
Infected with Trojan.Vundo


  • This topic is locked
17 replies to this topic

#1 fuadramsey

fuadramsey

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 06 May 2010 - 11:47 AM

Hi I have been having problems with Firefox crashing frequently.

Also when I do a search in Yahoo search and click on a results link I am sometimes taken to an alternate site instead of the actual link in the results. If I go back and click the link again it will take me to the correct link.

My computer will also reset itself (BSOD) after frequent crashes at night.



I have run Malwarebytes Anti-Malware in Safe Mode and it finds Trojan.Vundo in the registry. I tell Malwarebytes to fix the issue and when I reboot the same issue keeps happening. I then run the Malwarebytes program again in safe mode and the Trojan.Vundo is still there.

Norton Internet Security fails to find the issue, as I have run a full scan on the system drive in both regular and safe mode.

Spybot does not detect anything.


Please advise,

thanks!





DDS (Ver_10-03-17.01) - NTFSx86
Run by Mr.Roboto at 8:32:56.92 on Thu 05/06/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.937 [GMT -7:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files\Fortinet\FortiClient\fcappdb.exe
C:\Program Files\Fortinet\FortiClient\FortiProxy.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\system32\FortiSSLVPNdaemon.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\nlssrv32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Users\Mr.Roboto\Desktop\Malware Troubleshoot\dds(2).scr
C:\PROGRA~1\Fortinet\FORTIC~1\FORTIS~1.EXE
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [nnomlisys] rundll32.exe "kheeda.dll",DllRegisterServer
uRun: [effgfgdrv] rundll32.exe "pmkiih.dll",s
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hgfffdsys] rundll32.exe "kheeda.dll",DllRegisterServer
mRun: [yaayaxdrv] rundll32.exe "pmkiih.dll",s
dRun: [awursssys] rundll32.exe "kheeda.dll",DllRegisterServer
dRun: [ddddabdrv] rundll32.exe "pmkiih.dll",s
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
LSA: Authentication Packages = msv1_0 kheeda.dll
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\mr33d6~1.rob\appdata\roaming\mozilla\firefox\profiles\ayvu7f5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?r0=1269792079
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
FF - plugin: c:\users\mr.roboto\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-4-6 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-4-6 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-4-6 501888]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2009-12-15 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2009-12-15 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr2.sys [2009-12-15 35432]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2009-12-15 36968]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100429.001\IDSvix86.sys [2010-5-3 343088]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2010-4-29 87064]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-4-6 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1106000.020\symtdiv.sys [2010-4-6 340016]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/29 17:04:42];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-7-28 703008]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-4-6 126392]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-1-15 57344]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-4 1153368]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-30 102448]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [2009-4-6 22432]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-7-21 36384]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2010-4-29 14496]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\drivers\MAudioFastTrackPro.sys [2009-11-9 158600]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

=============== Created Last 30 ================

2010-05-06 06:03:51 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-06 05:42:10 98816 ----a-w- c:\windows\sed.exe
2010-05-06 05:42:10 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 05:42:10 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 05:42:10 161792 ----a-w- c:\windows\SWREG.exe
2010-05-06 01:07:43 97792 ---ha-w- c:\windows\system32\pmkiih.dll
2010-05-05 21:20:42 0 ----a-w- c:\users\mr.roboto\defogger_reenable
2010-05-05 11:05:48 321375674 ----a-w- c:\windows\MEMORY.DMP
2010-05-05 08:09:08 0 d-----w- C:\VundoFix Backups
2010-05-05 08:06:04 97792 ---ha-w- c:\windows\system32\tuttqo.dll
2010-05-05 01:54:14 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-05 01:54:14 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-05 01:41:44 0 d-----w- c:\program files\CCleaner
2010-05-05 01:07:49 97792 ---ha-w- c:\windows\system32\rqrrqn.dll
2010-05-04 18:41:28 0 d-----w- c:\program files\Trend Micro
2010-05-03 00:04:21 0 d-----w- c:\program files\eMule
2010-04-30 20:01:45 0 d-----w- c:\program files\Groove Monkee
2010-04-30 04:01:51 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Malwarebytes
2010-04-30 03:49:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 03:49:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 03:49:56 0 d-----w- c:\programdata\Malwarebytes
2010-04-30 03:49:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 18:47:27 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\SonicWALL
2010-04-29 16:44:25 0 d-----w- C:\dealerdata
2010-04-29 15:12:52 14496 ----a-w- c:\windows\system32\drivers\ftvnic.sys
2010-04-29 15:12:43 0 d-----w- c:\program files\common files\Fortinet
2010-04-29 15:12:40 0 d-----w- c:\program files\Fortinet
2010-04-29 15:11:39 0 d-----w- c:\programdata\Applications
2010-04-29 15:10:21 87064 ----a-w- c:\windows\system32\drivers\SWIPsec.sys
2010-04-29 15:08:53 0 d-----w- c:\program files\SonicWALL
2010-04-29 14:54:38 0 d-----w- c:\program files\common files\Deterministic Networks
2010-04-29 14:54:33 0 d-----w- c:\program files\Cisco Systems
2010-04-29 14:54:17 1593 ----a-w- c:\windows\VPNInstall.MIF
2010-04-29 14:49:23 29354 ------w- c:\windows\system32\WEMU387.386
2010-04-29 14:49:23 27136 ------w- c:\windows\system32\CTL3DNT.DLL
2010-04-29 14:49:23 13312 ------w- c:\windows\system32\SVRAPI.DLL
2010-04-29 14:49:22 26624 ------w- c:\windows\system32\CTL3D95.DLL
2010-04-29 14:49:17 2677 ----a-w- c:\windows\pw5.ini
2010-04-29 14:46:24 306688 ----a-w- c:\windows\IsUninst.exe
2010-04-26 20:30:55 0 d-----w- c:\program files\Lame for Audacity
2010-04-26 20:29:21 0 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-04-24 22:45:34 95744 ---ha-w- c:\windows\system32\ssrron.dll
2010-04-24 22:40:46 2 ----a-w- c:\users\mr.roboto\tenmy.ini
2010-04-24 22:40:28 89088 ---ha-w- c:\windows\system32\kheeda.dll
2010-04-24 22:40:18 372001 ----a-w- c:\users\mr.roboto\windrvswld94.exe
2010-04-24 18:54:45 0 d-----w- c:\program files\Toontrack
2010-04-23 19:06:28 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Antares
2010-04-23 19:06:27 0 d-----w- c:\program files\Antares Audio Technologies
2010-04-23 19:06:19 1777664 ----a-w- c:\windows\system32\gdiplus.dll
2010-04-23 01:20:43 0 d-----w- c:\program files\Waves
2010-04-22 08:21:52 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Waves Audio
2010-04-22 08:19:05 0 d--h--w- c:\users\mr33d6~1.rob\appdata\roaming\FDBTemp
2010-04-16 01:22:26 0 d-----w- c:\program files\common files\DigiDesign
2010-04-15 21:37:34 48 ----a-w- c:\windows\system32\w3data.vss
2010-04-15 21:37:34 48 ----a-w- c:\windows\msocreg32.dat
2010-04-15 21:20:57 0 d-----w- c:\program files\VstPlugIns
2010-04-15 21:20:56 0 d-----w- c:\program files\IK Multimedia
2010-04-13 21:30:53 0 d-----w- c:\program files\CDex
2010-04-13 20:01:47 0 d-----w- c:\program files\PixiePack Codec Pack
2010-04-13 19:59:36 0 d-----w- c:\program files\RapidSolution
2010-04-13 19:59:35 0 d-----w- c:\programdata\RapidSolution
2010-04-13 19:43:56 0 d-----w- c:\program files\common files\Real
2010-04-11 00:42:51 307200 ----a-w- c:\windows\system32\iFPSP.dll
2010-04-11 00:42:50 14540 ----a-w- c:\windows\system32\drivers\T10.SYS
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\N10.SYS
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\ifpusb.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp900.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp800.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp700.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp500.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\ifp300.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp1000.sys
2010-04-11 00:42:46 0 d-----w- c:\program files\iriver
2010-04-09 23:37:12 0 d--h--w- c:\windows\PIF
2010-04-07 18:30:31 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Unity
2010-04-07 14:28:12 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-04-07 05:39:49 3072 ----a-w- c:\windows\system32\Viveza2FC32.dll
2010-04-07 03:06:11 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Nik Software
2010-04-07 02:39:08 0 d-----w- c:\program files\Nik Software
2010-04-07 01:28:52 0 d-----w- c:\windows\MSSecurityNS
2010-04-07 01:28:52 0 d-----w- c:\windows\MSSecurityNi
2010-04-06 22:33:08 0 d-----w- c:\program files\common files\Nikon
2010-04-06 22:33:05 0 d-----w- c:\program files\Nikon
2010-04-06 22:32:30 0 d-----w- c:\programdata\Ultima_T15
2010-04-06 22:32:30 0 d-----w- c:\programdata\EnterNHelp
2010-04-06 22:32:30 0 ----a-w- c:\programdata\PKP_DLdy.DAT

==================== Find3M ====================

2010-04-29 15:14:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-29 15:14:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-29 15:13:59 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-02 01:02:19 170252 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-31 07:06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-30 00:00:29 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-03-30 00:00:28 353576 ------w- c:\windows\system32\msvcr71.dll
2010-03-29 06:26:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 06:26:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 06:26:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-28 09:19:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-28 09:18:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-28 09:13:45 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-03-28 05:30:41 174 --sha-w- c:\program files\desktop.ini
2010-03-28 05:15:29 101888 ------w- c:\windows\system32\ifxcardm.dll
2010-03-28 05:15:25 82432 ------w- c:\windows\system32\axaltocm.dll
2010-03-28 01:41:01 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-03-28 01:41:01 270848 ----a-w- c:\windows\system32\schannel.dll
2010-03-27 21:38:12 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-03-27 21:38:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-03-27 21:38:12 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-03-27 21:38:12 23552 ----a-w- c:\windows\system32\lpk.dll
2010-03-27 21:38:12 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-03-27 21:38:12 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-03-27 21:36:05 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-27 21:36:04 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-27 21:35:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-27 21:35:59 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-27 21:34:10 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-03-27 21:34:10 272896 ----a-w- c:\windows\system32\polstore.dll
2010-03-27 21:31:44 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-03-27 21:31:44 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-03-27 21:27:58 17920 ----a-w- c:\windows\system32\netevent.dll
2010-03-27 21:27:58 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-03-27 21:27:57 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-03-27 21:27:57 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-03-27 21:27:57 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-03-27 21:27:57 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-03-27 21:27:57 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-03-27 21:27:57 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-03-27 21:27:57 10240 ----a-w- c:\windows\system32\finger.exe
2010-03-27 21:24:10 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-03-27 21:24:09 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-03-27 21:24:09 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-03-27 21:24:09 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-03-27 21:24:09 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-03-27 21:24:09 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-03-27 21:24:06 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-03-27 21:22:53 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-03-27 21:22:53 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-03-27 21:22:52 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-03-27 21:22:51 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-03-27 21:21:37 72704 ----a-w- c:\windows\system32\secur32.dll
2010-03-27 21:21:37 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-03-27 21:21:37 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-03-27 21:21:37 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-03-27 21:21:36 9728 ----a-w- c:\windows\system32\lsass.exe
2010-03-27 21:21:36 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-03-27 21:19:22 98816 ----a-w- c:\windows\system32\mfps.dll
2010-03-27 21:19:22 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-03-27 21:19:22 2868224 ----a-w- c:\windows\system32\mf.dll
2010-03-27 21:19:22 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-03-27 21:19:22 2048 ----a-w- c:\windows\system32\mferror.dll
2010-03-27 21:14:54 71680 ----a-w- c:\windows\system32\atl.dll
2010-03-27 21:08:09 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-03-27 21:07:01 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-03-27 21:07:01 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-03-27 21:07:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-03-27 20:52:51 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-27 20:51:44 623616 ----a-w- c:\windows\system32\localspl.dll
2010-03-27 20:42:59 7042560 ----a-w- c:\windows\system32\NlsLexicons081a.dll
2010-03-27 20:39:45 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-03-27 20:35:36 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-27 20:35:36 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-27 20:28:44 37888 ----a-w- c:\windows\system32\printcom.dll
2010-03-27 20:28:00 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-03-27 20:25:46 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-03-27 20:24:54 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-03-27 20:23:46 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-27 20:23:46 471552 ----a-w- c:\windows\system32\secproc.dll
2010-03-27 20:23:46 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-27 20:23:46 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-27 20:23:46 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-03-27 20:23:46 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-27 20:23:46 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-27 20:23:45 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-27 20:23:45 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-27 20:20:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-03-27 20:20:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-03-27 20:00:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-27 19:50:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-27 19:50:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-27 19:50:40 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-03-27 19:49:46 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-03-27 19:49:33 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-27 19:48:58 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-03-27 19:48:29 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-27 19:48:29 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-27 19:48:29 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-27 19:47:25 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 8:34:32.62 ===============

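The pseudo-HJT section of the DDS log above already explains why Malwarebytes' cleanup does not stick: the same path-less DLLs (kheeda.dll, pmkiih.dll) are registered via rundll32 under the user, machine and default-profile Run keys with random value names, and kheeda.dll has additionally been appended to the LSA "Authentication Packages" list, so lsass.exe loads it at boot before any user-mode scanner runs. The following Python script is an added triage example written for this page, not a tool from the thread or from BleepingComputer; it parses the lines copied from the log and flags those two persistence patterns. The "bare DLL name via rundll32" heuristic and the choice of msv1_0 as the only default authentication package are this example's own assumptions.

```python
"""Triage the pseudo-HJT section of a DDS log for Vundo-style persistence.

Flags two things a Run-key cleanup alone will not undo:
  * a DLL given only by file name (no path) loaded via rundll32 under the
    user (uRun), machine (mRun) and default-profile (dRun) Run keys;
  * a non-default entry in the LSA "Authentication Packages" list, which
    lsass.exe loads at boot.
"""
import re
from collections import defaultdict

# Input lines copied verbatim from the first DDS log in this thread.
DDS_PSEUDO_HJT = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [nnomlisys] rundll32.exe "kheeda.dll",DllRegisterServer
uRun: [effgfgdrv] rundll32.exe "pmkiih.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [hgfffdsys] rundll32.exe "kheeda.dll",DllRegisterServer
mRun: [yaayaxdrv] rundll32.exe "pmkiih.dll",s
dRun: [awursssys] rundll32.exe "kheeda.dll",DllRegisterServer
dRun: [ddddabdrv] rundll32.exe "pmkiih.dll",s
LSA: Authentication Packages = msv1_0 kheeda.dll
"""

RUN_RE = re.compile(r"^([umd]Run): \[([^\]]+)\] (.+)$")
# rundll32 followed by a DLL named without drive or directory (heuristic,
# this example's assumption): such a DLL is resolved via the DLL search
# path, whereas a vendor entry such as NvCpl.dll carries a full path.
RUNDLL32_BARE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?([^\\/:"\s]+\.dll)"?\s*,', re.IGNORECASE)
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.+)$")
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # assumed: the only package Windows ships by default


def parse_run_entries(text):
    """Return (hive, value_name, command) for every uRun/mRun/dRun line."""
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def rundll32_bare_dll(command):
    """Return the DLL name if command is rundll32 loading a path-less DLL, else None."""
    m = RUNDLL32_BARE_RE.match(command.strip())
    return m.group(1).lower() if m else None


def extra_auth_packages(text):
    """Return LSA authentication packages beyond the assumed Windows default."""
    for line in text.splitlines():
        m = LSA_RE.match(line.strip())
        if m:
            pkgs = m.group(1).split()
            return [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return []


def analyze(text):
    """Summarise the persistence indicators found in a pseudo-HJT section."""
    suspicious = []
    hives_by_dll = defaultdict(set)
    for hive, name, command in parse_run_entries(text):
        dll = rundll32_bare_dll(command)
        if dll:
            suspicious.append((hive, name, dll))
            hives_by_dll[dll].add(hive)
    return {
        "suspicious_run": suspicious,
        "dll_hive_counts": dict(hives_by_dll),
        "extra_auth_packages": extra_auth_packages(text),
    }


if __name__ == "__main__":
    report = analyze(DDS_PSEUDO_HJT)
    for hive, name, dll in report["suspicious_run"]:
        print(f"{hive}: [{name}] loads {dll} by bare name via rundll32")
    for dll, hives in report["dll_hive_counts"].items():
        print(f"{dll} is registered in {len(hives)} Run hives: {sorted(hives)}")
    for pkg in report["extra_auth_packages"]:
        print(f"non-default LSA authentication package: {pkg} (loaded by lsass.exe at boot)")
```

Run against the lines above, the script reports six suspicious Run entries, shows kheeda.dll and pmkiih.dll each present in all three Run hives, and singles out kheeda.dll as a non-default authentication package. In practice that last finding is the one to act on first: as long as lsass.exe loads the DLL at boot, deleting the Run values only removes the symptom the scanner happens to see.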

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:04 PM

Posted 09 May 2010 - 04:37 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 fuadramsey

fuadramsey
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 09 May 2010 - 02:42 PM

Thanks for the help, I really appreciate it.

Here is my updated DDS file below.

I was unable to run GMER. I also tried to run it in safe mode. In both instances the program would start to scan and then I would get a Windows prompt saying that "a problem has caused gmer.exe to stop working".


Thanks again!



DDS (Ver_10-03-17.01) - NTFSx86
Run by Mr.Roboto at 10:08:14.52 on Sun 05/09/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.1134 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\system32\FortiSSLVPNdaemon.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\nlssrv32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mr.Roboto\Desktop\Bleeping Computer\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [cbxwxydrv] rundll32.exe "fcyxxw.dll",s
uRun: [mlmjkhsys] rundll32.exe "kheeda.dll",DllRegisterServer
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mlkjhisys] rundll32.exe "kheeda.dll",DllRegisterServer
mRun: [byyvvwdrv] rundll32.exe "fcyxxw.dll",s
dRun: [ljgdabsys] rundll32.exe "kheeda.dll",DllRegisterServer
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
LSA: Authentication Packages = msv1_0 kheeda.dll
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\mr33d6~1.rob\appdata\roaming\mozilla\firefox\profiles\ayvu7f5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?r0=1269792079
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
FF - plugin: c:\users\mr.roboto\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-4-6 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-4-6 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-4-6 501888]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2009-12-15 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2009-12-15 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr2.sys [2009-12-15 35432]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2009-12-15 36968]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-5-7 343088]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2010-4-29 87064]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-4-6 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1106000.020\symtdiv.sys [2010-4-6 340016]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/29 17:04:42];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-7-28 703008]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-4-6 126392]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-1-15 57344]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-30 102448]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [2009-4-6 22432]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-7-21 36384]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2010-4-29 14496]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\drivers\MAudioFastTrackPro.sys [2009-11-9 158600]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

=============== Created Last 30 ================

2010-05-09 08:28:46 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-09 08:08:38 0 d-----w- C:\combo-fix
2010-05-09 08:06:30 90624 ---ha-w- c:\windows\system32\fcyxxw.dll
2010-05-07 04:50:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-07 04:47:52 0 d-----w- c:\programdata\Lavasoft
2010-05-06 05:42:10 98816 ----a-w- c:\windows\sed.exe
2010-05-06 05:42:10 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 05:42:10 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 05:42:10 161792 ----a-w- c:\windows\SWREG.exe
2010-05-06 01:07:43 97792 ---ha-w- c:\windows\system32\pmkiih.dll
2010-05-05 21:20:42 0 ----a-w- c:\users\mr.roboto\defogger_reenable
2010-05-05 11:05:48 240655802 ----a-w- c:\windows\MEMORY.DMP
2010-05-05 08:09:08 0 d-----w- C:\VundoFix Backups
2010-05-05 08:06:04 97792 ---ha-w- c:\windows\system32\tuttqo.dll
2010-05-05 01:54:14 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-05 01:54:14 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-05 01:41:44 0 d-----w- c:\program files\CCleaner
2010-05-05 01:07:49 97792 ---ha-w- c:\windows\system32\rqrrqn.dll
2010-05-04 18:41:28 0 d-----w- c:\program files\Trend Micro
2010-05-03 00:04:21 0 d-----w- c:\program files\eMule
2010-04-30 20:01:45 0 d-----w- c:\program files\Groove Monkee
2010-04-30 04:01:51 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Malwarebytes
2010-04-30 03:49:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 03:49:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 03:49:56 0 d-----w- c:\programdata\Malwarebytes
2010-04-30 03:49:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 18:47:27 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\SonicWALL
2010-04-29 16:44:25 0 d-----w- C:\dealerdata
2010-04-29 15:12:52 14496 ----a-w- c:\windows\system32\drivers\ftvnic.sys
2010-04-29 15:12:43 0 d-----w- c:\program files\common files\Fortinet
2010-04-29 15:12:40 0 d-----w- c:\program files\Fortinet
2010-04-29 15:11:39 0 d-----w- c:\programdata\Applications
2010-04-29 15:10:21 87064 ----a-w- c:\windows\system32\drivers\SWIPsec.sys
2010-04-29 15:08:53 0 d-----w- c:\program files\SonicWALL
2010-04-29 14:54:38 0 d-----w- c:\program files\common files\Deterministic Networks
2010-04-29 14:54:33 0 d-----w- c:\program files\Cisco Systems
2010-04-29 14:54:17 1593 ----a-w- c:\windows\VPNInstall.MIF
2010-04-29 14:49:23 29354 ------w- c:\windows\system32\WEMU387.386
2010-04-29 14:49:23 27136 ------w- c:\windows\system32\CTL3DNT.DLL
2010-04-29 14:49:23 13312 ------w- c:\windows\system32\SVRAPI.DLL
2010-04-29 14:49:22 26624 ------w- c:\windows\system32\CTL3D95.DLL
2010-04-29 14:49:17 2668 ----a-w- c:\windows\pw5.ini
2010-04-29 14:46:24 306688 ----a-w- c:\windows\IsUninst.exe
2010-04-26 20:30:55 0 d-----w- c:\program files\Lame for Audacity
2010-04-26 20:29:21 0 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-04-24 22:45:34 95744 ---ha-w- c:\windows\system32\ssrron.dll
2010-04-24 22:40:46 2 ----a-w- c:\users\mr.roboto\tenmy.ini
2010-04-24 22:40:28 89088 ---ha-w- c:\windows\system32\kheeda.dll
2010-04-24 22:40:18 372001 ----a-w- c:\users\mr.roboto\windrvswld94.exe
2010-04-24 18:54:45 0 d-----w- c:\program files\Toontrack
2010-04-23 19:06:28 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Antares
2010-04-23 19:06:27 0 d-----w- c:\program files\Antares Audio Technologies
2010-04-23 19:06:19 1777664 ----a-w- c:\windows\system32\gdiplus.dll
2010-04-23 01:20:43 0 d-----w- c:\program files\Waves
2010-04-22 08:21:52 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Waves Audio
2010-04-22 08:19:05 0 d--h--w- c:\users\mr33d6~1.rob\appdata\roaming\FDBTemp
2010-04-16 01:22:26 0 d-----w- c:\program files\common files\DigiDesign
2010-04-15 21:37:34 48 ----a-w- c:\windows\system32\w3data.vss
2010-04-15 21:37:34 48 ----a-w- c:\windows\msocreg32.dat
2010-04-15 21:20:57 0 d-----w- c:\program files\VstPlugIns
2010-04-15 21:20:56 0 d-----w- c:\program files\IK Multimedia
2010-04-13 21:30:53 0 d-----w- c:\program files\CDex
2010-04-13 20:01:47 0 d-----w- c:\program files\PixiePack Codec Pack
2010-04-13 19:59:36 0 d-----w- c:\program files\RapidSolution
2010-04-13 19:59:35 0 d-----w- c:\programdata\RapidSolution
2010-04-13 19:43:56 0 d-----w- c:\program files\common files\Real
2010-04-11 00:42:51 307200 ----a-w- c:\windows\system32\iFPSP.dll
2010-04-11 00:42:50 14540 ----a-w- c:\windows\system32\drivers\T10.SYS
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\N10.SYS
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\ifpusb.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp900.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp800.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp700.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp500.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\ifp300.sys
2010-04-11 00:42:50 14531 ----a-w- c:\windows\system32\drivers\Ifp1000.sys
2010-04-11 00:42:46 0 d-----w- c:\program files\iriver
2010-04-09 23:37:12 0 d--h--w- c:\windows\PIF

==================== Find3M ====================

2010-04-29 15:14:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-29 15:14:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-29 15:13:59 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-07 14:28:12 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-04-06 22:32:30 0 ----a-w- c:\programdata\PKP_DLdy.DAT
2010-04-02 01:02:19 170252 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-31 07:06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-30 00:00:29 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-03-30 00:00:28 353576 ------w- c:\windows\system32\msvcr71.dll
2010-03-29 06:26:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 06:26:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 06:26:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-28 09:19:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-28 09:18:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-28 09:13:45 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-03-28 05:30:41 174 --sha-w- c:\program files\desktop.ini
2010-03-28 05:15:29 101888 ------w- c:\windows\system32\ifxcardm.dll
2010-03-28 05:15:25 82432 ------w- c:\windows\system32\axaltocm.dll
2010-03-28 01:41:01 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-03-28 01:41:01 270848 ----a-w- c:\windows\system32\schannel.dll
2010-03-27 21:38:12 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-03-27 21:38:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-03-27 21:38:12 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-03-27 21:38:12 23552 ----a-w- c:\windows\system32\lpk.dll
2010-03-27 21:38:12 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-03-27 21:38:12 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-03-27 21:36:05 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-27 21:36:04 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-27 21:35:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-27 21:35:59 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-27 21:34:10 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-03-27 21:34:10 272896 ----a-w- c:\windows\system32\polstore.dll
2010-03-27 21:31:44 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-03-27 21:31:44 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-03-27 21:27:58 17920 ----a-w- c:\windows\system32\netevent.dll
2010-03-27 21:27:58 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-03-27 21:27:57 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-03-27 21:27:57 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-03-27 21:27:57 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-03-27 21:27:57 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-03-27 21:27:57 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-03-27 21:27:57 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-03-27 21:27:57 10240 ----a-w- c:\windows\system32\finger.exe
2010-03-27 21:24:10 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-03-27 21:24:09 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-03-27 21:24:09 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-03-27 21:24:09 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-03-27 21:24:09 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-03-27 21:24:09 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-03-27 21:24:06 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-03-27 21:22:53 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-03-27 21:22:53 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-03-27 21:22:52 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-03-27 21:22:51 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-03-27 21:21:37 72704 ----a-w- c:\windows\system32\secur32.dll
2010-03-27 21:21:37 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-03-27 21:21:37 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-03-27 21:21:37 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-03-27 21:21:36 9728 ----a-w- c:\windows\system32\lsass.exe
2010-03-27 21:21:36 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-03-27 21:19:22 98816 ----a-w- c:\windows\system32\mfps.dll
2010-03-27 21:19:22 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-03-27 21:19:22 2868224 ----a-w- c:\windows\system32\mf.dll
2010-03-27 21:19:22 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-03-27 21:19:22 2048 ----a-w- c:\windows\system32\mferror.dll
2010-03-27 21:14:54 71680 ----a-w- c:\windows\system32\atl.dll
2010-03-27 21:08:09 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-03-27 21:07:01 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-03-27 21:07:01 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-03-27 21:07:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-03-27 20:52:51 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-27 20:51:44 623616 ----a-w- c:\windows\system32\localspl.dll
2010-03-27 20:42:59 7042560 ----a-w- c:\windows\system32\NlsLexicons081a.dll
2010-03-27 20:39:45 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-03-27 20:35:36 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-27 20:35:36 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-27 20:28:44 37888 ----a-w- c:\windows\system32\printcom.dll
2010-03-27 20:28:00 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-03-27 20:25:46 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-03-27 20:24:54 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-03-27 20:23:46 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-27 20:23:46 471552 ----a-w- c:\windows\system32\secproc.dll
2010-03-27 20:23:46 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-27 20:23:46 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-27 20:23:46 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-03-27 20:23:46 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-27 20:23:46 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-27 20:23:45 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-27 20:23:45 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-27 20:20:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-03-27 20:20:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-03-27 20:00:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-27 19:50:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-27 19:50:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-27 19:50:40 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-03-27 19:49:46 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-03-27 19:49:33 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-27 19:48:58 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-03-27 19:48:29 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-27 19:48:29 30720 ----a-w- c:\windows\system32\httpapi.dll
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 10:09:08.15 ===============

Attached Files



#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:04 PM

Posted 10 May 2010 - 07:34 AM

Hi,


Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Emule). These programmes allow files to be shared between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt




We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.




#5 fuadramsey

fuadramsey
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 10 May 2010 - 10:25 PM

Hi,

Attached is the combo fix log. It restarted my computer and then generated the report.

I was unable to run RootRepeal. After I pressed scan (after making your directed selections) it would just hang and show no progress. I let it sit for a few hours and nothing changed. I also tried to run it in safe mode and it did not work there either.


Thanks!

Attached Files



#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:04 PM

Posted 11 May 2010 - 02:09 PM

Hi,


Please make sure you have disabled Windows Defender before running this.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Collect::
c:\windows\System32\fcyxxw.dll
c:\windows\System32\kheeda.dll
c:\windows\system32\pmkiih.dll
c:\windows\system32\tuttqo.dll
c:\windows\system32\rqrrqn.dll
c:\windows\system32\ssrron.dll
c:\users\mr.roboto\tenmy.ini

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cbxwxydrv"=-
"mlmjkhsys"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mlkjhisys"=-
"byyvvwdrv"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ljgdabsys"=-
"ljgedbdrv"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Also, please include new DDS logs.



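Added example, not part of the thread and not ComboFix code: the last Registry:: entry in the script above resets HKLM\system\currentcontrolset\control\lsa\Authentication Packages to its stock content. Every DLL named in that REG_MULTI_SZ is loaded into lsass.exe at boot, which is why malware of this kind appends itself there and why the script rewrites the value; the hex(7) bytes 6d,73,76,31,5f,30,00,00 spell out the single entry msv1_0. The Python below decodes a line of that form, reports any entry beyond the expected one, and on a Windows host can compare the live value the same way. The allow-list and the function names are assumptions made for illustration.

```python
"""Audit the LSA "Authentication Packages" value that the CFScript above resets.

Added example; it is not part of the thread and not ComboFix code. The sample
line is copied from the Registry:: section above, and the allow-list plus the
function names are assumptions made for illustration.
"""
import re
import sys
from typing import List, Set

# Constructed sample: the last Registry:: line of the CFScript in this thread.
SAMPLE_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# Assumption: a stock Vista workstation lists only msv1_0 here. Every DLL named
# in this REG_MULTI_SZ is loaded into lsass.exe at boot, so anything extra is
# worth a close look.
EXPECTED_PACKAGES: Set[str] = {"msv1_0"}

_HEX7_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$'
)


def parse_hex7_line(line: str):
    """Return (value_name, raw_bytes) for a .reg-style hex(7) (REG_MULTI_SZ) line."""
    m = _HEX7_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a hex(7) value line: {line!r}")
    raw = bytes(int(b, 16) for b in m.group("data").split(","))
    return m.group("name"), raw


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split REG_MULTI_SZ bytes into entries.

    The CFScript form stores one byte per character (as in the sample); a .reg
    file exported by regedit stores UTF-16LE. The wide form has a NUL at every
    odd offset, so detect it and handle both.
    """
    wide = len(raw) >= 2 and all(raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode("utf-16-le") if wide else raw.decode("latin-1")
    # Entries are NUL-separated; the list ends with an empty entry.
    return [s for s in text.split("\x00") if s]


def unexpected_packages(packages: List[str], expected: Set[str] = EXPECTED_PACKAGES) -> List[str]:
    """Return the entries that are not on the allow-list (compared case-insensitively)."""
    allowed = {e.lower() for e in expected}
    return [p for p in packages if p.lower() not in allowed]


def audit_line(line: str) -> List[str]:
    """Decode one CFScript/.reg line and return the entries that should not be there."""
    _, raw = parse_hex7_line(line)
    return unexpected_packages(decode_multi_sz(raw))


def audit_live_registry() -> List[str]:
    """Read the live value on a Windows host; returns [] on any other platform."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, value_type = winreg.QueryValueEx(key, "Authentication Packages")
    if value_type != winreg.REG_MULTI_SZ:
        raise RuntimeError("Authentication Packages is not REG_MULTI_SZ")
    return unexpected_packages(list(value))


if __name__ == "__main__":
    name, raw = parse_hex7_line(SAMPLE_LINE)
    print(f"{name}: {decode_multi_sz(raw)}")
    print("unexpected entries:", audit_line(SAMPLE_LINE) or "none")
```

Run as-is it decodes the sample line to the single entry msv1_0 and reports nothing unexpected; on a Windows machine, `audit_live_registry()` performs the same comparison against the real key, so an added package name shows up by name rather than as a run of hex bytes.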

#7 fuadramsey

fuadramsey
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 11 May 2010 - 03:48 PM

Okay, I was unable to bring up Windows Defender, so I disabled the service in services.msc

Here is the updated DDS log below.

Attached is the new combofix log file.


Thanks again!

Jamie









DDS (Ver_10-03-17.01) - NTFSx86
Run by Mr.Roboto at 13:39:29.15 on Tue 05/11/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.1052 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
C:\Program Files\Fortinet\FortiClient\fcappdb.exe
C:\Program Files\Fortinet\FortiClient\FortiProxy.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\rundll32.exe
C:\Windows\System32\M-AudioTaskBarIcon.exe
C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\system32\FortiSSLVPNdaemon.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\nlssrv32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mr.Roboto\Desktop\Bleeping Computer\dds.scr
C:\PROGRA~1\Fortinet\FORTIC~1\FORTIS~1.EXE
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\mr33d6~1.rob\appdata\roaming\mozilla\firefox\profiles\ayvu7f5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?r0=1269792079
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
FF - plugin: c:\users\mr.roboto\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-4-6 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-4-6 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-4-6 501888]
R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2009-12-15 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2009-12-15 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr2.sys [2009-12-15 35432]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2009-12-15 36968]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-5-7 343088]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2010-4-29 87064]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-4-6 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1106000.020\symtdiv.sys [2010-4-6 340016]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/29 17:04:42];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-7-28 703008]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-4-6 126392]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-1-15 57344]
R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-30 102448]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [2009-4-6 22432]
R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-7-21 36384]
R3 RRNetCapMP;RRNetCapMP;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2010-4-29 14496]
S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\drivers\MAudioFastTrackPro.sys [2009-11-9 158600]
S3 RRNetCap;RRNetCap Service;c:\windows\system32\drivers\rrnetcap.sys [2009-11-26 27168]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

=============== Created Last 30 ================

2010-05-11 20:26:49 0 d-----w- C:\$RECYCLE.BIN
2010-05-10 06:18:21 198129 ----a-w- C:\PP-OH004-03312010.rr
2010-05-09 08:08:38 0 d-----w- C:\combo-fix
2010-05-07 04:50:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-07 04:47:52 0 d-----w- c:\programdata\Lavasoft
2010-05-06 05:42:10 98816 ----a-w- c:\windows\sed.exe
2010-05-06 05:42:10 77312 ----a-w- c:\windows\MBR.exe
2010-05-06 05:42:10 256512 ----a-w- c:\windows\PEV.exe
2010-05-06 05:42:10 161792 ----a-w- c:\windows\SWREG.exe
2010-05-06 01:07:43 97792 ---ha-w- c:\windows\system32\pmkiih.dll
2010-05-05 21:20:42 0 ----a-w- c:\users\mr.roboto\defogger_reenable
2010-05-05 11:05:48 299429274 ----a-w- c:\windows\MEMORY.DMP
2010-05-05 08:09:08 0 d-----w- C:\VundoFix Backups
2010-05-05 08:06:04 97792 ---ha-w- c:\windows\system32\tuttqo.dll
2010-05-05 01:54:14 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-05 01:54:14 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-05 01:41:44 0 d-----w- c:\program files\CCleaner
2010-05-05 01:07:49 97792 ---ha-w- c:\windows\system32\rqrrqn.dll
2010-05-04 18:41:28 0 d-----w- c:\program files\Trend Micro
2010-05-03 00:04:21 0 d-----w- c:\program files\eMule
2010-04-30 20:01:45 0 d-----w- c:\program files\Groove Monkee
2010-04-30 04:01:51 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Malwarebytes
2010-04-30 03:49:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 03:49:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 03:49:56 0 d-----w- c:\programdata\Malwarebytes
2010-04-30 03:49:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 18:47:27 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\SonicWALL
2010-04-29 16:44:25 0 d-----w- C:\dealerdata
2010-04-29 15:12:52 14496 ----a-w- c:\windows\system32\drivers\ftvnic.sys
2010-04-29 15:12:43 0 d-----w- c:\program files\common files\Fortinet
2010-04-29 15:12:40 0 d-----w- c:\program files\Fortinet
2010-04-29 15:11:39 0 d-----w- c:\programdata\Applications
2010-04-29 15:10:21 87064 ----a-w- c:\windows\system32\drivers\SWIPsec.sys
2010-04-29 15:08:53 0 d-----w- c:\program files\SonicWALL
2010-04-29 14:54:38 0 d-----w- c:\program files\common files\Deterministic Networks
2010-04-29 14:54:33 0 d-----w- c:\program files\Cisco Systems
2010-04-29 14:54:17 1593 ----a-w- c:\windows\VPNInstall.MIF
2010-04-29 14:49:23 29354 ------w- c:\windows\system32\WEMU387.386
2010-04-29 14:49:23 27136 ------w- c:\windows\system32\CTL3DNT.DLL
2010-04-29 14:49:23 13312 ------w- c:\windows\system32\SVRAPI.DLL
2010-04-29 14:49:22 26624 ------w- c:\windows\system32\CTL3D95.DLL
2010-04-29 14:49:17 2668 ----a-w- c:\windows\pw5.ini
2010-04-29 14:46:24 306688 ----a-w- c:\windows\IsUninst.exe
2010-04-26 20:30:55 0 d-----w- c:\program files\Lame for Audacity
2010-04-26 20:29:21 0 d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-04-24 22:45:34 95744 ---ha-w- c:\windows\system32\ssrron.dll
2010-04-24 22:40:46 2 ----a-w- c:\users\mr.roboto\tenmy.ini
2010-04-24 22:40:18 372001 ----a-w- c:\users\mr.roboto\windrvswld94.exe
2010-04-24 18:54:45 0 d-----w- c:\program files\Toontrack
2010-04-23 19:06:28 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Antares
2010-04-23 19:06:27 0 d-----w- c:\program files\Antares Audio Technologies
2010-04-23 19:06:19 1777664 ----a-w- c:\windows\system32\gdiplus.dll
2010-04-23 01:20:43 0 d-----w- c:\program files\Waves
2010-04-22 08:21:52 0 d-----w- c:\users\mr33d6~1.rob\appdata\roaming\Waves Audio
2010-04-22 08:19:05 0 d--h--w- c:\users\mr33d6~1.rob\appdata\roaming\FDBTemp
2010-04-16 01:22:26 0 d-----w- c:\program files\common files\DigiDesign
2010-04-15 21:37:34 48 ----a-w- c:\windows\system32\w3data.vss
2010-04-15 21:37:34 48 ----a-w- c:\windows\msocreg32.dat
2010-04-15 21:20:57 0 d-----w- c:\program files\VstPlugIns
2010-04-15 21:20:56 0 d-----w- c:\program files\IK Multimedia
2010-04-13 21:30:53 0 d-----w- c:\program files\CDex
2010-04-13 20:01:47 0 d-----w- c:\program files\PixiePack Codec Pack
2010-04-13 19:59:36 0 d-----w- c:\program files\RapidSolution
2010-04-13 19:59:35 0 d-----w- c:\programdata\RapidSolution
2010-04-13 19:43:56 0 d-----w- c:\program files\common files\Real

==================== Find3M ====================

2010-04-29 15:14:00 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-29 15:14:00 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-29 15:13:59 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-07 14:28:12 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-04-06 22:32:30 0 ----a-w- c:\programdata\PKP_DLdy.DAT
2010-04-02 01:02:19 170252 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-31 07:06:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-30 00:00:29 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-03-30 00:00:28 353576 ------w- c:\windows\system32\msvcr71.dll
2010-03-29 06:26:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 06:26:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 06:26:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-28 09:19:00 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-28 09:18:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-28 09:13:45 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-03-28 05:30:41 174 --sha-w- c:\program files\desktop.ini
2010-03-28 05:15:29 101888 ------w- c:\windows\system32\ifxcardm.dll
2010-03-28 05:15:25 82432 ------w- c:\windows\system32\axaltocm.dll
2010-03-28 01:41:01 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-03-28 01:41:01 270848 ----a-w- c:\windows\system32\schannel.dll
2010-03-27 21:38:12 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-03-27 21:38:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-03-27 21:38:12 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-03-27 21:38:12 23552 ----a-w- c:\windows\system32\lpk.dll
2010-03-27 21:38:12 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-03-27 21:38:12 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-03-27 21:36:05 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-27 21:36:04 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-27 21:35:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-27 21:35:59 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-27 21:34:10 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-03-27 21:34:10 272896 ----a-w- c:\windows\system32\polstore.dll
2010-03-27 21:31:44 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-03-27 21:31:44 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-03-27 21:27:58 17920 ----a-w- c:\windows\system32\netevent.dll
2010-03-27 21:27:58 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-03-27 21:27:57 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-03-27 21:27:57 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-03-27 21:27:57 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-03-27 21:27:57 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-03-27 21:27:57 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-03-27 21:27:57 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-03-27 21:27:57 10240 ----a-w- c:\windows\system32\finger.exe
2010-03-27 21:24:10 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-03-27 21:24:09 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-03-27 21:24:09 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-03-27 21:24:09 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-03-27 21:24:09 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-03-27 21:24:09 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-03-27 21:24:06 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-03-27 21:22:53 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-03-27 21:22:53 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-03-27 21:22:52 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-03-27 21:22:51 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-03-27 21:21:37 72704 ----a-w- c:\windows\system32\secur32.dll
2010-03-27 21:21:37 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-03-27 21:21:37 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-03-27 21:21:37 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-03-27 21:21:36 9728 ----a-w- c:\windows\system32\lsass.exe
2010-03-27 21:21:36 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-03-27 21:19:22 98816 ----a-w- c:\windows\system32\mfps.dll
2010-03-27 21:19:22 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-03-27 21:19:22 2868224 ----a-w- c:\windows\system32\mf.dll
2010-03-27 21:19:22 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-03-27 21:19:22 2048 ----a-w- c:\windows\system32\mferror.dll
2010-03-27 21:14:54 71680 ----a-w- c:\windows\system32\atl.dll
2010-03-27 21:08:09 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-03-27 21:07:01 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-03-27 21:07:01 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-03-27 21:07:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-03-27 20:52:51 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-27 20:51:44 623616 ----a-w- c:\windows\system32\localspl.dll
2010-03-27 20:42:59 7042560 ----a-w- c:\windows\system32\NlsLexicons081a.dll
2010-03-27 20:39:45 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-03-27 20:35:36 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-27 20:35:36 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-03-27 20:28:44 37888 ----a-w- c:\windows\system32\printcom.dll
2010-03-27 20:28:00 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-03-27 20:25:46 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-03-27 20:24:54 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-03-27 20:23:46 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-27 20:23:46 471552 ----a-w- c:\windows\system32\secproc.dll
2010-03-27 20:23:46 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-27 20:23:46 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-27 20:23:46 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-03-27 20:23:46 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-27 20:23:46 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-27 20:23:45 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-27 20:23:45 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-27 20:20:20 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-03-27 20:20:20 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-03-27 20:00:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-27 19:50:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-27 19:50:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-27 19:50:40 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-03-27 19:49:46 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-03-27 19:49:33 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-27 19:48:58 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-03-27 19:48:29 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-27 19:48:29 30720 ----a-w- c:\windows\system32\httpapi.dll
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 13:39:52.25 ===============

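Added example, not part of the thread and not DDS code: the DLLs the helper collects and deletes in the posts that follow are the same files that stand out in the "Created Last 30" section of the log above: hidden attribute set, placed directly in system32 rather than under an installer's own folder, three of them exactly 97792 bytes. The Python below applies that triage heuristic to a few lines copied from the log; the regular expressions, the heuristic itself and the function names are assumptions made for illustration.

```python
"""Triage the DDS "Created Last 30" section for hidden DLLs dropped into system32.

Added example; it is not part of the thread and not DDS code. The sample lines
are copied from the DDS log above; the heuristic and the function names are
assumptions made for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: a few lines lifted from the "Created Last 30" section above.
SAMPLE_DDS = r"""
2010-05-07 04:50:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 01:07:43 97792 ---ha-w- c:\windows\system32\pmkiih.dll
2010-05-05 08:06:04 97792 ---ha-w- c:\windows\system32\tuttqo.dll
2010-05-05 01:07:49 97792 ---ha-w- c:\windows\system32\rqrrqn.dll
2010-04-24 22:45:34 95744 ---ha-w- c:\windows\system32\ssrron.dll
2010-04-23 19:06:19 1777664 ----a-w- c:\windows\system32\gdiplus.dll
2010-04-22 08:19:05 0 d--h--w- c:\users\mr33d6~1.rob\appdata\roaming\FDBTemp
"""

# DDS prints: <date> <time> <size> <attribute flags> <path>; paths may contain spaces.
_LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S{8}) (.+)$")
# Files living directly in system32 (not in a sub-folder) with a .dll extension.
_SYS32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$")


class Entry(NamedTuple):
    created: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"   # first flag: d = directory

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"   # fourth flag: h = hidden attribute set


def parse_dds_created(text: str) -> List[Entry]:
    """Parse the lines of a "Created Last 30" section, skipping anything unparseable."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def flag_hidden_system32_dlls(entries: List[Entry]) -> List[Entry]:
    """Heuristic: a freshly created, hidden DLL directly in system32 is not how
    legitimate installers behave, so report every such file."""
    return [e for e in entries
            if not e.is_dir and e.hidden and _SYS32_DLL_RE.match(e.path.lower())]


def size_clusters(entries: List[Entry]) -> Dict[int, List[str]]:
    """Group files by byte size; identical sizes under random names suggest
    several copies of one payload."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        by_size[e.size].append(e.path)
    return {size: paths for size, paths in by_size.items() if len(paths) > 1}


if __name__ == "__main__":
    flagged = flag_hidden_system32_dlls(parse_dds_created(SAMPLE_DDS))
    for e in flagged:
        print(f"{e.created}  {e.size:>8}  {e.attrs}  {e.path}")
    for size, paths in size_clusters(flagged).items():
        print(f"{len(paths)} files share size {size}: {', '.join(paths)}")
```

The heuristic is deliberately narrow (hidden attribute plus a bare .dll directly in system32), so legitimate drops such as gdiplus.dll or driver files under system32\drivers pass through untouched; the size clustering is the second signal an analyst would reach for before deciding which files to collect.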



#8 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:04 PM

Posted 12 May 2010 - 09:13 AM

Hi,



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Collect::
c:\windows\system32\pmkiih.dll
c:\windows\system32\tuttqo.dll
c:\windows\system32\rqrrqn.dll
c:\windows\system32\ssrron.dll
c:\users\mr.roboto\tenmy.ini
c:\users\mr.roboto\windrvswld94.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.



#9 fuadramsey

fuadramsey
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:04 AM

Posted 13 May 2010 - 12:37 AM

Thanks!

Below is the combo fix log, OTL.txt, OTL extra, and the sarscan log in that order.

There were no files flagged for removal in the Sophos program that were recommended for removal.






________________________________________________________________________________


ComboFix 10-05-10.02 - Mr.Roboto 05/12/2010 17:53:38.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.1064 [GMT -7:00]
Running from: c:\users\Mr.Roboto\Desktop\Bleeping Computer\ComboFix.exe
Command switches used :: c:\users\Mr.Roboto\Desktop\Bleeping Computer\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\users\mr.roboto\tenmy.ini
file zipped: c:\windows\system32\pmkiih.dll
file zipped: c:\windows\system32\rqrrqn.dll
file zipped: c:\windows\system32\ssrron.dll
file zipped: c:\windows\system32\tuttqo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\mr.roboto\tenmy.ini
c:\windows\system32\msvcsv60.dll
c:\windows\system32\pmkiih.dll
c:\windows\system32\rqrrqn.dll
c:\windows\system32\ssrron.dll
c:\windows\system32\tuttqo.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 01:03 . 2010-05-13 01:03 -------- d-----w- c:\users\Mr.Roboto\AppData\Local\temp
2010-05-13 01:03 . 2010-05-13 01:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-13 01:03 . 2010-05-13 01:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-09 08:08 . 2010-05-09 08:32 -------- d-----w- C:\combo-fix
2010-05-07 04:50 . 2010-05-07 04:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-07 04:47 . 2010-05-09 14:59 -------- d-----w- c:\programdata\Lavasoft
2010-05-05 08:09 . 2010-05-05 08:09 -------- d-----w- C:\VundoFix Backups
2010-05-05 01:54 . 2010-05-09 15:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-05 01:54 . 2010-05-09 15:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-05 01:41 . 2010-05-05 01:41 -------- d-----w- c:\program files\CCleaner
2010-05-04 18:41 . 2010-05-04 18:41 388096 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-04 18:41 . 2010-05-04 18:41 -------- d-----w- c:\program files\Trend Micro
2010-05-04 04:35 . 2010-05-05 01:20 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-03 07:17 . 2010-05-03 07:17 -------- d-----w- c:\users\Public\Software
2010-05-03 00:18 . 2010-05-03 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-03 00:04 . 2010-05-05 00:10 -------- d-----w- c:\program files\eMule
2010-04-30 20:01 . 2010-04-30 20:05 -------- d-----w- c:\program files\Groove Monkee
2010-04-30 04:01 . 2010-04-30 04:01 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Malwarebytes
2010-04-30 03:49 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 03:49 . 2010-04-30 03:49 -------- d-----w- c:\programdata\Malwarebytes
2010-04-30 03:49 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 03:49 . 2010-05-05 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 18:47 . 2010-04-29 18:47 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\SonicWALL
2010-04-29 15:12 . 2009-02-16 21:23 14496 ----a-w- c:\windows\system32\drivers\ftvnic.sys
2010-04-29 15:12 . 2010-04-29 15:12 -------- d-----w- c:\program files\Common Files\Fortinet
2010-04-29 15:12 . 2010-04-29 15:13 -------- d-----w- c:\program files\Fortinet
2010-04-29 15:11 . 2010-04-29 15:11 -------- d-----w- c:\programdata\Applications
2010-04-29 15:10 . 2009-03-06 06:58 87064 ----a-w- c:\windows\system32\drivers\SWIPsec.sys
2010-04-29 15:08 . 2010-04-29 15:08 -------- d-----w- c:\program files\SonicWALL
2010-04-29 14:54 . 2010-04-29 15:08 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2010-04-29 14:54 . 2010-04-29 14:54 -------- d-----w- c:\program files\Cisco Systems
2010-04-29 14:49 . 1999-12-21 07:00 27136 ------w- c:\windows\system32\CTL3DNT.DLL
2010-04-29 14:49 . 1999-12-21 07:00 13312 ------w- c:\windows\system32\SVRAPI.DLL
2010-04-29 14:49 . 1999-12-21 07:00 26624 ------w- c:\windows\system32\CTL3D95.DLL
2010-04-29 14:46 . 1998-10-29 23:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-04-26 20:30 . 2010-04-26 20:30 -------- d-----w- c:\program files\Lame for Audacity
2010-04-26 20:30 . 2010-04-30 07:43 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Audacity
2010-04-26 20:29 . 2010-04-26 20:29 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-04-24 22:40 . 2010-04-24 22:40 45056 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{009AC76E-1A66-4682-82B7-417E77F3C648}\ARPPRODUCTICON.exe
2010-04-24 19:47 . 2010-04-24 19:47 2998 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{8967ABFB-CBCA-4EC0-8DE8-A01135267C16}\ARPPRODUCTICON.exe
2010-04-24 19:45 . 2010-04-24 19:45 8854 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{5866520C-8857-4986-833A-039F4584C3F7}\UNINST_Uninstall_T_5866520C88574986833A039F4584C3F7.exe
2010-04-24 19:45 . 2010-04-24 19:45 67646 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{5866520C-8857-4986-833A-039F4584C3F7}\Toontrack_solo.exe_5866520C88574986833A039F4584C3F7_1.exe
2010-04-24 19:45 . 2010-04-24 19:45 67646 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{5866520C-8857-4986-833A-039F4584C3F7}\Toontrack_solo.exe_5866520C88574986833A039F4584C3F7.exe
2010-04-24 19:45 . 2010-04-24 19:45 67646 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{5866520C-8857-4986-833A-039F4584C3F7}\ARPPRODUCTICON.exe
2010-04-24 18:54 . 2010-04-24 19:47 -------- d-----w- c:\program files\Toontrack
2010-04-23 19:06 . 2010-04-23 19:06 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Antares
2010-04-23 19:06 . 2010-04-23 19:06 -------- d-----w- c:\program files\Antares Audio Technologies
2010-04-23 19:06 . 2003-06-20 19:28 1777664 ----a-w- c:\windows\system32\gdiplus.dll
2010-04-23 05:46 . 2010-04-23 05:46 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{8094F7AE-CA21-4AF2-A256-BC918CE0E796}\ARPPRODUCTICON.exe
2010-04-23 05:03 . 2010-04-23 05:03 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}\ARPPRODUCTICON.exe
2010-04-23 04:08 . 2010-04-23 04:08 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{82DF9225-13EC-41BD-BE31-AAB121B38166}\ARPPRODUCTICON.exe
2010-04-23 01:20 . 2010-04-23 01:20 -------- d-----w- c:\program files\Waves
2010-04-22 08:21 . 2010-04-22 08:21 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Waves Audio
2010-04-22 08:19 . 2010-04-22 08:19 45056 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{6815FCDD-401D-481E-BA88-31B4754C2B46}\ARPPRODUCTICON.exe
2010-04-22 08:19 . 2010-04-22 08:19 -------- d--h--w- c:\users\Mr.Roboto\AppData\Roaming\FDBTemp
2010-04-21 22:20 . 2010-04-21 22:20 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}\ARPPRODUCTICON.exe
2010-04-21 21:43 . 2010-04-21 21:43 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}\ARPPRODUCTICON.exe
2010-04-21 01:23 . 2010-04-21 01:23 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{430399DC-98BC-4A7F-8F8E-77981CABAE05}\ARPPRODUCTICON.exe
2010-04-21 00:59 . 2010-04-21 00:59 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}\ARPPRODUCTICON.exe
2010-04-21 00:51 . 2010-04-21 00:51 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{BB5A44CB-3045-43E2-BEB0-B64E477D4633}\ARPPRODUCTICON.exe
2010-04-17 23:48 . 2010-04-17 23:48 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Canon
2010-04-17 07:39 . 2010-04-17 07:39 3128 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{147567F0-8575-4BE0-B5B3-62706C67FA5A}\ARPPRODUCTICON.exe
2010-04-16 01:22 . 2010-04-16 01:22 -------- d-----w- c:\program files\Common Files\DigiDesign
2010-04-15 21:37 . 2010-05-12 22:46 48 ----a-w- c:\windows\msocreg32.dat
2010-04-15 21:20 . 2010-05-03 07:17 -------- d-----w- c:\program files\VstPlugIns
2010-04-15 21:20 . 2010-04-22 08:14 -------- d-----w- c:\program files\IK Multimedia
2010-04-15 21:20 . 2010-04-15 21:20 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\InstallShield
2010-04-13 21:41 . 2010-04-13 21:41 495616 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\EncodingBackend\lame_enc.dll
2010-04-13 21:30 . 2010-05-12 01:38 -------- d-----w- c:\program files\CDex
2010-04-13 21:22 . 2010-04-13 21:22 476512 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\RadioRip.dll
2010-04-13 21:22 . 2010-04-13 21:22 169312 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgSoundclick.dll
2010-04-13 21:22 . 2010-04-13 21:22 111968 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgPandora.dll
2010-04-13 21:22 . 2010-04-13 21:22 128352 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgMyspace.dll
2010-04-13 21:22 . 2010-04-13 21:22 111968 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgLastfm.dll
2010-04-13 21:22 . 2010-04-13 21:22 99680 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgIJigg.dll
2010-04-13 21:22 . 2010-04-13 21:22 230752 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgHypemachine.dll
2010-04-13 21:22 . 2010-04-13 21:22 120160 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgGeneral.dll
2010-04-13 21:22 . 2010-04-13 21:22 91488 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgDefault.dll
2010-04-13 21:22 . 2010-04-13 21:22 140640 ----a-w- c:\programdata\RapidSolution\Tunebite_2009\RadioRip\PlgDeezer.dll
2010-04-13 20:01 . 2010-04-13 20:01 -------- d-----w- c:\program files\PixiePack Codec Pack
2010-04-13 19:59 . 2010-04-13 19:59 -------- d-----w- c:\program files\RapidSolution
2010-04-13 19:59 . 2010-04-13 19:59 -------- d-----w- c:\programdata\RapidSolution
2010-04-13 19:55 . 2010-04-13 19:55 -------- d-----w- c:\users\Mr.Roboto\AppData\Local\RapidSolution
2010-04-13 19:43 . 2010-04-13 19:44 -------- d-----w- c:\program files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 03:26 . 2010-03-31 06:10 -------- d-----w- c:\programdata\FLEXnet
2010-05-07 15:32 . 2010-03-29 02:23 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\BitTorrent
2010-05-02 19:21 . 2010-03-28 23:41 -------- d-----w- c:\program files\Rhapsody
2010-04-30 05:41 . 2010-03-28 19:25 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\REAPER
2010-04-29 23:26 . 2010-03-28 19:24 -------- d-----w- c:\program files\REAPER
2010-04-29 14:49 . 2010-03-29 06:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-29 14:49 . 2010-03-29 06:26 -------- d-----w- c:\program files\Symantec
2010-04-22 08:14 . 2010-03-29 04:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-21 00:33 . 2010-03-29 04:08 -------- d-----w- c:\program files\Elaborate Bytes
2010-04-17 23:50 . 2010-03-28 18:46 -------- d-----w- c:\programdata\Microsoft Help
2010-04-11 00:42 . 2010-04-11 00:42 -------- d-----w- c:\program files\iriver
2010-04-11 00:42 . 2010-03-29 23:55 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-07 18:30 . 2010-04-07 18:30 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Unity
2010-04-07 14:28 . 2010-04-07 14:28 104768 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-04-07 04:30 . 2010-04-07 03:06 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Nik Software
2010-04-07 04:25 . 2010-04-07 02:39 -------- d-----w- c:\program files\Nik Software
2010-04-07 04:22 . 2010-04-07 04:22 2004 ----a-w- c:\windows\Registration\e10f24f0-652e-11dd-ad8b-0800200c9a66.dll
2010-04-06 23:02 . 2010-04-06 23:02 49152 ----a-r- c:\users\Mr.Roboto\AppData\Roaming\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-04-06 23:02 . 2010-04-06 22:33 -------- d-----w- c:\program files\Common Files\Nikon
2010-04-06 23:00 . 2010-04-06 22:33 -------- d-----w- c:\program files\Nikon
2010-04-06 22:32 . 2010-04-06 22:32 0 ----a-w- c:\programdata\PKP_DLdy.DAT
2010-04-06 22:32 . 2010-04-06 22:32 -------- d-----w- c:\programdata\Ultima_T15
2010-04-06 22:32 . 2010-04-06 22:32 -------- d-----w- c:\programdata\EnterNHelp
2010-04-02 01:02 . 2010-04-02 01:02 170252 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-31 23:46 . 2010-03-31 23:41 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Apple Computer
2010-03-31 23:43 . 2010-03-31 23:34 -------- d-----w- c:\programdata\Apple
2010-03-31 23:40 . 2010-03-31 23:39 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 23:40 . 2010-03-31 23:39 -------- d-----w- c:\program files\iTunes
2010-03-31 23:39 . 2010-03-31 23:39 -------- d-----w- c:\program files\iPod
2010-03-31 23:39 . 2010-03-31 23:34 -------- d-----w- c:\program files\Common Files\Apple
2010-03-31 23:39 . 2010-03-31 23:37 -------- d-----w- c:\programdata\Apple Computer
2010-03-31 23:38 . 2010-03-31 23:37 -------- d-----w- c:\program files\QuickTime
2010-03-31 23:37 . 2010-03-31 23:37 -------- d-----w- c:\program files\Apple Software Update
2010-03-31 23:34 . 2010-03-31 23:34 -------- d-----w- c:\program files\Bonjour
2010-03-31 07:06 . 2010-03-31 07:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-31 06:59 . 2010-03-30 22:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-31 06:59 . 2010-03-27 18:56 101600 ----a-w- c:\users\Mr.Roboto\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-31 05:55 . 2010-03-31 05:55 -------- d-----w- c:\programdata\ALM
2010-03-31 04:24 . 2010-03-31 04:24 -------- d-----w- c:\program files\Adobe Media Player
2010-03-31 04:23 . 2010-03-31 04:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-31 04:19 . 2010-03-31 04:19 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-30 23:53 . 2010-03-30 23:53 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-03-30 01:34 . 2010-03-30 00:05 -------- d-----w- c:\programdata\Knowledge Adventure
2010-03-30 00:06 . 2010-03-29 04:42 -------- d-----w- c:\programdata\CyberLink
2010-03-30 00:06 . 2010-03-29 04:42 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\CyberLink
2010-03-30 00:04 . 2010-03-30 00:01 -------- d-----w- c:\program files\CyberLink
2010-03-30 00:04 . 2010-03-30 00:04 -------- d-----w- c:\program files\Common Files\CyberLink
2010-03-30 00:00 . 2010-03-29 04:40 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-03-30 00:00 . 2010-03-29 04:40 353576 ------w- c:\windows\system32\msvcr71.dll
2010-03-30 00:00 . 2010-03-30 00:00 53319 ----a-w- c:\programdata\Temp\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}\PostBuild.exe
2010-03-29 23:56 . 2010-03-29 23:55 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
2010-03-29 23:55 . 2010-03-29 23:55 -------- d-----w- c:\program files\JumpStart
2010-03-29 06:33 . 2010-03-29 06:33 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\Tific
2010-03-29 06:27 . 2010-03-29 06:26 -------- d-----w- c:\programdata\Norton
2010-03-29 06:26 . 2010-03-29 06:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 06:26 . 2010-03-29 06:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 06:26 . 2010-03-29 06:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-29 06:26 . 2010-03-29 06:26 -------- d-----w- c:\program files\Norton Internet Security
2010-03-29 06:26 . 2010-03-29 06:26 -------- d-----w- c:\programdata\NortonInstaller
2010-03-29 06:26 . 2010-03-29 06:26 -------- d-----w- c:\program files\NortonInstaller
2010-03-29 06:13 . 2010-03-29 06:13 -------- d-----w- c:\users\Mr.Roboto\AppData\Roaming\InfraRecorder
2010-03-29 06:13 . 2010-03-29 06:13 -------- d-----w- c:\program files\InfraRecorder
2010-03-29 04:08 . 2010-03-29 04:08 -------- d-----w- c:\programdata\SlySoft
2010-03-29 04:04 . 2010-03-29 04:04 -------- d-----w- c:\program files\SlySoft
2010-03-29 02:23 . 2010-03-29 02:23 -------- d-----w- c:\program files\BitTorrent
2010-03-28 19:26 . 2010-03-28 19:26 -------- d-----w- c:\program files\M-Audio
2010-03-28 18:49 . 2010-03-28 18:49 -------- d-----w- c:\program files\Microsoft Works
2010-03-28 18:48 . 2010-03-28 18:48 -------- d-----w- c:\program files\Microsoft.NET
2010-03-28 16:41 . 2010-03-28 16:41 -------- d-----w- c:\program files\7-Zip
2010-03-28 16:00 . 2010-03-28 16:00 0 ----a-w- c:\windows\nsreg.dat
2010-03-28 09:24 . 2010-03-28 03:25 -------- d-----w- c:\programdata\NVIDIA
2010-03-28 09:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-03-28 09:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-28 09:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-03-28 09:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-03-28 09:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-03-28 09:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-28 09:19 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-28 09:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-28 09:18 . 2010-03-28 09:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-03-28 05:15 . 2006-11-02 10:32 101888 ------w- c:\windows\system32\ifxcardm.dll
2010-03-28 05:15 . 2006-11-02 10:32 82432 ------w- c:\windows\system32\axaltocm.dll
2010-03-28 01:41 . 2010-03-28 01:41 -------- d-----w- c:\program files\Realtek
2010-03-28 01:41 . 2010-03-28 01:41 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-03-28 01:41 . 2010-03-28 01:41 270848 ----a-w- c:\windows\system32\schannel.dll
2010-03-27 21:38 . 2010-03-27 21:38 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-03-27 21:38 . 2010-03-27 21:38 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-03-27 21:38 . 2010-03-27 21:38 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-03-27 21:38 . 2010-03-27 21:38 23552 ----a-w- c:\windows\system32\lpk.dll
2010-03-27 21:38 . 2010-03-27 21:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-03-27 21:38 . 2010-03-27 21:38 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-03-27 21:36 . 2010-03-27 21:36 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-27 21:36 . 2010-03-27 21:36 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-27 21:35 . 2010-03-27 21:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-27 21:35 . 2010-03-27 21:35 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-27 21:34 . 2010-03-27 21:34 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-03-27 21:34 . 2010-03-27 21:34 272896 ----a-w- c:\windows\system32\polstore.dll
2010-03-27 21:31 . 2010-03-27 21:31 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-03-27 21:31 . 2010-03-27 21:31 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-03-27 21:27 . 2010-03-27 21:27 17920 ----a-w- c:\windows\system32\netevent.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2010-04-09 3378112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 643592]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-02 87336]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2010-4-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):58,9e,dc,6e,58,ce,ca,01

R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\DRIVERS\ftvnic.sys [2009-02-16 14496]
R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\system32\DRIVERS\MAudioFastTrackPro.sys [2009-11-09 158600]
R3 RRNetCap;RRNetCap Service;c:\windows\system32\DRIVERS\rrnetcap.sys [2009-11-26 27168]
R3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\DRIVERS\swvnic.sys [2009-03-05 21016]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\ccHPx86.sys [2010-02-25 501888]
S1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2009-12-15 13416]
S1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2009-12-15 98024]
S1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr2.sys [2009-12-15 35432]
S1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2009-12-15 36968]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100505.001\IDSvix86.sys [2009-11-17 343088]
S1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\Drivers\SWIPsec.sys [2009-03-06 87064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1106000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/29 17:04];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-03-13 09:58 87536]
S2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-07-29 703008]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-01-15 57344]
S2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [2009-03-06 227352]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-03-29 102448]
S3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\DRIVERS\fortidrv.sys [2009-04-06 22432]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\DRIVERS\pppop.sys [2009-07-22 36384]
S3 RRNetCapMP;RRNetCapMP;c:\windows\system32\DRIVERS\rrnetcap.sys [2009-11-26 27168]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 23:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Mr.Roboto\AppData\Roaming\Mozilla\Firefox\Profiles\ayvu7f5x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?r0=1269792079
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Fortinet\SslvpnClient\npccplugin.dll
FF - plugin: c:\program files\Fortinet\SslvpnClient\nptcplugin.dll
FF - plugin: c:\users\Mr.Roboto\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 18:03
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
Completion time: 2010-05-12 18:08:00
ComboFix-quarantined-files.txt 2010-05-13 01:07
ComboFix2.txt 2010-05-11 20:03
ComboFix3.txt 2010-05-11 00:34
ComboFix4.txt 2010-05-09 08:31
ComboFix5.txt 2010-05-11 20:13

Pre-Run: 159,093,473,280 bytes free
Post-Run: 159,069,081,600 bytes free

- - End Of File - - 82719BB385E6E4DF403A2EB7256EBF2B
Upload was successful





_______________________________________________________________________________________





OTL logfile created on: 5/12/2010 6:14:50 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Mr.Roboto\Desktop\Bleeping Computer
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 148.18 Gb Free Space | 63.63% Space Free | Partition Type: NTFS
Drive D: | 368.10 Gb Total Space | 172.19 Gb Free Space | 46.78% Space Free | Partition Type: NTFS
Drive E: | 97.66 Gb Total Space | 30.95 Gb Free Space | 31.70% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MRROBOTO
Current User Name: Mr.Roboto
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/12 09:51:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Mr.Roboto\Desktop\Bleeping Computer\OTL.exe
PRC - [2010/04/09 07:15:14 | 003,378,112 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/25 16:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe
PRC - [2010/02/02 14:08:56 | 000,087,336 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
PRC - [2010/01/15 06:27:56 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\System32\nlssrv32.exe
PRC - [2009/11/09 13:56:38 | 000,643,592 | ---- | M] (Avid Technology, Inc.) -- C:\Windows\System32\M-AudioTaskBarIcon.exe
PRC - [2009/07/28 17:11:06 | 000,703,008 | ---- | M] (Fortinet Inc.) -- C:\Windows\System32\FortiSSLVPNdaemon.exe
PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/05 23:57:56 | 000,227,352 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe
PRC - [2008/06/11 22:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2007/07/16 11:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe


========== Modules (SafeList) ==========

MOD - [2010/05/12 09:51:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Mr.Roboto\Desktop\Bleeping Computer\OTL.exe
MOD - [2010/03/26 16:52:36 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\asoehook.dll
MOD - [2010/02/04 11:17:27 | 000,129,984 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\ADvdDiscHlp.dll
MOD - [2009/07/12 01:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 01:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\microsoft.vc90.crt\msvcp90.dll
MOD - [2009/04/10 23:21:40 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/18 23:33:02 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/30 21:19:03 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/25 16:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe -- (NIS)
SRV - [2010/01/15 06:27:56 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\System32\nlssrv32.exe -- (nlsX86cc)
SRV - [2009/12/15 11:18:04 | 000,053,266 | ---- | M] (Fortinet Inc.) [Auto | Stopped] -- C:\Program Files\Fortinet\FortiClient\scheduler.exe -- (FA_Scheduler)
SRV - [2009/07/28 17:11:06 | 000,703,008 | ---- | M] (Fortinet Inc.) [Auto | Running] -- C:\Windows\System32\FortiSSLVPNdaemon.exe -- (FortiSslvpnDaemon)
SRV - [2009/03/05 23:57:56 | 000,227,352 | ---- | M] (SonicWALL, Inc.) [Auto | Running] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe -- (SWGVCSvc)
SRV - [2008/01/18 23:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/07/16 11:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/05/10 20:39:01 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100512.022\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 20:39:01 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100512.022\NAVENG.SYS -- (NAVENG)
DRV - [2010/04/29 10:44:04 | 000,537,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/04/07 07:28:12 | 000,104,768 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010/03/28 23:42:10 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/03/28 23:42:10 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/03/28 23:26:35 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/13 02:58:52 | 000,087,536 | ---- | M] (CyberLink Corp.) [2010/03/29 17:04:42] [Kernel | Auto | Running] -- C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl -- ({1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC})
DRV - [2010/02/26 19:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NIS\1106000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/26 19:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\Drivers\NIS\1106000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 19:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NIS\1106000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 16:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NIS\1106000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/02/03 18:40:52 | 000,340,016 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\NIS\1106000.020\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2010/02/03 18:40:50 | 000,172,592 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\NIS\1106000.020\SYMEFA.SYS -- (SymEFA)
DRV - [2010/01/01 10:20:34 | 000,026,024 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\System32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2009/12/15 11:42:12 | 000,035,432 | ---- | M] (Fortinet Inc) [Kernel | System | Running] -- C:\Windows\System32\drivers\FortiRdr2.sys -- (FortiRdr)
DRV - [2009/12/15 11:41:54 | 000,036,968 | ---- | M] (Fortinet Inc) [File_System | System | Running] -- C:\Windows\System32\drivers\FortiShield.sys -- (FortiShield)
DRV - [2009/12/15 11:41:50 | 000,098,024 | ---- | M] (Fortinet Inc) [Kernel | System | Running] -- C:\Windows\System32\drivers\fortips.sys -- (Fortips)
DRV - [2009/12/15 11:41:42 | 000,013,416 | ---- | M] (Fortinet Inc) [Kernel | System | Running] -- C:\Windows\System32\drivers\fortiapd.sys -- (fortiapd)
DRV - [2009/11/26 14:28:52 | 000,037,920 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2009/11/26 14:28:30 | 000,027,168 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rrnetcap.sys -- (RRNetCapMP)
DRV - [2009/11/26 14:28:30 | 000,027,168 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rrnetcap.sys -- (RRNetCap)
DRV - [2009/11/16 17:51:14 | 000,343,088 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100505.001\IDSvix86.sys -- (IDSVix86)
DRV - [2009/11/09 13:56:10 | 000,158,600 | ---- | M] (Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MAudioFastTrackPro.sys -- (MAUSBFASTTRACKPRO)
DRV - [2009/10/14 20:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\NIS\1106000.020\SYMDS.SYS -- (SymDS)
DRV - [2009/08/09 14:25:56 | 000,029,696 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VClone.sys -- (VClone)
DRV - [2009/07/21 17:53:06 | 000,036,384 | ---- | M] (Fortinet Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pppop.sys -- (pppop)
DRV - [2009/04/10 21:42:56 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/04/06 13:20:08 | 000,022,432 | ---- | M] (Fortinet Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\fortidrv.sys -- (Fortidrv2)
DRV - [2009/03/05 23:58:12 | 000,087,064 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\SWIPsec.sys -- (SWIPsec)
DRV - [2009/03/04 18:03:32 | 000,021,016 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SWVNIC.sys -- (SWVNIC)
DRV - [2009/02/16 14:23:26 | 000,014,496 | ---- | M] (Fortinet Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ftvnic.sys -- (ft_vnic)
DRV - [2009/02/11 12:38:14 | 002,324,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\adfs.sys -- (adfs)
DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/22 21:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/10/26 18:51:22 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2007/07/16 11:57:12 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/02/21 12:49:47 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/02/21 12:49:47 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/02/21 12:49:47 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2007/01/05 22:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2007/01/05 22:59:34 | 000,086,096 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2006/11/02 02:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 02:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 02:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 02:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 02:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 02:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 02:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 02:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 02:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 02:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 02:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 02:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 02:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 02:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 02:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 02:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 02:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 02:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 02:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 02:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 02:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 02:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 02:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 02:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 02:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 02:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 02:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 02:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 01:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 01:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 01:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 01:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 01:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 01:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 00:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 00:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2004/03/29 17:28:24 | 000,014,531 | ---- | M] (iRiver, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ifp800.sys -- (IFP800)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/?r0=1269792079"
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\ [2010/04/26 15:17:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\ [2010/03/28 23:27:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/18 20:33:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/01 21:19:43 | 000,000,000 | ---D | M]

[2010/03/28 09:00:10 | 000,000,000 | ---D | M] -- C:\Users\Mr.Roboto\AppData\Roaming\Mozilla\Extensions
[2010/05/11 22:04:40 | 000,000,000 | ---D | M] -- C:\Users\Mr.Roboto\AppData\Roaming\Mozilla\Firefox\Profiles\ayvu7f5x.default\extensions
[2010/03/28 09:11:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Mr.Roboto\AppData\Roaming\Mozilla\Firefox\Profiles\ayvu7f5x.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/30 15:33:01 | 000,000,000 | ---D | M] (PDF Download) -- C:\Users\Mr.Roboto\AppData\Roaming\Mozilla\Firefox\Profiles\ayvu7f5x.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/03/28 09:00:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/11 13:26:46 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\M-AudioTaskBarIcon.exe (Avid Technology, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RemoteControl10] C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2 [2010/05/12 09:50:28 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2 [2010/05/12 09:50:28 | 000,000,000 | ---D | M]
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-4061500785-3989173201-3202516345-1000\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img23.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img23.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/12 18:09:46 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/12 18:09:42 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/12 18:09:42 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Local\temp
[2010/05/12 17:27:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/12 10:38:15 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Documents\NEW Woo Wordpress Themes - All 35 - Professtionnal WordPress Themes
[2010/05/09 09:51:03 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Desktop\Bleeping Computer
[2010/05/09 01:08:38 | 000,000,000 | ---D | C] -- C:\combo-fix
[2010/05/08 09:43:15 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Desktop\Malwarebyte
[2010/05/06 21:50:32 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/05/06 21:47:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/05/06 21:45:38 | 097,364,760 | ---- | C] (Lavasoft ) -- C:\Users\Mr.Roboto\Desktop\Ad-AwareInstaller.exe
[2010/05/05 22:42:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/05 22:42:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/05 22:42:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/05 22:42:02 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/05 22:41:43 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/05 01:09:08 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/05/04 18:54:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/05/04 18:54:14 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/04 18:41:44 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/04 11:41:28 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/03 21:35:17 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/05/02 17:18:54 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/05/02 17:04:21 | 000,000,000 | ---D | C] -- C:\Program Files\eMule
[2010/04/30 13:01:45 | 000,000,000 | ---D | C] -- C:\Program Files\Groove Monkee
[2010/04/30 07:11:28 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/04/29 21:01:51 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\Malwarebytes
[2010/04/29 20:49:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 20:49:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/29 20:49:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/29 20:49:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 11:47:27 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\SonicWALL
[2010/04/29 08:30:16 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Desktop\Superior Drummer
[2010/04/29 08:12:52 | 000,014,496 | ---- | C] (Fortinet Inc.) -- C:\Windows\System32\drivers\ftvnic.sys
[2010/04/29 08:12:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Fortinet
[2010/04/29 08:12:40 | 000,000,000 | ---D | C] -- C:\Program Files\Fortinet
[2010/04/29 08:11:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Applications
[2010/04/29 08:10:21 | 000,087,064 | ---- | C] (SonicWALL, Inc.) -- C:\Windows\System32\drivers\SWIPsec.sys
[2010/04/29 08:08:53 | 000,000,000 | ---D | C] -- C:\Program Files\SonicWALL
[2010/04/29 07:54:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Deterministic Networks
[2010/04/29 07:54:33 | 000,000,000 | ---D | C] -- C:\Program Files\Cisco Systems
[2010/04/29 07:49:23 | 000,027,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CTL3DNT.DLL
[2010/04/29 07:49:23 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SVRAPI.DLL
[2010/04/29 07:49:22 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CTL3D95.DLL
[2010/04/29 07:46:24 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\Windows\IsUninst.exe
[2010/04/27 17:50:56 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Documents\Rat Soup
[2010/04/26 13:30:55 | 000,000,000 | ---D | C] -- C:\Program Files\Lame for Audacity
[2010/04/26 13:30:06 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\Audacity
[2010/04/26 13:29:21 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity 1.3 Beta (Unicode)
[2010/04/24 12:19:52 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Documents\Toontrack
[2010/04/24 11:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Toontrack
[2010/04/23 13:29:16 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Desktop\Use Me Raw Files
[2010/04/23 12:06:28 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\Antares
[2010/04/23 12:06:27 | 000,000,000 | ---D | C] -- C:\Program Files\Antares Audio Technologies
[2010/04/23 12:06:19 | 001,777,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gdiplus.dll
[2010/04/22 18:20:43 | 000,000,000 | ---D | C] -- C:\Program Files\Waves
[2010/04/22 01:21:52 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\Waves Audio
[2010/04/22 01:19:05 | 000,000,000 | -H-D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\FDBTemp
[2010/04/18 20:38:25 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Documents\23 Boats You Can Build ~ Plans and Diagrams ~mahasonaz~
[2010/04/18 20:35:53 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Documents\The Boat Builders Free Plans v2.0
[2010/04/17 16:48:21 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\Canon
[2010/04/15 18:22:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DigiDesign
[2010/04/15 14:20:57 | 000,000,000 | ---D | C] -- C:\Program Files\VstPlugIns
[2010/04/15 14:20:56 | 000,000,000 | ---D | C] -- C:\Program Files\IK Multimedia
[2010/04/15 14:20:47 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Roaming\InstallShield
[2010/04/14 17:55:33 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\Documents\REAPER Media
[2010/04/13 14:30:53 | 000,000,000 | ---D | C] -- C:\Program Files\CDex
[2010/04/13 13:01:47 | 000,000,000 | ---D | C] -- C:\Program Files\PixiePack Codec Pack
[2010/04/13 12:59:36 | 000,000,000 | ---D | C] -- C:\Program Files\RapidSolution
[2010/04/13 12:59:35 | 000,000,000 | ---D | C] -- C:\ProgramData\RapidSolution
[2010/04/13 12:55:24 | 000,000,000 | ---D | C] -- C:\Users\Mr.Roboto\AppData\Local\RapidSolution
[2010/04/13 12:43:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Real

========== Files - Modified Within 30 Days ==========

[2010/05/12 18:15:03 | 002,883,584 | -HS- | M] () -- C:\Users\Mr.Roboto\NTUSER.DAT
[2010/05/12 18:03:40 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/12 16:50:49 | 000,002,565 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
[2010/05/12 16:50:47 | 000,005,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/12 16:50:47 | 000,005,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/12 16:50:41 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/12 16:50:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/12 16:50:32 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/12 16:49:08 | 000,524,288 | -HS- | M] () -- C:\Users\Mr.Roboto\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/05/12 16:49:08 | 000,065,536 | -HS- | M] () -- C:\Users\Mr.Roboto\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/12 16:48:32 | 002,395,235 | -H-- | M] () -- C:\Users\Mr.Roboto\AppData\Local\IconCache.db
[2010/05/12 15:46:31 | 000,000,048 | ---- | M] () -- C:\Windows\System32\w3data.vss
[2010/05/12 15:46:31 | 000,000,048 | ---- | M] () -- C:\Windows\msocreg32.dat
[2010/05/12 10:22:57 | 000,001,905 | ---- | M] () -- C:\Windows\diagwrn.xml
[2010/05/12 10:22:57 | 000,001,905 | ---- | M] () -- C:\Windows\diagerr.xml
[2010/05/12 09:14:34 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/12 09:14:34 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/12 09:14:34 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/12 08:23:48 | 307,580,378 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/05/12 00:53:11 | 000,009,216 | ---- | M] () -- C:\Users\Mr.Roboto\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/11 16:10:01 | 000,000,081 | ---- | M] () -- C:\Users\Mr.Roboto\Desktop\Infected with Trojan.Vundo.URL
[2010/05/11 13:26:46 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/05/09 23:41:46 | 000,001,778 | -H-- | M] () -- C:\Users\Mr.Roboto\Documents\Default.rdp
[2010/05/09 23:16:36 | 000,002,668 | ---- | M] () -- C:\Windows\pw5.ini
[2010/05/09 19:30:10 | 000,198,129 | ---- | M] () -- C:\PP-OH004-03312010.rr
[2010/05/08 15:37:57 | 000,000,709 | ---- | M] () -- C:\Users\Mr.Roboto\Desktop\Malwarebytes' Anti-Malware - Shortcut.lnk
[2010/05/06 21:50:31 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/05/06 21:46:41 | 097,364,760 | ---- | M] (Lavasoft ) -- C:\Users\Mr.Roboto\Desktop\Ad-AwareInstaller.exe
[2010/05/05 14:20:42 | 000,000,000 | ---- | M] () -- C:\Users\Mr.Roboto\defogger_reenable
[2010/05/04 20:27:39 | 000,001,252 | ---- | M] () -- C:\Users\Mr.Roboto\Documents\cc_20100504_202736.reg
[2010/05/04 18:44:39 | 000,029,824 | ---- | M] () -- C:\Users\Mr.Roboto\Documents\cc_20100504_184424.reg
[2010/05/04 17:12:35 | 000,002,855 | ---- | M] () -- C:\Users\Mr.Roboto\Desktop\mbam.com - Shortcut.pif
[2010/05/03 17:53:49 | 000,000,125 | -HS- | M] () -- C:\ProgramData\.zreglib
[2010/05/02 17:02:24 | 002,558,976 | ---- | M] () -- C:\Users\Mr.Roboto\Desktop\Ford Shop Spring 2010.xls
[2010/05/02 12:21:32 | 000,870,128 | ---- | M] () -- C:\Users\Mr.Roboto\AppData\Roaming\mcs.rma
[2010/05/02 12:21:32 | 000,000,004 | ---- | M] () -- C:\Users\Mr.Roboto\AppData\Roaming\C8FB42
[2010/04/29 16:26:07 | 000,000,776 | ---- | M] () -- C:\Users\Public\Desktop\REAPER.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/29 07:55:56 | 000,001,593 | ---- | M] () -- C:\Windows\VPNInstall.MIF
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/21 14:44:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/04/21 14:44:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/04/13 12:46:19 | 000,000,365 | ---- | M] () -- C:\Users\Mr.Roboto\Desktop\Music.lnk

========== Files Created - No Company Name ==========

[2010/05/12 10:05:02 | 000,001,905 | ---- | C] () -- C:\Windows\diagwrn.xml
[2010/05/12 10:05:02 | 000,001,905 | ---- | C] () -- C:\Windows\diagerr.xml
[2010/05/11 16:10:01 | 000,000,081 | ---- | C] () -- C:\Users\Mr.Roboto\Desktop\Infected with Trojan.Vundo.URL
[2010/05/10 20:01:47 | 2011,750,400 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/09 23:18:21 | 000,198,129 | ---- | C] () -- C:\PP-OH004-03312010.rr
[2010/05/08 15:37:57 | 000,000,709 | ---- | C] () -- C:\Users\Mr.Roboto\Desktop\Malwarebytes' Anti-Malware - Shortcut.lnk
[2010/05/05 22:42:10 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/05/05 22:42:10 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/05 22:42:10 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/05 22:42:10 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/05 22:42:10 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/05 14:20:42 | 000,000,000 | ---- | C] () -- C:\Users\Mr.Roboto\defogger_reenable
[2010/05/05 04:05:48 | 307,580,378 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/05/04 20:27:37 | 000,001,252 | ---- | C] () -- C:\Users\Mr.Roboto\Documents\cc_20100504_202736.reg
[2010/05/04 18:44:29 | 000,029,824 | ---- | C] () -- C:\Users\Mr.Roboto\Documents\cc_20100504_184424.reg
[2010/05/04 17:12:35 | 000,002,855 | ---- | C] () -- C:\Users\Mr.Roboto\Desktop\mbam.com - Shortcut.pif
[2010/05/02 11:16:09 | 002,558,976 | ---- | C] () -- C:\Users\Mr.Roboto\Desktop\Ford Shop Spring 2010.xls
[2010/04/29 16:26:06 | 000,000,776 | ---- | C] () -- C:\Users\Public\Desktop\REAPER.lnk
[2010/04/29 09:58:25 | 000,001,778 | -H-- | C] () -- C:\Users\Mr.Roboto\Documents\Default.rdp
[2010/04/29 07:54:43 | 000,002,565 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
[2010/04/29 07:54:17 | 000,001,593 | ---- | C] () -- C:\Windows\VPNInstall.MIF
[2010/04/29 07:49:23 | 000,029,354 | ---- | C] () -- C:\Windows\System32\WEMU387.386
[2010/04/29 07:49:17 | 000,002,668 | ---- | C] () -- C:\Windows\pw5.ini
[2010/04/21 14:44:49 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/04/21 14:44:49 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/04/15 14:37:34 | 000,000,048 | ---- | C] () -- C:\Windows\System32\w3data.vss
[2010/04/15 14:37:34 | 000,000,048 | ---- | C] () -- C:\Windows\msocreg32.dat
[2010/04/13 12:46:19 | 000,000,365 | ---- | C] () -- C:\Users\Mr.Roboto\Desktop\Music.lnk
[2010/04/13 12:44:05 | 000,000,004 | ---- | C] () -- C:\Users\Mr.Roboto\AppData\Roaming\C8FB42
[2010/04/13 12:44:04 | 000,870,128 | ---- | C] () -- C:\Users\Mr.Roboto\AppData\Roaming\mcs.rma
[2010/04/06 22:39:49 | 000,003,072 | ---- | C] () -- C:\Windows\System32\Viveza2FC32.dll
[2010/03/29 16:56:52 | 000,000,087 | ---- | C] () -- C:\Windows\ka.ini
[2010/03/28 01:59:11 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/03/02 11:33:32 | 000,067,584 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/03/02 11:33:32 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2007/07/16 11:58:10 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:A8ADE5D8
< End of report >




_________________________________________________________________________________________________




OTL Extras logfile created on: 5/12/2010 6:14:50 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Mr.Roboto\Desktop\Bleeping Computer
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 148.18 Gb Free Space | 63.63% Space Free | Partition Type: NTFS
Drive D: | 368.10 Gb Total Space | 172.19 Gb Free Space | 46.78% Space Free | Partition Type: NTFS
Drive E: | 97.66 Gb Total Space | 30.95 Gb Free Space | 31.70% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MRROBOTO
Current User Name: Mr.Roboto
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4061500785-3989173201-3202516345-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{D9ED25F8-9E2A-4883-B2C9-7343B2EEB4B8}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{29A211D8-8C09-4473-8F6F-B483049E1FCA}" = dir=in | app=c:\program files\fortinet\forticlient\ipsec.exe |
"{3C422D12-A83F-4C82-A1FA-508BFF85D82B}" = dir=in | app=c:\program files\fortinet\forticlient\fortiproxy.exe |
"{42862CC4-AB8E-4D88-9891-0E51D875C6F0}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{577B528E-3EF9-4166-B03E-B14DE97B6FF8}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{9EEBED5D-C597-4923-AB2F-2EEAF164FAD8}" = dir=in | app=c:\program files\fortinet\forticlient\fortiwad.exe |
"{A3EA6CF4-9684-4F65-B073-0BD5A4CBD702}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A4F90A57-15DF-437A-A368-ED0BF51B3369}" = protocol=17 | dir=in | app=c:\program files\rhapsody\rhapsody.exe |
"{A7E2705E-16FD-4A50-B475-3DACA4A891D6}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B09878BB-80E9-413C-90A0-EC9BE300BA98}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{B0BE82A7-33D6-4E60-B61D-4FE0D80F9133}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{C4DBC1B5-4519-49EE-882F-476DDBE8B8E8}" = dir=in | app=c:\program files\cyberlink\powerdvd10\powerdvd9.exe |
"{CB1CABA3-EF84-4B3F-8B0B-DB777E2DBBF9}" = protocol=6 | dir=in | app=c:\program files\rhapsody\rhapsody.exe |
"{CDADE8BA-D086-4B64-AACE-8EF7EB4F3AE8}" = dir=in | app=c:\program files\cyberlink\powerdvd10\powerdvd cinema\powerdvdcinema10.exe |
"{DAC5D216-CE81-4143-9818-375416B6048E}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{DDF7FE87-1900-44BB-A8BD-0EC96BCC0BD5}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{DE1C7E3F-4CF3-49D4-BFE0-D7A5439CFC72}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F7773EAC-A137-4FD0-B73D-2B2B1C671CEA}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{009AC76E-1A66-4682-82B7-417E77F3C648}" = Superior Drummer Installer
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{147567F0-8575-4BE0-B5B3-62706C67FA5A}" = EZXCocktail
"{14F70205-1940-4000-88C7-BE799A6B2CAD}" = Adobe Soundbooth CS4
"{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}" = Cisco Systems VPN Client 5.0.01.0600
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{212B2756-7648-42DB-98D4-CBE5CC9E2D8F}" = Tunebite
"{236E0A03-6110-485E-B0F9-399215948BB7}" = M-Audio FastTrackPro Driver 6.0.2 (x86)
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}" = Adobe CS4 American English Speech Analysis Models
"{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}" = EZXPercussion
"{34D6AD5A-C03D-45FF-AA8A-8B306E01B96D}" = FortiClient Endpoint Security
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{40624553-811E-400E-B69B-38D8926A66BD}" = SonicWALL Global VPN Client
"{423C4130-EBC3-410A-B3A0-37BBF9D607D5}" = T-RackS 3 Deluxe
"{430399DC-98BC-4A7F-8F8E-77981CABAE05}" = EZXVintage
"{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}" = EZdrummer
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{52232EF4-CC12-4C21-ABCF-ADB79618302D}" = Adobe Soundbooth CS4 Codecs
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{561968FD-56A1-49FD-9ED0-F55482C7C5BC}" = Adobe Media Encoder CS4 Exporter
"{5866520C-8857-4986-833A-039F4584C3F7}" = Toontrack solo
"{5986F167-4C6C-4D03-9706-E1189B2A1462}" = iriver Music Manager
"{5DD152A8-BFB3-439E-90CD-5C00C2116E23}" = AmpliTube 3
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}" = Adobe Creative Suite 4 Master Collection
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{7406DF60-016D-476B-A2C7-55D997592047}" = Adobe OnLocation CS4
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{7CBD8A89-45F4-4203-9923-673F72603747}" = Adobe Photoshop Lightroom 2.3
"{8094F7AE-CA21-4AF2-A256-BC918CE0E796}" = EZXClaustrophobic
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{82DF9225-13EC-41BD-BE31-AAB121B38166}" = EZXNashville
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{8967ABFB-CBCA-4EC0-8DE8-A01135267C16}" = EZplayer pro
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C450606-ED24-4958-92BA-B8940C99D441}" = PixiePack Codec Pack
"{A34DCE59-0004-0000-2068-3F8A9926B752}" = FortiClient SSL VPN v4.0.2068
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{B169BC97-B8AA-4ACA-9CF2-9D0FF5BABDF7}" = Adobe Premiere Pro CS4 Functional Content
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BB5A44CB-3045-43E2-BEB0-B64E477D4633}" = EZXFunkmasters
"{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}" = Adobe Media Encoder CS4 Additional Exporter
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C86E7C99-E4AD-79C7-375B-1AEF9A91EC2B}" = Acrobat.com
"{C938BE91-3BB5-4B84-9EF6-88F0505D0038}" = Adobe Premiere Pro CS4 Third Party Content
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF1D7323-8A0A-49C7-83B0-088DB90721E2}" = AmpegSVX
"{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}" = EZXTwisted
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D499F8DE-3F31-4900-9157-61061613704B}" = Adobe Premiere Pro CS4
"{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}" = EZXDfh
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}" = CyberLink PowerDVD 10
"{E8EE9410-8AC4-4F43-A626-DDECA75C79F3}" = Adobe Setup
"{EE353798-E875-42E0-B58D-7E6696182EA8}" = Adobe Media Encoder CS4 Dolby
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FB2A5FCC-B81B-48C2-A009-7804694D83E9}" = Adobe Encore CS4 Codecs
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FE96C49B-DB90-405E-A00E-09E38372F880}" = Camera Control Pro 2
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 9.11 beta
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_b2d6abde968e6f277ddbfd501383e02" = Adobe Creative Suite 4 Master Collection
"Antares Autotune Evo VST RTAS_is1" = Antares Autotune Evo VST RTAS v6.0.9
"AnyDVD" = AnyDVD
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
"BitTorrent" = BitTorrent
"CCleaner" = CCleaner
"CDex" = CDex - Open Source Digital Audio CD Extractor
"CloneDVD2" = CloneDVD2
"Color Efex Pro 3.0 Complete Stand-Alone" = Color Efex Pro 3.0 Complete
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dfine 2.0 Stand-Alone" = Dfine 2.0
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Groove Monkee Power Rock" = Groove Monkee Power Rock
"Groove Monkee Punk" = Groove Monkee Punk
"Groove Monkee Rock and Metal" = Groove Monkee Rock and Metal
"Groove Monkee Twisted" = Groove Monkee Twisted
"InfraRecorder" = InfraRecorder
"InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}" = CyberLink PowerDVD 10
"JumpStart Advanced 1st Grade" = JumpStart Advanced 1st Grade
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"LiveUpdate" = LiveUpdate
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NIS" = Norton Internet Security
"NVIDIA Drivers" = NVIDIA Drivers
"Procomm Plus" = Symantec Procomm Plus
"REAPER" = REAPER
"Rhapsody" = Rhapsody
"Sharpener Pro 3.0 Stand-Alone" = Sharpener Pro 3.0
"Silver Efex Pro for Stand-Alone" = Silver Efex Pro
"Viveza 2" = Viveza 2
"Waves Mercury Bundle" = Waves Mercury Bundle
"Waves Vocal Bundle v1.1" = Waves Vocal Bundle v1.1
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4061500785-3989173201-3202516345-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/12/2010 11:20:32 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/12/2010 11:20:32 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 561510

Error - 5/12/2010 11:20:32 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 561510

Error - 5/12/2010 11:20:48 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/12/2010 11:20:48 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 577110

Error - 5/12/2010 11:20:48 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 577110

Error - 5/12/2010 11:21:03 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/12/2010 11:21:03 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 592710

Error - 5/12/2010 11:21:03 AM | Computer Name = MrRoboto | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 592710

Error - 5/12/2010 1:28:23 PM | Computer Name = MrRoboto | Source = Application Hang | ID = 1002
Description = The program Acrobat.exe version 9.0.0.332 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: aac Start Time: 01caf1f84301e397 Termination Time: 60000

[ System Events ]
Error - 3/31/2010 2:50:19 AM | Computer Name = MrRoboto | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 3/31/2010 2:50:25 AM | Computer Name = MrRoboto | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 3/31/2010 2:50:32 AM | Computer Name = MrRoboto | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 3/31/2010 2:50:38 AM | Computer Name = MrRoboto | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 3/31/2010 2:59:17 AM | Computer Name = MrRoboto | Source = Service Control Manager | ID = 7000
Description =

Error - 4/5/2010 7:03:34 PM | Computer Name = MrRoboto | Source = Service Control Manager | ID = 7011
Description =

Error - 4/5/2010 7:04:03 PM | Computer Name = MrRoboto | Source = Service Control Manager | ID = 7011
Description =

Error - 4/5/2010 8:11:45 PM | Computer Name = MrRoboto | Source = Service Control Manager | ID = 7011
Description =

Error - 4/5/2010 8:12:14 PM | Computer Name = MrRoboto | Source = Service Control Manager | ID = 7011
Description =

Error - 4/6/2010 6:46:31 PM | Computer Name = MrRoboto | Source = Service Control Manager | ID = 7000
Description =


< End of report >


_________________________________________________________________________________________________






Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 5/12/2010 at 18:37:52 PM
User "Mr.Roboto" on computer "MRROBOTO"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\config\RegBack\SAM.LOG1
Hidden: file C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Lue\Logs\TempLog.Lue
Hidden: file C:\ProgramData\Norton\00000082\00000109\000003c3\cltLMS1.dat
Hidden: file C:\ProgramData\Norton\00000082\00000109\000003c3\cltLMS2.dat
Info: Starting disk scan of D: (NTFS).
Info: Starting disk scan of E: (NTFS).
Stopped logging on 5/12/2010 at 19:44:40 PM




#10 fuadramsey

  • Topic Starter

  • Members
  • 14 posts

Posted 14 May 2010 - 10:37 PM

Elle,

So how do the logs look? I am still getting crash messages saying that my computer had to restart. I think it's every time the computer tries to go to sleep.


Thanks!

Jamie

#11 Blind Faith


  • Malware Response Team
  • 4,101 posts

Posted 16 May 2010 - 06:54 AM

Hi,


The following refers to CCleaner.
Please be aware that BleepingComputer staff do not recommend the use of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your operating system.
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done on the assumption that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix"; it is up to the user, so just take this as a recommendation from my side.


We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:A8ADE5D8
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.






Elle

Edited by Blind Faith, 16 May 2010 - 06:54 AM.

Can you hear it? It's all around!

Tomar ki manè acchè? Yadi thakè, tahalè ki kshama kartè paro?
(Do you remember? If you do, then can you forgive?)

If I haven't replied in 48 hours, please feel free to send me a PM.

#12 fuadramsey

  • Topic Starter

  • Members
  • 14 posts

Posted 17 May 2010 - 12:08 AM

Thanks.

Here is the OTL log and the Malware log:

_____________________________________________________________________________________

Error: Unable to interpret <[field name="Fix" lines=20]:OTL> in the current context!
Error: Unable to interpret <@Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:DFC5A2B2> in the current context!
Error: Unable to interpret <@Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:A8ADE5D8> in the current context!

OTL by OldTimer - Version 3.2.4.1 log created on 05162010_184644


____________________________________________________________________________________

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4108

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/16/2010 7:03:35 PM
mbam-log-2010-05-16 (19-03-35).txt

Scan type: Quick scan
Objects scanned: 123994
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#13 Blind Faith


  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 17 May 2010 - 07:01 AM

Hi,

We need to run the OTL fix again
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\Temp:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:A8ADE5D8
    :commands
    [EMPTYTEMP]
    [REBOOT]
  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.




Elle
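The OTL fix in this post and in the earlier one deletes two named NTFS alternate data streams (ADS) attached to the directory C:\ProgramData\Temp. As an added example that is not part of this thread and not OTL's own code, the PowerShell script below does the same job by hand and adds the step a responder usually wants before deleting anything: it lists every ADS on a file or directory, saves a copy of each one with its SHA-256 so the content can be analysed later, removes only the streams you name, and lists again to verify. It assumes Windows PowerShell 5.1 on an NTFS volume, run from an elevated prompt (needed for C:\ProgramData); the default path and the stream names in the comments are the ones from this thread, while the Get-AdsList helper, the parameter names and the dump folder are this example's own choices.

```powershell
# Added example, not part of the thread or of OTL: inspect, preserve and remove
# NTFS alternate data streams (ADS) by hand. Assumes Windows PowerShell 5.1 on
# NTFS, run from an elevated prompt. Helper and parameter names are this
# example's own.
param(
    # Object to inspect; the directory is the one from the OTL fix in the thread.
    [string]$Target = 'C:\ProgramData\Temp',
    # Streams to delete, e.g. 'DFC5A2B2','A8ADE5D8' (the two OTL removed).
    # Empty by default so a plain run only reports and never deletes.
    [string[]]$StreamsToRemove = @(),
    # Folder in which copies of the streams are kept for later analysis.
    [string]$DumpDir = (Join-Path $env:TEMP 'ads_dumps')
)

function Get-AdsList {
    param([string]$Path)
    # ':$DATA' is the unnamed default stream of a file; anything else is an ADS.
    # A directory has no default stream, so every entry returned for it is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object Stream, Length
}

# 1. Record what is present before anything is changed.
$before = @(Get-AdsList -Path $Target)
if ($before.Count -eq 0) {
    Write-Host "No alternate data streams on $Target"
    return
}
Write-Host "Alternate data streams on ${Target}:"
$before | Format-Table -AutoSize | Out-String | Write-Host

# 2. Copy each stream to an ordinary file and hash it, so it can be analysed
#    (or submitted to a sandbox) without ever being executed from its hiding place.
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
foreach ($ads in $before) {
    $bytes = [byte[]](Get-Content -LiteralPath $Target -Stream $ads.Stream -Encoding Byte -ReadCount 0)
    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream
    $dump = Join-Path $DumpDir ("{0}.bin" -f $ads.Stream)
    [System.IO.File]::WriteAllBytes($dump, $bytes)
    $hash = (Get-FileHash -LiteralPath $dump -Algorithm SHA256).Hash
    Write-Host ("Saved {0} ({1} bytes) to {2}  SHA256={3}" -f $ads.Stream, $ads.Length, $dump, $hash)
}

# 3. Remove only the streams explicitly named; the default stream is never touched.
foreach ($name in $StreamsToRemove) {
    if ($before.Stream -contains $name) {
        Remove-Item -LiteralPath $Target -Stream $name -ErrorAction Stop
        Write-Host "Removed ${Target}:$name"
    } else {
        Write-Warning "Stream '$name' not found on $Target; nothing removed"
    }
}

# 4. Verify, so the result can be posted alongside the OTL log.
$after = @(Get-AdsList -Path $Target)
Write-Host ("Streams remaining on {0}: {1}" -f $Target, $after.Count)
```

Run it without arguments to get a report only; add `-StreamsToRemove 'DFC5A2B2','A8ADE5D8'` to delete the two streams named in the fix. The same listing is available from a command prompt with `dir /r C:\ProgramData` (Vista and later), which is a quick way to confirm OTL's "ADS ... deleted successfully" lines afterwards. Keeping a copy of the stream before deletion costs nothing and is what makes a later answer to "what was actually in there?" possible.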

#14 fuadramsey

  • Topic Starter

  • Members
  • 14 posts

Posted 17 May 2010 - 09:35 AM

Okay that worked. Here's the log:


All processes killed
========== OTL ==========
ADS C:\ProgramData\Temp:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\Temp:A8ADE5D8 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mr.Roboto
->Temp folder emptied: 87702906 bytes
->Temporary Internet Files folder emptied: 177312 bytes
->FireFox cache emptied: 86178460 bytes
->Flash cache emptied: 12063 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 64675 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 166.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05172010_071736

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#15 Blind Faith


  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 18 May 2010 - 02:47 PM

Hi,


Are you still being redirected when clicking on a search result?

Start GMER again; this time uncheck everything on the right side of the window except the options Sections and C:\ drive. Push "Scan" and wait until the results have been generated. Save the produced log on the desktop as ark.txt and post it in your next reply.

If GMER still doesn't work, try running it in Safe Mode as well, with only Sections and C:\ ticked.



Elle



