
"antispyware soft"


This topic is locked
17 replies to this topic

#1 scs

  • Members
  • 13 posts

Posted 19 May 2010 - 07:34 PM

Hi,

Thank you in advance; any help is very much appreciated.

I was asked by Orange Blossom to paste / attach the following logs as a new post to this forum. She also said that since I had already run "ComboFix", to go ahead and post that too.

Earlier today I posted a detailed description of symptoms and actions taken since symptoms occurred. For your reference, here is my original post link: http://www.bleepingcomputer.com/forums/t/317830/browser-redirect-problem/

If you need the description repasted here I can do that, just let me know. I am just trying to avoid clutter on the post. I can also post logs from Malwarebytes and ESET too, just let me know.

As per her instructions, I did the following:

- Ran defogger to disable cd emulation
- Ran DDS
- Ran GMER

The logs are pasted in order they were executed as follows:

1st - ComboFix
2nd - DDS.TXT is pasted (Please note that I preceded the paste with 10 asterisks **********)
3rd - ATTACH.TXT is attached
4th - ARK.TXT is attached




ComboFix 10-05-16.02 - stephen 05/18/2010 17:54:56.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3327.2111 [GMT -7:00]
Running from: c:\users\stephen\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\pswi_preloaded.exe
c:\users\stephen\g2mdlhlpx.exe
H:\autorun.inf
e:\$recycle.bin\S-1-5-21-2589552120-922938771-1909082347-1000\$R622F40\aiepr.exe . . . . failed to delete
e:\$recycle.bin\S-1-5-21-2589552120-922938771-1909082347-1000\$R622F40\UNWISE.EXE . . . . failed to delete
e:\$recycle.bin\S-1-5-21-2589552120-922938771-1909082347-1000\$RQR0TZQ\drvact32.dll . . . . failed to delete
e:\$recycle.bin\S-1-5-21-2589552120-922938771-1909082347-1000\$RQR0TZQ\INETWH32.DLL . . . . failed to delete
e:\$recycle.bin\S-1-5-21-2589552120-922938771-1909082347-1000\$RQR0TZQ\Regsvr32.exe . . . . failed to delete
e:\$recycle.bin\S-1-5-21-2589552120-922938771-1909082347-1000\$RQR0TZQ\vboxs430.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 01:42 . 2010-05-19 02:01 -------- d-----w- c:\users\stephen\AppData\Local\temp
2010-05-17 00:55 . 2010-05-17 00:55 -------- d-----w- c:\program files\MSI Afterburner
2010-05-17 00:42 . 2010-05-17 00:42 -------- d-----w- c:\users\stephen\AppData\Roaming\ATI
2010-05-17 00:42 . 2010-05-17 00:42 -------- d-----w- c:\users\stephen\AppData\Local\ATI
2010-05-17 00:42 . 2010-05-17 00:42 -------- d-----w- c:\programdata\ATI
2010-05-17 00:38 . 2010-05-17 00:38 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-05-17 00:35 . 2009-11-18 10:24 97792 ----a-w- c:\windows\system32\drivers\AtiHdmi.sys
2010-05-17 00:10 . 2010-05-17 00:10 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-16 22:29 . 2010-05-17 00:40 -------- d-----w- c:\program files\ATI Technologies
2010-05-16 22:29 . 2010-05-16 22:29 -------- d-----w- c:\program files\ATI
2010-05-15 21:20 . 2010-05-15 21:20 -------- d-----w- c:\users\stephen\AppData\Roaming\Malwarebytes
2010-05-15 21:20 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-15 21:20 . 2010-05-15 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-15 21:20 . 2010-05-15 21:20 -------- d-----w- c:\programdata\Malwarebytes
2010-05-15 21:20 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 02:00 . 2010-05-15 02:00 -------- d-----w- c:\windows\Sun
2010-05-15 01:03 . 2010-05-16 04:04 -------- d-----w- c:\users\stephen\AppData\Local\boebrwujr
2010-05-14 23:41 . 2010-05-14 23:41 -------- d-----w- c:\users\stephen\AppData\Local\ESET
2010-05-14 23:39 . 2010-05-14 23:39 -------- d-----w- c:\program files\ESET
2010-05-14 22:52 . 2010-05-14 22:53 -------- d-----w- c:\windows\preftech(delete)
2010-05-12 04:19 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 01:53 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-07 01:53 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-07 01:53 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-02 06:16 . 2010-05-02 06:16 -------- d-----w- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 23:35 . 2009-01-25 06:34 -------- d-----w- c:\users\stephen\AppData\Roaming\uTorrent
2010-05-18 19:03 . 2008-12-25 10:15 -------- d-----w- c:\users\stephen\AppData\Roaming\Corel
2010-05-18 19:03 . 2008-12-25 10:15 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-18 07:42 . 2009-02-11 17:22 -------- d-----w- c:\programdata\Google Updater
2010-05-17 00:34 . 2010-05-17 00:34 10134 ----a-r- c:\users\stephen\AppData\Roaming\Microsoft\Installer\{A142397C-14FE-9966-71A7-9F5DE2F211B0}\ARPPRODUCTICON.exe
2010-05-16 22:26 . 2009-01-17 05:19 1356 ----a-w- c:\users\stephen\AppData\Local\d3d9caps.dat
2010-05-16 22:01 . 2009-09-09 18:15 -------- d-----w- c:\users\stephen\AppData\Roaming\mjusbsp
2010-05-16 21:47 . 2009-03-25 18:29 -------- d-----w- c:\program files\Coupons
2010-05-16 21:46 . 2009-01-19 08:01 -------- d-----w- c:\program files\iCoolPlayer
2010-05-16 05:39 . 2009-11-14 21:36 35085 ----a-w- c:\programdata\nvModes.dat
2010-05-15 20:38 . 2008-12-25 10:06 -------- d-----w- c:\program files\Corel
2010-05-15 07:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-15 02:04 . 2008-12-25 05:32 135128 ----a-w- c:\users\stephen\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-15 00:27 . 2009-01-17 03:08 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-15 00:26 . 2009-01-17 03:08 -------- d-----w- c:\programdata\Roxio
2010-05-14 23:51 . 2008-12-25 08:17 -------- d-----w- c:\programdata\Microsoft Help
2010-05-14 23:27 . 2009-04-01 20:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-14 23:27 . 2009-11-30 17:36 -------- d-----w- c:\users\stephen\AppData\Roaming\SUPERAntiSpyware.com
2010-05-14 23:27 . 2009-11-30 17:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 03:48 . 2009-03-22 20:23 -------- d-----w- c:\users\stephen\AppData\Roaming\dvdcss
2010-05-07 02:27 . 2008-12-25 06:46 -------- d-----w- c:\programdata\NVIDIA
2010-05-07 02:03 . 2009-04-01 10:22 167016 ----a-w- c:\windows\DUMP6067.tmp
2010-05-07 02:00 . 2009-11-14 22:17 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-06 17:36 . 2009-10-03 08:54 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-12 07:41 . 2009-01-02 21:20 -------- d-----w- c:\program files\Google
2010-03-25 03:33 . 2010-03-25 03:33 41312 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2010-03-25 03:33 . 2010-03-25 03:33 32584 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-03-25 03:33 . 2010-03-25 03:33 134488 ----a-w- c:\windows\system32\drivers\epfw.sys
2010-03-25 03:31 . 2010-03-25 03:31 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-25 03:24 . 2010-03-25 03:24 31032 ----a-w- c:\windows\system32\ntaccess_64.sys
2010-03-25 03:24 . 2010-03-25 03:24 25400 ----a-w- c:\windows\system32\Ntaccess.sys
2010-03-25 03:23 . 2010-03-25 03:23 133512 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-03-05 14:01 . 2010-04-13 21:30 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-05-16 22:00 6870864 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-02-26 23:51 . 2010-03-14 22:40 6870864 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-05-16 22:00 743872 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-14 22:40 743872 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe
2010-02-23 11:10 . 2010-04-13 21:30 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-13 21:30 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-13 21:30 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-30 19:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 19:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 19:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 19:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-23 03:13 . 2010-03-09 05:29 52224 ----a-w- c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-02-23 03:13 . 2010-03-09 05:29 101376 ----a-w- c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-02-21 03:27 . 2010-02-21 03:27 2131336 ----a-w- c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-02-18 14:07 . 2010-04-13 21:30 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:07 . 2010-04-13 21:30 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:07 . 2010-04-13 21:30 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 13:30 . 2010-04-13 21:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:28 . 2010-04-13 21:30 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2008-12-25 10:15 . 2008-12-25 10:15 88 --sh--r- c:\windows\System32\152EA7914C.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-05 00:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"cdloader"="c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2009-07-01 163872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"sendmng"="c:\program files\OneSuiteFax\Client\SendMng.exe" [2008-03-31 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-25 98304]

c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2009-1-19 341480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-01-28 04:04 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-03-25 03:31 2145000 ----a-w- c:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\stephen\AppData\Roaming\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 18:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 22:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 23:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-17 00:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-17 01:09 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):da,33,c4,3a,f9,e6,c9,01

