services.exe and svchost.exe being hijacked by spam malware/virus


  • This topic is locked
32 replies to this topic

#1 smw5003

smw5003

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:59 AM

Posted 08 May 2010 - 03:18 PM

Original topic here: http://www.bleepingcomputer.com/forums/ind...howtopic=315442 ~ OB

For the past 3 weeks, I've been infected by several different varieties of malware, including fake anti-virus programs, rootkits, and a malware that disables my task manager and regedit as well as introducing other generic malware to infect my system.
I've cleaned most of the malware by downloading several anti-malware programs as well as manual cleaning by myself, but there appears to be one or a few more viruses that I have not been able to find that use my services.exe and possibly svchost.exe to send out hundreds of spam mails to other computers.
I attempted to run a ComboFix scan because that's what my ISP suggested, but every attempt ends with a blue screen of death or it just freezes/doesn't start.
Attached is a DDS log as well as a GMER log.
If anything else is required, I will gladly comply.

Jesse

I'm supposed to post the dds, right?

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Shade at 19:26:45.14 on Fri 05/07/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2939.2475 [GMT -10:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Shade\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRunOnce: []
mRunOnce: [GrpConv] grpconv -o
dRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\windows\system32\spoolsv.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {A6DF5C8E-42E0-4659-B997-CE004FDD4A35} = 156.154.70.22,156.154.71.22
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\shade\appdata\roaming\mozilla\firefox\profiles\871gg2z5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2536667&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Castle Age Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\shade\appdata\roaming\mozilla\firefox\profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\shade\appdata\roaming\mozilla\firefox\profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\users\shade\appdata\roaming\mozilla\firefox\profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
FF - component: c:\users\shade\appdata\roaming\mozilla\firefox\profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-14 218592]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-4-9 16744]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 30112]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-18 7168]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 218560]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 61440]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-6 112592]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-5-7 256512]
S2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-18 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-4-17 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-4-17 8456]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-5-1 35816]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-5-1 24416]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-14 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-14 1142224]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-21 9216]

=============== Created Last 30 ================

2010-05-08 05:21:55 0 d-s---w- C:\ComboFix
2010-05-08 04:33:29 98816 ----a-w- c:\windows\sed.exe
2010-05-08 04:33:29 77312 ----a-w- c:\windows\MBR.exe
2010-05-08 04:33:29 256512 ----a-w- c:\windows\PEV.exe
2010-05-08 04:33:29 161792 ----a-w- c:\windows\SWREG.exe
2010-05-08 02:37:15 0 d-----w- C:\32788R22FWJFW.8.tmp
2010-05-08 02:36:17 0 d-----w- C:\32788R22FWJFW.7.tmp
2010-05-08 02:30:30 0 d-----w- C:\32788R22FWJFW.6.tmp
2010-05-08 02:29:51 0 d-----w- C:\32788R22FWJFW.5.tmp
2010-05-08 02:29:15 0 d-----w- C:\32788R22FWJFW.4.tmp
2010-05-08 02:13:30 0 d-----w- C:\32788R22FWJFW.3.tmp
2010-05-07 21:30:41 0 d-----w- C:\32788R22FWJFW.2.tmp
2010-05-07 21:08:10 0 d-----w- C:\32788R22FWJFW.1.tmp
2010-05-07 00:56:06 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-07 00:56:05 882 ----a-w- c:\windows\RegSDImport.xml
2010-05-07 00:56:05 879 ----a-w- c:\windows\RegISSImport.xml
2010-05-07 00:56:05 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-07 00:56:05 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-07 00:56:05 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-07 00:56:05 131 ----a-w- c:\windows\IDB.zip
2010-05-07 00:56:05 1152444 ----a-w- c:\windows\UDB.zip
2010-05-04 02:36:12 0 d-----w- c:\users\shade\appdata\roaming\Intel
2010-05-04 02:29:24 0 d-----w- c:\programdata\SecTaskMan
2010-05-04 02:21:54 23 --sha-w- c:\windows\system32\edacded0.dat
2010-05-04 02:21:54 23 ----a-w- c:\windows\system32\bcdadac7.xml
2010-05-04 02:21:47 0 d-----w- c:\program files\jv16 PowerTools 2009
2010-05-04 00:31:15 0 d-----w- c:\programdata\WindowsSearch
2010-05-03 20:33:01 65536 --sha-w- c:\users\shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TM.blf
2010-05-03 20:33:01 524288 --sha-w- c:\users\shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TMContainer00000000000000000002.regtrans-ms
2010-05-03 20:33:01 524288 --sha-w- c:\users\shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TMContainer00000000000000000001.regtrans-ms
2010-05-02 13:42:57 0 d-----w- c:\program files\GameSpy Arcade
2010-05-02 08:54:45 0 d-----w- C:\Backreg
2010-05-02 08:30:11 296077371 ----a-w- c:\windows\MEMORY.DMP
2010-05-02 02:14:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 02:14:03 0 d-----w- c:\program files\DAEMON Tools Lite
2010-05-02 02:13:32 0 d-----w- c:\users\shade\appdata\roaming\DAEMON Tools Lite
2010-05-02 02:13:29 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-05-01 19:58:39 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-05-01 19:46:23 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-05-01 19:46:23 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-05-01 19:45:16 2 --shatr- c:\windows\winstart.bat
2010-05-01 19:44:40 0 d-----w- c:\program files\Greatis
2010-04-30 13:37:32 0 d--h--w- C:\VritualRoot
2010-04-30 13:23:20 0 d-----w- c:\programdata\COMODO
2010-04-30 13:23:08 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-30 13:13:15 32000 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-04-30 13:13:15 0 d-----w- c:\program files\Comodo
2010-04-30 13:12:28 0 d-----w- c:\programdata\Comodo Downloader
2010-04-20 07:26:17 0 d-----w- c:\program files\iPod
2010-04-20 07:26:09 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-20 07:20:36 0 d-----w- c:\program files\Bonjour
2010-04-19 18:55:37 0 d-----w- c:\windows\system32\SPReview
2010-04-19 12:44:45 0 d-----w- c:\program files\Conduit
2010-04-19 12:44:44 0 d-----w- c:\program files\Zynga
2010-04-19 12:21:41 0 d-----w- c:\windows\system32\EventProviders
2010-04-18 11:02:08 0 d-----w- c:\programdata\PMB Files
2010-04-18 11:00:19 0 d-----w- c:\program files\Pando Networks
2010-04-18 05:15:05 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2010-04-18 05:15:05 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2010-04-18 05:15:05 1711232 ----a-w- c:\windows\system32\BootMan.exe
2010-04-18 05:15:05 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2010-04-18 05:15:05 14216 ----a-w- c:\windows\system32\epmntdrv.sys
2010-04-18 05:15:00 0 d-----w- c:\program files\EASEUS
2010-04-18 04:36:02 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-18 04:36:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-18 04:36:02 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-18 04:36:02 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-18 04:36:01 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-18 04:35:53 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-18 04:35:53 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-18 04:35:53 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-18 04:35:50 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-18 04:35:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-18 04:35:48 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-18 04:35:32 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-16 06:56:52 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-16 06:56:46 0 d-----w- c:\users\shade\appdata\roaming\SUPERAntiSpyware.com
2010-04-16 06:56:46 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 03:51:48 0 d-----w- c:\users\shade\appdata\roaming\Auslogics
2010-04-14 03:51:45 0 d-----w- c:\program files\Auslogics
2010-04-13 16:11:48 0 d-----w- c:\program files\CCleaner
2010-04-13 16:02:35 0 d-----w- c:\windows\pss
2010-04-12 23:35:32 0 d-----w- c:\program files\Unlocker
2010-04-12 21:04:27 0 d--h--w- c:\windows\PIF
2010-04-12 11:08:03 92672 ----a-w- c:\windows\system32\KillBox.exe
2010-04-12 10:00:15 0 d-----w- C:\!KillBox
2010-04-12 09:36:18 1189 ----a-w- c:\programdata\pragmamfeklnmal.dll
2010-04-12 09:36:10 0 d-----w- c:\windows\PRAGMAsqhrpxnppi
2010-04-12 09:31:56 0 d-sh--w- C:\found.000
2010-04-09 11:26:12 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 11:25:30 30112 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 11:25:28 218560 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 11:25:28 16744 ----a-w- c:\windows\system32\drivers\cmderd.sys

==================== Find3M ====================

2010-05-03 18:00:26 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-03 18:00:26 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-30 13:16:00 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-29 17:43:31 5032 ----a-w- c:\users\shade\appdata\roaming\wklnhst.dat
2010-04-19 19:14:15 30808 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-04-19 18:59:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-12 22:45:27 174 --sha-w- c:\program files\desktop.ini
2010-04-09 00:29:32 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-02 03:42:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 20:06:14 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-24 20:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:39:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-18 22:24:50 150904 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 21:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 21:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-01-21 03:18:38 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-16 01:02:58 13 --sha-r- c:\windows\system32\drivers\fbd.sys
2009-07-16 01:02:55 4 --sha-r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 19:29:02.86 ===============

Attached Files


Edited by Orange Blossom, 08 May 2010 - 08:19 PM.
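An added example, not part of the original thread and not code from DDS, OTL or BleepingComputer: a small Python triage script that applies a few defender-side checks to autorun lines of the kind found in the DDS "Pseudo HJT Report" above. The sample input is copied from that report (other lines omitted). The meaning of the u/m/d hive prefixes, the list of binaries that are started by the service control manager rather than by a Run key, and the random-name heuristic are my assumptions, not something the log or the tool documents. The script only marks entries for review; a helper would still verify each hit against the file on disk before acting on it.

```python
import re

# Constructed sample input: autorun lines copied from the DDS "Pseudo HJT Report"
# posted above, with benign entries kept for contrast.
SAMPLE_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe",
    r"mRun: [RtHDVCpl] RtHDVCpl.exe",
    r'mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"',
    r"mRunOnce: [GrpConv] grpconv -o",
    r"dRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\windows\system32\spoolsv.exe",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    r"AppInit_DLLs: c:\windows\system32\guard32.dll",
    r"TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File",
]

# Hive prefixes as I read DDS's convention (assumption):
# u = current user (HKCU), m = machine (HKLM), d = default-user hive.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.Default"}

# Windows binaries normally started by the service control manager or winlogon,
# not by a Run/RunOnce value. A Run entry naming one of them merits review.
# (Assumed list; extend as needed.)
SERVICE_BINARIES = {"spoolsv.exe", "services.exe", "svchost.exe", "lsass.exe",
                    "winlogon.exe", "csrss.exe", "smss.exe"}

RUN_RE = re.compile(r"^([umd])(Run|RunOnce): \[([^\]]*)\] (.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")


def looks_random(name):
    """Heuristic (assumption): a long value name mixing letters and digits with no
    separators is more likely machine-generated than a vendor-chosen one."""
    return (len(name) >= 16 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def basename(command):
    """Return the lower-cased file name of the executable in a Run command,
    handling a quoted path with spaces and trailing arguments."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    if not m:
        return ""
    exe = m.group(1) or m.group(2)
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return (severity, line, reason) findings for the given autorun lines."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = basename(command)
            if exe in SERVICE_BINARIES:
                findings.append(("high", line,
                    f"{HIVE[hive]}\\...\\{key} launches {exe}, which is normally "
                    "started by the service control manager, not by a Run value"))
            if looks_random(name):
                findings.append(("medium", line,
                    f"autorun value name '{name}' looks machine-generated"))
            continue
        p = POLICY_RE.match(line)
        if p and p.group(1) == "EnableLUA" and p.group(2) == "0":
            findings.append(("medium", line, "UAC is disabled (EnableLUA = 0)"))
            continue
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("review", line,
                "AppInit_DLLs loads this DLL into every process that links user32.dll; "
                "confirm the publisher of the file"))
            continue
        if line.endswith("- No File"):
            findings.append(("low", line, "orphaned registration; the file is no longer present"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {line}\n         {reason}")
```

Run as-is it prints five findings; the two on the `dRun` line are the ones that matter most for the symptom described in the post, since a user-hive Run value with a random name pointing at a service binary is something to verify on disk (file hash, signature, creation time) rather than to assume is the stock spooler. Everything else it reports is low-severity context.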




#2 smw5003

smw5003
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:59 AM

Posted 08 May 2010 - 06:58 PM

bump again...
I'm back and will be online for replies
I'll be refreshing every 5-10 minutes, please someone post a reply

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator


well, at least I got a reply :)
I'll be patient, but my ISP might cut my internet soon if I don't resolve this spam problem :(
So if someone could take a quick look at my logs to see if it's a simple case to solve, it would be much appreciated
(though to be honest, this virus is quite a pain for me to find)

Edited by smw5003, 08 May 2010 - 09:14 PM.


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:03:59 PM

Posted 10 May 2010 - 04:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 smw5003

smw5003
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:59 AM

Posted 10 May 2010 - 09:58 PM

Results incoming!
Thanks so much for responding.
This problem has been going on for a month, I think.
A malware was downloaded at 11:50 pm on 4/11/10, which is the root of all my problems; it downloaded several different pieces of malware to infect my computer.
Here are the logs:

OTL logfile created on: 5/10/2010 3:30:57 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Shade\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free
6.00 Gb Paging File | 3.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 224.17 Gb Total Space | 73.05 Gb Free Space | 32.59% Space Free | Partition Type: NTFS
Drive D: | 7.70 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FIRE
Current User Name: Shade
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/10 15:29:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Shade\Desktop\OTL.exe
PRC - [2010/04/09 01:26:14 | 001,769,216 | ---- | M] () -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
PRC - [2010/04/09 01:26:02 | 002,029,456 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
PRC - [2010/04/01 19:14:00 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/19 17:00:24 | 000,148,744 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO livePCsupport\CLPSLS.exe
PRC - [2008/10/28 20:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/04 11:46:22 | 000,046,392 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
PRC - [2008/07/18 17:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/04/30 16:10:10 | 000,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/04/16 21:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2008/04/15 14:54:42 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/08 12:14:50 | 006,037,504 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/02/06 10:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2007/12/03 14:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 14:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2006/10/05 09:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/05/10 15:29:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Shade\Desktop\OTL.exe
MOD - [2010/05/07 16:44:12 | 000,032,528 | ---- | M] (Microsoft Corporation) -- C:\Users\Shade\Desktop\OLEPRO32.DLL
MOD - [2008/01/20 16:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/20 16:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - File not found [Auto | Stopped] -- -- (EvtEng)
SRV - [2010/04/15 18:20:25 | 000,332,720 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/04/09 01:26:14 | 001,769,216 | ---- | M] () [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/02/19 17:00:24 | 000,148,744 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe -- (CLPSLS)
SRV - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Stopped] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2008/08/04 11:46:22 | 000,046,392 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2008/07/18 17:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/04/30 16:10:10 | 000,466,944 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/04/16 21:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2008/04/15 14:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/02/06 10:52:40 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2008/01/20 16:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/03 14:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 14:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2006/10/05 09:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2005/11/13 22:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2010/05/08 08:36:38 | 000,024,416 | ---- | M] (Greatis Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\regguard.sys -- (RegGuard)
DRV - [2010/05/01 16:14:32 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/05/01 09:46:23 | 000,035,816 | ---- | M] (Greatis Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Partizan.sys -- (Partizan)
DRV - [2010/04/30 06:14:38 | 000,061,440 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/04/09 01:25:30 | 000,074,408 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\inspect.sys -- (inspect)
DRV - [2010/04/09 01:25:30 | 000,030,112 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2010/04/09 01:25:28 | 000,218,560 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\System32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2010/04/09 01:25:28 | 000,016,744 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\System32\drivers\cmderd.sys -- (cmderd)
DRV - [2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/02/23 11:51:14 | 000,014,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\epmntdrv.sys -- (epmntdrv)
DRV - [2010/02/23 11:51:14 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/10/14 19:08:32 | 000,032,000 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/03/11 13:17:20 | 000,063,488 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2008/08/14 10:40:40 | 000,203,312 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/07/18 15:52:16 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/06/12 15:43:16 | 002,381,312 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/04/28 03:29:26 | 003,658,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®
DRV - [2008/04/15 14:53:44 | 000,312,344 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2008/04/15 07:05:08 | 000,118,784 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/04/09 15:00:04 | 002,095,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/20 16:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 16:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 16:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 16:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 16:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 16:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 16:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 16:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 16:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 16:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 16:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 16:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 16:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 16:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 16:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 16:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 16:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 16:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 16:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 16:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 16:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 16:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 16:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 16:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 16:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/18 06:22:00 | 000,009,216 | ---- | M] (Inventec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\PEDRV.SYS -- (SVRPEDRV)
DRV - [2007/12/17 08:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/12/14 08:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/11/09 11:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/11/28 12:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 11:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/08 20:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/08 20:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/11/01 23:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/01 23:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/01 23:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/01 23:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/01 23:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/01 23:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/01 23:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/01 23:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/01 23:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/01 23:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/01 23:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/01 22:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/01 22:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/01 22:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/01 22:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/01 22:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/01 22:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/01 21:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?br...B&bmod=TSHB
IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-233040595-3233005408-884354526-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-233040595-3233005408-884354526-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-233040595-3233005408-884354526-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-233040595-3233005408-884354526-1000\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-233040595-3233005408-884354526-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-233040595-3233005408-884354526-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaultthis.engineName: "Castle Age Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2536667&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Castle Age Customized Web Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.7.3
FF - prefs.js..extensions.enabledItems: {aac4043a-8832-4abe-9963-35377f30b8e6}:2.6.0.15


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/19 21:23:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/27 02:50:39 | 000,000,000 | ---D | M]

[2009/08/17 01:47:21 | 000,000,000 | ---D | M] -- C:\Users\Shade\AppData\Roaming\Mozilla\Extensions
[2009/08/17 01:47:21 | 000,000,000 | ---D | M] -- C:\Users\Shade\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2009/08/16 19:11:54 | 000,000,000 | ---D | M] -- C:\Users\Shade\AppData\Roaming\Mozilla\Extensions\songbird@songbirdnest.com
[2010/05/08 09:44:32 | 000,000,000 | ---D | M] -- C:\Users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions
[2010/04/15 19:38:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/15 19:38:08 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/04/25 06:33:22 | 000,000,000 | ---D | M] (Castle Age Toolbar) -- C:\Users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}
[2010/03/30 06:42:06 | 000,002,425 | ---- | M] () -- C:\Users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\searchplugins\askcom.xml
[2010/03/30 06:41:57 | 000,001,836 | ---- | M] () -- C:\Users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\searchplugins\bing-ff.xml
[2010/04/21 12:08:06 | 000,000,923 | ---- | M] () -- C:\Users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\searchplugins\conduit.xml
[2010/05/08 09:44:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/29 10:29:15 | 000,002,191 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
[2010/03/29 10:37:19 | 000,002,401 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\browserzinc126.xml
[2010/03/30 06:41:05 | 000,002,401 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\browserzinc127.xml

O1 HOSTS File: ([2010/04/22 19:25:52 | 000,000,734 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-233040595-3233005408-884354526-1000\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\S-1-5-21-233040595-3233005408-884354526-1000\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-233040595-3233005408-884354526-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-233040595-3233005408-884354526-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3...44/igdtoolx.cab (IGDTester Class)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\Windows\System32\guard32.dll) - C:\Windows\System32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 11:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/12/08 12:33:29 | 000,000,000 | R--D | M] - D:\autorun -- [ UDF ]
O32 - AutoRun File - [2005/12/06 12:18:38 | 001,695,744 | R--- | M] (Electronic Arts) - D:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2005/11/18 11:44:26 | 000,000,049 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (Partizan) - C:\Windows\System32\Partizan.exe (Greatis Software)
O34 - HKLM BootExecute: (ootExecute settings...) - File not found
O34 - HKLM BootExecute: (0) - File not found
O34 - HKLM BootExecute: (04) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-233040595-3233005408-884354526-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-233040595-3233005408-884354526-1000\...exe [@ = exefile] -- "%1" %*

MsConfig - State: "services" - 2
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: CLPSLS - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe (COMODO)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - File not found
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

NetSvcs: Ias - C:\Windows\System32\ias [2010/04/15 19:36:33 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/10 15:29:01 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\Shade\Desktop\OTL.exe
[2010/05/08 09:24:54 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/05/08 09:24:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/08 09:24:37 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/05/08 01:38:08 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/08 01:38:00 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/08 01:38:00 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Local\temp
[2010/05/08 01:11:28 | 000,000,000 | ---D | C] -- C:\VritualRoot
[2010/05/07 18:33:29 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/07 18:33:29 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/07 18:33:29 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/07 18:33:23 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/07 16:44:12 | 000,941,840 | ---- | C] (Microsoft Corporation) -- C:\Users\Shade\Desktop\MFC42.DLL
[2010/05/07 16:44:12 | 000,939,792 | ---- | C] (Microsoft Corporation) -- C:\Users\Shade\Desktop\MFC42U.DLL
[2010/05/07 16:44:12 | 000,271,632 | ---- | C] (Microsoft Corporation) -- C:\Users\Shade\Desktop\MSVCRT.DLL
[2010/05/07 16:44:12 | 000,032,528 | ---- | C] (Microsoft Corporation) -- C:\Users\Shade\Desktop\OLEPRO32.DLL
[2010/05/07 16:37:15 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.8.tmp
[2010/05/07 16:36:17 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.7.tmp
[2010/05/07 16:30:30 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.6.tmp
[2010/05/07 16:29:51 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.5.tmp
[2010/05/07 16:29:15 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.4.tmp
[2010/05/07 16:13:30 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.3.tmp
[2010/05/07 11:30:41 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.2.tmp
[2010/05/07 11:08:10 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW.1.tmp
[2010/05/07 10:46:39 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/06 15:46:36 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Local\Threat Expert
[2010/05/06 14:56:05 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDCore.dll
[2010/05/06 14:56:05 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDRes.dll
[2010/05/06 14:56:05 | 000,149,456 | ---- | C] (PC Tools) -- C:\Windows\SGDetectionTool.dll
[2010/05/03 16:36:12 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Roaming\Intel
[2010/05/03 16:29:24 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
[2010/05/03 16:21:47 | 000,000,000 | ---D | C] -- C:\Program Files\jv16 PowerTools 2009
[2010/05/03 14:31:15 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2010/05/02 03:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\GameSpy Arcade
[2010/05/01 23:05:28 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Local\COMODO
[2010/05/01 22:54:45 | 000,000,000 | ---D | C] -- C:\Backreg
[2010/05/01 16:13:32 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Roaming\DAEMON Tools Lite
[2010/05/01 16:13:29 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2010/05/01 15:59:49 | 000,000,000 | ---D | C] -- C:\Users\Shade\Desktop\Cleaner Programs
[2010/05/01 15:59:41 | 000,000,000 | ---D | C] -- C:\Users\Shade\Desktop\Stuff
[2010/05/01 09:58:39 | 000,024,416 | ---- | C] (Greatis Software) -- C:\Windows\System32\drivers\regguard.sys
[2010/05/01 09:53:27 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\RegRunInfo
[2010/05/01 09:46:23 | 000,037,600 | ---- | C] (Greatis Software) -- C:\Windows\System32\Partizan.exe
[2010/05/01 09:46:23 | 000,035,816 | ---- | C] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys
[2010/05/01 09:44:50 | 000,000,000 | ---D | C] -- C:\Users\Shade\Documents\RegRun2
[2010/05/01 09:44:40 | 000,000,000 | ---D | C] -- C:\Program Files\Greatis
[2010/04/30 03:23:20 | 000,000,000 | ---D | C] -- C:\ProgramData\COMODO
[2010/04/30 03:13:15 | 000,032,000 | ---- | C] (The OpenVPN Project) -- C:\Windows\System32\drivers\tap0901.sys
[2010/04/30 03:13:15 | 000,000,000 | ---D | C] -- C:\Program Files\Comodo
[2010/04/30 03:12:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo Downloader
[2010/04/21 19:06:02 | 000,000,000 | --SD | C] -- C:\Users\Shade\Documents\My Pando Packages
[2010/04/21 19:05:48 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Local\Pando
[2010/04/19 21:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/19 21:26:09 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/19 21:20:36 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/19 08:55:37 | 000,000,000 | ---D | C] -- C:\Windows\System32\SPReview
[2010/04/19 06:55:54 | 000,000,000 | ---D | C] -- C:\Users\Shade\Documents\Command and Conquer Generals Zero Hour Data
[2010/04/19 06:46:33 | 000,000,000 | ---D | C] -- C:\Users\Shade\Documents\Command and Conquer Generals Data
[2010/04/19 02:44:45 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/04/19 02:44:44 | 000,000,000 | ---D | C] -- C:\Program Files\Zynga
[2010/04/19 02:21:41 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/04/18 01:02:08 | 000,000,000 | ---D | C] -- C:\ProgramData\PMB Files
[2010/04/18 01:00:19 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks
[2010/04/17 19:15:00 | 000,000,000 | ---D | C] -- C:\Program Files\EASEUS
[2010/04/17 18:36:02 | 000,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/17 18:36:01 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010/04/17 18:35:50 | 003,598,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/17 18:35:49 | 003,545,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/15 20:56:52 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/04/15 20:56:46 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Roaming\SUPERAntiSpyware.com
[2010/04/15 20:56:46 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/13 17:51:48 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Roaming\Auslogics
[2010/04/13 17:51:45 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2010/04/13 06:11:48 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/04/13 06:02:35 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/04/12 15:57:04 | 000,000,000 | ---D | C] -- C:\Users\Shade\AppData\Roaming\Toshiba
[2010/04/12 13:35:32 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/04/12 11:04:27 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
[2010/04/12 01:35:29 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/04/12 01:08:03 | 000,092,672 | ---- | C] (Option^Explicit Software vbtechcd@gmail.com) -- C:\Windows\System32\KillBox.exe
[2010/04/12 00:00:15 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010/04/11 23:31:56 | 000,000,000 | ---D | C] -- C:\found.000
[8 C:\*.tmp files -> C:\*.tmp -> ]
[4 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/10 15:35:24 | 002,097,152 | -HS- | M] () -- C:\Users\Shade\ntuser.dat
[2010/05/10 15:29:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Shade\Desktop\OTL.exe
[2010/05/10 15:26:34 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/10 15:26:34 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/10 15:26:28 | 001,474,832 | ---- | M] () -- C:\Windows\System32\drivers\sfi.dat
[2010/05/08 09:26:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/08 08:43:36 | 000,524,288 | -HS- | M] () -- C:\Users\Shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TMContainer00000000000000000001.regtrans-ms
[2010/05/08 08:43:36 | 000,065,536 | -HS- | M] () -- C:\Users\Shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TM.blf
[2010/05/08 08:36:38 | 000,024,416 | ---- | M] (Greatis Software) -- C:\Windows\System32\drivers\regguard.sys
[2010/05/08 01:32:13 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/08 01:15:13 | 000,000,000 | ---- | M] () -- C:\Users\Shade\defogger_reenable
[2010/05/08 01:13:44 | 000,000,000 | ---- | M] () -- C:\Users\Shade\AppData\Roaming\swin32.exe
[2010/05/07 20:29:49 | 000,050,477 | ---- | M] () -- C:\Users\Shade\Desktop\Defogger.exe
[2010/05/07 18:31:44 | 000,326,584 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/05/07 16:44:33 | 001,206,048 | ---- | M] () -- C:\Users\Shade\Desktop\paintnt.exe
[2010/05/07 16:44:12 | 000,941,840 | ---- | M] (Microsoft Corporation) -- C:\Users\Shade\Desktop\MFC42.DLL
[2010/05/07 16:44:12 | 000,939,792 | ---- | M] (Microsoft Corporation) -- C:\Users\Shade\Desktop\MFC42U.DLL
[2010/05/07 16:44:12 | 000,271,632 | ---- | M] (Microsoft Corporation) -- C:\Users\Shade\Desktop\MSVCRT.DLL
[2010/05/07 16:44:12 | 000,032,528 | ---- | M] (Microsoft Corporation) -- C:\Users\Shade\Desktop\OLEPRO32.DLL
[2010/05/07 11:08:05 | 000,000,551 | ---- | M] () -- C:\Users\Shade\Desktop\ComboFix - Shortcut.lnk
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/03 16:21:54 | 000,000,023 | -HS- | M] () -- C:\Windows\System32\edacded0.dat
[2010/05/03 16:21:54 | 000,000,023 | ---- | M] () -- C:\Windows\System32\bcdadac7.xml
[2010/05/03 10:37:54 | 000,707,996 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/03 10:37:54 | 000,607,898 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/03 10:37:54 | 000,105,368 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/03 10:33:01 | 000,524,288 | -HS- | M] () -- C:\Users\Shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TMContainer00000000000000000002.regtrans-ms
[2010/05/02 04:39:24 | 000,524,288 | -HS- | M] () -- C:\Users\Shade\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/05/02 04:39:24 | 000,065,536 | -HS- | M] () -- C:\Users\Shade\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/01 16:14:32 | 000,691,696 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys
[2010/05/01 09:46:23 | 000,037,600 | ---- | M] (Greatis Software) -- C:\Windows\System32\Partizan.exe
[2010/05/01 09:46:23 | 000,035,816 | ---- | M] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys
[2010/05/01 09:45:16 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/05/01 09:45:16 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt
[2010/05/01 09:45:16 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
[2010/04/30 02:45:15 | 000,000,036 | ---- | M] () -- C:\Users\Shade\AppData\Local\housecall.guid.cache
[2010/04/29 07:43:31 | 000,005,032 | ---- | M] () -- C:\Users\Shade\AppData\Roaming\wklnhst.dat
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/22 19:25:52 | 000,000,734 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/04/22 11:43:56 | 000,010,240 | ---- | M] () -- C:\Users\Shade\Desktop\Last Paper.wps
[2010/04/22 09:32:57 | 000,001,012 | -HS- | M] () -- C:\Users\Shade\AppData\Local\PF2wQ8R8yh
[2010/04/22 09:32:57 | 000,001,012 | -HS- | M] () -- C:\ProgramData\PF2wQ8R8yh
[2010/04/21 19:05:45 | 000,001,748 | ---- | M] () -- C:\Users\Public\Desktop\Pando.lnk
[2010/04/19 21:26:54 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/17 09:14:04 | 000,124,416 | ---- | M] () -- C:\Users\Shade\Desktop\o.dat
[2010/04/16 14:52:07 | 000,000,049 | ---- | M] () -- C:\boot.ini
[2010/04/15 19:07:24 | 000,000,680 | ---- | M] () -- C:\Users\Shade\AppData\Local\d3d9caps.dat
[2010/04/15 12:57:15 | 000,002,249 | ---- | M] () -- C:\Users\Shade\Desktop\iTunes.lnk
[2010/04/14 19:44:22 | 000,009,728 | ---- | M] () -- C:\Users\Shade\Documents\New Beginning.wps
[2010/04/12 12:45:27 | 000,000,749 | RH-- | M] () -- C:\Windows\WindowsShell.Manifest
[2010/04/12 02:54:40 | 000,000,006 | RH-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/12 02:24:42 | 000,005,632 | ---- | M] () -- C:\Users\Shade\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/12 00:13:15 | 000,092,672 | ---- | M] (Option^Explicit Software vbtechcd@gmail.com) -- C:\Windows\System32\KillBox.exe
[2010/04/11 23:37:15 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/04/11 23:37:15 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[8 C:\*.tmp files -> C:\*.tmp -> ]
[4 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/08 01:15:13 | 000,000,000 | ---- | C] () -- C:\Users\Shade\defogger_reenable
[2010/05/08 01:13:44 | 000,000,000 | ---- | C] () -- C:\Users\Shade\AppData\Roaming\swin32.exe
[2010/05/07 20:32:10 | 000,293,376 | ---- | C] () -- C:\Users\Shade\Desktop\gmer.exe
[2010/05/07 20:29:45 | 000,050,477 | ---- | C] () -- C:\Users\Shade\Desktop\Defogger.exe
[2010/05/07 18:33:29 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/05/07 18:33:29 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/07 18:33:29 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/07 18:33:29 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/07 18:33:29 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/07 16:44:32 | 001,206,048 | ---- | C] () -- C:\Users\Shade\Desktop\paintnt.exe
[2010/05/07 11:08:05 | 000,000,551 | ---- | C] () -- C:\Users\Shade\Desktop\ComboFix - Shortcut.lnk
[2010/05/06 14:56:06 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll
[2010/05/06 14:56:05 | 001,152,444 | ---- | C] () -- C:\Windows\UDB.zip
[2010/05/06 14:56:05 | 000,000,882 | ---- | C] () -- C:\Windows\RegSDImport.xml
[2010/05/06 14:56:05 | 000,000,879 | ---- | C] () -- C:\Windows\RegISSImport.xml
[2010/05/06 14:56:05 | 000,000,131 | ---- | C] () -- C:\Windows\IDB.zip
[2010/05/03 16:21:54 | 000,000,023 | -HS- | C] () -- C:\Windows\System32\edacded0.dat
[2010/05/03 16:21:54 | 000,000,023 | ---- | C] () -- C:\Windows\System32\bcdadac7.xml
[2010/05/03 10:33:01 | 000,524,288 | -HS- | C] () -- C:\Users\Shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TMContainer00000000000000000002.regtrans-ms
[2010/05/03 10:33:01 | 000,524,288 | -HS- | C] () -- C:\Users\Shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TMContainer00000000000000000001.regtrans-ms
[2010/05/03 10:33:01 | 000,065,536 | -HS- | C] () -- C:\Users\Shade\ntuser.dat{f887affc-56f2-11df-96ac-0022fad3c450}.TM.blf
[2010/05/01 16:14:32 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2010/05/01 09:45:16 | 000,000,002 | RHS- | C] () -- C:\Windows\winstart.bat
[2010/04/30 03:23:08 | 001,474,832 | ---- | C] () -- C:\Windows\System32\drivers\sfi.dat
[2010/04/30 02:45:15 | 000,000,036 | ---- | C] () -- C:\Users\Shade\AppData\Local\housecall.guid.cache
[2010/04/22 09:32:57 | 000,001,012 | -HS- | C] () -- C:\Users\Shade\AppData\Local\PF2wQ8R8yh
[2010/04/22 09:32:57 | 000,001,012 | -HS- | C] () -- C:\ProgramData\PF2wQ8R8yh
[2010/04/21 19:05:45 | 000,001,748 | ---- | C] () -- C:\Users\Public\Desktop\Pando.lnk
[2010/04/20 15:07:31 | 000,010,240 | ---- | C] () -- C:\Users\Shade\Desktop\Last Paper.wps
[2010/04/19 21:26:53 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/17 19:15:05 | 001,711,232 | ---- | C] () -- C:\Windows\System32\BootMan.exe
[2010/04/17 19:15:05 | 000,086,408 | ---- | C] () -- C:\Windows\System32\setupempdrv03.exe
[2010/04/17 19:15:05 | 000,014,848 | ---- | C] () -- C:\Windows\System32\EuEpmGdi.dll
[2010/04/17 19:15:05 | 000,014,216 | ---- | C] () -- C:\Windows\System32\epmntdrv.sys
[2010/04/17 19:15:05 | 000,008,456 | ---- | C] () -- C:\Windows\System32\EuGdiDrv.sys
[2010/04/17 09:14:04 | 000,124,416 | ---- | C] () -- C:\Users\Shade\Desktop\o.dat
[2010/04/16 14:52:07 | 000,000,049 | ---- | C] () -- C:\boot.ini
[2010/04/15 12:57:15 | 000,002,249 | ---- | C] () -- C:\Users\Shade\Desktop\iTunes.lnk
[2010/04/14 19:27:16 | 000,009,728 | ---- | C] () -- C:\Users\Shade\Documents\New Beginning.wps
[2010/04/11 23:37:15 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/04/11 23:37:15 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/02/14 05:44:01 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll.old
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/15 15:02:58 | 000,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2009/07/15 15:02:55 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2009/05/10 06:12:04 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2009/05/10 06:12:04 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2009/05/10 06:12:04 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2009/05/10 06:12:04 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/08/18 08:36:20 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/06/12 15:59:22 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1502.dll
[2006/11/02 02:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/01 21:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 06:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/20 16:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\ERDNT\cache\agp440.sys
[2008/01/20 16:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\agp440.sys
[2008/01/20 16:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 16:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 16:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2008/03/24 17:22:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=2D77788D0B7FE269044F58C86AE099CE -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_3e1ecd89\AGP440.sys
[2008/03/24 17:22:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=2D77788D0B7FE269044F58C86AE099CE -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.22142_none_ba734aead7ed1bb6\AGP440.sys
[2008/03/25 17:38:23 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=ED91751834103DB2A74470CD763A49FE -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_e4087235\AGP440.sys
[2008/03/25 17:38:23 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=ED91751834103DB2A74470CD763A49FE -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20800_none_b8b64d46daa7e57a\AGP440.sys
[2006/11/01 23:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/03/11 20:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\ERDNT\cache\atapi.sys
[2008/03/11 20:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\drivers\atapi.sys
[2008/03/11 20:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[2008/03/11 20:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
[2009/04/10 20:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2009/04/10 23:32:28 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 16:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 16:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/01 23:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/03/11 20:24:20 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/01 23:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/01 23:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/01 23:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >
[2008/04/15 14:54:16 | 000,388,120 | ---- | M] (Intel Corporation) MD5=8D58627FEF3F8767665D9F4DC91CBD97 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys
[2008/04/15 14:53:44 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys
[2008/04/15 14:53:44 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\System32\drivers\iaStor.sys
[2008/04/15 14:53:44 | 000,312,344 | ---- | M] (Intel Corporation) MD5=DB0CC620B27A928D968C1A1E9CD9CB87 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_77c04a30\iaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/20 16:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/20 16:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 16:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/01 23:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: KR10N.SYS >
[2006/11/08 20:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\drivers\KR10N.sys
[2006/11/08 20:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) MD5=6A4ADB9186DD0E114E623DAF57E42B31 -- C:\Windows\System32\DriverStore\FileRepository\kr10.inf_c681c175\KR10N.sys
[2005/09/26 22:57:00 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) MD5=A1963360E74931222A67356C8AD48378 -- C:\Windows\System32\DriverStore\FileRepository\kr10n.inf_f8c77270\KR10N.sys

< MD5 for: NETLOGON.DLL >
[2009/04/10 20:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2009/04/10 23:28:24 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 16:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\ERDNT\cache\netlogon.dll
[2008/01/20 16:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/20 16:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVRAID.SYS >
[2008/01/20 16:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\System32\drivers\nvraid.sys
[2008/01/20 16:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvraid.sys
[2008/01/20 16:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) MD5=2EDF9E7751554B42CBB60116DE727101 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvraid.sys
[2006/11/01 23:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) MD5=E69E946F80C1C31C53003BFBF50CBB7C -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvraid.sys

< MD5 for: NVSTOR.SYS >
[2006/11/01 23:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 16:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 16:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 16:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/20 16:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\ERDNT\cache\scecli.dll
[2008/01/20 16:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/20 16:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/10 20:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll
[2009/04/10 23:28:26 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 01:31:42 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/03/08 01:31:37 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2008/01/20 16:24:42 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/20 16:24:38 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[4 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/05/01 16:14:32 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2008/08/18 07:51:06 | 012,820,480 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/08/18 07:51:02 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/08/18 07:51:06 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2008/08/18 07:51:12 | 017,186,816 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2008/08/18 07:51:13 | 006,635,520 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/09 01:25:28 | 000,016,744 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\cmderd.sys
[2010/04/09 01:25:28 | 000,218,560 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\cmdGuard.sys
[2010/04/09 01:25:30 | 000,030,112 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\cmdhlp.sys
[2010/02/20 11:18:40 | 000,411,136 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\http.sys
[2010/04/09 01:25:30 | 000,074,408 | ---- | M] (COMODO) -- C:\Windows\System32\drivers\inspect.sys
[2010/02/23 01:32:31 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/23 01:32:36 | 000,212,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/23 01:32:33 | 000,078,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys
[2010/05/01 09:46:23 | 000,035,816 | ---- | M] (Greatis Software) -- C:\Windows\System32\drivers\Partizan.sys
[2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2010/04/08 14:29:32 | 000,063,360 | ---- | M] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2010/05/08 08:36:38 | 000,024,416 | ---- | M] (Greatis Software) -- C:\Windows\System32\drivers\regguard.sys
[2010/05/01 16:14:32 | 000,691,696 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys
[2010/02/18 04:49:38 | 000,898,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpip.sys
[2010/02/18 01:52:00 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tunnel.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 163 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >

---
---
--- Extras
---
---

OTL Extras logfile created on: 5/10/2010 3:30:58 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Shade\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 43.00% Memory free
6.00 Gb Paging File | 3.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 224.17 Gb Total Space | 73.05 Gb Free Space | 32.59% Space Free | Partition Type: NTFS
Drive D: | 7.70 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FIRE
Current User Name: Shade
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-233040595-3233005408-884354526-1000\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{5D99332A-32DD-45E7-A667-BA2B15629FA0}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0DD1AC9D-93ED-40EB-8FD7-D20021C09981}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{18A50A3A-E4AF-4EAC-969C-2AFD0CF9647A}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{24729356-2761-4072-9F87-54EAFC3EC479}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-enus-downloader.exe |
"{3395E2BF-255D-4592-9970-4A7F87392BA1}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{39B69649-6043-4714-A508-0723BF6E377A}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{478AB617-B8C6-4CA0-B807-47E2F74A4341}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{48DA10EF-F776-44E5-942F-35EE5EFF7FF0}" = dir=in | app=c:\program files\pando networks\pando\pando.exe |
"{54D013B8-42B6-4A00-A884-865635904AD7}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-enus-downloader.exe |
"{63DBA1F6-9DCE-498B-941C-439FA48D3F53}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-enus-downloader.exe |
"{6512CC5E-01C8-478D-B1D0-70914758D130}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe |
"{80B47DDB-137C-494A-B833-C65988128458}" = protocol=17 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{8F21A8B4-E840-4470-8606-83C842727F24}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe |
"{97BF1483-908E-467D-8A97-59840B802436}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.0-enus-downloader.exe |
"{9A0DBE85-2086-449A-86F5-79D3010110BD}" = protocol=6 | dir=in | app=c:\program files\ventrilo\ventrilo.exe |
"{9C3C01C8-3C29-49C0-B439-7B1B9ABF788E}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.0-enus-downloader.exe |
"{9D602C30-CFB7-4083-A319-28679B52D969}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{9DF82391-E110-4F17-BCFF-8EC051262720}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-enus-downloader.exe |
"{A3875A33-0B37-4B7E-8211-7FDEF80D52BE}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{B483F2EF-3983-45C5-954E-E6FCAEE50CA6}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{B67B800E-610E-4720-828A-73E77E8FD8D9}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{C853C440-26BA-4AEE-BF00-953E2F9CA003}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{CB432505-904A-48E7-9E4F-34141C590FA8}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{DC216489-EB18-4EFC-B254-2D46C25B5C7F}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E607DD20-9EC8-4FC3-A452-28961C49EBAB}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E68DAF7B-8161-4A24-8D10-A82EE7C23F91}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-enus-downloader.exe |
"{F35BE3A3-1C8D-4C1D-BCF3-7BF9470A9599}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"TCP Query User{081D217B-690D-4645-BD5B-BE3373F1A9B8}C:\program files\java\jre1.6.0_06\launch4j-tmp\wowd.exe" = protocol=6 | dir=in | app=c:\program files\java\jre1.6.0_06\launch4j-tmp\wowd.exe |
"TCP Query User{09AC0D0F-C434-421E-B41C-428FFE2D9911}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"TCP Query User{95438B4C-41E0-4575-BE41-F3D3D5D74C7C}C:\program files\steam\steamapps\traitor299\counter-strike source\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\traitor299\counter-strike source\hl2.exe |
"TCP Query User{9981B5A0-3AC2-4B04-A735-5EBFB641EBE6}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"TCP Query User{ACF2CA8F-6E66-4ECA-87C4-72874F68B80A}C:\users\public\games\world of warcraft\repair.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe |
"UDP Query User{03D5335A-7592-4ED6-BEB9-6075AA72A401}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |
"UDP Query User{40CC0565-9966-4764-BF87-D305D2D9580D}C:\program files\steam\steamapps\traitor299\counter-strike source\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\traitor299\counter-strike source\hl2.exe |
"UDP Query User{5FBC58C6-B6D5-4323-AB16-9641ECB4E992}C:\users\public\games\world of warcraft\repair.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe |
"UDP Query User{8AF38C4A-B063-4626-B9CC-183B6D9A3915}C:\program files\java\jre1.6.0_06\launch4j-tmp\wowd.exe" = protocol=17 | dir=in | app=c:\program files\java\jre1.6.0_06\launch4j-tmp\wowd.exe |
"UDP Query User{B62BC02B-F7AE-4DB9-AD84-002DA7D04EED}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{26921B2E-3E62-47F9-A514-1FC4A83BD738}" = Intel® PROSet/Wireless WiFi Software
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}" = Command & Conquer The First Decade
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A31A5DFC-3439-48FC-99BB-5174168AE471}" = COMODO livePCsupport
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{BF065AA8-D2B7-4F49-931A-63E1FB9899E2}" = VitalSource Bookshelf
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CC6B1BB4-4E06-4A5B-A166-B371B551324B}" = COMODO Internet Security
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E1E56B8A-1AAF-422A-91DB-625059FB9863}" = TOSHIBA Desktop Links
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Aleks 3.12" = Aleks 3.12
"Browser Defender_is1" = Browser Defender 2.0.6.15
"CCleaner" = CCleaner
"Comodo TrustConnect™_is1" = Comodo TrustConnect™ v.1.7.1
"DivX Setup.divx.com" = DivX Setup
"EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 5.5.1 Home Edition
"FrostWire" = FrostWire 4.18.6
"Greatis Reanimator_is1" = RegRun Reanimator
"Halo" = Microsoft Halo
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"jv16 PowerTools 2009_is1" = jv16 PowerTools 2009
"LimeWire" = LimeWire 5.2.13
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"ProInst" = Intel PROSet Wireless
"Spyware Doctor" = Spyware Doctor 7.0
"Steam App 340" = Half-Life 2: Lost Coast
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Unlocker" = Unlocker 1.8.9
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft
"Zynga Toolbar" = Zynga Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/3/2010 6:35:50 AM | Computer Name = FIRE | Source = Bonjour Service | ID = 100
Description = 400: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2010 6:35:50 AM | Computer Name = FIRE | Source = Bonjour Service | ID = 100
Description = 404: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2010 6:35:50 AM | Computer Name = FIRE | Source = Bonjour Service | ID = 100
Description = 408: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2010 8:04:13 AM | Computer Name = FIRE | Source = EventSystem | ID = 4609
Description =

Error - 5/3/2010 8:05:56 AM | Computer Name = FIRE | Source = WinMgmt | ID = 10
Description =

Error - 5/3/2010 8:09:27 AM | Computer Name = FIRE | Source = VSS | ID = 8194
Description =

Error - 5/3/2010 8:13:09 AM | Computer Name = FIRE | Source = WinMgmt | ID = 10
Description =

Error - 5/3/2010 8:16:26 AM | Computer Name = FIRE | Source = WinMgmt | ID = 10
Description =

Error - 5/3/2010 8:20:01 AM | Computer Name = FIRE | Source = VSS | ID = 8194
Description =

Error - 5/3/2010 8:23:01 AM | Computer Name = FIRE | Source = VSS | ID = 8194
Description =

[ System Events ]
Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 5/10/2010 2:57:05 PM | Computer Name = FIRE | Source = Microsoft-Windows-Servicing | ID = 4385
Description =


< End of report >


#5 myrti (Malware Study Hall Admin)

Posted 11 May 2010 - 07:09 AM

Hi,

could you please run a fresh scan with ComboFix:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications; they may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please also provide the logs from the previous runs of ComboFix.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 smw5003 (Topic Starter)

Posted 11 May 2010 - 04:26 PM

Attempting to run Combofix in regular Windows mode (I'm using Vista) isn't working.
I run Combofix, it loads fully, then nothing happens...
Before I ran Combofix however, I used Defogger to turn off any CD emulators, and it restarted my computer.
The weird thing is that my Checkdisk started to run on reboot.
It was broken before because viruses corrupted or disabled it; before, I couldn't even manually start checkdisk
It found no bad sectors, then rebooted my computer.
I'm going to run Combofix in Safe mode, because it seems to have worked in that mode when I tried before.
Is there anything else I should be aware of, or do?

Edit: After numerous (about 16) and various attempts at getting Combofix to run, I currently conclude it's impossible for me to get this application to work.
~6 attempts in normal Windows mode: All of them fully loaded, but Combofix failed to start.
9 attempts in Safe mode with and without networking: 5 attempts gave me the blue screen of death with no specific reason stated, 4 other times Combofix froze after completing section 2 (I waited about 10-20 mins on a couple of those freezes).
1 attempt in Safe mode on the Administrator account: Blue screen of death, similar to the ones on my normal account.
Blue screen of death usually came after section 2 of Combofix.
One time, however, Combofix seemed almost complete, and was deleting files or something (it was scrolling by too fast), then it went to blue screen of death.
In safe mode just about everything, antiviruses included, is turned off, so there should be no interference from that...
I can't really think of anything else, other than the malware itself interfering with Combofix.
Is there a different program you can suggest to me, or some tips to somehow make me able to run Combofix?

Edited by smw5003, 11 May 2010 - 05:23 PM.


#7 myrti (Malware Study Hall Admin)

Posted 11 May 2010 - 05:57 PM

Hi,

please delete the copy of ComboFix you have downloaded and download a fresh one. Save it as fun.com and try to launch it once more. If that ain't working let me know.

regards myrti



#8 smw5003 (Topic Starter)

Posted 11 May 2010 - 06:54 PM

...Seems to have worked
I was able to run Combofix in normal mode before my account fully logged in
I'm going to attach the log because I'd rather not make this thread longer than it already is :S
Unless you prefer me to paste it in my posts, I will continue to attach log files
Thanks for the help

Attached Files



#9 myrti (Malware Study Hall Admin)

Posted 12 May 2010 - 07:01 AM

Hi,

I actually prefer to have the logs pasted in the thread even though that makes for more scrolling. So please don't attach them.

Please run the following script with ComboFix; we need to remove a couple more entries:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Camera Assistant Software for Toshiba\traybar .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\FlashCards\tcrdmain .exe
c:\program files\Toshiba\Power Saver\tpwrmain .exe
c:\program files\Toshiba\SmoothView\smoothview .exe
c:\program files\Toshiba\TBS\hson .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

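The RenV:: script in the post above lists a pattern worth being able to spot on your own: well-known startup executables whose file names have been padded with one or two blanks before the extension (traybar .exe, qttask  .exe). The page itself does not say why; the assumption made here, labelled as such, is that each padded file is a renamed original and that a file with the unpadded name now sits beside it. The Python below is an added example, not code from the thread or from ComboFix: it walks a directory tree, flags every executable name with whitespace before its extension, records whether the unpadded twin exists, and renders the findings in the same RenV:: form so they can be compared against a helper's script. The sample tree, its paths and file contents are constructed.

```python
"""Detect executables whose names carry whitespace before the extension.

Added example for this thread; not ComboFix code. The assumption (labelled
here, not stated on the page) is that each padded name is a renamed original
and a file with the unpadded name now sits beside it. All sample paths and
file contents below are constructed.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# "qttask  .exe", "traybar .exe": one or more blanks between stem and ".ext".
PADDED_NAME = re.compile(
    r"^(?P<stem>.*?\S)(?P<pad>[ \t]+)\.(?P<ext>exe|dll|com|scr)$", re.IGNORECASE
)


def split_path(path: str):
    """Split on either separator so Windows-style paths work on any host."""
    name = re.split(r"[\\/]", path)[-1]
    return path[: len(path) - len(name)], name


def classify(path: str) -> Optional[Dict[str, object]]:
    """Return details for a padded name, or None for a normal one."""
    parent, name = split_path(path)
    m = PADDED_NAME.match(name)
    if not m:
        return None
    clean_name = f"{m.group('stem')}.{m.group('ext')}"
    return {
        "padded": path,
        "clean_name": clean_name,
        "clean_path": parent + clean_name,
        "pad_len": len(m.group("pad")),
    }


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root; for every padded name note whether the unpadded twin exists."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            info = classify(os.path.join(dirpath, f))
            if info is None:
                continue
            info["clean_exists"] = os.path.exists(str(info["clean_path"]))
            hits.append(info)
    return sorted(hits, key=lambda h: str(h["padded"]).lower())


def renv_block(hits: List[Dict[str, object]]) -> str:
    """Render the findings in the RenV:: form ComboFix scripts use."""
    return "RenV::\n" + "".join(f"{h['padded']}\n" for h in hits)


def build_sample(root: str) -> None:
    """Constructed tree mimicking three entries from the thread's script."""
    renamed = [
        ("Program Files/QuickTime", "qttask", 2),      # two blanks, as in the script
        ("Program Files/iTunes", "ituneshelper", 1),
        ("Program Files/Java/jre6/bin", "jusched", 1),
    ]
    for rel, stem, pad in renamed:
        d = Path(root, rel)
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{stem}{' ' * pad}.exe").write_bytes(b"MZ original")  # renamed original (assumed)
        (d / f"{stem}.exe").write_bytes(b"MZ impostor")             # file holding its old name (assumed)
    benign = Path(root, "Program Files/CCleaner")
    benign.mkdir(parents=True, exist_ok=True)
    (benign / "ccleaner.exe").write_bytes(b"MZ untouched")          # must not be flagged


def run_demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    found = run_demo()
    for h in found:
        twin = "twin present" if h["clean_exists"] else "no twin"
        print(f"{h['padded']}  (pad={h['pad_len']}, {twin})")
    print(renv_block(found))
```

Point the scanner at a real Program Files tree (scan_tree(r"C:\Program Files")) to get the same listing for a live machine; a padded name whose unpadded twin is present is the case that deserves a closer look at the twin, while a padded name with no twin is merely odd.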


#10 smw5003 (Topic Starter)

Posted 12 May 2010 - 03:30 PM

Fair enough, I'll post the logs in my replies from now on.
Here is the log, and as far as I know, all the files in that CFScript.txt are genuine and "probably" not infected.


ComboFix 10-05-12.01 - Shade 05/12/2010 10:09:54.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2939.1668 [GMT -10:00]
Running from: c:\users\Shade\Desktop\fun.com.exe
Command switches used :: c:\users\Shade\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Shade\AppData\Roaming\swin32.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 20:16 . 2010-05-12 20:16 -------- d-----w- c:\users\Shade\AppData\Local\temp
2010-05-12 20:16 . 2010-05-12 20:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-12 20:16 . 2010-05-12 20:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-12 20:16 . 2010-05-12 20:16 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-05-12 20:08 . 2010-05-12 20:08 -------- d-----w- C:\32788R22FWJFW
2010-05-12 20:06 . 2010-05-12 20:08 -------- d-----w- C:\fun.com27559f
2010-05-12 20:05 . 2010-05-12 20:06 -------- d-----w- C:\fun.com10714f
2010-05-11 23:28 . 2010-05-11 23:42 -------- d-----w- C:\fun.com
2010-05-11 22:13 . 2010-05-11 23:28 -------- d-----w- C:\ComboFix
2010-05-11 21:15 . 2010-05-11 21:15 -------- d-----w- C:\found.001
2010-05-08 11:11 . 2010-05-08 11:11 -------- d-----w- C:\VritualRoot
2010-05-08 02:44 . 2010-05-08 02:44 330512 ----a-w- c:\users\Shade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\MSPAINT.EXE
2010-05-08 02:37 . 2010-05-08 02:41 -------- d-----w- C:\32788R22FWJFW.8.tmp
2010-05-08 02:30 . 2010-05-08 02:33 -------- d-----w- C:\32788R22FWJFW.6.tmp
2010-05-08 02:29 . 2010-05-08 02:30 -------- d-----w- C:\32788R22FWJFW.5.tmp
2010-05-08 02:29 . 2010-05-08 02:29 -------- d-----w- C:\32788R22FWJFW.4.tmp
2010-05-08 02:13 . 2010-05-08 02:29 -------- d-----w- C:\32788R22FWJFW.3.tmp
2010-05-07 21:08 . 2010-05-07 21:30 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-05-07 01:46 . 2010-05-07 01:46 -------- d-----w- c:\users\Shade\AppData\Local\Threat Expert
2010-05-07 00:56 . 2010-01-22 19:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-07 00:56 . 2010-01-22 19:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-07 00:56 . 2010-01-22 19:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-07 00:56 . 2010-01-22 19:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-07 00:56 . 2009-10-28 11:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-07 00:56 . 2008-11-26 22:08 131 ----a-w- c:\windows\IDB.zip
2010-05-04 02:36 . 2010-05-04 02:36 -------- d-----w- c:\users\Shade\AppData\Roaming\Intel
2010-05-04 02:30 . 2008-01-21 02:25 1203792 ----a-w- c:\programdata\SecTaskMan\_enviewlist.dll
2010-05-04 02:30 . 2008-01-21 02:24 798720 ----a-w- c:\programdata\SecTaskMan\_entreelist.dll
2010-05-04 02:30 . 2010-05-04 02:30 92 ----a-w- c:\programdata\SecTaskMan\icn_F20E0AD5B079B424FB1415A305814E0C.dll
2010-05-04 02:30 . 2010-05-04 02:30 1180 ----a-w- c:\programdata\SecTaskMan\icn_F65865963B6B0EB4ABB0F894B53E0233.dll
2010-05-04 02:21 . 2010-05-04 02:21 23 --sha-w- c:\windows\system32\edacded0.dat
2010-05-04 02:21 . 2010-05-04 02:21 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-05-04 00:31 . 2010-05-04 00:31 -------- d-----w- c:\programdata\WindowsSearch
2010-05-02 09:05 . 2010-05-02 09:05 -------- d-----w- c:\users\Shade\AppData\Local\COMODO
2010-05-02 08:54 . 2010-05-02 08:54 -------- d-----w- C:\Backreg
2010-05-02 02:14 . 2010-05-02 02:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 02:13 . 2010-05-02 13:38 -------- d-----w- c:\users\Shade\AppData\Roaming\DAEMON Tools Lite
2010-05-02 02:13 . 2010-05-02 02:13 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-05-02 00:29 . 2010-05-02 00:29 -------- d-----w- c:\windows\system32\Spool\prtprocs\w32x86\en-US
2010-05-01 19:58 . 2010-05-08 18:36 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-05-01 19:46 . 2010-05-01 19:46 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-05-01 19:46 . 2010-05-01 19:46 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-05-01 19:45 . 2010-05-01 19:45 2 --shatr- c:\windows\winstart.bat
2010-05-01 19:44 . 2010-05-01 19:44 -------- d-----w- c:\program files\Greatis
2010-04-30 13:23 . 2010-04-30 13:37 -------- d-----w- c:\programdata\COMODO
2010-04-30 13:23 . 2010-05-12 20:09 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-30 13:13 . 2010-04-30 13:15 -------- d-----w- c:\program files\Comodo
2010-04-30 13:13 . 2009-10-15 05:08 32000 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-04-30 13:13 . 2010-04-30 13:13 1510584 ----a-w- c:\programdata\Comodo Downloader\trustconnectclient.exe
2010-04-30 13:12 . 2010-04-30 13:13 -------- d-----w- c:\programdata\Comodo Downloader
2010-04-25 16:33 . 2010-04-21 22:08 52224 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
2010-04-25 16:33 . 2010-04-21 22:08 101376 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
2010-04-22 05:05 . 2010-04-22 05:05 -------- d-----w- c:\users\Shade\AppData\Local\Pando
2010-04-20 07:26 . 2010-04-20 07:26 -------- d-----w- c:\program files\iPod
2010-04-20 07:26 . 2010-04-20 07:26 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-20 07:20 . 2010-04-20 07:20 -------- d-----w- c:\program files\Bonjour
2010-04-20 07:18 . 2010-04-20 07:18 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-19 18:55 . 2010-04-19 18:55 -------- d-----w- c:\windows\system32\SPReview
2010-04-19 12:44 . 2010-04-19 12:44 -------- d-----w- c:\program files\Conduit
2010-04-19 12:44 . 2010-04-19 12:44 -------- d-----w- c:\program files\Zynga
2010-04-19 12:21 . 2010-04-19 12:21 -------- d-----w- c:\windows\system32\EventProviders
2010-04-18 11:02 . 2010-04-18 11:02 -------- d-----w- c:\programdata\PMB Files
2010-04-18 11:00 . 2010-04-22 05:05 -------- d-----w- c:\program files\Pando Networks
2010-04-18 05:15 . 2010-04-09 03:16 1711232 ----a-w- c:\windows\system32\BootMan.exe
2010-04-18 05:15 . 2010-02-23 21:51 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2010-04-18 05:15 . 2010-02-23 21:51 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2010-04-18 05:15 . 2010-02-23 21:51 14216 ----a-w- c:\windows\system32\epmntdrv.sys
2010-04-18 05:15 . 2010-02-23 21:51 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2010-04-18 05:15 . 2010-04-18 05:15 -------- d-----w- c:\program files\EASEUS
2010-04-18 04:36 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-18 04:36 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-18 04:36 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-18 04:36 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-18 04:35 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-18 04:35 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-18 04:35 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-18 04:35 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-18 04:35 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-18 04:35 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-18 04:35 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-16 06:57 . 2010-04-16 06:57 52224 ----a-w- c:\users\Shade\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-16 06:57 . 2010-04-28 06:29 117760 ----a-w- c:\users\Shade\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-16 06:56 . 2010-04-16 06:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-16 06:56 . 2010-04-30 16:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-16 06:56 . 2010-04-16 06:56 -------- d-----w- c:\users\Shade\AppData\Roaming\SUPERAntiSpyware.com
2010-04-16 04:23 . 2010-04-16 04:23 -------- d-----w- c:\users\Administrator\AppData\Roaming\Ventrilo
2010-04-14 03:51 . 2010-04-14 03:51 -------- d-----w- c:\users\Shade\AppData\Roaming\Auslogics
2010-04-14 03:51 . 2010-04-14 03:51 -------- d-----w- c:\program files\Auslogics
2010-04-13 16:11 . 2010-04-13 16:11 -------- d-----w- c:\program files\CCleaner
2010-04-13 15:48 . 2010-04-13 15:48 85576 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-13 14:09 . 2010-04-13 14:09 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2010-04-13 11:40 . 2010-04-13 11:40 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
2010-04-13 01:57 . 2010-04-13 01:57 -------- d-----w- c:\users\Shade\AppData\Roaming\Toshiba
2010-04-12 23:35 . 2010-04-12 23:37 -------- d-----w- c:\program files\Unlocker
2010-04-12 22:41 . 2010-04-12 22:41 -------- d-----w- c:\users\Administrator\AppData\Roaming\Registry Mechanic
2010-04-12 21:04 . 2010-04-12 21:04 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 20:04 . 2009-09-09 17:22 5032 ----a-w- c:\users\Shade\AppData\Roaming\wklnhst.dat
2010-05-07 20:49 . 2010-02-14 15:41 -------- d-----w- c:\program files\Spyware Doctor
2010-05-07 01:35 . 2010-05-04 02:29 -------- d-----w- c:\programdata\SecTaskMan
2010-05-06 20:36 . 2010-02-14 16:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 07:59 . 2009-07-16 20:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-04 01:13 . 2008-08-18 17:52 -------- d-----w- c:\programdata\WildTangent
2010-05-03 18:15 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-03 18:15 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-02 13:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games
2010-05-02 02:03 . 2009-08-17 11:47 -------- d-----w- c:\users\Shade\AppData\Roaming\LimeWire
2010-04-27 18:44 . 2009-08-17 07:22 -------- d-----w- c:\users\Shade\AppData\Roaming\Apple Computer
2010-04-27 12:50 . 2008-08-18 18:44 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 07:26 . 2010-03-16 12:01 -------- d-----w- c:\program files\iTunes
2010-04-20 07:26 . 2009-08-17 07:20 -------- d-----w- c:\program files\Common Files\Apple
2010-04-20 07:23 . 2009-08-17 07:21 -------- d-----w- c:\program files\QuickTime
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-19 19:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-19 18:59 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-18 10:37 . 2009-07-27 21:08 -------- d-----w- c:\program files\Steam
2010-04-17 21:27 . 2009-11-07 18:46 -------- d-----w- c:\users\Shade\AppData\Roaming\FrostWire
2010-04-16 05:38 . 2008-08-18 18:03 -------- d-----w- c:\programdata\Ulead Systems
2010-04-16 05:37 . 2008-08-18 17:10 -------- d-----w- c:\program files\Toshiba
2010-04-16 05:37 . 2008-08-18 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 05:37 . 2009-07-27 21:08 -------- d-----w- c:\program files\Common Files\Steam
2010-04-16 05:37 . 2008-08-18 18:03 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-16 05:37 . 2009-05-10 16:17 -------- d-----w- c:\program files\Camera Assistant Software for Toshiba
2010-04-16 05:34 . 2009-07-16 20:44 -------- d-----w- c:\users\Shade\AppData\Roaming\Ventrilo
2010-04-16 05:34 . 2009-08-17 05:11 -------- d-----w- c:\users\Shade\AppData\Roaming\Songbird2
2010-04-16 05:07 . 2009-11-26 07:40 680 ----a-w- c:\users\Shade\AppData\Local\d3d9caps.dat
2010-04-13 22:12 . 2010-02-14 15:41 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-12 21:38 . 2010-04-12 21:37 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2010-04-12 19:43 . 2010-04-12 19:43 -------- d-----w- c:\users\Administrator\AppData\Roaming\InstallShield
2010-04-12 19:42 . 2010-04-12 19:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-04-12 10:13 . 2010-04-12 11:08 92672 ----a-w- c:\windows\system32\KillBox.exe
2010-04-09 11:26 . 2010-04-09 11:26 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 11:25 . 2010-04-09 11:25 74408 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-04-09 11:25 . 2010-04-09 11:25 30112 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 11:25 . 2010-04-09 11:25 218560 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 11:25 . 2010-04-09 11:25 16744 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-09 00:29 . 2010-02-14 15:41 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-02 03:53 . 2010-01-31 10:26 -------- d-----w- c:\program files\Aleks 3.12
2010-04-02 03:42 . 2010-04-02 03:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 03:42 . 2008-08-18 18:10 -------- d-----w- c:\program files\Java
2010-03-30 17:04 . 2010-03-29 20:25 -------- d-----w- c:\program files\Microsoft
2010-03-30 17:03 . 2010-03-29 11:45 -------- d--h--w- c:\program files\InstallJammer Registry
2010-03-29 21:17 . 2009-05-10 15:51 -------- d-----w- c:\programdata\Microsoft Help
2010-03-29 20:36 . 2010-03-29 20:36 -------- d-----w- c:\program files\Common Files\Live Access Operator
2010-03-29 20:06 . 2010-02-14 15:41 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-26 23:29 . 2009-07-16 01:03 85576 ----a-w- c:\users\Shade\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-25 05:33 . 2010-03-25 05:33 -------- d-----w- c:\program files\EA Games
2010-03-25 01:03 . 2010-03-28 20:56 52224 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-25 01:03 . 2010-03-28 20:56 101376 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-22 17:01 . 2010-03-22 17:00 -------- d-----w- c:\users\Shade\AppData\Roaming\DivX
2010-03-22 17:01 . 2010-03-22 16:58 -------- d-----w- c:\programdata\DivX
2010-03-16 18:54 . 2010-03-16 18:54 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-18 22:24 . 2010-02-18 22:24 150904 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 21:46 . 2010-02-12 21:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 21:46 . 2010-02-12 21:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-07-16 01:02 . 2009-07-16 01:02 13 --sha-r- c:\windows\System32\drivers\fbd.sys
2009-07-16 01:02 . 2009-07-16 01:02 4 --sha-r- c:\windows\System32\drivers\taishop.sys
.
CODE
<pre>
c:\program files\Camera Assistant Software for Toshiba\traybar .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\FlashCards\tcrdmain .exe
c:\program files\Toshiba\Power Saver\tpwrmain .exe
c:\program files\Toshiba\SmoothView\smoothview .exe
c:\program files\Toshiba\TBS\hson .exe
</pre>


((((((((((((((((((((((((((((( SnapShot@2010-05-08_11.32.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 07:28 . 2006-11-02 08:48 84480 c:\windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6002.18197_none_7b3d56a455f59b03\INETRES.dll
+ 2006-11-02 07:28 . 2006-11-02 08:48 84480 c:\windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6001.18416_none_79ac63d2588f4d00\INETRES.dll
+ 2008-01-21 01:58 . 2010-05-11 23:32 55254 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-05-11 23:32 81090 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-16 01:04 . 2010-05-11 23:32 10928 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-233040595-3233005408-884354526-1000_UserData.bin
- 2009-07-16 01:00 . 2010-05-08 11:11 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-16 01:00 . 2010-05-12 19:52 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-16 01:00 . 2010-05-08 11:11 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-16 01:00 . 2010-05-12 19:52 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-04 08:03 . 2010-05-03 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-04 08:03 . 2010-05-08 19:26 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-04 08:03 . 2010-05-03 18:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-04 08:03 . 2010-05-08 19:26 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-04 08:03 . 2010-05-08 19:26 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-04 08:03 . 2010-05-03 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2010-05-03 18:00 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2010-05-12 02:48 51200 c:\windows\inf\infpub.dat
+ 2010-05-11 23:29 . 2010-05-11 23:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-08 11:11 . 2010-05-08 11:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-08 11:11 . 2010-05-08 11:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-11 23:29 . 2010-05-11 23:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2010-05-03 20:37 607898 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-11 23:36 607898 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-11 23:36 105368 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-05-03 20:37 105368 c:\windows\System32\perfc009.dat
- 2009-07-16 01:00 . 2010-05-08 11:11 344064 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-16 01:00 . 2010-05-12 19:52 344064 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-05 23:06 . 2010-05-08 11:10 739920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-04-05 23:06 . 2010-05-11 23:28 739920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2006-11-02 10:25 . 2010-05-03 18:00 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2010-05-12 02:48 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 12:34 . 2006-11-02 12:34 2836992 c:\windows\winsxs\x86_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.0.6002.18197_none_5a0aedc022b31946\MSOERES.dll
+ 2006-11-02 12:34 . 2006-11-02 12:34 2836992 c:\windows\winsxs\x86_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.0.6001.18416_none_5879faee254ccb43\MSOERES.dll
- 2006-11-02 10:22 . 2010-05-07 10:15 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2010-05-12 19:56 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2010-05-12 20:07 . 2010-05-12 20:08 6434816 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2009-09-05 03:35 . 2010-05-12 19:56 492757580 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 22:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-04-09 2029456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"hsf87efjhdsf87f3jfsdi7fhsujfd"="c:\windows\system32\spoolsv.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-04 01:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Pando"=c:\program files\Pando Networks\Pando\Pando.exe /Minimized
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

R0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-02-23 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-02-23 8456]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-05-01 35816]
R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2010-05-08 24416]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2010-04-09 16744]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-04-09 218560]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-04-09 30112]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-04-30 61440]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2010-02-20 148744]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
TCP: {A6DF5C8E-42E0-4659-B997-CE004FDD4A35} = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2536667&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,d0,f2,d8,f6,e2,9b,41,a8,c3,6d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,d0,f2,d8,f6,e2,9b,41,a8,c3,6d,\

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{81063354-9060-42B2-A000-1EBE96778AA9}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{996A2FAA-7514-4628-9D12-A8FC34A0016E}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-12 10:20:19
ComboFix-quarantined-files.txt 2010-05-12 20:20
ComboFix2.txt 2010-05-11 23:42
ComboFix3.txt 2010-05-08 11:37

Pre-Run: 72,539,115,520 bytes free
Post-Run: 72,563,699,712 bytes free

- - End Of File - - 6CFA8E571CA45CC010D3EB405C314112


#11 myrti

myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 12 May 2010 - 03:47 PM

Hi,

Oh, they are infected, believe me. You have been infected by a Vundo variant that infects legitimate files.

With the script, ComboFix normally disinfects the files by restoring healthy copies. This has not worked, so I would like you to run the following script and post the log back.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Camera Assistant Software for Toshiba\traybar .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\FlashCards\tcrdmain .exe
c:\program files\Toshiba\Power Saver\tpwrmain .exe
c:\program files\Toshiba\SmoothView\smoothview .exe
c:\program files\Toshiba\TBS\hson .exe


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

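A triage script for the ComboFix output in this thread, added here as an example (it is not ComboFix's code and not something myrti posted): it pulls the "name .exe" entries out of the log's CODE/<pre> block, builds the RenV:: script in the form shown above, and cross-references the Run keys from the same log to show which autostarts launch those programs. That each spaced name shadows the legitimate program's normal file name is my assumption for the example, not a statement from the tool; the sample log is constructed from lines in this thread, not a captured ComboFix.txt.

```python
"""Triage helper for a ComboFix log: list the executables ComboFix printed with
a space before ".exe" (e.g. "traybar .exe"), derive the normal file name each
one shadows, emit the RenV:: CFScript, and map them to Run-key autostarts."""
import re

# Constructed sample: a cut-down log assembled from entries that appear in the
# thread above; it is not a real ComboFix.txt captured from the machine.
SAMPLE_LOG = r"""
.
CODE
<pre>
c:\program files\Camera Assistant Software for Toshiba\traybar .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask  .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"""

# A file name with whitespace immediately before its .exe extension.
SPACED_EXE = re.compile(r"^(?P<dir>.*\\)(?P<stem>[^\\]*?)\s+\.exe$", re.IGNORECASE)


def spaced_executables(log_text):
    """Paths ComboFix printed between <pre> and </pre>, kept only if they
    carry the 'name .exe' pattern."""
    block = re.search(r"<pre>\s*(.*?)\s*</pre>", log_text, re.DOTALL)
    if not block:
        return []
    return [ln.strip() for ln in block.group(1).splitlines()
            if SPACED_EXE.match(ln.strip())]


def canonical_path(spaced):
    """'...\\traybar .exe' -> '...\\traybar.exe'. Assumption (ours, not stated
    by ComboFix): this is the legitimate program's normal file name."""
    m = SPACED_EXE.match(spaced)
    if not m:
        raise ValueError(f"not a spaced executable name: {spaced}")
    return f"{m.group('dir')}{m.group('stem')}.exe"


def build_renv_script(spaced_paths):
    """CFScript text in the RenV:: form the helper posted."""
    return "RenV::\n" + "\n".join(spaced_paths) + "\n"


def run_entries(log_text):
    """(key, value name, path) for every value under a [...\\Run] or
    [...\\run-] key in the 'Reg Loading Points' section."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            key = inner if inner.lower().endswith(("\\run", "\\run-")) else None
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$', line)
        if key is None or not m:
            continue
        rest = m.group("rest")
        if rest.startswith('"'):               # "path" [date size]  or  "path" -switch
            path = rest[1:rest.index('"', 1)]
        else:                                  # path /switch  or  path [date size]
            path = rest.split(" [")[0].split(" /")[0].strip()
        entries.append((key, m.group("name"), path))
    return entries


def autostarts_for(spaced_paths, log_text):
    """Map each spaced executable to the Run-key entries that launch the
    program it shadows (case-insensitive path comparison)."""
    by_path = {}
    for key, name, path in run_entries(log_text):
        by_path.setdefault(path.lower(), []).append((key, name))
    return {p: by_path.get(canonical_path(p).lower(), []) for p in spaced_paths}


if __name__ == "__main__":
    spaced = spaced_executables(SAMPLE_LOG)
    print(build_renv_script(spaced))
    for p, starts in autostarts_for(spaced, SAMPLE_LOG).items():
        print(f"{p}\n  normal name: {canonical_path(p)}")
        for key, name in starts or [(None, "<no Run entry in this log>")]:
            print(f"  autostart: {name} ({key})")
```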


#12 smw5003

smw5003
  • Topic Starter

  • Members
  • 21 posts

Posted 12 May 2010 - 11:58 PM

Here is the new post!
Apparently this infection is ANCIENT if it's affecting the files mentioned above; they haven't been modified for roughly a year O_O
Either that, or they somehow masked the modify/creation dates...


ComboFix 10-05-12.01 - Shade 05/12/2010 18:31:59.9.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2939.1932 [GMT -10:00]
Running from: c:\users\Shade\Desktop\fun.com.exe
Command switches used :: c:\users\Shade\Desktop\CFscript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 04:38 . 2010-05-13 04:38 -------- d-----w- c:\users\Shade\AppData\Local\temp
2010-05-13 04:38 . 2010-05-13 04:38 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-13 04:38 . 2010-05-13 04:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-13 04:38 . 2010-05-13 04:38 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-05-13 04:22 . 2010-05-13 04:30 -------- d-----w- C:\fun.com15262f
2010-05-12 21:53 . 2010-05-13 04:22 -------- d-----w- C:\fun.com9611f
2010-05-12 20:08 . 2010-05-12 20:20 -------- d-----w- C:\fun.com1437f
2010-05-12 20:06 . 2010-05-12 20:08 -------- d-----w- C:\fun.com27559f
2010-05-12 20:05 . 2010-05-12 20:06 -------- d-----w- C:\fun.com10714f
2010-05-11 23:28 . 2010-05-11 23:42 -------- d-----w- C:\fun.com
2010-05-11 22:13 . 2010-05-11 23:28 -------- d-----w- C:\ComboFix
2010-05-11 21:15 . 2010-05-11 21:15 -------- d-----w- C:\found.001
2010-05-08 11:11 . 2010-05-08 11:11 -------- d-----w- C:\VritualRoot
2010-05-08 02:44 . 2010-05-08 02:44 330512 ----a-w- c:\users\Shade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\MSPAINT.EXE
2010-05-08 02:37 . 2010-05-08 02:41 -------- d-----w- C:\32788R22FWJFW.8.tmp
2010-05-08 02:30 . 2010-05-08 02:33 -------- d-----w- C:\32788R22FWJFW.6.tmp
2010-05-08 02:29 . 2010-05-08 02:30 -------- d-----w- C:\32788R22FWJFW.5.tmp
2010-05-08 02:29 . 2010-05-08 02:29 -------- d-----w- C:\32788R22FWJFW.4.tmp
2010-05-08 02:13 . 2010-05-08 02:29 -------- d-----w- C:\32788R22FWJFW.3.tmp
2010-05-07 21:08 . 2010-05-07 21:30 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-05-07 01:46 . 2010-05-07 01:46 -------- d-----w- c:\users\Shade\AppData\Local\Threat Expert
2010-05-07 00:56 . 2010-01-22 19:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-07 00:56 . 2010-01-22 19:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-07 00:56 . 2010-01-22 19:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-07 00:56 . 2010-01-22 19:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-07 00:56 . 2009-10-28 11:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-07 00:56 . 2008-11-26 22:08 131 ----a-w- c:\windows\IDB.zip
2010-05-04 02:36 . 2010-05-04 02:36 -------- d-----w- c:\users\Shade\AppData\Roaming\Intel
2010-05-04 02:30 . 2008-01-21 02:25 1203792 ----a-w- c:\programdata\SecTaskMan\_enviewlist.dll
2010-05-04 02:30 . 2008-01-21 02:24 798720 ----a-w- c:\programdata\SecTaskMan\_entreelist.dll
2010-05-04 02:30 . 2010-05-04 02:30 92 ----a-w- c:\programdata\SecTaskMan\icn_F20E0AD5B079B424FB1415A305814E0C.dll
2010-05-04 02:30 . 2010-05-04 02:30 1180 ----a-w- c:\programdata\SecTaskMan\icn_F65865963B6B0EB4ABB0F894B53E0233.dll
2010-05-04 02:21 . 2010-05-04 02:21 23 --sha-w- c:\windows\system32\edacded0.dat
2010-05-04 02:21 . 2010-05-04 02:21 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-05-04 00:31 . 2010-05-04 00:31 -------- d-----w- c:\programdata\WindowsSearch
2010-05-02 09:05 . 2010-05-02 09:05 -------- d-----w- c:\users\Shade\AppData\Local\COMODO
2010-05-02 08:54 . 2010-05-02 08:54 -------- d-----w- C:\Backreg
2010-05-02 02:14 . 2010-05-02 02:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 02:13 . 2010-05-02 13:38 -------- d-----w- c:\users\Shade\AppData\Roaming\DAEMON Tools Lite
2010-05-02 02:13 . 2010-05-02 02:13 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-05-02 00:29 . 2010-05-02 00:29 -------- d-----w- c:\windows\system32\Spool\prtprocs\w32x86\en-US
2010-05-01 19:58 . 2010-05-08 18:36 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-05-01 19:46 . 2010-05-01 19:46 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-05-01 19:46 . 2010-05-01 19:46 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-05-01 19:45 . 2010-05-01 19:45 2 --shatr- c:\windows\winstart.bat
2010-05-01 19:44 . 2010-05-01 19:44 -------- d-----w- c:\program files\Greatis
2010-04-30 13:23 . 2010-04-30 13:37 -------- d-----w- c:\programdata\COMODO
2010-04-30 13:23 . 2010-05-13 04:34 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-30 13:13 . 2010-04-30 13:15 -------- d-----w- c:\program files\Comodo
2010-04-30 13:13 . 2009-10-15 05:08 32000 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-04-30 13:13 . 2010-04-30 13:13 1510584 ----a-w- c:\programdata\Comodo Downloader\trustconnectclient.exe
2010-04-30 13:12 . 2010-04-30 13:13 -------- d-----w- c:\programdata\Comodo Downloader
2010-04-25 16:33 . 2010-04-21 22:08 52224 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
2010-04-25 16:33 . 2010-04-21 22:08 101376 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
2010-04-22 05:05 . 2010-04-22 05:05 -------- d-----w- c:\users\Shade\AppData\Local\Pando
2010-04-20 07:26 . 2010-04-20 07:26 -------- d-----w- c:\program files\iPod
2010-04-20 07:26 . 2010-04-20 07:26 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-20 07:20 . 2010-04-20 07:20 -------- d-----w- c:\program files\Bonjour
2010-04-20 07:18 . 2010-04-20 07:18 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-19 18:55 . 2010-04-19 18:55 -------- d-----w- c:\windows\system32\SPReview
2010-04-19 12:44 . 2010-04-19 12:44 -------- d-----w- c:\program files\Conduit
2010-04-19 12:44 . 2010-04-19 12:44 -------- d-----w- c:\program files\Zynga
2010-04-19 12:21 . 2010-04-19 12:21 -------- d-----w- c:\windows\system32\EventProviders
2010-04-18 11:02 . 2010-04-18 11:02 -------- d-----w- c:\programdata\PMB Files
2010-04-18 11:00 . 2010-04-22 05:05 -------- d-----w- c:\program files\Pando Networks
2010-04-18 05:15 . 2010-04-09 03:16 1711232 ----a-w- c:\windows\system32\BootMan.exe
2010-04-18 05:15 . 2010-02-23 21:51 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2010-04-18 05:15 . 2010-02-23 21:51 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2010-04-18 05:15 . 2010-02-23 21:51 14216 ----a-w- c:\windows\system32\epmntdrv.sys
2010-04-18 05:15 . 2010-02-23 21:51 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2010-04-18 05:15 . 2010-04-18 05:15 -------- d-----w- c:\program files\EASEUS
2010-04-18 04:36 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-18 04:36 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-18 04:36 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-18 04:36 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-18 04:35 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-18 04:35 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-18 04:35 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-18 04:35 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-18 04:35 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-18 04:35 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-18 04:35 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-16 06:57 . 2010-04-16 06:57 52224 ----a-w- c:\users\Shade\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-16 06:57 . 2010-04-28 06:29 117760 ----a-w- c:\users\Shade\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-16 06:56 . 2010-04-16 06:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-16 06:56 . 2010-04-30 16:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-16 06:56 . 2010-04-16 06:56 -------- d-----w- c:\users\Shade\AppData\Roaming\SUPERAntiSpyware.com
2010-04-16 04:23 . 2010-04-16 04:23 -------- d-----w- c:\users\Administrator\AppData\Roaming\Ventrilo
2010-04-14 03:51 . 2010-04-14 03:51 -------- d-----w- c:\users\Shade\AppData\Roaming\Auslogics
2010-04-14 03:51 . 2010-04-14 03:51 -------- d-----w- c:\program files\Auslogics
2010-04-13 16:11 . 2010-04-13 16:11 -------- d-----w- c:\program files\CCleaner
2010-04-13 15:48 . 2010-04-13 15:48 85576 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-13 14:09 . 2010-04-13 14:09 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2010-04-13 11:40 . 2010-04-13 11:40 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 20:04 . 2009-09-09 17:22 5032 ----a-w- c:\users\Shade\AppData\Roaming\wklnhst.dat
2010-05-07 20:49 . 2010-02-14 15:41 -------- d-----w- c:\program files\Spyware Doctor
2010-05-07 01:35 . 2010-05-04 02:29 -------- d-----w- c:\programdata\SecTaskMan
2010-05-06 20:36 . 2010-02-14 16:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 07:59 . 2009-07-16 20:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-04 01:13 . 2008-08-18 17:52 -------- d-----w- c:\programdata\WildTangent
2010-05-03 18:15 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-03 18:15 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-02 13:40 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games
2010-05-02 02:03 . 2009-08-17 11:47 -------- d-----w- c:\users\Shade\AppData\Roaming\LimeWire
2010-04-27 18:44 . 2009-08-17 07:22 -------- d-----w- c:\users\Shade\AppData\Roaming\Apple Computer
2010-04-27 12:50 . 2008-08-18 18:44 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 07:26 . 2010-03-16 12:01 -------- d-----w- c:\program files\iTunes
2010-04-20 07:26 . 2009-08-17 07:20 -------- d-----w- c:\program files\Common Files\Apple
2010-04-20 07:23 . 2009-08-17 07:21 -------- d-----w- c:\program files\QuickTime
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-19 19:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-19 19:18 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-19 18:59 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-18 10:37 . 2009-07-27 21:08 -------- d-----w- c:\program files\Steam
2010-04-17 21:27 . 2009-11-07 18:46 -------- d-----w- c:\users\Shade\AppData\Roaming\FrostWire
2010-04-16 05:38 . 2008-08-18 18:03 -------- d-----w- c:\programdata\Ulead Systems
2010-04-16 05:37 . 2008-08-18 17:10 -------- d-----w- c:\program files\Toshiba
2010-04-16 05:37 . 2008-08-18 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 05:37 . 2009-07-27 21:08 -------- d-----w- c:\program files\Common Files\Steam
2010-04-16 05:37 . 2008-08-18 18:03 -------- d-----w- c:\program files\Common Files\Ulead Systems
2010-04-16 05:37 . 2009-05-10 16:17 -------- d-----w- c:\program files\Camera Assistant Software for Toshiba
2010-04-16 05:34 . 2009-07-16 20:44 -------- d-----w- c:\users\Shade\AppData\Roaming\Ventrilo
2010-04-16 05:34 . 2009-08-17 05:11 -------- d-----w- c:\users\Shade\AppData\Roaming\Songbird2
2010-04-16 05:07 . 2009-11-26 07:40 680 ----a-w- c:\users\Shade\AppData\Local\d3d9caps.dat
2010-04-13 22:12 . 2010-02-14 15:41 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-13 01:57 . 2010-04-13 01:57 -------- d-----w- c:\users\Shade\AppData\Roaming\Toshiba
2010-04-12 23:37 . 2010-04-12 23:35 -------- d-----w- c:\program files\Unlocker
2010-04-12 22:41 . 2010-04-12 22:41 -------- d-----w- c:\users\Administrator\AppData\Roaming\Registry Mechanic
2010-04-12 21:38 . 2010-04-12 21:37 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2010-04-12 19:43 . 2010-04-12 19:43 -------- d-----w- c:\users\Administrator\AppData\Roaming\InstallShield
2010-04-12 19:42 . 2010-04-12 19:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-04-12 10:13 . 2010-04-12 11:08 92672 ----a-w- c:\windows\system32\KillBox.exe
2010-04-09 11:26 . 2010-04-09 11:26 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 11:25 . 2010-04-09 11:25 74408 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-04-09 11:25 . 2010-04-09 11:25 30112 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 11:25 . 2010-04-09 11:25 218560 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 11:25 . 2010-04-09 11:25 16744 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-09 00:29 . 2010-02-14 15:41 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-02 03:53 . 2010-01-31 10:26 -------- d-----w- c:\program files\Aleks 3.12
2010-04-02 03:42 . 2010-04-02 03:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 03:42 . 2008-08-18 18:10 -------- d-----w- c:\program files\Java
2010-03-30 17:04 . 2010-03-29 20:25 -------- d-----w- c:\program files\Microsoft
2010-03-30 17:03 . 2010-03-29 11:45 -------- d--h--w- c:\program files\InstallJammer Registry
2010-03-29 21:17 . 2009-05-10 15:51 -------- d-----w- c:\programdata\Microsoft Help
2010-03-29 20:36 . 2010-03-29 20:36 -------- d-----w- c:\program files\Common Files\Live Access Operator
2010-03-29 20:06 . 2010-02-14 15:41 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-26 23:29 . 2009-07-16 01:03 85576 ----a-w- c:\users\Shade\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-25 05:33 . 2010-03-25 05:33 -------- d-----w- c:\program files\EA Games
2010-03-25 01:03 . 2010-03-28 20:56 52224 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-25 01:03 . 2010-03-28 20:56 101376 ----a-w- c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-22 17:01 . 2010-03-22 17:00 -------- d-----w- c:\users\Shade\AppData\Roaming\DivX
2010-03-22 17:01 . 2010-03-22 16:58 -------- d-----w- c:\programdata\DivX
2010-03-16 18:54 . 2010-03-16 18:54 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-18 22:24 . 2010-02-18 22:24 150904 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 21:46 . 2010-02-12 21:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 21:46 . 2010-02-12 21:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-07-16 01:02 . 2009-07-16 01:02 13 --sha-r- c:\windows\System32\drivers\fbd.sys
2009-07-16 01:02 . 2009-07-16 01:02 4 --sha-r- c:\windows\System32\drivers\taishop.sys
.
CODE
c:\program files\Camera Assistant Software for Toshiba\traybar .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\FlashCards\tcrdmain .exe
c:\program files\Toshiba\Power Saver\tpwrmain .exe
c:\program files\Toshiba\SmoothView\smoothview .exe
c:\program files\Toshiba\TBS\hson .exe


((((((((((((((((((((((((((((( SnapShot@2010-05-08_11.32.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 07:28 . 2006-11-02 08:48 84480 c:\windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6002.18197_none_7b3d56a455f59b03\INETRES.dll
+ 2006-11-02 07:28 . 2006-11-02 08:48 84480 c:\windows\winsxs\x86_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.0.6001.18416_none_79ac63d2588f4d00\INETRES.dll
+ 2008-01-21 01:58 . 2010-05-13 04:27 55574 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-05-13 04:27 81106 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-16 01:04 . 2010-05-13 04:27 10928 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-233040595-3233005408-884354526-1000_UserData.bin
+ 2009-07-16 01:00 . 2010-05-13 04:24 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-16 01:00 . 2010-05-08 11:11 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-16 01:00 . 2010-05-13 04:24 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-16 01:00 . 2010-05-08 11:11 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-04 08:03 . 2010-05-03 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-04 08:03 . 2010-05-08 19:26 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-04 08:03 . 2010-05-08 19:26 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-04 08:03 . 2010-05-03 18:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-04 08:03 . 2010-05-03 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-04 08:03 . 2010-05-08 19:26 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2010-05-12 02:48 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2010-05-03 18:00 51200 c:\windows\inf\infpub.dat
+ 2010-05-13 04:24 . 2010-05-13 04:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-08 11:11 . 2010-05-08 11:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-08 11:11 . 2010-05-08 11:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-13 04:24 . 2010-05-13 04:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2010-05-13 04:30 607898 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-05-03 20:37 607898 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-05-03 20:37 105368 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-05-13 04:30 105368 c:\windows\System32\perfc009.dat
+ 2009-07-16 01:00 . 2010-05-13 04:24 344064 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-16 01:00 . 2010-05-08 11:11 344064 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-05 23:06 . 2010-05-13 04:23 739920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-04-05 23:06 . 2010-05-08 11:10 739920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2006-11-02 10:25 . 2010-05-12 02:48 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2010-05-03 18:00 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 12:34 . 2006-11-02 12:34 2836992 c:\windows\winsxs\x86_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.0.6002.18197_none_5a0aedc022b31946\MSOERES.dll
+ 2006-11-02 12:34 . 2006-11-02 12:34 2836992 c:\windows\winsxs\x86_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.0.6001.18416_none_5879faee254ccb43\MSOERES.dll
+ 2006-11-02 10:22 . 2010-05-12 19:56 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2010-05-07 10:15 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-09-05 03:35 . 2010-05-12 19:56 492757580 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 22:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-04-09 2029456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"hsf87efjhdsf87f3jfsdi7fhsujfd"="c:\windows\system32\spoolsv.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-04 01:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Pando"=c:\program files\Pando Networks\Pando\Pando.exe /Minimized
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

R0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-02-23 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-02-23 8456]
R3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-05-01 35816]
R3 RegGuard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2010-05-08 24416]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2010-04-09 16744]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-04-09 218560]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-04-09 30112]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-04-30 61440]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2010-02-20 148744]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
TCP: {A6DF5C8E-42E0-4659-B997-CE004FDD4A35} = 156.154.70.22,156.154.71.22
FF - ProfilePath - c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2536667&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\FFExternalAlert.dll
FF - component: c:\users\Shade\AppData\Roaming\Mozilla\Firefox\Profiles\871gg2z5.default\extensions\{aac4043a-8832-4abe-9963-35377f30b8e6}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,d0,f2,d8,f6,e2,9b,41,a8,c3,6d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2e,d0,f2,d8,f6,e2,9b,41,a8,c3,6d,\

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{81063354-9060-42B2-A000-1EBE96778AA9}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{996A2FAA-7514-4628-9D12-A8FC34A0016E}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\software\GEAR Software\DIFx\{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}]
@DACL=(02 0000)
"Path"="c:\\Windows\\system32\\DRVSTORE\\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\\GEARAspiWDM.inf"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-12 18:41:32
ComboFix-quarantined-files.txt 2010-05-13 04:41
ComboFix2.txt 2010-05-12 20:20
ComboFix3.txt 2010-05-11 23:42
ComboFix4.txt 2010-05-08 11:37

Pre-Run: 72,825,073,664 bytes free
Post-Run: 72,784,052,224 bytes free

- - End Of File - - FB098FBE54AA02E0E4F5E4CAFBB3FDEE



#13 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 13 May 2010 - 01:34 PM

Hi,


please run the following script as well:
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Camera Assistant Software for Toshiba\traybar .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Toshiba\FlashCards\tcrdmain .exe
c:\program files\Toshiba\Power Saver\tpwrmain .exe
c:\program files\Toshiba\SmoothView\smoothview .exe
c:\program files\Toshiba\TBS\hson .exe
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"hsf87efjhdsf87f3jfsdi7fhsujfd"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

Edited by myrti, 13 May 2010 - 01:35 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

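As an added triage example (not part of myrti's instructions and not ComboFix code): the two things the CFScript above acts on are already visible as plain text in the log, so they can be checked mechanically before a helper writes a script. The Python below parses the REGEDIT4-style "Reg Loading Points" lines and flags a Run value when its name flips between letters and digits the way "hsf87efjhdsf87f3jfsdi7fhsujfd" does, when it sits under HKEY_USERS\.DEFAULT (the LocalSystem account's hive, where no user-installed product registers itself), or when it points at a binary the Service Control Manager starts itself, such as spoolsv.exe. It also lists the file names with a space before .exe that both the log's CODE block and the RenV:: section enumerate. The sample inputs are constructed from lines modelled on this thread's log; the switch threshold and the list of service-hosted binaries are this example's own assumptions, not ComboFix heuristics.

```python
"""Mechanical triage of ComboFix-style log text.

Added example, not ComboFix or BleepingComputer code. The sample inputs are
constructed from lines modelled on the log in this thread; the threshold and
the list of service-hosted binaries are this example's own assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: "Reg Loading Points" lines in the log's REGEDIT4 style.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"hsf87efjhdsf87f3jfsdi7fhsujfd"="c:\windows\system32\spoolsv.exe" [2008-01-21 125952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Pando"=c:\program files\Pando Networks\Pando\Pando.exe /Minimized
"""

# Constructed sample: the log's CODE block of file names, plus one normal name for contrast.
SAMPLE_FILES = r"""
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Java\jre6\bin\jusched.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")        # ComboFix's trailing "[date size]"
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)\b', re.I)  # first path token, arguments dropped
SPACED_EXT_RE = re.compile(r"\s+\.exe$", re.I)        # whitespace before the extension

# Binaries the Service Control Manager (or winlogon) starts itself. Assumed list:
# legitimate software never launches any of them from a Run value.
SERVICE_HOSTED = {"spoolsv.exe", "svchost.exe", "services.exe", "lsass.exe"}


def parse_run_values(text):
    """Return (key, value_name, command) tuples from REGEDIT4-style key blocks."""
    out, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif key and (m := VALUE_RE.match(line)):
            command = TRAILER_RE.sub("", m.group("value")).strip().strip('"')
            out.append((key, m.group("name"), command))
    return out


def class_transitions(name):
    """Count letter<->digit switches; random alphanumerics switch often, product names rarely."""
    classes = ["d" if c.isdigit() else "a" if c.isalpha() else "o" for c in name]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b and "o" not in (a, b))


def executable_name(command):
    """Lower-cased basename of the executable a Run command launches."""
    m = EXE_RE.match(command)
    return PureWindowsPath(m.group("exe") if m else command).name.lower()


def suspicious_run_values(text, min_transitions=3):
    """Return [(value_name, [reasons])] for Run values that trip any of three signals."""
    findings = []
    for key, name, command in parse_run_values(text):
        reasons = []
        # HKU\.DEFAULT is the LocalSystem account's hive; ordinary software registers under HKLM or HKCU.
        if "hkey_users\\.default\\" in key.lower():
            reasons.append("Run value in the LocalSystem (.DEFAULT) hive")
        switches = class_transitions(name)
        if switches >= min_transitions:
            reasons.append(f"random-looking value name ({switches} letter/digit switches)")
        exe = executable_name(command)
        if exe in SERVICE_HOSTED:
            reasons.append(f"{exe} is service-hosted and never a Run target")
        if reasons:
            findings.append((name, reasons))
    return findings


def files_with_spaced_extension(text):
    """Return file paths whose name has whitespace before '.exe' (the names RenV:: acts on)."""
    return [ln.strip() for ln in text.splitlines() if SPACED_EXT_RE.search(ln.strip())]


if __name__ == "__main__":
    for name, reasons in suspicious_run_values(SAMPLE_REG):
        print(f"[!] {name}: " + "; ".join(reasons))
    for path in files_with_spaced_extension(SAMPLE_FILES):
        print(f"[!] space before extension: {path}")
```

Run against the sample, only the .DEFAULT entry is reported, with all three reasons, while RtHDVCpl, iTunesHelper and Pando pass; the file check returns the three spaced names and leaves the normal jusched.exe alone. The letter/digit switch count is deliberately used instead of character entropy: a short random string and a legitimate product name can have similar entropy, but legitimate value names almost never alternate between letters and digits several times.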


#14 smw5003
  • Topic Starter
  • Members
  • 21 posts

Posted 13 May 2010 - 09:13 PM

Uh...
I tried to drag and drop like I've always done, but this time it displays:
Windows cannot access the specified device, path or file. You may not have the appropriate
permissions to access the item.
....
I've also checked the security on ComboFix, and it says I cannot see who owns/has permission for it.
I cannot delete and redownload it either because of permissions.
Should I override the permissions? Or what else?

#15 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,774 posts
  • Gender:Female
  • Location:At home

Posted 14 May 2010 - 03:09 AM

Hi,

can you please try to run the file without any scripts? If you can't run it, can you delete the file?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

