [2006-02-04 00:59:33 | 000,038,528 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\windows\System32\Drivers\tmtdi.sys -- (tmtdi)
DRV - [2006-01-23 23:12:15 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005-08-02 16:10:13 | 000,032,512 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2005-06-28 12:43:40 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2005-06-06 03:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005-05-25 04:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005-04-12 20:21:32 | 000,022,240 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2005-04-12 20:21:28 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2005-04-12 20:21:28 | 000,005,600 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2005-04-12 20:21:26 | 000,045,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2005-03-24 21:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005-03-05 01:06:50 | 000,135,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinavxx.sys -- (ATIAVPCI)
DRV - [2005-02-23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005-01-10 05:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005-01-10 05:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2004-12-06 02:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004-12-06 02:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004-12-06 02:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004-12-06 02:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004-12-06 02:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004-12-06 02:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004-12-06 02:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004-12-06 02:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004-12-06 02:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004-12-01 04:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\windows\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004-11-23 03:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004-08-12 18:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004-08-10 06:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2004-08-04 00:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2004-08-04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004-08-04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004-08-03 23:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004-07-14 12:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004-07-14 12:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004-06-16 04:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004-03-06 05:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004-03-06 05:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004-03-06 05:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003-01-10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002-07-17 10:05:10 | 000,016,512 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)
DRV - [2001-08-17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001-08-17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001-08-17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001-08-17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001-08-17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001-08-17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001-08-17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001-08-17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001-08-17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001-08-17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001-08-17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001-08-17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001-08-17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001-08-17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001-08-17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001-08-17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\windows\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001-02-18 11:09:56 | 000,009,312 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hp4200c.sys -- (hp4200c)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\Extensions\\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}: C:\Documents and Settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB} [2010-04-17 17:11:19 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009-11-18 17:52:29 | 000,355,987 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 12234 more lines...
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ATICustomerCare] C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe ()
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe ()
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe ()
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe ()
O4 - HKLM..\Run: [Jzedic] C:\windows\ijicahalevetecof.DLL ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MBMon] C:\windows\System32\CTMBHA.DLL ()
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe File not found
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe File not found
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask .exe (Apple Inc.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\windows\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe File not found
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [TurboHddUsb] C:\Program Files\TurboHddUsb\TurboHddUsb.exe ()
O4 - HKLM..\Run: [VoiceCenter] C:\Program Files\Creative\VoiceCenter\AndreaVC .exe File not found
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE ()
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe ()
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe ()
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [SetDefaultMIDI] C:\windows\MIDIDEF.EXE (Creative Technology Ltd)
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe ()
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe ()
O4 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe (ArcSoft, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL (ATI Technologies Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15015/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {6678BE91-1E04-4A4A-9C32-63145EA79C2A} http://fifa-online.easports.com/fo3-theme/...3AXLauncher.cab (EAFO3AXLauncher Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15021/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} http://xmro.xmradio.com/xstream/registrati.../xmprofiler.CAB (XMRADIO.XM_SystemProfiler)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\windows\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\DELL.BMP
O24 - Desktop BackupWallPaper: C:\WINDOWS\DELL.BMP
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005-08-16 05:43:04 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008-09-08 17:55:20 | 000,410,888 | R--- | M] (Electronic Arts) - D:\AutoRun.exe -- [ UDF1.02 ]
O32 - AutoRun File - [2008-09-08 17:52:52 | 000,000,000 | R--D | M] - D:\Autorun -- [ UDF1.02 ]
O32 - AutoRun File - [2008-09-08 17:55:18 | 007,056,384 | R--- | M] () - D:\autorun.dat -- [ UDF1.02 ]
O32 - AutoRun File - [2008-09-08 17:48:15 | 000,000,136 | R--- | M] () - D:\autorun.inf -- [ UDF1.02 ]
O32 - AutoRun File - [2005-08-16 05:43:04 | 000,000,000 | -HS- | M] () - J:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Key error. File not found
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-21-1619683409-3122745654-3636637395-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010-04-18 09:39:48 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2010-04-17 17:11:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}
[2010-04-12 17:50:32 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ptpusb.dll
[2010-04-12 17:50:31 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ptpusd.dll
[2010-04-12 00:54:30 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Chris\Desktop\TDSSKiller.exe
[2010-04-08 03:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010-04-06 13:50:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010-04-06 10:15:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010-04-06 07:59:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010-04-06 07:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010-04-06 00:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010-04-05 21:08:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010-04-05 21:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010-04-05 21:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010-04-05 20:13:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010-04-05 18:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010-04-05 17:41:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010-03-20 12:11:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Local Settings\Application Data\IsolatedStorage
[2010-02-11 21:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009-12-03 08:31:39 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009-12-03 08:31:39 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008-07-18 12:21:41 | 000,722,176 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Chris\gotomypc_428.exe
[2008-04-13 01:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2008-04-13 01:12:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2008-01-05 19:29:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007-08-15 03:10:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\DivX
[2007-01-05 21:18:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[6 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-04-18 10:43:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\bsu9p9zw.exe
[2010-04-18 09:39:50 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2010-04-18 09:14:56 | 000,000,120 | ---- | M] () -- C:\windows\Rgatikequw.dat
[2010-04-18 00:27:11 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-04-18 00:22:10 | 000,000,000 | ---- | M] () -- C:\windows\Ltiqok.bin
[2010-04-17 17:50:29 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2010-04-17 17:18:01 | 000,018,582 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\58G3tyIDc
[2010-04-17 17:18:01 | 000,018,582 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\58G3tyIDc
[2010-04-17 17:08:52 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\0hbX77.dat
[2010-04-17 17:08:51 | 000,071,178 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\w30jkdpD.vir2
[2010-04-17 07:47:31 | 000,001,324 | ---- | M] () -- C:\windows\System32\d3d9caps.dat
[2010-04-16 00:46:28 | 000,019,904 | ---- | M] () -- C:\windows\COOL.INI
[2010-04-16 00:46:28 | 000,010,677 | ---- | M] () -- C:\windows\coolkb2k.ini
[2010-04-16 00:46:28 | 000,000,000 | ---- | M] () -- C:\windows\COOLSYS.INI
[2010-04-15 20:52:14 | 000,000,886 | ---- | M] () -- C:\windows\win.ini
[2010-04-15 20:52:14 | 000,000,027 | ---- | M] () -- C:\windows\winzip32.ini
[2010-04-15 14:53:16 | 000,004,736 | ---- | M] () -- C:\windows\System32\o.sys
[2010-04-14 22:13:03 | 000,214,592 | ---- | M] () -- C:\windows\System32\PnkBstrB.xtr
[2010-04-14 21:50:13 | 000,138,968 | ---- | M] () -- C:\windows\System32\drivers\PnkBstrK.sys
[2010-04-13 12:16:45 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Chris\ntuser.ini
[2010-04-13 12:16:44 | 017,039,360 | ---- | M] () -- C:\Documents and Settings\Chris\ntuser.dat
[2010-04-13 11:41:56 | 000,015,266 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\o82Ak400MM24
[2010-04-13 11:41:56 | 000,015,266 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\o82Ak400MM24
[2010-04-12 21:51:58 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\gmer.zip
[2010-04-12 21:49:51 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2010-04-12 20:10:23 | 000,000,000 | ---- | M] () -- C:\windows\system.ini
[2010-04-12 19:47:52 | 000,013,528 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\V8i44CYn52
[2010-04-12 19:47:52 | 000,013,528 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\V8i44CYn52
[2010-04-12 19:02:43 | 000,071,170 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\w30jkdpD.vir
[2010-04-12 01:17:01 | 000,095,360 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\drivers\atapi.vir
[2010-04-12 00:54:16 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\tdsskiller.zip
[2010-04-11 23:56:28 | 003,912,237 | R--- | M] () -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2010-04-10 00:24:00 | 000,000,376 | ---- | M] () -- C:\windows\ODBC.INI
[2010-04-06 19:28:49 | 000,065,536 | ---- | M] () -- C:\windows\IFinst27.exe
[2010-04-06 15:35:49 | 000,016,508 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\696744383
[2010-04-06 15:35:49 | 000,016,508 | -HS- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\4W2k7t2Uo86
[2010-04-06 15:08:00 | 000,016,508 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\4W2k7t2Uo86
[2010-04-05 23:50:41 | 000,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2010-04-04 09:43:46 | 005,315,314 | -H-- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\IconCache.db
[2010-03-30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010-03-30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010-03-25 16:51:38 | 000,001,906 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FIFA90 Patch.lnk
[2010-03-22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Chris\Desktop\TDSSKiller.exe
[2010-03-20 12:13:59 | 000,001,880 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[6 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-04-18 10:43:44 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\bsu9p9zw.exe
[2010-04-17 17:15:51 | 000,018,582 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\58G3tyIDc
[2010-04-17 17:15:51 | 000,018,582 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\58G3tyIDc
[2010-04-17 17:11:21 | 000,000,120 | ---- | C] () -- C:\windows\Rgatikequw.dat
[2010-04-17 17:11:21 | 000,000,000 | ---- | C] () -- C:\windows\Ltiqok.bin
[2010-04-15 14:53:16 | 000,004,736 | ---- | C] () -- C:\windows\System32\o.sys
[2010-04-14 10:04:53 | 000,214,592 | ---- | C] () -- C:\windows\System32\PnkBstrB.exe
[2010-04-14 10:04:52 | 000,214,592 | ---- | C] () -- C:\windows\System32\PnkBstrB.xtr
[2010-04-14 10:04:47 | 000,075,064 | ---- | C] () -- C:\windows\System32\PnkBstrA.exe
[2010-04-13 11:38:58 | 000,015,266 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\o82Ak400MM24
[2010-04-13 11:38:58 | 000,015,266 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\o82Ak400MM24
[2010-04-12 21:51:55 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\gmer.zip
[2010-04-12 21:49:48 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2010-04-12 21:33:40 | 000,071,178 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\w30jkdpD.vir2
[2010-04-12 19:19:17 | 000,013,528 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\V8i44CYn52
[2010-04-12 19:19:16 | 000,013,528 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\V8i44CYn52
[2010-04-12 19:02:44 | 000,071,170 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\w30jkdpD.vir
[2010-04-12 16:42:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\0hbX77.dat
[2010-04-12 00:54:14 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\tdsskiller.zip
[2010-04-11 23:56:24 | 003,912,237 | R--- | C] () -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2010-04-06 14:35:32 | 000,016,508 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\696744383
[2010-04-06 14:35:32 | 000,016,508 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\4W2k7t2Uo86
[2010-04-06 14:07:40 | 000,016,508 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4W2k7t2Uo86
[2010-04-06 14:07:40 | 000,016,508 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4W2k7t2Uo86
[2010-04-05 23:35:54 | 000,001,324 | ---- | C] () -- C:\windows\System32\d3d9caps.dat
[2010-04-04 09:46:11 | 002,856,464 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010-03-25 16:51:38 | 000,001,906 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FIFA90 Patch.lnk
[2010-03-20 12:20:55 | 017,039,360 | ---- | C] () -- C:\Documents and Settings\Chris\ntuser.dat
[2010-03-20 12:13:59 | 000,001,880 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010-03-17 15:13:58 | 000,138,968 | ---- | C] () -- C:\windows\System32\drivers\PnkBstrK.sys
[2010-03-17 15:13:57 | 000,139,152 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\PnkBstrK.sys
[2010-01-25 08:40:18 | 000,000,000 | ---- | C] () -- C:\windows\CSDiff.INI
[2009-12-02 13:59:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\prvlcl.dat
[2009-11-29 01:36:53 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-03-01 12:01:02 | 016,252,928 | ---- | C] () -- C:\Documents and Settings\Chris\Copy of NTUSER.DAT
[2008-11-21 16:47:52 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll
[2008-11-21 16:45:16 | 000,000,416 | ---- | C] () -- C:\windows\System32\dtu100.dll.manifest
[2008-11-21 16:45:16 | 000,000,416 | ---- | C] () -- C:\windows\System32\dpl100.dll.manifest
[2008-11-21 16:44:16 | 000,012,288 | ---- | C] () -- C:\windows\System32\DivXWMPExtType.dll
[2008-11-14 23:18:09 | 000,027,648 | ---- | C] () -- C:\windows\System32\AVSredirect.dll
[2008-09-01 17:12:28 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\mcs.rma
[2008-09-01 17:12:28 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\34D351
[2008-08-27 20:25:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\.gtk-bookmarks
[2008-05-27 03:02:35 | 000,000,127 | ---- | C] () -- C:\windows\System32\MRT.INI
[2008-04-23 20:30:13 | 000,010,593 | ---- | C] () -- C:\windows\CSTBox.INI
[2008-04-13 16:09:49 | 000,003,418 | ---- | C] () -- C:\Documents and Settings\Chris\resetlog.txt
[2008-03-04 00:55:52 | 000,001,303 | ---- | C] () -- C:\Documents and Settings\Chris\_GEAREXT.WO_IDENT.TXT
[2008-01-12 17:29:51 | 000,040,960 | ---- | C] () -- C:\windows\System32\IPPCPUID.DLL
[2008-01-12 17:28:50 | 000,011,776 | ---- | C] () -- C:\windows\System32\pmsbfn32.dll
[2008-01-12 17:27:33 | 000,000,419 | ---- | C] () -- C:\windows\MAXLINK.INI
[2007-08-31 09:17:02 | 000,000,000 | ---- | C] () -- C:\windows\ATIMMC.INI
[2007-08-26 10:56:57 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007-08-03 21:01:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\QBInstanceFinder.log
[2007-07-09 08:06:43 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\PFP120JPR.{PB
[2007-07-09 08:06:43 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\PFP120JCM.{PB
[2007-01-05 23:04:21 | 000,000,347 | ---- | C] () -- C:\windows\CTWave32.INI
[2007-01-05 23:04:13 | 000,000,029 | ---- | C] () -- C:\windows\sfbm.INI
[2007-01-05 21:17:57 | 000,311,296 | -H-- | C] () -- C:\Documents and Settings\Chris\ntuser.dat.LOG
[2007-01-05 21:17:56 | 016,252,928 | ---- | C] () -- C:\Documents and Settings\Chris\NTUSER.DAT.bak
[2006-12-17 23:00:16 | 000,000,321 | ---- | C] () -- C:\windows\hpipcopy.INI
[2006-11-08 09:11:42 | 000,049,152 | ---- | C] () -- C:\windows\System32\FTPStubInstUtils.dll
[2006-07-06 20:54:52 | 000,580,114 | ---- | C] () -- C:\windows\System32\x264vfw.dll
[2006-05-26 08:29:14 | 000,005,120 | ---- | C] () -- C:\windows\System32\ff_vfw.dll
[2006-04-09 21:17:36 | 000,000,461 | ---- | C] () -- C:\windows\EAGRAPH.INI
[2006-04-03 07:26:36 | 000,000,547 | ---- | C] () -- C:\windows\System32\ff_vfw.dll.manifest
[2006-03-27 01:06:30 | 000,761,856 | ---- | C] () -- C:\windows\System32\xvidcore.dll
[2006-03-27 01:06:30 | 000,180,224 | ---- | C] () -- C:\windows\System32\xvidvfw.dll
[2006-03-16 09:20:16 | 000,000,072 | ---- | C] () -- C:\windows\sbwin.ini
[2006-03-05 12:40:14 | 000,001,782 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006-02-28 00:29:45 | 000,000,027 | ---- | C] () -- C:\windows\winzip32.ini
[2006-02-27 23:36:52 | 000,093,696 | ---- | C] () -- C:\windows\System32\hpgt42.dll
[2006-02-13 00:21:17 | 000,499,427 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\FASTWiz.log
[2006-02-12 22:14:40 | 000,000,990 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\FASTWiz.html
[2006-02-12 13:09:05 | 000,011,545 | ---- | C] () -- C:\windows\hpdj5600.ini
[2006-02-05 00:57:55 | 000,306,688 | ---- | C] () -- C:\windows\System32\Lffpx7.dll
[2006-02-05 00:57:55 | 000,095,232 | ---- | C] () -- C:\windows\System32\Lfkodak.dll
[2006-02-05 00:55:27 | 000,015,075 | ---- | C] () -- C:\windows\HPSETUP.INI
[2006-02-04 12:17:52 | 000,000,165 | ---- | C] () -- C:\windows\QUICKEN.INI
[2006-02-03 18:49:55 | 000,000,029 | ---- | C] () -- C:\windows\coolacm.ini
[2006-02-03 18:34:23 | 000,002,233 | ---- | C] () -- C:\windows\coolmp3.ini
[2006-02-03 18:34:23 | 000,000,029 | ---- | C] () -- C:\windows\wordpad.ini
[2006-02-03 18:34:23 | 000,000,000 | ---- | C] () -- C:\windows\COOLSYS.INI
[2006-02-03 18:34:14 | 000,010,677 | ---- | C] () -- C:\windows\coolkb2k.ini
[2006-02-03 18:18:54 | 000,019,904 | ---- | C] () -- C:\windows\COOL.INI
[2006-01-28 23:52:43 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI
[2006-01-28 12:30:36 | 000,000,056 | RHS- | C] () -- C:\windows\System32\C702DA514C.sys
[2006-01-28 12:30:35 | 000,003,558 | -HS- | C] () -- C:\windows\System32\KGyGaAvL.sys
[2006-01-28 12:12:43 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\fusioncache.dat
[2006-01-28 12:12:42 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Chris\ntuser.ini
[2006-01-28 12:12:20 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2006-01-28 12:12:20 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2006-01-23 23:23:45 | 000,000,061 | ---- | C] () -- C:\windows\smscfg.ini
[2006-01-23 23:13:44 | 000,000,138 | ---- | C] () -- C:\windows\wininit.ini
[2006-01-23 23:06:57 | 000,005,872 | ---- | C] () -- C:\windows\System32\CTSBMB.INI
[2006-01-23 23:02:33 | 000,004,969 | ---- | C] () -- C:\windows\System32\Sigfilt.ini
[2006-01-23 23:02:33 | 000,000,029 | ---- | C] () -- C:\windows\System32\ctzapxx.ini
[2006-01-23 22:39:08 | 000,000,392 | ---- | C] () -- C:\windows\System32\OEMINFO.INI
[2005-08-16 05:37:24 | 000,001,793 | ---- | C] () -- C:\windows\System32\fxsperf.ini
[2005-08-16 05:18:42 | 000,172,544 | ---- | C] () -- C:\windows\ijicahalevetecof.dll
[2005-08-05 15:01:54 | 000,235,008 | ---- | C] () -- C:\windows\System32\psisdecd.dll
[2005-08-03 14:54:08 | 000,253,952 | ---- | C] () -- C:\windows\System32\Manipulate.dll
[2005-08-02 16:24:01 | 000,053,299 | ---- | C] () -- C:\windows\System32\pthreadVC.dll
[2005-05-19 12:54:00 | 001,345,520 | ---- | C] () -- C:\windows\System32\CTMBHA.DLL
[2005-04-09 18:04:54 | 000,000,000 | ---- | C] () -- C:\windows\System32\px.ini
[2005-01-18 23:18:52 | 000,323,584 | ---- | C] () -- C:\windows\System32\FoxImager.dll
[2004-05-20 10:50:14 | 001,537,536 | ---- | C] () -- C:\windows\System32\erdmpg-hi.dll
[2004-05-12 00:31:54 | 000,005,942 | ---- | C] () -- C:\windows\PWRPLAY.INI
[2004-02-01 14:21:56 | 000,097,280 | ---- | C] () -- C:\windows\System32\Uncommon.dll
[2004-01-28 11:42:06 | 000,066,560 | ---- | C] () -- C:\windows\System32\atiyuv12.dll
[2004-01-28 11:42:06 | 000,056,832 | ---- | C] () -- C:\windows\System32\Iyvu9_32.dll
[2004-01-28 11:42:06 | 000,013,601 | ---- | C] () -- C:\windows\System32\vctest.ini
[2003-08-07 14:01:50 | 000,237,568 | ---- | C] () -- C:\windows\System32\lame_enc.dll
[2003-01-07 16:05:08 | 000,002,695 | ---- | C] () -- C:\windows\System32\OUTLPERF.INI
[2002-11-24 07:40:36 | 000,046,080 | ---- | C] () -- C:\windows\System32\ac3encode.dll
< End of report >


OTL Extras logfile created on: 2010-04-18 10:42:33 AM - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 2.21 Gb Free Space | 0.48% Space Free | Partition Type: NTFS
Drive D: | 3.71 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF1.02
E: Drive not present or media not loaded
Drive F: | 931.51 Gb Total Space | 764.39 Gb Free Space | 82.06% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 144.30 Gb Total Space | 3.26 Gb Free Space | 2.26% Space Free | Partition Type: NTFS

Computer Name: DELLE510
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- Reg Error: Key error. File not found

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-21-1619683409-3122745654-3636637395-1005\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\PROGRA~1\MICROS~4\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\PROGRA~1\MICROS~4\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\WINAMP.EXE" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\kav\kav7\setup.exe" = C:\Program Files\kav\kav7\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup -- (Kaspersky Lab)
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe:*:Enabled:CTDetect -- (Creative Technology Ltd)
"C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" = C:\Program Files\Creative\VoiceCenter\AndreaVC.exe:*:Enabled:ENABLE -- ()
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:bittorrent -- File not found
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\EA SPORTS\FIFA Online\NFE.exe" = C:\Program Files\EA SPORTS\FIFA Online\NFE.exe:*:Enabled:EA SPORTS™ FIFA Online -- (Electronic Arts)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00DE25CD-A571-71AA-DD1E-44624D3F3839}" = Catalyst Control Center Localization Russian
"{0100A905-A8DD-501B-F188-5EE0949F452E}" = CCC Help Polish
"{0241E073-A1C3-857F-7DA3-9A5DC6C4F60B}" = Catalyst Control Center Graphics Light
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{057886CB-E3EF-2817-81E0-22C4A42CE498}" = Catalyst Control Center Localization German
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{08E30958-B916-F50F-7D1B-2BC7FFCBE3CD}" = Catalyst Control Center Localization Thai
"{0A2A5039-B37F-489D-B1DC-A5258DF9E697}" = FIFA 08
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F55F69B-FB6C-5157-A5DC-B8AC58048A1A}" = ATI Catalyst Install Manager
"{11202615-E557-4ECF-9B86-F59C81E52909}" = FIFA 10
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4804" = CanoScan 8600F
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14EED1BC-FFF0-B332-5EF3-AE2ECA7DBAB2}" = CCC Help Korean
"{174D5678-D941-433C-BD23-58A5C7B0D36D}" = Jasc Animation Shop 3
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1B2CAF41-06B0-C482-CFA3-5FEF0CE3EFB7}" = Catalyst Control Center Localization Korean
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE
"{2315B23D-3E21-4920-837D-AE6460934ECB}" = FIFA 09
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{27004F1F-150E-10EA-6D9A-477A4D517AE6}" = ccc-core-preinstall
"{271E0D08-7010-7924-8483-AFE61B5F932D}" = Catalyst Control Center Localization Chinese Standard
"{27A1D594-FEE9-DA8F-DCA6-E25CE1F2CFC7}" = Catalyst Control Center Localization Turkish
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{29D851C2-048C-4B5E-8D1F-25D473342BB5}" = ScanSoft OmniPage SE 4.0
"{2DD4470C-9070-7D7C-340B-C523CB830213}" = Catalyst Control Center Localization Dutch
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{307B9D04-A1F4-48EA-809C-DF7FA9C4BB6D}" = Presto! PageManager 7.15.13
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{36C6D94F-3E89-A1E2-50B4-EC111EBD8F0E}" = Catalyst Control Center Localization Spanish
"{37EBB600-EAA2-012B-AD89-000000000000}" = TurboTax 2009 wiliper
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3A46DFF0-5ED9-7933-6934-C25D7C58C149}" = ccc-core-static
"{3AD95EBD-0199-F426-3EC8-37356E9F221E}" = CCC Help Turkish
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3CBA0E30-6F54-47EF-910E-1D4D450AFE45}" = ATI Multimedia Center
"{3CCE085E-255D-BBEE-7D51-D46FF3E13B1F}" = Catalyst Control Center HydraVision Full
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Google AFE
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4093993B-DCBD-269F-3F25-B19D39F03227}" = Catalyst Control Center Localization Hungarian
"{41BADB07-B491-E330-3727-7ECF24F3973C}" = CCC Help German
"{424D35F1-F86D-9A7C-970A-A3EC69B41EEC}" = Catalyst Control Center Localization Portuguese
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Sonic Advanced Decoder
"{4C1B42D1-4DE1-42E7-BF55-3977E9A4BC62}" = FifaFace2006_3DViewer_V2.0
"{4C3CD1BF-3A55-3B11-738C-AEBCC136B99D}" = Catalyst Control Center Localization Italian
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{58F0911C-A70A-5450-AF61-ABA73BC839AF}" = CCC Help Dutch
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5C1DA723-24FC-48AD-93BA-925695C3EF26}" = Logitech Gaming Software
"{5D27AF04-435A-ADA1-A995-DAA23023CD9C}" = CCC Help Swedish
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{61DA7F1D-26B2-06E9-0B0E-D7EC9CA89FF7}" = Catalyst Control Center Graphics Light
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6412075D-F600-6E0C-47B9-E46B2FCD2281}" = CCC Help English
"{64823E85-64E8-FD8E-9323-10C9DA3DCBF1}" = Catalyst Control Center Localization French
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A620E3F-B44C-DC93-6DF3-3C36022FAEC5}" = CCC Help Russian
"{6A7C42A3-02F9-C4E2-3A2B-BED15343DB4E}" = ccc-utility
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6D9306D4-668D-F7B5-30A8-0D20B5D898A0}" = Catalyst Control Center Core Implementation
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6F42FC6B-947B-9B89-29B0-545F0815AD7F}" = ATI Parental Control & Encoder
"{6FDD9182-1069-4808-949C-F502A21E6459}" = WebPirate
"{6FE3B0CE-37C1-4825-908A-5A84C9B4EC2F}" = EA SPORTS™ FIFA Online
"{70A77127-A231-3515-A98E-3BEDD1EE379B}" = CCC Help Danish
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7698EDA5-A90F-4205-99CB-8FF6F9048ED9}" = Trend Micro PC-cillin Internet Security 12
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7A5029B2-B9EE-BD2F-D1C2-20A89933BC7B}" = Catalyst Control Center Graphics Full New
"{7C672A89-14D2-4A8F-03E5-42D60DEEEA28}" = Catalyst Control Center Localization Greek
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{80a25fc0-7353-4f39-8115-27f8df007c16}" = Mirar
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{86D37906-6BB5-CEA3-3A9E-282BD3D4821A}" = CCC Help Greek
"{87D0CA2B-8F5C-04FD-8B31-45D72B813939}" = Catalyst Control Center Localization Chinese Traditional
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{885EE19A-486C-4A85-BA1B-19D719C72798}" = dCut
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2AE3F6-79DF-423C-91CB-389F6FB5837B}" = Andrea VoiceCenter
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{903A0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Standard 2003
"{90530409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Standard 2003
"{907453D4-2730-940D-42E7-FB9B22D4AA4F}" = CCC Help Norwegian
"{90A10409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office OneNote 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9BAC5D76-82E7-4091-8D54-EEDC32BEBF2A}" = Catalyst Control Center Graphics Full Existing
"{9CE57598-9A41-AFCE-AA0C-954D2B11A389}" = Catalyst Control Center Graphics Full New
"{9E163B34-C00F-ACEE-EC7C-F8287FA63430}" = CCC Help Finnish
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{9F650127-C7C9-A280-23FB-05763FC33871}" = Catalyst Control Center Localization Finnish
"{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}" = DiscWizard for Windows
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A439BDA6-3E0E-C98B-4E86-620D8215E7BB}" = CCC Help Japanese
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6111E9B-996D-48BD-BC27-49E779430C8B}" = File Master 06
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AB9C21BC-3097-438A-9923-EB1F4D90376D}" = Catalyst Control Center Localization Czech
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B63ECF13-D418-E6F0-D5DB-85E0CF6700F4}" = CCC Help French
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B76D4A7F-FF11-4420-947C-C3AD624B9DBA}" = Jasc Paint Shop Photo Album
"{B88FDD47-6CF4-FBE9-3864-70CF7E71C3BC}" = Catalyst Control Center Localization Danish
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1506CB6-E0BF-5ED7-EC5C-F70F3E56CDE6}" = CCC Help Chinese Traditional
"{C40B0FDC-2503-DEBC-0C1C-4F7200B28347}" = Catalyst Control Center Localization Norwegian
"{C4C2BA9A-E0BE-B4AC-2858-30ED109AAB39}" = CCC Help English
"{C53C7777-EFDD-4B5D-B0B2-199AA6E1E780}" = BlackBerry Desktop Software 4.6
"{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA}" = Blaze Media Pro
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC03804C-5D9E-B6F5-D2D6-2E8D11CE7C22}" = Catalyst Control Center Graphics Previews Common
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF24D929-D3BB-7109-FC9E-447D75FBC0EC}" = Catalyst Control Center Localization Swedish
"{D16C2485-137D-8321-EC76-6774711F1A30}" = Catalyst Control Center Core Implementation
"{D2773F0B-9751-BA4C-387F-5BD115A260AE}" = Catalyst Control Center Localization Polish
"{D371E383-D570-A815-B74B-D2622E43651C}" = Catalyst Control Center Localization Japanese
"{D4318DDE-2E5E-6771-C11C-A1667B133993}" = CCC Help Hungarian
"{D85C36C2-8471-407F-BDAE-FE6D0D7033B9}" = File Master 07
"{DA682C82-D3EE-4959-BE68-A0D7B79DE7B4}" = TMPGEnc 4.0 XPress
"{DB21769C-74C5-4142-BDE7-69334BD866D2}" = Tournament Master 06
"{DB5518BE-F40F-407A-B451-012625D4497B}" = hp deskjet 5600
"{DE017133-018C-61CF-2387-02E15E2ED191}" = CCC Help Portuguese
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E4C07CAB-99A1-4177-8EA1-67B0FE6474C8}" = TurboTax 2008 wiliper
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E77C5F51-DC43-6D63-27FB-1915944E4302}" = CCC Help Spanish
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{ED7E511E-40AF-4A94-6522-7C7B910F6EAF}" = Catalyst Control Center Graphics Previews Common
"{EEADF889-D975-0591-9AA0-89EB6E640B8D}" = CCC Help Czech
"{EF6F70D0-C242-4047-946B-98EA8208481A}" = ArcSoft TotalMedia Backup & Record
"{F08A5341-216B-00BF-659F-ED88DF844B04}" = CCC Help Chinese Standard
"{F165A635-9DFF-4F34-A669-49493E0A5B38}" = M2PMCEncoderZX
"{F3BCD513-E086-4058-B93E-173780E583A2}" = Microsoft MapPoint 2002 North America
"{F58D330D-3D1D-37FE-7591-35EB77EF87D3}" = Skins
"{F6377647-81AF-41C0-BC7E-06CF37E204AB}" = Roxio Media Manager
"{F638C8C3-DFA5-E695-BE3A-971D5D9B5672}" = ccc-utility
"{F76A2E6B-4C7F-3FFC-05A7-5368105B20AC}" = CCC Help Italian
"{F7B013D0-EF94-B8C5-E95F-63CDD1C4D333}" = CCC Help Thai
"{F8BB72FB-615E-4CF6-963D-B37550D4639E}" = TMPGEnc DVD Author 2.0
"{F9C3B51C-DCCC-4916-B08D-A6820D914AC0}" = CSDiff
"{FA3A247D-437A-455E-A88F-7EB6E5F9E799}" = Catalyst Control Center - Branding
"{FE6A0D54-A89C-542A-3C0F-7DE1DFC0F3A2}" = Catalyst Control Center Graphics Full Existing
"{FE7ADD14-5576-C865-AB6A-84BBC94C883B}" = ccc-core-preinstall
"1. Bundesliga Banden by MexicanTraveller" = 1. Bundesliga Banden by MexicanTraveller
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"2. Bundesliga Banden-Pack by MexicanTraveller" = 2. Bundesliga Banden-Pack by MexicanTraveller
"82A44D22-9452-49FB-00FB-CEC7DCAF7E23" = EA SPORTS online 2007
"AC Milán FacePack 1.00" = AC Milán FacePack 1.00
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"America Online us" = America Online (Choose which version to remove)
"AOL Connectivity Services" = AOL Connectivity Services
"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"ASF-AVI-RM-WMV Repair_is1" = ASF-AVI-RM-WMV Repair 1.82
"AsfTools 3.1" = AsfTools 3.1 (remove only)
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.4
"Axis & Allies Iron Blitz" = Axis & Allies Iron Blitz
"Barclays Premier League Flagpack" = Barclays Premier League Flagpack
"Best Buy Digital Music Store" = Best Buy Digital Music Store
"BFL_FIFA_10" = BFL_FIFA_10
"BlackBerry_{C53C7777-EFDD-4B5D-B0B2-199AA6E1E780}" = BlackBerry Desktop Software 4.6
"Canon CanoScan 8600F User Registration" = Canon CanoScan 8600F User Registration
"CanoScan Toolbox 5.0" = Canon CanoScan Toolbox 5.0
"CCleaner" = CCleaner (remove only)
"CDex" = CDex extraction audio
"Clydesdale Bank Premier League" = Clydesdale Bank Premier League
"Coca Cola Championship Flagpatch" = Coca Cola Championship Flagpatch
"Cool Edit 2000" = Cool Edit 2000
"Creation Master 07_is1" = Creation Master 07 Release 2.02
"Creation Master 08_is1" = Creation Master 08 Release 1.00
"Creation Master 09_is1" = Creation Master 09 Release 1.01
"Creation Master 10_is1" = Creation Master 10 Release 10.3
"Cygnus Hex Editor FREE EDITION" = Cygnus Hex Editor FREE EDITION 1.00
"DB Master 08_is1" = DB Master 08
"DB Master 09_is1" = DB Master 09 Release 4.00
"DB Master 10_is1" = DB Master 10 Release 10.3
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"EASEUS Todo Backup 1.1_is1" = EASEUS Todo Backup 1.1
"Elecard Codec SDK G4 1.0.1.80507 Eval" = Elecard Codec SDK G4 Eval
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESPNMotion" = ESPNMotion
"Face Design Master 09_is1" = Face Design Master 09 Rel 1.02
"FAT Master 08_is1" = FAT Master 08
"ffdshow" = ffdshow
"FIFA 10 Logo Patch" = FIFA 10 Logo Patch
"FIFAMANIA FAT CONTROLLER 08" = FIFAMANIA FAT CONTROLLER 08
"File Master 08_is1" = File Master 08
"File Master 09_is1" = File Master 09 Release 4.00
"File Master 10 Demo_is1" = File Master 10 Release 4.10.D
"File Master 10_is1" = File Master 10 Release 10.3
"FreeUndelete" = FreeUndelete
"Generic Adboards Patch" = Generic Adboards Patch
"Google Desktop" = Google Desktop
"HijackThis" = HijackThis 2.0.2
"Hungarian Super Patch '09v1.0" = Hungarian Super Patch '09
"HxD Hex Editor_is1" = HxD Hex Editor version 1.7.6.3
"ie8" = Windows Internet Explorer 8
"InstallShield_{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control
"InstallShield_{3CBA0E30-6F54-47EF-910E-1D4D450AFE45}" = ATI Multimedia Center 9.16
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Internal Master 08_is1" = Internal Master 08 Release 1.00
"Kit Models Switcher 10" = Kit Models Switcher 10
"Kit-Design Master 08_is1" = Kit-Design Master 08 Release 1.00
"Kit-Design Master 09_is1" = KDM09 FullPack Rel 1.00
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Malwarebytes' RogueRemover FREE_is1" = Malwarebytes' RogueRemover
"Man Utd FacePack" = Man Utd FacePack
"Manager Master 08_is1" = Manager Master 08 Beta 0.1
"Manager Master 09_is1" = Manager Master 09 Release 1.00
"Manager Master 10_is1" = Manager Master 10 Release 10.2
"MediaCoder Audio Edition" = MediaCoder Audio Edition 0.7.2.4598
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MVApplication1" = SureThing CD Labeler
"Nero - Burning Rom!UninstallKey" = Ahead Nero - Burning Rom
"OpenSource Flash Video Splitter" = OpenSource Flash Video Splitter (remove only)
"Premier League Banden - Pack" = Premier League Banden - Pack
"PROSet" = Intel® PRO Network Connections Drivers
"Remove on Reboot Shell Extension_is1" = Remove on Reboot Shell Extension
"RPL UPDATE 1.2 BY FIFARUS" = RPL UPDATE 1.2 BY FIFARUS
"Save My Career 08_is1" = Save My Career 08
"Sound Blaster Audigy ADVANCED MB Product Registration" = Sound Blaster Audigy ADVANCED MB Product Registration
"StreamDown Version 5.7" = StreamDown Version 5.7
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SUPER ©" = SUPER © Version 2008.bld.33 (Sep 2, 2008)
"Switcher Evo 09" = Switcher Evo 09
"SystemRequirementsLab" = System Requirements Lab
"TripleAVersion1_2_1_0" = TripleA Version 1_2_1_0
"TripleAVersion1_2_3_0" = TripleA Version 1_2_3_0
"TurboHddUsb" = TurboHddUsb
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"UniDB_is1" = UniDB Version 4.0
"VideoReDo-Plus_is1" = VideoReDo/Plus Version 2-2-1-445
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinMerge_is1" = WinMerge 2.12.2
"WinPcapInst" = WinPcap 3.1
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WM Recorder 11.1" = WM Recorder 11.1
"WM_Recorder_102" = WM Recorder + RM Recorder 10.21
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"x264 Revision 533 x264.nl" = x264 Revision 533 x264.nl (remove only)
"XviD_is1" = XviD 1.1 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1619683409-3122745654-3636637395-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Bundesliga Flagpack" = Bundesliga Flagpack
"GSP FIFA 10 v1.0 Greece all Divisions Addon" = GSP FIFA 10 v1.0 Greece all Divisions Addon
"MIL 10!" = MIL 10!
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2010-04-17 6:55:39 PM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2010-04-17 8:55:48 PM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-17 10:55:52 PM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-18 12:55:54 AM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-18 2:55:57 AM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-18 4:55:59 AM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-18 6:56:04 AM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-18 8:56:06 AM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-18 10:56:09 AM | Computer Name = DELLE510 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 2010-04-18 11:16:22 AM | Computer Name = DELLE510 | Source = Application Hang | ID = 1002
Description = Hanging application iTunes.exe, version 9.0.2.25, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2010-04-17 6:51:07 PM | Computer Name = DELLE510 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 2010-04-17 6:53:34 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WebClient service to
connect.

Error - 2010-04-17 6:53:34 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7000
Description = The WebClient service failed to start due to the following error:
%%1053

Error - 2010-04-17 6:53:34 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.

Error - 2010-04-17 6:53:34 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7000
Description = The HTTP SSL service failed to start due to the following error: %%1053

Error - 2010-04-17 6:53:34 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 2010-04-17 6:53:34 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher
9 service to connect.

Error - 2010-04-17 6:53:34 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7001
Description = The Windows Media Player Network Sharing Service service depends on
the HTTP SSL service which failed to start because of the following error: %%1053

Error - 2010-04-17 6:55:19 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
mmkrqijd

Error - 2010-04-17 6:58:29 PM | Computer Name = DELLE510 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460


< End of report >


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:50 AM

Posted 19 April 2010 - 03:26 AM

Hello again,
Since safe mode is working, let's continue there first.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#9 naslsoccer

naslsoccer
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:02:50 AM

Posted 19 April 2010 - 11:17 AM

Elise,

OK, it took me several hours to get a successful run of Combofix, but I finally did. Here is what happened.

I initially tried to run Combofix in safe mode, but when I started it, it was complaining that my TrendMicro anti-virus real-time scanning was enabled. But for some reason, I could not disable real-time scanning in safe mode. So, I rebooted in regular Windows. The first time I tried to get into the TrendMicro control console, Windows locked up. On the second attempt, I was able to get into TrendMicro and disable real-time scanning. At this point, the computer seemed to be working fairly well, so I ran Combofix from regular Windows mode. It made it all the way through the 50 or so phases of the program, but then Windows completely locked up when Combofix was at the point where it says "almost complete...please wait a few seconds for the report log to come up. Report log will be located at C:\COMBOFIX.txt". I then rebooted again (by cycling the power) into safe mode and ran Combofix again. This time it ran successfully. During running, a message box came up that said "Combofix has detected rootkit activity and needs to reboot your computer now". It rebooted (into safe mode again) and then ran through the 50 phases of checks, and finally produced an output log, which I have copied here. Please let me know the next steps.

Thanks for the continued help,
Chris

ComboFix 10-04-18.04 - Chris 2010-04-19 10:44:35.33.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.3026 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\Chris\LOCALS~1\Temp\clclean.0001.dir.0010\~df394b.tmp
c:\documents and settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}
c:\documents and settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}\chrome.manifest
c:\documents and settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}\chrome\content\_cfg.js
c:\documents and settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}\chrome\content\overlay.xul
c:\documents and settings\Chris\Local Settings\Application Data\{A7193FD4-8B2C-4675-A5C6-DC598E409ADB}\install.rdf
c:\documents and settings\Chris\Local Settings\temp\clclean.0001.dir.0010\~df394b.tmp
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\0OrR6LRq1.jpg
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\14TRbyq7.jpg
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\6jYD3V28.jpg
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\ahM5kU.jpg
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\gkrVbU.jpg
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\sAfD61T7.jpg
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\tma3X7.jpg
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\xmweIHTM.jpg

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-18 18:35 . 2010-04-12 21:40 41476 ----a-w- c:\windows\system32\5xT3TFL5.com
2010-04-18 18:34 . 2010-04-19 15:34 -------- d-----w- c:\documents and settings\HelpAssistant
2010-04-17 22:11 . 2010-04-18 14:14 120 ----a-w- c:\windows\Rgatikequw.dat
2010-04-17 22:11 . 2010-04-18 05:22 0 ----a-w- c:\windows\Ltiqok.bin
2010-04-15 19:53 . 2010-04-15 19:53 4736 ----a-w- c:\windows\system32\o.sys
2010-04-14 15:04 . 2010-04-15 02:49 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-14 15:04 . 2010-04-14 15:04 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-12 22:50 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-12 22:50 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-12 04:49 . 2010-04-12 04:49 -------- d-----w- c:\temp\tdss_remover
2010-04-08 08:39 . 2010-04-08 08:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-06 18:50 . 2010-04-06 18:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-06 15:15 . 2010-04-06 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-06 13:16 . 2010-04-06 13:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-06 12:59 . 2010-04-06 12:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 04:35 . 2010-04-17 12:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 04:15 . 2010-04-06 04:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-06 02:08 . 2010-04-06 02:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-04 14:46 . 2010-04-09 01:49 2856464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-20 17:11 . 2010-03-20 17:11 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\IsolatedStorage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 16:21 . 2010-04-12 21:42 112 ----a-w- c:\documents and settings\All Users\Application Data\0hbX77.dat
2010-04-19 16:21 . 2010-04-18 16:45 71698 ----a-w- c:\documents and settings\All Users\Application Data\w30jkdpD.exe
2010-04-19 03:04 . 2009-05-06 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 18:36 . 2008-05-14 00:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-18 18:26 . 2009-12-10 18:54 -------- d-----w- c:\program files\QuickTime
2010-04-18 16:01 . 2007-01-06 02:56 -------- d-----w- c:\program files\VideoReDoPlus
2010-04-17 22:48 . 2009-11-12 03:48 95360 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-04-16 05:46 . 2007-01-06 02:23 -------- d-----w- c:\program files\Cool2000
2010-04-15 02:50 . 2010-03-17 20:13 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-13 00:02 . 2010-04-13 00:02 71170 ----a-w- c:\documents and settings\All Users\Application Data\w30jkdpD.vir
2010-04-12 21:59 . 2007-04-11 12:59 -------- d-----w- c:\program files\DellSupport
2010-04-12 21:40 . 2010-01-25 06:51 -------- d-----w- c:\program files\TurboHddUsb
2010-04-12 21:40 . 2009-12-10 18:56 -------- d-----w- c:\program files\iTunes
2010-04-12 21:40 . 2010-04-18 18:19 41476 ----a-w- c:\windows\Fonts\5xT3TFL5.com
2010-04-12 06:17 . 2004-08-04 04:59 95360 ----a-w- c:\windows\system32\drivers\atapi.vir
2010-04-11 17:22 . 2007-01-06 00:19 -------- d-----w- c:\documents and settings\Chris\Application Data\Apple Computer
2010-04-11 17:21 . 2007-12-31 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-04-07 00:28 . 2006-05-12 02:19 65536 ----a-w- c:\windows\IFinst27.exe
2010-03-30 05:46 . 2009-05-06 04:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2009-05-06 04:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:42 . 2007-01-06 02:25 -------- d-----w- c:\program files\EA SPORTS
2010-03-20 17:10 . 2007-01-06 02:55 -------- d-----w- c:\program files\TurboTax
2010-03-17 20:13 . 2010-03-17 20:13 139152 ----a-w- c:\documents and settings\Chris\Application Data\PnkBstrK.sys
2010-03-16 02:30 . 2009-11-12 15:30 -------- d-----w- c:\program files\JDownloader
2010-03-05 05:37 . 2009-10-28 01:25 -------- d-----w- c:\program files\Triple A
2010-02-18 21:13 . 2010-02-18 21:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-25 06:51 . 2010-01-25 06:51 7040 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-01-25 06:51 . 2010-01-25 06:51 17792 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-01-24 06:57 . 2009-02-16 06:53 3532 ----a-w- C:\drmHeader.bin
2009-12-12 20:35 . 2006-01-28 17:30 56 --sh--r- c:\windows\system32\C702DA514C.sys
2006-05-03 09:06 . 2008-11-15 04:17 163328 --sha-r- c:\windows\system32\flvDX.dll
2009-12-12 20:35 . 2006-01-28 17:30 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-11-15 04:17 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2008-11-15 04:17 216064 --sha-r- c:\windows\system32\nbDX.dll
.
c:\program files\ATI\ATICustomerCare\ATICustomerCare .exe
c:\program files\ATI Multimedia\main\ATIDtct .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\Corel\Corel Photo Album 6\MediaDetect .exe
c:\program files\Creative\VoiceCenter\AndreaVC    .exe
c:\program files\Creative\VoiceCenter\AndreaVC   .exe
c:\program files\Creative\VoiceCenter\AndreaVC  .exe
c:\program files\Creative\VoiceCenter\AndreaVC .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe
c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\Intel\Modem Event Monitor\IntelMEM .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Trend Micro\Internet Security 12\pccguide .exe
c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
c:\program files\TurboHddUsb\TurboHddUsb .exe
c:\program files\Windows Media Player\WMPNSCFG .exe
c:\windows\ehome\ehtray .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [N/A]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2010-04-12 41480]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2010-04-12 41480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [N/A]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-12 41480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC .exe" [2005-09-19 1159168]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [N/A]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-24 26112]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [N/A]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [N/A]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [N/A]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2010-04-12 41476]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [N/A]
"hplampc"="c:\windows\system32\hplampc.exe" [2002-01-17 40448]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-10 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2010-04-12 41476]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [N/A]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-04-12 41476]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2010-04-12 41476]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2010-04-12 41476]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-04-12 41476]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2010-04-12 41476]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-12 41476]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-04-12 41476]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]
"TurboHddUsb"="c:\program files\TurboHddUsb\TurboHddUsb.exe" [2010-04-12 41476]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-3-17 59080]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2010-1-25 278528]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-2-4 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 18:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 15:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe"=
"c:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6981:TCP"= 6981:TCP:Services
"6980:TCP"= 6980:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8956:TCP"= 8956:TCP:Services
"8957:TCP"= 8957:TCP:Services

R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-01-25 1:51 AM 7040]
S0 mmkrqijd;mmkrqijd;c:\windows\system32\drivers\xmzgcqhp.sys --> c:\windows\system32\drivers\xmzgcqhp.sys [?]
S0 paxpmo;paxpmo;c:\windows\system32\drivers\cyor.sys --> c:\windows\system32\drivers\cyor.sys [?]
S0 payihxoq;payihxoq;c:\windows\system32\drivers\ymorkhpe.sys --> c:\windows\system32\drivers\ymorkhpe.sys [?]
S1 DMusicc;DMusicc;c:\windows\system32\drivers\DMusicc.sys --> c:\windows\system32\drivers\DMusicc.sys [?]
S1 NdisIPP;NdisIPP;c:\windows\system32\drivers\NdisIPP.sys --> c:\windows\system32\drivers\NdisIPP.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-13 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-13 55024]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2006-02-04 205328]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-02-04 290889]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-02-04 585792]
S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-02-04 36368]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-02-04 262215]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-01-25 1:51 AM 17792]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2006-02-05 9312]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-08-02 4:10 PM 32512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-13 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac67b16fb9446.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 02:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} - hxxp://xmro.xmradio.com/xstream/registration/dell/xmprofiler.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 11:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1619683409-3122745654-3636637395-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{76A0FAF2-34AA-30AD-57E5-F69671CDE111}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iapkeogikoeaknacki"=hex:6b,61,6c,6a,6a,70,68,62,63,61,66,65,6d,6b,61,6b,6e,70,
6b,65,6f,6b,00,00
"habkkiefkfnkcgif"=hex:6b,61,6c,6a,6a,70,68,62,63,61,66,65,6d,6b,61,6b,6e,70,
6b,65,6f,6b,00,00

[HKEY_USERS\S-1-5-21-1619683409-3122745654-3636637395-1005\Software\SecuROM\License information*]
"datasecu"=hex:c8,de,44,c4,38,68,20,0f,8c,14,f5,13,8b,c0,de,59,bf,f8,b9,fa,30,
32,5f,e9,0d,fc,bf,fe,2c,dc,bb,72,0a,23,fe,ab,12,07,7b,18,92,37,ce,ee,61,4a,\
"rkeysecu"=hex:00,6f,12,08,77,65,58,f6,aa,16,a9,1a,3c,a8,61,ec
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1328)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-04-19 11:07:22
ComboFix-quarantined-files.txt 2010-04-19 16:07
ComboFix2.txt 2010-04-12 05:34
ComboFix3.txt 2009-12-03 07:37
ComboFix4.txt 2009-11-16 17:18
ComboFix5.txt 2010-04-19 14:23

Pre-Run: 11,851,141,120 bytes free
Post-Run: 11,806,433,280 bytes free

- - End Of File - - 7501830718CEC06F63188178B77CA280
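
The log above carries three indicators worth pulling out mechanically rather than by eye: a long list of startup programs whose Run-key targets all report the same date and byte size (41476 bytes, 2010-04-12) even though they come from unrelated vendors, a matching list of the same programs renamed to "name .exe" with a space before the extension, and a set of high TCP ports opened globally in the XP firewall under the generic label "Services". The following Python is an added example, not part of the thread or of ComboFix; it parses a small excerpt constructed from the posted log, and the clone threshold and port allowlist are assumptions chosen for the example.

```python
"""Triage a ComboFix log excerpt for three indicators: Run-key launchers that
share one '[date size]' stamp (one dropper copied over every startup program),
originals renamed aside to 'name .exe', and TCP ports opened globally in the XP
firewall. Added example, not ComboFix's code; the sample excerpt is constructed
from the posted log and the allowlist/threshold are assumptions."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
<pre>
c:\program files\QuickTime\qttask .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Creative\VoiceCenter\AndreaVC .exe
</pre>

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC .exe" [2005-09-19 1159168]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-04-12 41476]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2010-04-12 41476]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8956:TCP"= 8956:TCP:Services
"""

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')
# A drive-letter path whose extension is preceded by one or more spaces.
TWIN_RE = re.compile(r'^(?P<stem>[A-Za-z]:\\.+?) +\.(?P<ext>exe|com|scr|dll)$', re.IGNORECASE)


def parse_run_entries(log):
    """(value name, target path, '[date size]' stamp) for every Run-key value."""
    entries, in_run = [], False
    for line in log.splitlines():
        if line.startswith('['):
            in_run = line.rstrip(']').lower().endswith(r'\currentversion\run')
            continue
        m = RUN_RE.match(line) if in_run else None
        if m:
            entries.append((m['name'], m['path'], m['meta']))
    return entries


def find_run_clones(entries, min_group=3):
    """Stamps shared by >= min_group distinct targets. Tray programs from
    different vendors never share an exact date and byte size, so a shared stamp
    means the same file was written over each of them (min_group is assumed)."""
    by_stamp = defaultdict(set)
    for _, path, stamp in entries:
        if stamp != 'N/A':
            by_stamp[stamp].add(path.lower())
    return {s: sorted(p) for s, p in by_stamp.items() if len(p) >= min_group}


def find_trailing_space_twins(log):
    """Map the normal name (lower-cased) to its 'name .exe' line: the renamed
    original. The Run value still names qttask.exe, so the replacement runs."""
    twins = {}
    for line in log.splitlines():
        m = TWIN_RE.match(line.strip())
        if m:
            twins[f"{m['stem']}.{m['ext']}".lower()] = line.strip()
    return twins


def hijacked_launchers(entries, twins):
    """Run values whose target now has a renamed-aside twin."""
    return sorted(name for name, path, _ in entries if path.lower() in twins)


def find_open_ports(log, allowlist=frozenset()):
    """(port, proto, label) for GloballyOpenPorts entries not in the allowlist.
    Generic labels such as 'Services' on high ports are the pattern to flag."""
    found, in_ports = [], False
    for line in log.splitlines():
        if line.startswith('['):
            in_ports = 'globallyopenports' in line.lower()
            continue
        m = PORT_RE.match(line) if in_ports else None
        if m and (int(m['port']), m['proto']) not in allowlist:
            found.append((int(m['port']), m['proto'], m['label'].strip()))
    return found


def triage(log, allowlist=frozenset({(3389, 'TCP')})):
    """Run every check; the default allowlist (RDP only) is an assumption."""
    entries = parse_run_entries(log)
    twins = find_trailing_space_twins(log)
    return {
        'run_clones': find_run_clones(entries),
        'hijacked_launchers': hijacked_launchers(entries, twins),
        'open_ports': find_open_ports(log, allowlist),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run against the full log rather than the excerpt, the same functions put every "[2010-04-12 41476]" launcher into one group, pair each with its "name .exe" twin, and leave only 3389/TCP unflagged among the open ports. The grouping by stamp is the part that generalises: it does not need to know the malware's name or size in advance, only that unrelated vendors do not ship byte-identical tray utilities on the same day.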


#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,204 posts, Romania)

Posted 19 April 2010 - 12:36 PM

Hello again,

We have a lot of bad stuff showing here, but please consider the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#11 naslsoccer (Topic Starter, Members, 40 posts)

Posted 19 April 2010 - 02:12 PM

Elise,

OK, I ran the HelpAsst tool. It did not find an mbr infection. I then followed the instructions by typing mbr -f twice, shutting down, rebooting after a few minutes, and then typing helpasst -mbrt after 5 minutes. Here is the resulting log.

Thanks,
Chris

C:\Documents and Settings\Chris\Desktop\HelpAsst_mebroot_fix.exe
2010-04-19 at 13:02:48.09

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"6981:TCP"=-
"6980:TCP"=-
"3389:TCP"=-
"8956:TCP"=-
"8957:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"6981:TCP"=-
"6980:TCP"=-
"3389:TCP"=-
"8956:TCP"=-
"8957:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1619683409-3122745654-3636637395-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 2010-04-19 at 14:03:41.51

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
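
The HelpAsst log above is a compact description of the Remote Assistance backdoor it fixes: the built-in HelpAssistant account (disabled on a clean XP install) had been activated and placed in Administrators, a termsrv32.dll was present alongside the TermService entry, a HelpAssistant profile existed on disk and in the registry, and 3389/TCP plus several high ports had been opened in both firewall profiles. The status check at the end shows the clean baseline: account inactive, no group memberships, ServiceDll back to %systemroot%\System32\termsrv.dll, no profile, empty port lists. The Python below is an added example, not the tool's own code: it encodes that baseline as a check over `net user`-style output and a few caller-supplied values. The sample inputs are constructed from the log, and the expected-DLL constant is an assumption.

```python
"""Check the indicators HelpAsst_mebroot_fix reports against a clean-XP
baseline: HelpAssistant disabled and outside Administrators, TermService
loading the stock termsrv.dll, and no HelpAssistant profile left behind.
Added example, not the tool's code; inputs are constructed from the log
above and the baseline constants are assumptions."""
import ntpath

BUILTIN_HELP_ACCOUNT = 'HelpAssistant'
EXPECTED_TERMSRV_DLL = 'termsrv.dll'   # assumed stock TermService ServiceDll on XP

# Constructed 'net user HelpAssistant' output before and after the fix.
NET_USER_BEFORE = """\
User name                    HelpAssistant
Account active               Yes
Local Group Memberships      *Administrators
"""
NET_USER_AFTER = """\
User name                    HelpAssistant
Account active               No
Local Group Memberships
"""


def parse_net_user(text):
    """Return (is_active, set_of_local_groups) from 'net user <name>' output;
    long group lists wrap onto indented continuation lines, handled here."""
    active, groups, collecting = False, set(), False
    for line in text.splitlines():
        if line.startswith('Account active'):
            active = line.split()[-1].lower() == 'yes'
            collecting = False
        elif line.startswith('Local Group Memberships'):
            rest = line[len('Local Group Memberships'):]
            groups |= {g.strip() for g in rest.split('*') if g.strip()}
            collecting = True
        elif collecting and line.startswith(' ') and '*' in line:
            groups |= {g.strip() for g in line.split('*') if g.strip()}
        else:
            collecting = False
    return active, groups


def audit_helpassistant(net_user_text, termservice_dll, profile_names, profile_dirs):
    """List every indicator present; an empty list is the clean baseline.
    profile_names: account names resolved from the ProfileList key;
    profile_dirs: folder names under Documents and Settings (caller-supplied)."""
    findings = []
    active, groups = parse_net_user(net_user_text)
    if active:
        findings.append(f'{BUILTIN_HELP_ACCOUNT} account is enabled')
    if 'administrators' in {g.lower() for g in groups}:
        findings.append(f'{BUILTIN_HELP_ACCOUNT} is a member of Administrators')
    # ntpath handles the Windows path even when this runs on another OS.
    dll = ntpath.basename(termservice_dll.strip()).lower()
    if dll != EXPECTED_TERMSRV_DLL:
        findings.append(f'TermService ServiceDll is {dll}, expected {EXPECTED_TERMSRV_DLL}')
    leftovers = [n for n in (*profile_names, *profile_dirs)
                 if n.lower() == BUILTIN_HELP_ACCOUNT.lower()]
    if leftovers:
        findings.append(f'{BUILTIN_HELP_ACCOUNT} profile still present ({len(leftovers)} reference(s))')
    return findings


if __name__ == '__main__':
    print(audit_helpassistant(NET_USER_BEFORE, r'%systemroot%\System32\termsrv32.dll',
                              ['Chris', 'HelpAssistant'], ['Chris', 'HelpAssistant']))
    print(audit_helpassistant(NET_USER_AFTER, r'%systemroot%\System32\termsrv.dll',
                              ['Chris'], ['Chris']))
```

On a live host the four inputs come from `net user HelpAssistant`, the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters, the ProfileList subkeys, and a directory listing of Documents and Settings; the firewall port lists are better handled by the open-port check in the earlier example. A non-empty result after cleanup means the backdoor's prerequisites for an RDP logon are still in place, regardless of whether the dropper itself has been removed.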


#12 naslsoccer (Topic Starter, Members, 40 posts)

Posted 19 April 2010 - 02:17 PM

As I was finishing the step above, I was getting multiple fake anti-virus popups. As these have crashed my computer before when I left them to escalate on their own, I decided to kill them so I could ensure the HelpAsst log would finish.

The process that was running to cause the fake anti-virus popups was w30jkdpD.exe, which is located in my C:\Documents and Settings\All Users\Application Data folder. I killed the process in taskmanager and renamed the w30jkdpD.exe to w30jkdpD.vir to (temporarily) prevent it from starting again.

I await further instructions, and thanks for the continued help.

Thanks,
Chris


#13 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,204 posts, Romania)

Posted 19 April 2010 - 03:18 PM

Thanks for letting me know. No worries, that fix went just fine.

Now let's get rid of some other stuff as well.

CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

CODE

RenV::
c:\program files\ATI\ATICustomerCare\ATICustomerCare .exe
c:\program files\ATI Multimedia\main\ATIDtct .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\Corel\Corel Photo Album 6\MediaDetect .exe
c:\program files\Creative\VoiceCenter\AndreaVC    .exe
c:\program files\Creative\VoiceCenter\AndreaVC   .exe
c:\program files\Creative\VoiceCenter\AndreaVC  .exe
c:\program files\Creative\VoiceCenter\AndreaVC .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe
c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\Intel\Modem Event Monitor\IntelMEM .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Trend Micro\Internet Security 12\pccguide .exe
c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
c:\program files\TurboHddUsb\TurboHddUsb .exe
c:\program files\Windows Media Player\WMPNSCFG .exe
c:\windows\ehome\ehtray .exe

Collect::
c:\windows\system32\5xT3TFL5.com
c:\windows\Rgatikequw.dat
c:\windows\Ltiqok.bin
c:\windows\system32\o.sys
c:\windows\system32\drivers\xmzgcqhp.sys
c:\windows\system32\drivers\cyor.sys
c:\windows\system32\drivers\ymorkhpe.sys
c:\windows\system32\drivers\NdisIPP.sys

Driver::
k
mmkrqijd
paxpmo
payihxoq
NdisIPP


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards, Elise


#14 naslsoccer (Topic Starter, Members, 40 posts)

Posted 19 April 2010 - 04:09 PM

Elise,

Combofix appeared to run fine; however, I did not get a message box when Combofix completed. I did get the following error when Windows rebooted during the Combofix process, "Error: Could not load CTMBHA.DLL". Perhaps this had something to do with the missing message box?

Anyway, here is the Combofix log. Please let me know what is next.

Thanks,
Chris

ComboFix 10-04-18.04 - Chris 2010-04-19 15:32:25.34.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2624 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point

file zipped: c:\windows\Ltiqok.bin
file zipped: c:\windows\Rgatikequw.dat
file zipped: c:\windows\system32\5xT3TFL5.com
file zipped: c:\windows\system32\o.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Chris\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Chris\Local Settings\temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\Ltiqok.bin
c:\windows\Rgatikequw.dat
c:\windows\system32\5xT3TFL5.com
c:\windows\system32\o.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MMKRQIJD
-------\Service_mmkrqijd
-------\Service_NdisIPP
-------\Service_paxpmo
-------\Service_payihxoq


((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-19 18:02 . 2010-04-19 18:02 -------- d-----w- C:\HelpAsst_backup
2010-04-14 15:04 . 2010-04-15 02:49 214592 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-14 15:04 . 2010-04-14 15:04 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-12 22:50 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-12 22:50 . 2004-08-04 05:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-12 04:49 . 2010-04-12 04:49 -------- d-----w- c:\temp\tdss_remover
2010-04-08 08:39 . 2010-04-08 08:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-06 18:50 . 2010-04-06 18:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-06 15:15 . 2010-04-06 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-06 13:16 . 2010-04-06 13:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-06 12:59 . 2010-04-06 12:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 04:35 . 2010-04-17 12:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 04:15 . 2010-04-06 04:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-06 02:08 . 2010-04-06 02:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-04 14:46 . 2010-04-09 01:49 2856464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 20:53 . 2009-12-10 18:54 -------- d-----w- c:\program files\QuickTime
2010-04-19 20:53 . 2010-01-25 06:51 -------- d-----w- c:\program files\TurboHddUsb
2010-04-19 20:53 . 2009-12-10 18:56 -------- d-----w- c:\program files\iTunes
2010-04-19 20:53 . 2008-05-14 00:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-19 20:53 . 2007-04-11 12:59 -------- d-----w- c:\program files\DellSupport
2010-04-19 19:43 . 2006-01-28 17:30 116320 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-19 19:00 . 2010-04-12 21:42 112 ----a-w- c:\documents and settings\All Users\Application Data\0hbX77.dat
2010-04-19 17:27 . 2009-05-06 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 16:01 . 2007-01-06 02:56 -------- d-----w- c:\program files\VideoReDoPlus
2010-04-17 22:48 . 2009-11-12 03:48 95360 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-04-16 05:46 . 2007-01-06 02:23 -------- d-----w- c:\program files\Cool2000
2010-04-15 02:50 . 2010-03-17 20:13 138968 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-13 00:02 . 2010-04-13 00:02 71170 ----a-w- c:\documents and settings\All Users\Application Data\w30jkdpD.vir
2010-04-12 22:00 . 2010-04-18 18:19 41484 ----a-w- c:\windows\Fonts\5xT3TFL5.com
2010-04-12 06:17 . 2004-08-04 04:59 95360 ----a-w- c:\windows\system32\drivers\atapi.vir
2010-04-11 17:22 . 2007-01-06 00:19 -------- d-----w- c:\documents and settings\Chris\Application Data\Apple Computer
2010-04-11 17:21 . 2007-12-31 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-04-07 00:28 . 2006-05-12 02:19 65536 ----a-w- c:\windows\IFinst27.exe
2010-03-30 05:46 . 2009-05-06 04:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2009-05-06 04:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:42 . 2007-01-06 02:25 -------- d-----w- c:\program files\EA SPORTS
2010-03-20 17:10 . 2007-01-06 02:55 -------- d-----w- c:\program files\TurboTax
2010-03-17 20:13 . 2010-03-17 20:13 139152 ----a-w- c:\documents and settings\Chris\Application Data\PnkBstrK.sys
2010-03-16 02:30 . 2009-11-12 15:30 -------- d-----w- c:\program files\JDownloader
2010-03-05 05:37 . 2009-10-28 01:25 -------- d-----w- c:\program files\Triple A
2010-02-18 21:13 . 2010-02-18 21:13 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-25 06:51 . 2010-01-25 06:51 7040 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-01-25 06:51 . 2010-01-25 06:51 17792 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-01-24 06:57 . 2009-02-16 06:53 3532 ----a-w- C:\drmHeader.bin
2009-12-12 20:35 . 2006-01-28 17:30 56 --sh--r- c:\windows\system32\C702DA514C.sys
2006-05-03 09:06 . 2008-11-15 04:17 163328 --sha-r- c:\windows\system32\flvDX.dll
2009-12-12 20:35 . 2006-01-28 17:30 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2008-11-15 04:17 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2008-11-15 04:17 216064 --sha-r- c:\windows\system32\nbDX.dll
.
CODE
<pre>
c:\program files\ATI\ATICustomerCare\ATICustomerCare .exe
c:\program files\ATI Multimedia\main\ATIDtct .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\Corel\Corel Photo Album 6\MediaDetect .exe
c:\program files\Creative\VoiceCenter\AndreaVC     .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe
c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\Intel\Modem Event Monitor\IntelMEM .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Trend Micro\Internet Security 12\pccguide .exe
c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
c:\windows\ehome\ehtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2010-04-19 41488]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2010-04-19 41488]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2010-04-19 41488]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2010-04-19 41488]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-19 41488]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2010-04-19 41488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-19 41488]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC .exe" [N/A]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2010-04-19 41488]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-24 26112]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2010-04-19 41488]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2010-04-19 41488]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2010-04-19 41488]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2010-04-19 41488]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2010-04-19 41488]
"hplampc"="c:\windows\system32\hplampc.exe" [2002-01-17 40448]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-10 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2010-04-19 41488]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2010-04-19 41488]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-04-19 41488]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2010-04-19 41488]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2010-04-19 41488]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2010-04-19 41488]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2010-04-19 41488]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-04-19 41488]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2010-04-19 41488]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-19 41488]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-04-19 41488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-19 41488]
"TurboHddUsb"="c:\program files\TurboHddUsb\TurboHddUsb.exe" [2010-04-19 41488]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2010-04-19 41488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-3-17 59080]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2010-1-25 278528]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-2-4 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 18:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2010-04-19 20:53 41488 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe"=
"c:\\Program Files\\Creative\\VoiceCenter\\AndreaVC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2010-01-25 1:51 AM 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-05-13 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-05-13 55024]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2006-02-04 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-02-04 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-02-04 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-02-04 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-02-04 262215]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-13 7408]
S1 DMusicc;DMusicc;c:\windows\system32\drivers\DMusicc.sys --> c:\windows\system32\drivers\DMusicc.sys [?]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2010-01-25 1:51 AM 17792]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2006-02-05 9312]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2005-08-02 4:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac67b16fb9446.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 02:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} - hxxp://xmro.xmradio.com/xstream/registration/dell/xmprofiler.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-19 15:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1619683409-3122745654-3636637395-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{76A0FAF2-34AA-30AD-57E5-F69671CDE111}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iapkeogikoeaknacki"=hex:6b,61,6c,6a,6a,70,68,62,63,61,66,65,6d,6b,61,6b,6e,70,
6b,65,6f,6b,00,00
"habkkiefkfnkcgif"=hex:6b,61,6c,6a,6a,70,68,62,63,61,66,65,6d,6b,61,6b,6e,70,
6b,65,6f,6b,00,00

[HKEY_USERS\S-1-5-21-1619683409-3122745654-3636637395-1005\Software\SecuROM\License information*]
"datasecu"=hex:c8,de,44,c4,38,68,20,0f,8c,14,f5,13,8b,c0,de,59,bf,f8,b9,fa,30,
32,5f,e9,0d,fc,bf,fe,2c,dc,bb,72,0a,23,fe,ab,12,07,7b,18,92,37,ce,ee,61,4a,\
"rkeysecu"=hex:00,6f,12,08,77,65,58,f6,aa,16,a9,1a,3c,a8,61,ec
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1320)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Windows Media Player\WMPNSCFG .exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
.
**************************************************************************
.
Completion time: 2010-04-19 16:05:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-19 21:05
ComboFix2.txt 2010-04-19 16:07
ComboFix3.txt 2010-04-12 05:34
ComboFix4.txt 2009-12-03 07:37
ComboFix5.txt 2010-04-19 20:31

Pre-Run: 11,370,389,504 bytes free
Post-Run: 11,484,270,592 bytes free

- - End Of File - - 61DB1F0A31D4C64075742447968B8477


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:50 AM

Posted 20 April 2010 - 04:04 AM

Hello again,

Please visit this site and follow the instructions for uploading the zipped files you will find in the c:\qoobox\quarantine folder. The files that need to be uploaded look like this: C:\Qoobox\Quarantine\[4]-Submit_2008-10-11@13.43.zip

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
RenV::
c:\program files\ATI\ATICustomerCare\ATICustomerCare .exe
c:\program files\ATI Multimedia\main\ATIDtct .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
c:\program files\Corel\Corel Photo Album 6\MediaDetect .exe
c:\program files\Creative\VoiceCenter\AndreaVC     .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe
c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\Intel\Modem Event Monitor\IntelMEM .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\program files\Trend Micro\Internet Security 12\pccguide .exe
c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
c:\windows\ehome\ehtray .exe

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
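Two things in the ComboFix Run-key listing above stand out to a responder: dozens of unrelated programs' entries carry the identical stamp [2010-04-19 41488], and several file names have a space inserted before the extension (AndreaVC .exe), which is exactly the set of names the RenV:: section of the CFScript enumerates. The script below is an added example, not ComboFix's or BleepingComputer's code: it parses a handful of lines copied from that log and flags both patterns; the cluster threshold (at least three entries in different directories sharing one date and size) is an assumed heuristic, not something the thread states.

```python
import re
from collections import defaultdict
# Run-key autostart lines in ComboFix's format, copied from the log above (a sample).
SAMPLE_LOG = r'''
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2010-04-19 41488]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2010-04-19 41488]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC .exe" [N/A]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-24 26112]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2010-04-19 41488]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-19 41488]
'''
# Matches  "Name"="path" [date size]  and  "Name"="path" [N/A]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]\s*$')


def parse_run_entries(text):
    """One dict per Run-key line; date and size are None for [N/A] entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("meta").split()
        date, size = (parts[0], int(parts[1])) if len(parts) == 2 else (None, None)
        entries.append({"name": m.group("name"), "path": m.group("path"), "date": date, "size": size})
    return entries


def has_spaced_extension(path):
    """True for names like 'AndreaVC .exe': whitespace inserted before the extension."""
    return re.search(r"\s+\.[A-Za-z0-9]+$", path) is not None


def shared_stamp_clusters(entries, min_count=3):
    """(date, size) -> sorted names, when shared by entries in >= min_count different directories."""
    groups = defaultdict(list)
    for e in entries:
        if e["date"] is not None:
            groups[(e["date"], e["size"])].append(e)
    return {key: sorted(e["name"] for e in members)
            for key, members in groups.items()
            if len({e["path"].rsplit("\\", 1)[0].lower() for e in members}) >= min_count}


def flag_entries(text, min_count=3):
    """Sorted (name, reason) pairs for every entry that trips either heuristic."""
    entries = parse_run_entries(text)
    flagged = {(e["name"], "space before extension")
               for e in entries if has_spaced_extension(e["path"])}
    for (date, size), names in shared_stamp_clusters(entries, min_count).items():
        flagged |= {(n, f"shares {date} {size} with {len(names) - 1} other entries") for n in names}
    return sorted(flagged)
```

Run against the full Run-key section of a log, the cluster heuristic is what separates a vendor suite installed on one day from a dozen unrelated vendors' binaries that suddenly share one size and one build date.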