R0 amvi;amvi;c:\windows\System32\drivers\djduta.sys [x]
R4 gupdate1c98c6d7408d6b0;Google Update Service (gupdate1c98c6d7408d6b0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]
S0 ndasfs;ndasfs;c:\windows\system32\DRIVERS\ndasfs.sys [2009-01-19 285160]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-25 114984]
S1 ndasfat;NDAS FAT File System Service;c:\windows\system32\DRIVERS\ndasfat.sys [2009-01-19 416232]
S1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\DRIVERS\ndasrofs.sys [2009-01-19 769512]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 172032]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-25 133512]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2010-03-25 810120]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-03-25 41312]
S2 MSSQL$PCS;SQL Server (PCS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-02 10:02]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:23]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:23]

2010-05-19 c:\windows\Tasks\User_Feed_Synchronization-{2CCF250D-CF24-4D67-ABDC-8554A1794A31}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Download with &FileFactory Turbo - c:\program files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab

FF - ProfilePath - c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}\components\snagitmozextension.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\stephen\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-CardScan AutoSync - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 19:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\ARstore.dll

- - - - - - - > 'Explorer.exe'(2388)
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\NDAS\System\ndassvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DFDWiz.exe
c:\windows\RtHDVCpl.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2010-05-18 19:09:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-19 02:09

Pre-Run: 236,048,961,536 bytes free
Post-Run: 245,190,004,736 bytes free

- - End Of File - - 5AD4CC76B745EBBAAA886271F5C4977E

2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-05-16 22:00 743872 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-14 22:40 743872 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe
2010-02-23 11:10 . 2010-04-13 21:30 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-13 21:30 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-13 21:30 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-30 19:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 19:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 19:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 19:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-23 03:13 . 2010-03-09 05:29 52224 ----a-w- c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-02-23 03:13 . 2010-03-09 05:29 101376 ----a-w- c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-02-21 03:27 . 2010-02-21 03:27 2131336 ----a-w- c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-02-18 14:07 . 2010-04-13 21:30 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:07 . 2010-04-13 21:30 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:07 . 2010-04-13 21:30 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 13:30 . 2010-04-13 21:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:28 . 2010-04-13 21:30 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2008-12-25 10:15 . 2008-12-25 10:15 88 --sh--r- c:\windows\System32\152EA7914C.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-05 00:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"cdloader"="c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2009-07-01 163872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"sendmng"="c:\program files\OneSuiteFax\Client\SendMng.exe" [2008-03-31 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-25 98304]

c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2009-1-19 341480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-01-28 04:04 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-03-25 03:31 2145000 ----a-w- c:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\stephen\AppData\Roaming\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 18:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 22:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 23:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-17 00:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-17 01:09 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:da,33,c4,3a,f9,e6,c9,01

R0 amvi;amvi;c:\windows\System32\drivers\djduta.sys [x]
R4 gupdate1c98c6d7408d6b0;Google Update Service (gupdate1c98c6d7408d6b0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]
S0 ndasfs;ndasfs;c:\windows\system32\DRIVERS\ndasfs.sys [2009-01-19 285160]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-25 114984]
S1 ndasfat;NDAS FAT File System Service;c:\windows\system32\DRIVERS\ndasfat.sys [2009-01-19 416232]
S1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\DRIVERS\ndasrofs.sys [2009-01-19 769512]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 172032]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-25 133512]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2010-03-25 810120]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-03-25 41312]
S2 MSSQL$PCS;SQL Server (PCS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-02 10:02]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:23]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:23]

2010-05-19 c:\windows\Tasks\User_Feed_Synchronization-{2CCF250D-CF24-4D67-ABDC-8554A1794A31}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555


uInternet Settings,ProxyOverride =
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Download with &FileFactory Turbo - c:\program files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab


FF - ProfilePath - c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}\components\snagitmozextension.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\stephen\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-CardScan AutoSync - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


Rootkit scan 2010-05-18 19:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\ARstore.dll

- - - - - - - > 'Explorer.exe'(2388)
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\NDAS\System\ndassvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DFDWiz.exe
c:\windows\RtHDVCpl.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2010-05-18 19:09:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-19 02:09

Pre-Run: 236,048,961,536 bytes free
Post-Run: 245,190,004,736 bytes free

- - End Of File - - 5AD4CC76B745EBBAAA886271F5C4977E

Sorry, forgot to paste DDS.TXT log data. Here it is:

DDS (Ver_10-03-17.01) - NTFSx86
Run by stephen at 16:18:02.61 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3327.1978 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\OneSuiteFax\Client\SendMng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DFDWiz.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\stephen\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Orb] "c:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [cdloader] "c:\users\stephen\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [sendmng] "c:\program files\onesuitefax\client\SendMng.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
StartupFolder: c:\users\stephen\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Winamp Search - c:\programdata\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Download with &FileFactory Turbo - c:\program files\filefactory turbo\plugins\ie\FileFactoryIE.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvLsp.dll
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20New%20York%20Fortune/Images/stg_drm.ocx
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20New%20York%20Fortune/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://netaphor.webex.com/client/T27L/webex/ieatgpc1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\stephen\appdata\roaming\mozilla\firefox\profiles\shzagy8d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\stephen\appdata\roaming\mozilla\firefox\profiles\shzagy8d.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\users\stephen\appdata\roaming\mozilla\firefox\profiles\shzagy8d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\stephen\appdata\roaming\mozilla\firefox\profiles\shzagy8d.default\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
FF - component: c:\users\stephen\appdata\roaming\mozilla\firefox\profiles\shzagy8d.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 lfsfilt;NDAS Lean File Sharing Service;c:\windows\system32\drivers\lfsfilt.sys [2009-1-19 274920]
R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2009-1-19 100840]
R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [2009-1-19 285160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [2009-1-19 416232]
R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [2009-1-19 769512]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-16 172032]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-3-24 133512]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-3-24 810120]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-3-24 41312]
R2 MSSQL$PCS;SQL Server (PCS);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2009-1-19 121832]
R3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2009-1-19 276968]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-12-24 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-8-16 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S4 gupdate1c98c6d7408d6b0;Google Update Service (gupdate1c98c6d7408d6b0);c:\program files\google\update\GoogleUpdate.exe [2009-2-11 133104]

=============== Created Last 30 ================

2010-05-19 23:17:10 0 ----a-w- c:\users\stephen\defogger_reenable
2010-05-19 02:08:16 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-18 01:52:48 77312 ----a-w- c:\windows\MBR.exe
2010-05-18 01:52:46 256512 ----a-w- c:\windows\PEV.exe
2010-05-18 01:52:45 98816 ----a-w- c:\windows\sed.exe
2010-05-18 01:52:45 161792 ----a-w- c:\windows\SWREG.exe
2010-05-17 00:55:06 0 d-----w- c:\program files\MSI Afterburner
2010-05-17 00:42:14 0 d-----w- c:\programdata\ATI
2010-05-17 00:38:41 0 d-----w- c:\program files\common files\ATI Technologies
2010-05-17 00:35:45 97792 ----a-w- c:\windows\system32\drivers\AtiHdmi.sys
2010-05-17 00:10:06 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-16 22:29:56 0 d-----w- c:\program files\ATI Technologies
2010-05-16 22:29:53 0 d-----w- c:\program files\ATI
2010-05-15 21:20:50 0 d-----w- c:\users\stephen\appdata\roaming\Malwarebytes
2010-05-15 21:20:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-15 21:20:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 21:20:40 0 d-----w- c:\programdata\Malwarebytes
2010-05-15 21:20:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 23:41:45 0 d-----w- c:\users\stephen\appdata\roaming\ESET
2010-05-14 23:39:34 0 d-----w- c:\programdata\ESET
2010-05-14 23:39:34 0 d-----w- c:\program files\ESET
2010-05-14 22:52:41 0 d-----w- c:\windows\preftech(delete)
2010-05-12 04:19:31 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 01:53:59 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-07 01:53:58 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-07 01:53:58 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-02 06:16:35 0 d-----w- c:\program files\MagicISO

==================== Find3M ====================

2010-05-18 19:03:28 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-17 00:38:13 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-17 00:38:13 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-17 00:38:06 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-16 05:39:11 35085 ----a-w- c:\programdata\nvModes.dat
2010-05-07 02:03:49 167016 ----a-w- c:\windows\DUMP6067.tmp
2010-05-06 17:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-25 03:33:54 41312 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2010-03-25 03:33:50 32584 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-03-25 03:33:46 134488 ----a-w- c:\windows\system32\drivers\epfw.sys
2010-03-25 03:31:06 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-25 03:24:34 31032 ----a-w- c:\windows\system32\ntaccess_64.sys
2010-03-25 03:24:28 25400 ----a-w- c:\windows\system32\Ntaccess.sys
2010-03-25 03:23:54 133512 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-14 23:13:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-12-25 07:49:44 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-13 01:46:36 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-11-13 01:46:36 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-11-13 01:46:36 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-12-25 10:15:05 88 --sh--r- c:\windows\system32\152EA7914C.sys

============= FINISH: 16:19:37.35 ===============


Merged posts. ~ OB



Edited by Orange Blossom, 19 May 2010 - 08:47 PM.




#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:04 AM

Posted 22 May 2010 - 05:32 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 scs

scs
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 22 May 2010 - 11:54 AM

Hi Shannon,

Thank you for the reply.

Below is a paste of my original post (posted in a different forum) that contains the detailed description that you requested.

I have already posted all the logs that you have asked for and more.

I can re-run if you really think it will make a difference, but, as per previously instructed, I have unplugged my computer from the network and not used it since running the following:

- DeFogger
- DDS
- GMER

Here is the problem description (Note I ran ComboFix before my first post, I now know I was not supposed to do that):

Hi,

This past weekend I noticed that my browser started redirecting to anonymous sites from google search links. I also noticed a fictitious antispyware called antispyware soft pop up on my screen. I also happened to purchase a new graphics card at about that same time. Rather than use the CD included in the box I decided to download the latest and greatest drivers directly from msi's home site. That is when I noticed the next symptom; I could no longer download a file. It would get to 99% and then get a host reset error.

At that point I rebooted in safe mode with networking and began to research the problem online and look for the best antispyware download. I decided on ESET. I downloaded and then ran the trial after a reboot to normal mode. ESET found numerous suspicious files and cleaned or quarantined them. I rebooted, opened up mozilla, ran a google search, clicked on it and all seemed okay until I clicked on another search link.

At that point all problems returned. I found that I could use google search links by copying the link and manually pasting into a new browser window.

I decided to search for manual resolutions and found a fix to search for and delete some file and then go into the registry and delete some entries. After doing so all seemed fine for a while, but then later it reincarnated itself with all previous problems and more. Now my email wouldn't work (outlook) and I started getting a persistent error box stating that the username and password for my proxy server were invalid 0.0.0.0.

At this point I rebooted back in safe with networking mode and then found a download called malwarebytes and ran it with the same outcome as all the other remedies, although it found things that ESET did not.

Back to Safe mode again! The next thing I did I now realize I should not have done after reading through your forum. I downloaded and ran "ComboFix", so my apologies for jumping the gun on that but I was in panic mode at that point and didn't fully read before acting. However, I probably lucked out. It crashed on the first several attempts until I finally figured out to disable ESET in the Start menu and then reboot. I also disabled a lot of other items on startup that I thought looked suspicious or were otherwise not essential. For example, I disabled all JAVA related items because I suspected an intrusion via JAVA for a while now. After reboot ComboFix ran through all phases and created a log file. As per your site instructions I am not posting it unless directed to do so.

The good news is that it fixed some things. With a cringe, I reluctantly restarted ESET and dared to try outlook again. ESET prompted me to allow or disallow each remote connection. Prior to allowing each, I independently verified the IP address of each from another PC. My email works fine now and the malware programs show no signs of still being on my computer.

However, I have not had the courage to open any browser since running "ComboFix". After reading your forums more (from another pc) I decided that it is best to have the experts advise from this point before I open another can of worms.

Thanks in advance and sorry for the book, but I wanted to provide as much relevant information as possible from point of first symptom to now.

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:04 PM

Posted 23 May 2010 - 07:40 AM

Hello and Welcome to BleepingComputer.

What is your E:\ drive? Is it a removable device?

Please provide a log from OTL:
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!



#5 scs

scs
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:04 AM

Posted 23 May 2010 - 12:15 PM

Hi Myrti,

Drive E:\ is a 1 TB USB drive that I copied my important files to and then disconnected.

Sorry for the delayed response. I disconnected my pc from the internet several days ago so I am having to sneakernet. Also, I had to reboot my pc in order to carry out the task you requested. 100% of the PC was being used with 48 active processes, although less than 20 showed up in task manager and none had more than 2% cpu usage at any given time. When I opened explorer to copy otl.exe there was no response and my task bar would show from 1 to 3 Windows Explorer items.

Rebooting seems to have fixed that for now.

Thanks for your help. Here are the contents of the OTL logs.

OTL.TXT

OTL logfile created on: 5/23/2010 9:44:21 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\stephen\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 69.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 838.37 Gb Total Space | 194.57 Gb Free Space | 23.21% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 155.09 Gb Free Space | 66.60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 1008.97 Mb Total Space | 1005.67 Mb Free Space | 99.67% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
Drive H: | 465.76 Gb Total Space | 265.03 Gb Free Space | 56.90% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 559.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: STEPHEN-PC
Current User Name: stephen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/23 09:20:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\stephen\Desktop\OTL(2).exe
PRC - [2010/03/24 20:31:50 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/11/24 22:17:34 | 000,368,640 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/11/24 22:17:04 | 000,172,032 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/07/01 09:37:06 | 000,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2009/06/30 18:40:20 | 000,163,872 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvraidservice.exe
PRC - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/04/10 23:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2009/01/19 16:42:16 | 000,411,112 | ---- | M] (XIMETA, Inc.) -- C:\Program Files\NDAS\System\ndassvc.exe
PRC - [2009/01/19 16:42:16 | 000,341,480 | ---- | M] (XIMETA, Inc.) -- C:\Program Files\NDAS\System\ndasmgmt.exe
PRC - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/03/31 05:52:20 | 000,520,192 | ---- | M] (Sagem-Interstar Inc.) -- C:\Program Files\OneSuiteFax\Client\SendMng.exe
PRC - [2008/03/26 14:21:30 | 005,369,856 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/19 00:38:40 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe


========== Modules (SafeList) ==========

MOD - [2010/05/23 09:20:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\stephen\Desktop\OTL(2).exe
MOD - [2009/04/10 23:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/19 00:33:02 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [Disabled | Stopped] -- -- (ProtexisLicensing)
SRV - [2010/03/24 20:39:48 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/03/24 20:31:50 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/11/24 22:17:04 | 000,172,032 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/09/24 18:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/11 20:59:17 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/08/10 16:59:50 | 000,178,720 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)
SRV - [2009/08/10 16:59:48 | 000,387,616 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2009/05/27 04:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$PCS) SQL Server (PCS)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/02/22 13:30:12 | 000,104,320 | ---- | M] (Algorithmic Research Ltd.) [Disabled | Stopped] -- C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE -- (ARcltsrv)
SRV - [2009/02/06 18:08:58 | 000,533,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/01/19 16:42:16 | 000,411,112 | ---- | M] (XIMETA, Inc.) [Auto | Running] -- C:\Program Files\NDAS\System\ndassvc.exe -- (ndassvc)
SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 23:31:07 | 000,239,968 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 23:31:07 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/10/10 05:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/01/19 00:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/04/03 22:55:32 | 011,573,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/03/24 20:33:54 | 000,041,312 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfp.sys -- (epfwwfp)
DRV - [2010/03/24 20:33:50 | 000,032,584 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2010/03/24 20:33:46 | 000,134,488 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfw.sys -- (epfw)
DRV - [2010/03/24 20:31:06 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/03/24 20:23:54 | 000,133,512 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2009/11/24 22:51:32 | 005,143,552 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/11/18 03:24:50 | 000,097,792 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/08/04 18:44:14 | 000,213,024 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2009/08/04 18:44:12 | 000,139,296 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvrd32.sys -- (nvrd32)
DRV - [2009/07/30 18:12:56 | 000,282,144 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/04/10 21:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/02/06 18:08:52 | 000,055,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fssfltr.sys -- (fssfltr)
DRV - [2009/01/19 16:43:58 | 000,769,512 | ---- | M] (XIMETA, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\ndasrofs.sys -- (ndasrofs)
DRV - [2009/01/19 16:43:46 | 000,416,232 | ---- | M] (XIMETA, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\ndasfat.sys -- (ndasfat)
DRV - [2009/01/19 16:43:44 | 000,285,160 | ---- | M] (XIMETA, Inc.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\ndasfs.sys -- (ndasfs)
DRV - [2009/01/19 16:43:42 | 000,274,920 | ---- | M] (XIMETA, Inc.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\lfsfilt.sys -- (lfsfilt)
DRV - [2009/01/19 16:43:36 | 000,276,968 | ---- | M] (XIMETA, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndasscsi.sys -- (ndasscsi)
DRV - [2009/01/19 16:43:32 | 000,121,832 | ---- | M] (XIMETA, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ndasbus.sys -- (ndasbus)
DRV - [2009/01/19 16:43:26 | 000,100,840 | ---- | M] (XIMETA, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\lpx.sys -- (lpx)
DRV - [2008/03/26 19:35:54 | 002,103,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/01/05 22:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 02:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 02:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 02:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 02:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 02:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 02:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 02:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 02:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 02:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 02:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 02:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 02:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 02:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 02:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 02:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 02:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 02:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 02:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 02:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 02:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 02:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 02:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 02:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 02:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 02:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 02:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 02:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 02:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 02:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 02:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 02:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 02:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 01:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 01:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 01:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 01:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 01:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 01:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 00:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 00:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)
DRV - [2006/11/02 00:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [1999/12/13 04:41:12 | 000,009,696 | R--- | M] (MICRO-STAR INT'L CO., LTD) [Kernel | On_Demand | Stopped] -- J:\Install\GMSIPCI.SYS -- (GMSIPCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: autofillForms@blueimp.net:0.9.5.2
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.66.0
FF - prefs.js..extensions.enabledItems: {6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}:1.2.0
FF - prefs.js..extensions.enabledItems: {0b38152b-1b20-484d-a11f-5e04a9b0661f}:5.6.11.2
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/06/05 21:05:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/17 00:22:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/17 00:22:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010/05/14 16:39:43 | 000,000,000 | ---D | M]

[2009/01/07 00:23:57 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Extensions
[2010/05/18 00:03:31 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions
[2009/09/05 15:53:48 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2009/08/01 12:14:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/30 17:47:00 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/02/21 12:21:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/04 23:26:06 | 000,000,000 | ---D | M] (Snagit Firefox Extension) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}
[2009/06/18 17:37:48 | 000,000,000 | ---D | M] (IE Tab) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/03/08 22:29:58 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/02/21 12:21:16 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/10/12 15:15:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2009/02/22 22:16:41 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\autofillForms@blueimp.net
[2010/04/03 15:03:52 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\personas@christopher.beard
[2010/03/21 13:32:44 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\SkipScreen@SkipScreen
[2010/02/21 12:21:54 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\support@lastpass.com
[2009/12/27 02:11:57 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\thepiratebay@toolbar
[2010/02/22 11:00:28 | 000,000,000 | ---D | M] -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\toolbar@ask.com
[2009/09/05 15:53:58 | 000,001,201 | ---- | M] () -- C:\Users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\searchplugins\winamp-search.xml
[2010/05/15 22:23:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/23 17:48:08 | 000,061,848 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2009/09/25 18:03:10 | 000,071,016 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsharedview.dll

O1 HOSTS File: ([2010/05/18 19:00:19 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HelperObject Class) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [NVRaidService] C:\Windows\System32\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [sendmng] C:\Program Files\OneSuiteFax\Client\SendMng.exe (Sagem-Interstar Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000..\Run: [cdloader] C:\Users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000..\Run: [Orb] C:\Program Files\Winamp Remote\bin\OrbTray.exe (Orb Networks)
O4 - Startup: C:\Users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: Download with &FileFactory Turbo - C:\Program Files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll (NVIDIA)
O15 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\..Trusted Domains: com ([www.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-4072351400-4203848050-4040750151-1000\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20New%20York%20Fortune/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20New%20York%20Fortune/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://netaphor.webex.com/client/T27L/webex/ieatgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img1.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img1.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2001/02/22 02:04:58 | 000,000,046 | R--- | M] () - J:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/23 09:40:55 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\stephen\Desktop\OTL(2).exe
[2010/05/18 19:09:37 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/18 19:09:37 | 000,000,000 | ---D | C] -- C:\Users\stephen\AppData\Local\temp
[2010/05/18 19:08:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/18 17:50:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/17 18:52:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/17 18:52:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/17 18:52:44 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/17 18:52:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/17 18:51:39 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/17 09:25:00 | 000,000,000 | ---D | C] -- C:\Users\stephen\Documents\Downloads
[2010/05/16 17:55:06 | 000,000,000 | ---D | C] -- C:\Program Files\MSI Afterburner
[2010/05/16 17:42:14 | 000,000,000 | ---D | C] -- C:\Users\stephen\AppData\Roaming\ATI
[2010/05/16 17:42:14 | 000,000,000 | ---D | C] -- C:\Users\stephen\AppData\Local\ATI
[2010/05/16 17:42:14 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2010/05/16 17:38:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ATI Technologies
[2010/05/16 17:35:45 | 000,097,792 | ---- | C] (ATI Technologies, Inc.) -- C:\Windows\System32\drivers\AtiHdmi.sys
[2010/05/16 15:30:03 | 013,487,616 | ---- | C] (ATI Technologies Inc.) -- C:\Windows\System32\atioglxx.dll
[2010/05/16 15:30:03 | 005,143,552 | ---- | C] (ATI Technologies Inc.) -- C:\Windows\System32\drivers\atikmdag.sys
[2010/05/16 15:30:03 | 003,629,056 | ---- | C] (Advanced Micro Devices Inc.) -- C:\Windows\System32\aticaldd.dll
[2010/05/16 15:30:03 | 003,617,792 | ---- | C] (ATI Technologies Inc. ) -- C:\Windows\System32\atiumdag.dll
[2010/05/16 15:30:03 | 003,055,616 | ---- | C] (ATI Technologies Inc. ) -- C:\Windows\System32\atidxx32.dll
[2010/05/16 15:30:03 | 002,899,968 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\Windows\System32\atiumdva.dll
[2010/05/16 15:30:03 | 000,446,464 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\Windows\System32\ATIDEMGX.dll
[2010/05/16 15:30:03 | 000,368,640 | ---- | C] (AMD) -- C:\Windows\System32\atieclxx.exe
[2010/05/16 15:30:03 | 000,356,352 | ---- | C] (ATI Technologies, Inc.) -- C:\Windows\System32\atipdlxx.dll
[2010/05/16 15:30:03 | 000,274,432 | ---- | C] (ATI Technologies, Inc.) -- C:\Windows\System32\Oemdspif.dll
[2010/05/16 15:30:03 | 000,225,280 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\Windows\System32\atiadlxx.dll
[2010/05/16 15:30:03 | 000,172,032 | ---- | C] (AMD) -- C:\Windows\System32\atiesrxx.exe
[2010/05/16 15:30:03 | 000,159,744 | ---- | C] (AMD) -- C:\Windows\System32\atitmmxx.dll
[2010/05/16 15:30:03 | 000,118,784 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\Windows\System32\atibtmon.exe
[2010/05/16 15:30:03 | 000,053,248 | ---- | C] (ATI Technologies Inc.) -- C:\Windows\System32\drivers\ati2erec.dll
[2010/05/16 15:30:03 | 000,053,248 | ---- | C] (Advanced Micro Devices Inc.) -- C:\Windows\System32\aticalrt.dll
[2010/05/16 15:30:03 | 000,053,248 | ---- | C] (Advanced Micro Devices Inc.) -- C:\Windows\System32\aticalcl.dll
[2010/05/16 15:30:03 | 000,052,224 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\Windows\System32\atimpc32.dll
[2010/05/16 15:30:03 | 000,052,224 | ---- | C] (Advanced Micro Devices, Inc. ) -- C:\Windows\System32\amdpcom32.dll
[2010/05/16 15:30:03 | 000,043,520 | ---- | C] (ATI Technologies, Inc.) -- C:\Windows\System32\ati2edxx.dll
[2010/05/16 15:30:03 | 000,011,776 | ---- | C] (AMD) -- C:\Windows\System32\atimuixx.dll
[2010/05/16 15:30:03 | 000,000,000 | ---D | C] -- C:\CIMTEMP
[2010/05/16 15:29:56 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2010/05/16 15:29:53 | 000,000,000 | ---D | C] -- C:\Program Files\ATI
[2010/05/15 14:20:50 | 000,000,000 | ---D | C] -- C:\Users\stephen\AppData\Roaming\Malwarebytes
[2010/05/15 14:20:41 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/15 14:20:40 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/15 14:20:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/15 14:20:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/14 19:00:27 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/05/14 18:03:15 | 000,000,000 | ---D | C] -- C:\Users\stephen\AppData\Local\boebrwujr
[2010/05/14 16:41:45 | 000,000,000 | ---D | C] -- C:\Users\stephen\AppData\Roaming\ESET
[2010/05/14 16:41:45 | 000,000,000 | ---D | C] -- C:\Users\stephen\AppData\Local\ESET
[2010/05/14 16:39:34 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2010/05/14 16:39:34 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/14 15:52:41 | 000,000,000 | ---D | C] -- C:\Windows\preftech(delete)
[2010/05/13 14:47:39 | 000,000,000 | ---D | C] -- C:\Users\stephen\Documents\Mustang
[2010/05/06 18:53:59 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2010/05/06 18:53:58 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2010/05/01 23:16:35 | 000,000,000 | ---D | C] -- C:\Program Files\MagicISO
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/23 09:45:36 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{2CCF250D-CF24-4D67-ABDC-8554A1794A31}.job
[2010/05/23 09:42:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/05/23 09:41:49 | 005,767,168 | -HS- | M] () -- C:\Users\stephen\NTUSER.DAT
[2010/05/23 09:40:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/23 09:39:46 | 000,004,448 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/23 09:39:46 | 000,004,448 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/23 09:39:44 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/23 09:39:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/23 09:39:28 | 3489,165,312 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/23 09:28:09 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/23 09:20:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\stephen\Desktop\OTL(2).exe
[2010/05/19 16:21:55 | 000,005,710 | ---- | M] () -- C:\Users\stephen\Desktop\Attach.zip
[2010/05/19 16:17:10 | 000,000,000 | ---- | M] () -- C:\Users\stephen\defogger_reenable
[2010/05/19 15:59:21 | 000,816,520 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/19 15:59:21 | 000,683,462 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/19 15:59:21 | 000,135,104 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/19 14:22:06 | 000,284,915 | ---- | M] () -- C:\Users\stephen\Desktop\gmer.zip
[2010/05/19 14:21:32 | 000,525,824 | ---- | M] () -- C:\Users\stephen\Desktop\dds.scr
[2010/05/19 14:21:08 | 000,050,477 | ---- | M] () -- C:\Users\stephen\Desktop\Defogger.exe
[2010/05/19 12:59:02 | 000,524,288 | -HS- | M] () -- C:\Users\stephen\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/05/19 12:59:02 | 000,065,536 | -HS- | M] () -- C:\Users\stephen\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/19 12:58:54 | 003,803,415 | -H-- | M] () -- C:\Users\stephen\AppData\Local\IconCache.db
[2010/05/18 19:01:21 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/18 19:00:19 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/05/18 14:51:19 | 000,181,248 | ---- | M] () -- C:\Users\stephen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/18 12:03:28 | 000,002,620 | -HS- | M] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/05/17 09:24:09 | 003,690,041 | R--- | M] () -- C:\Users\stephen\Desktop\ComboFix.exe
[2010/05/17 01:12:54 | 000,000,000 | ---- | M] () -- C:\Users\stephen\Documents\hosts
[2010/05/17 00:22:26 | 000,001,724 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/05/16 17:55:10 | 000,000,883 | ---- | M] () -- C:\Users\stephen\Desktop\MSI Afterburner.lnk
[2010/05/16 17:10:06 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2010/05/16 15:26:45 | 000,001,356 | ---- | M] () -- C:\Users\stephen\AppData\Local\d3d9caps.dat
[2010/05/16 15:01:26 | 000,000,903 | ---- | M] () -- C:\Users\stephen\Desktop\magicJack.lnk
[2010/05/15 22:39:11 | 000,035,085 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/05/15 22:38:30 | 000,035,085 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/05/15 00:56:29 | 000,499,720 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/05/14 19:04:11 | 000,135,128 | ---- | M] () -- C:\Users\stephen\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/05/14 17:30:44 | 001,019,904 | ---- | M] () -- C:\Users\stephen\Documents\pa6db.mdb
[2010/05/14 11:46:14 | 000,012,865 | ---- | M] () -- C:\Users\stephen\Documents\Mustang_partedout.xlsx
[2010/05/12 21:19:01 | 000,002,073 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/05/11 19:48:42 | 000,013,848 | ---- | M] () -- C:\Users\stephen\Documents\Mustang.xlsx
[2010/05/06 18:59:02 | 000,000,039 | ---- | M] () -- C:\Windows\vbaddin.ini
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/04 09:09:02 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/05/01 23:16:36 | 000,001,608 | ---- | M] () -- C:\Users\stephen\Desktop\MagicISO.lnk
[2010/05/01 14:26:53 | 003,276,800 | ---- | M] () -- C:\Users\stephen\Documents\Tasks.accdb
[2010/05/01 14:04:48 | 001,818,624 | ---- | M] () -- C:\Users\stephen\Documents\Sales pipeline.accdb
[2010/05/01 13:49:12 | 001,605,632 | ---- | M] () -- C:\Users\stephen\Documents\Projects1.accdb
[2010/05/01 13:47:54 | 001,474,560 | ---- | M] () -- C:\Users\stephen\Documents\Projects.accdb
[2010/05/01 13:25:22 | 002,359,296 | ---- | M] () -- C:\Users\stephen\Documents\Marketing projects.accdb
[2010/05/01 13:23:23 | 000,724,992 | ---- | M] () -- C:\Users\stephen\Documents\Events.accdb
[2010/05/01 13:22:58 | 001,441,792 | ---- | M] () -- C:\Users\stephen\Documents\Issues.accdb
[2010/05/01 13:20:29 | 001,044,480 | ---- | M] () -- C:\Users\stephen\Documents\Contacts.accdb
[2010/05/01 13:12:00 | 002,064,384 | ---- | M] () -- C:\Users\stephen\Documents\Assets.accdb
[2010/04/30 18:48:05 | 001,867,776 | ---- | M] () -- C:\Users\stephen\Documents\Assets_Backup.accdb
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/28 20:49:06 | 000,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/19 16:23:51 | 000,293,376 | ---- | C] () -- C:\Users\stephen\Desktop\gmer.exe
[2010/05/19 16:21:55 | 000,005,710 | ---- | C] () -- C:\Users\stephen\Desktop\Attach.zip
[2010/05/19 16:17:10 | 000,000,000 | ---- | C] () -- C:\Users\stephen\defogger_reenable
[2010/05/19 16:12:22 | 000,050,477 | ---- | C] () -- C:\Users\stephen\Desktop\Defogger.exe
[2010/05/19 16:12:17 | 000,525,824 | ---- | C] () -- C:\Users\stephen\Desktop\dds.scr
[2010/05/19 16:12:17 | 000,284,915 | ---- | C] () -- C:\Users\stephen\Desktop\gmer.zip
[2010/05/18 00:23:49 | 000,001,526 | ---- | C] () -- C:\Users\stephen\Disk Recovery Instructions.txt
[2010/05/17 18:52:48 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/17 18:52:46 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/05/17 18:52:45 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/17 18:52:45 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/17 18:52:45 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/17 18:20:01 | 003,690,041 | R--- | C] () -- C:\Users\stephen\Desktop\ComboFix.exe
[2010/05/17 01:12:54 | 000,000,000 | ---- | C] () -- C:\Users\stephen\Documents\hosts
[2010/05/16 17:55:10 | 000,000,883 | ---- | C] () -- C:\Users\stephen\Desktop\MSI Afterburner.lnk
[2010/05/16 17:10:06 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/05/16 17:10:03 | 3489,165,312 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/16 15:30:03 | 000,402,016 | ---- | C] () -- C:\Windows\System32\atiumdva.cap
[2010/05/16 15:30:03 | 000,294,912 | ---- | C] () -- C:\Windows\System32\ATIODE.exe
[2010/05/16 15:30:03 | 000,196,565 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2010/05/16 15:30:03 | 000,045,056 | ---- | C] () -- C:\Windows\System32\ATIODCLI.exe
[2010/05/16 15:30:03 | 000,019,017 | ---- | C] () -- C:\Windows\atiogl.xml
[2010/05/12 21:19:01 | 000,002,073 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/05/12 15:29:06 | 000,012,865 | ---- | C] () -- C:\Users\stephen\Documents\Mustang_partedout.xlsx
[2010/05/11 09:05:53 | 000,013,848 | ---- | C] () -- C:\Users\stephen\Documents\Mustang.xlsx
[2010/05/01 23:16:36 | 000,001,608 | ---- | C] () -- C:\Users\stephen\Desktop\MagicISO.lnk
[2010/05/01 14:04:56 | 003,276,800 | ---- | C] () -- C:\Users\stephen\Documents\Tasks.accdb
[2010/05/01 13:49:19 | 001,818,624 | ---- | C] () -- C:\Users\stephen\Documents\Sales pipeline.accdb
[2010/05/01 13:48:00 | 001,605,632 | ---- | C] () -- C:\Users\stephen\Documents\Projects1.accdb
[2010/05/01 13:25:27 | 001,474,560 | ---- | C] () -- C:\Users\stephen\Documents\Projects.accdb
[2010/05/01 13:23:29 | 002,359,296 | ---- | C] () -- C:\Users\stephen\Documents\Marketing projects.accdb
[2010/05/01 13:23:03 | 000,724,992 | ---- | C] () -- C:\Users\stephen\Documents\Events.accdb
[2010/05/01 13:20:33 | 001,441,792 | ---- | C] () -- C:\Users\stephen\Documents\Issues.accdb
[2010/05/01 13:18:51 | 001,044,480 | ---- | C] () -- C:\Users\stephen\Documents\Contacts.accdb
[2010/04/30 18:48:08 | 001,867,776 | ---- | C] () -- C:\Users\stephen\Documents\Assets_Backup.accdb
[2010/04/29 06:56:54 | 002,064,384 | ---- | C] () -- C:\Users\stephen\Documents\Assets.accdb
[2009/11/20 13:36:58 | 000,112,504 | ---- | C] () -- C:\Windows\System32\ArMonitor.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/16 17:12:51 | 000,010,752 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/06/16 17:12:51 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2009/06/06 13:44:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/02/19 19:59:14 | 000,178,176 | ---- | C] () -- C:\Windows\System32\StellarProfile.dll
[2008/12/25 03:15:05 | 000,002,620 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2008/12/25 03:15:05 | 000,000,088 | RHS- | C] () -- C:\Windows\System32\152EA7914C.sys
[2008/12/25 02:00:54 | 000,000,162 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/02/01 08:18:14 | 000,009,216 | ---- | C] () -- C:\Windows\System32\drivers\FlashSys.sys
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\stephen\Documents\The Final Cut.m3u:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\stephen\Documents\Stephen Stannard - CEi Cover Letter.doc:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\stephen\Documents\Recommendations For Stephen from LinkedIn.doc:Roxio EMC Stream
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:6DFF1A8A
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:3E69E337
< End of report >

EXTRAS.TXT

OTL Extras logfile created on: 5/23/2010 9:44:21 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\stephen\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 69.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 838.37 Gb Total Space | 194.57 Gb Free Space | 23.21% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 155.09 Gb Free Space | 66.60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 1008.97 Mb Total Space | 1005.67 Mb Free Space | 99.67% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
Drive H: | 465.76 Gb Total Space | 265.03 Gb Free Space | 56.90% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 559.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: STEPHEN-PC
Current User Name: stephen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4072351400-4203848050-4040750151-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03D19CC6-805E-4D11-900B-54F9FC1C6794}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{0B54A927-BD7A-436A-B9DB-1477E5DB97D0}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{0E718CFA-EC34-4030-960E-1B92B75D0B3C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{10C34EDA-ADE8-4B62-A269-B5F37D334D94}" = rport=139 | protocol=6 | dir=out | app=system |
"{1214D9BE-117E-4D59-BF12-0E6054E94CAF}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{383572CB-57E3-401E-A504-C5F718711414}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{556CA3D7-370D-4E14-92C5-CF786980F866}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{57C207F5-ADE7-484F-B9CB-79C086983AF1}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{5F3822EF-13F8-4570-851A-A3955C977614}" = rport=445 | protocol=6 | dir=out | app=system |
"{61A53303-4369-4515-A9CA-51F7B1E9D234}" = rport=138 | protocol=17 | dir=out | app=system |
"{7428F624-B142-4E1C-B946-D462FEBC61A9}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{76BD31D6-707C-4AA2-8544-39484BEFA550}" = lport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdateservice.exe |
"{83C9A774-F2D9-48FC-A4DB-737A97153014}" = lport=2869 | protocol=6 | dir=in | app=system |
"{8A620318-F119-4EFF-81A2-D941C6C3E700}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{90899AE7-6F77-483A-9521-8B77094FA704}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{92974593-4F83-4E9E-BD97-E3095151B0AA}" = rport=137 | protocol=17 | dir=out | app=system |
"{9473C86A-F1EB-402F-912A-6FB5FDEFB188}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |
"{AB9E0E54-3EE5-4C69-B039-2AA51824FEB8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{B02FA7D0-230D-47CF-8FFD-6848BAFD62F6}" = lport=138 | protocol=17 | dir=in | app=system |
"{B3DB378A-95BF-44FE-882F-FB6327AE7890}" = lport=139 | protocol=6 | dir=in | app=system |
"{BA3FFE8F-DF8A-43BB-8159-1A57C2D16C7C}" = lport=137 | protocol=17 | dir=in | app=system |
"{C6A93554-257E-4E13-A08B-619AE9E136EF}" = lport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdater.exe |
"{E22F13E8-8D31-4366-B7DE-BC1F101B7CA0}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{F76E93BE-F0B3-43AD-81AF-0F816ECA7C8B}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{066839F1-5CC8-4904-9165-F7111138CCE7}" = protocol=17 | dir=in | app=c:\program files\print audit inc\print audit 6\client\pa6clint.exe |
"{159DF947-CD83-4064-9432-4F4201781505}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{1F6AE4AC-F8E6-4186-BD37-30391A22FD5B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{2BC73B98-D136-4134-9854-EB182F273A38}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{2E21D503-4793-4A26-A486-F627597611AE}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{3F9C2892-DD52-4D49-A2BF-D03DA15F0706}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{46CEE23B-7E69-478A-A546-A009B48E5AC9}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{54503F0B-BA44-486B-9425-4482869DB3BE}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orb.exe |
"{547CA610-986B-4788-A117-CDCDFECA8A00}" = protocol=6 | dir=in | app=c:\program files\print audit inc\print audit 6\data\pa6clcom.exe |
"{5761B722-0F8B-43F9-B410-B88F74B09107}" = protocol=6 | dir=in | app=c:\program files\print audit inc\print audit 6\client\pa6clint.exe |
"{6C67C792-C305-4D78-9966-E84315335BA9}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{70BEDE0F-9B8C-403C-BC8A-71AB11218BC5}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{81C052F8-A36E-4EAD-AB1A-6396D47B8598}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{89F7998D-C58D-40B1-A440-119AB17761B7}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orbir.exe |
"{961DB487-DD94-4187-B156-7FA8BF8C2D8E}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orbtray.exe |
"{97E85DEE-5A4D-4F48-A814-92A6342623E5}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orbstreamerclient.exe |
"{9D39DBCA-3613-4834-AF1C-ACE697D799D6}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{A1ACC853-ABD9-4962-802F-92E954CC2214}" = protocol=17 | dir=in | app=c:\program files\print audit inc\print audit 6\data\pa6clcom.exe |
"{AF88DDC4-2205-4DEB-AECA-D24729B4B42D}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{B456347D-057A-455B-83D8-8675892D6770}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{BDF43427-2810-4AE5-B043-15513FB46432}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orbtray.exe |
"{C0DE8BB3-3B4A-47A7-8E2B-9A804CB00169}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{C3305461-F8A7-47E4-A12A-4226E9A05F12}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{C84FE7A6-9259-4AE8-BDA3-CB90227BC20C}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orbstreamerclient.exe |
"{C8A5DB02-E002-4C46-8B56-040F9C98599E}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{D83390D9-00C3-4E41-A667-8156090A4DCC}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{DAE938CA-C6FF-41B5-B75F-46264DD46632}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{EB3AFACE-9FD5-4346-843E-80B11BE8828B}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{ED502161-A34F-4B0F-A3EF-FA92F53FD3BE}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orbir.exe |
"{F0FFC833-F246-4E88-958D-9B5524734341}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{F1CF31EF-58A5-4EEF-B141-7D456EF260A3}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{F866DD34-0D53-4C00-AFAA-13FE3BCCFB2C}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orb.exe |
"TCP Query User{1FF27034-FE59-47E8-B4BC-598AAD065F52}C:\program files\winamp\winamp.exe" = protocol=6 | dir=in | app=c:\program files\winamp\winamp.exe |
"TCP Query User{82E9FB24-4CDD-4E4E-9162-D23507375FFA}C:\program files\microsoft office\live meeting 8\console\pwconsole.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"TCP Query User{8D199CAF-4A4A-46DA-AF2A-1CAD7E29A085}C:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe" = protocol=6 | dir=in | app=c:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe |
"TCP Query User{918282E1-CBDB-44FE-B6E6-E08824624FDE}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{C711BFC6-5162-4F2B-A787-31F1AB3F43A2}C:\program files\microsoft office\office12\groove.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"TCP Query User{D10B386F-2728-4F39-A9E3-082CD894966F}C:\program files\onesuitefax\client\sendfax.exe" = protocol=6 | dir=in | app=c:\program files\onesuitefax\client\sendfax.exe |
"TCP Query User{E5B82CAC-6A2C-47BD-8C8A-65C0CE878D1D}C:\program files\onesuitefax\client\sendfax.exe" = protocol=6 | dir=in | app=c:\program files\onesuitefax\client\sendfax.exe |
"TCP Query User{F115A41C-3C6C-4E50-9766-9203366D3E05}C:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe" = protocol=6 | dir=in | app=c:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe |
"TCP Query User{F5B5A345-97D5-487D-BC31-1BB01433CCAE}C:\users\stephen\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe" = protocol=6 | dir=in | app=c:\users\stephen\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe |
"UDP Query User{085C8B38-E9BA-4AD2-8B25-3CE48CEBA215}C:\users\stephen\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe" = protocol=17 | dir=in | app=c:\users\stephen\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe |
"UDP Query User{18DBD284-89BA-40D7-A218-1A6A5809FA08}C:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe" = protocol=17 | dir=in | app=c:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe |
"UDP Query User{4401EA91-EF9C-4D77-836A-2F27DC739DB7}C:\program files\microsoft office\live meeting 8\console\pwconsole.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"UDP Query User{5E9749AA-5433-4C8E-BB5C-FF25C037C895}C:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe" = protocol=17 | dir=in | app=c:\users\stephen\appdata\roaming\mjusbsp\magicjack.exe |
"UDP Query User{6BC59B7A-ECAB-4914-884C-4B445C8AF334}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{85C3C9E3-3815-4C59-9B48-862AF5E0467E}C:\program files\onesuitefax\client\sendfax.exe" = protocol=17 | dir=in | app=c:\program files\onesuitefax\client\sendfax.exe |
"UDP Query User{A5F52029-E518-4F81-8AC1-DFB93CF889D6}C:\program files\microsoft office\office12\groove.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"UDP Query User{B9287521-9CFE-4A5A-AF50-2E6730ED6374}C:\program files\winamp\winamp.exe" = protocol=17 | dir=in | app=c:\program files\winamp\winamp.exe |
"UDP Query User{C6754C62-ADEC-4439-AC7F-4181081AAB3D}C:\program files\onesuitefax\client\sendfax.exe" = protocol=17 | dir=in | app=c:\program files\onesuitefax\client\sendfax.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{06FEC0F9-D836-A627-C140-29D540A04F9B}" = CCC Help French
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0BF72DB9-CE2A-4F73-B235-5D0E39245FF3}" = Cisco WebEx Meeting Center for Firefox or Chrome
"{0E6ED660-498C-42F7-9EF4-FB0C96DFC01A}" = Snagit 9.1
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{14AFE241-FC6E-4FDB-BCA0-7AD6F4974171}" = Adobe Setup
"{151B385A-DE5C-4592-96B2-38FD6CFA05F8}" = NDAS Software 3.42.2000
"{15ABFF4D-9BA5-A152-4634-826B24407F2D}" = Catalyst Control Center Localization All
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{190297F8-14EC-4ECA-BFAC-72843DBFB382}" = Microsoft SharedView
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1D50AAF6-E33E-C5E1-944E-93EE577A6106}" = CCC Help English
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 18
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{27F00C63-449B-2FAB-CBE8-24AB80E17449}" = Acrobat.com
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (PCS)
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{3674DDB1-1EFF-44FC-AD5C-6E2B0F58F518}" = ARX Signature API
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
"{3F88AADB-7B14-6ECF-29DD-A3373313CFFA}" = CCC Help Italian
"{48BE87F0-9A5A-6A41-9A9A-DCB76A212BDA}" = ATI AVIVO Codecs
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AA4950A-533D-41A7-BF21-F1FE5D108AD1}" = ARX CoSign Client
"{4AB830AC-E256-4D88-9772-FDC4F592DA64}" = WebEx Document Suite
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{4E1D8C96-522A-C779-8176-31722F317AF3}" = Catalyst Control Center Graphics Previews Common
"{524228C9-826F-4B58-9E47-4F2E5C7E9F45}" = SnagIt 8
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{55FF6047-9F9F-D6DC-35CE-B19CEB83AE04}" = ATI Catalyst Install Manager
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5986B068-CCBD-46E3-8817-3EF37C57A7AD}" = ARX Office Signatures
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5B4C5449-92CF-438F-94CF-40725995023E}" = ARX OmniSign Printer
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{764B8FD0-8C0C-17F0-2963-266781E592E5}" = Skins
"{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}" = Windows Live Family Safety
"{780ABC54-480C-92E9-5C6B-308A5D82E176}" = ccc-utility
"{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ACAF398-B948-6089-C27D-ED6028CD864E}" = CCC Help Swedish
"{8D1B1070-5CA9-9188-A14A-B59751493C3A}" = Catalyst Control Center Graphics Light
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8E7165FC-5EF2-E3E0-25E9-ED4C650684F9}" = CCC Help Japanese
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPROR_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0120-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9516A4F3-A620-4C4B-B17C-750C6B87AF4B}" = ESET Smart Security
"{9624F676-62ED-D881-6004-2B76676A81A5}" = Catalyst Control Center Graphics Previews Vista
"{96FB6F2F-8CCA-D4BD-EC06-815A4476D89B}" = CCC Help Spanish
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A142397C-14FE-9966-71A7-9F5DE2F211B0}" = Catalyst Control Center InstallProxy
"{A1748ECE-BFC9-42FF-026A-F983A606D2CC}" = Catalyst Control Center Graphics Full Existing
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A8E850E1-993D-4FC6-A077-FE400415FE0B}" = ROI Analytics
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC388C78-2619-452C-BFBE-FABCC3194387}" = Microsoft Office Live Meeting 2007
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B0EC4494-075D-BBE3-930A-FFD1D40B89A7}" = Catalyst Control Center Core Implementation
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B79F9CEC-427E-E49D-DD14-63C19653CE67}" = CCC Help Danish
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BEC5D22B-A966-1D1C-0223-8187C07AC024}" = ccc-core-static
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1BD700E-92C1-4F3E-B934-0140440B336A}" = CardScan 7.0.5
"{D5D40461-E655-89A5-6273-BBBE9D1F291A}" = CCC Help Chinese Standard
"{DD441AD1-8C25-4F00-8B3B-486C3E253896}" = Passware Kit Standard Demo 9.3
"{DE470267-C671-2337-7D6F-15979539B9AE}" = CCC Help Norwegian
"{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}" = Corel Paint Shop Pro Photo XI
"{E2401EA9-4EB4-74A3-4F87-1DB5D7BC7A3A}" = CCC Help Finnish
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EE046602-85F3-4B87-A734-148C17748848}" = CryptoKit
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F10E67C1-25FA-61A7-A25C-84AD96BF833F}" = CCC Help Dutch
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5622E83-86B5-4C03-BA6B-26028F83D2B6}" = Catalyst Control Center - Branding
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F9299907-26DA-0237-159E-80BE4060400D}" = Catalyst Control Center Graphics Full New
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FBBBCD0A-111B-3DE7-048B-A99C1C4FBCA2}" = CCC Help German
"{FC55F354-E88F-0311-FA49-26AE81F89A80}" = CCC Help Chinese Traditional
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_acce07fd2c8fe7f9e3f26243e626578" = Adobe Dreamweaver CS4
"Afterburner" = MSI Afterburner 1.4.1
"BlueVoda_Website_Builder_1.0" = BlueVoda Website Builder 11.4
"CA Corporation Forms" = CA Corporation Forms
"ColorDetector200_is1" = Color Detector 2.0
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CryptoKit" = CryptoKit 4.2.13
"E.M. Total Video Player 1.31_is1" = E.M. Total Video Player 1.31
"Ewisoft Website Builder (include eCommerce Builder)_is1" = Ewisoft Website Builder (include eCommerce Builder) Version 5
"FLV Player" = FLV Player 2.0 (build 25)
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"InstallShield_{A8E850E1-993D-4FC6-A077-FE400415FE0B}" = ROI Analytics
"Kernel Ost to Pst (Evaluation Ver)_is1" = Kernel for ost Evaluation ver 7.05.01
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.2.5 Standard
"Magic ISO Maker v5.5 (build 0268)" = Magic ISO Maker v5.5 (build 0268)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MDB Unlock For Access" = MDB Unlock For Access
"MHTML Converter" = MHTML Converter
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.4)" = Mozilla Firefox (3.6.4)
"MP4 Player" = MP4 Player
"Mystery P.I. - The New York Fortune" = Mystery P.I. - The New York Fortune
"NVIDIA Drivers" = NVIDIA Drivers
"OneSuite Fax" = OneSuite Fax 2009-07
"Orb" = Winamp Remote
"OST2PST v2.1" = OST2PST v2.1
"PerformanceTest_is1" = PerformanceTest v6.1
"RealAlt_is1" = Real Alternative 2.0.1
"Recover Data for OST to PST (Trial Version)_is1" = Recover Data for OST to PST (Trial Version)
"Recovery Toolbox for Outlook_is1" = Recovery Toolbox for Outlook 1.0
"RecoveryFix for Ost - Evaluation ver 4.05.01_is1" = RecoveryFix for Ost - Evaluation ver 4.05.01
"ST6UNST #1" = MDWRecovery by E-Tech Recovery
"Stellar Phoenix Mailbox - Exchange Desktop_is1" = Stellar Phoenix Mailbox - Exchange Desktop v3.0
"SystemRequirementsLab" = System Requirements Lab
"The KMPlayer" = The KMPlayer (remove only)
"TurboTax 2008" = TurboTax 2008
"ULTIMATER" = Microsoft Office Ultimate 2007
"uTorrent" = µTorrent
"VISPROR" = Microsoft Office Visio Professional 2007
"VLC media player" = VLC media player 0.9.8a
"Winamp" = Winamp
"Winamp Toolbar" = Winamp Toolbar
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Wondershare Video Converter for BlackBerry_is1" = Wondershare Video Converter for BlackBerry(Build 4.0.6.1)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4072351400-4203848050-4040750151-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"ac3416a83900c6c5" = iMPS SnapShot
"GoToMeeting" = GoToMeeting 4.5.0.452
"magicJack Outlook Add-In" = magicJack Outlook Add-In 1.0.3.521
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/19/2010 9:08:53 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.6002.18005, time stamp
0x49e01da5, faulting module MpegSplitter.ax, version 1.0.0.4, time stamp 0x45edac44,
exception code 0xc0000094, fault offset 0x0002456b, process id 0x2d14, application
start time 0x01cac72fdee74810.

Error - 3/22/2010 7:38:30 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3667, time stamp 0x4b5102f0,
faulting module NPSWF32.dll, version 10.0.45.2, time stamp 0x4b5f91c2, exception
code 0xc0000005, fault offset 0x00077d00, process id 0x1d9c, application start time
0x01cac9838a37c550.

Error - 3/22/2010 8:45:09 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3667, time stamp 0x4b5102f0,
faulting module jvm.dll, version 16.0.0.13, time stamp 0x4b2ad748, exception code
0xc0000005, fault offset 0x000c7cf2, process id 0x239c, application start time 0x01caca18d07c3fb0.

Error - 3/23/2010 11:33:05 AM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3667, time stamp 0x4b5102f0,
faulting module jvm.dll, version 16.0.0.13, time stamp 0x4b2ad748, exception code
0xc0000005, fault offset 0x000c7cf2, process id 0x25a0, application start time 0x01caca23d69beed0.

Error - 3/23/2010 11:53:45 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3727, time stamp 0x4b9fb052,
faulting module NPSWF32.dll, version 10.0.45.2, time stamp 0x4b5f91c2, exception
code 0xc0000005, fault offset 0x002e8b7f, process id 0xf14, application start time
0x01caca9e3d98ad60.

Error - 3/24/2010 9:05:01 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application KMPlayer.exe, version 2.9.4.1434, time stamp
0x2a425e19, faulting module DiracSplitter.ax, version 1.2.925.0, time stamp 0x4946e2e2,
exception code 0x40000015, fault offset 0x00003713, process id 0xdcc, application
start time 0x01cacba3fbae1c80.

Error - 3/24/2010 9:30:18 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application KMPlayer.exe, version 2.9.4.1434, time stamp
0x2a425e19, faulting module DiracSplitter.ax, version 1.2.925.0, time stamp 0x4946e2e2,
exception code 0x40000015, fault offset 0x00003713, process id 0x1ef8, application
start time 0x01cacbb7a2a1d910.

Error - 3/24/2010 9:30:33 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application KMPlayer.exe, version 2.9.4.1434, time stamp
0x2a425e19, faulting module DiracSplitter.ax, version 1.2.925.0, time stamp 0x4946e2e2,
exception code 0x40000015, fault offset 0x00003713, process id 0x209c, application
start time 0x01cacbbac1027600.

Error - 3/26/2010 9:58:16 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3727, time stamp 0x4b9fb052,
faulting module js3250.dll, version 0.0.0.0, time stamp 0x4b9f9ac1, exception code
0xc0000005, fault offset 0x0007c91b, process id 0x238, application start time 0x01cacca6f7b5e190.

Error - 3/27/2010 4:32:16 PM | Computer Name = stephen-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.3727, time stamp 0x4b9fb052,
faulting module xul.dll, version 1.9.2.3727, time stamp 0x4b9faecb, exception code
0xc0000005, fault offset 0x004369c6, process id 0x2744, application start time 0x01cacdceba08b3d0.

[ OSession Events ]
Error - 2/3/2010 1:02:38 PM | Computer Name = stephen-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 67257
seconds with 25140 seconds of active time. This session ended with a crash.

Error - 4/30/2010 9:47:56 PM | Computer Name = stephen-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 447102
seconds with 3120 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 5/21/2010 9:31:03 AM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/21/2010 12:04:33 PM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/21/2010 7:09:18 PM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/21/2010 11:25:03 PM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/22/2010 7:48:33 AM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/22/2010 8:48:48 AM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/22/2010 11:23:48 AM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/23/2010 12:39:26 PM | Computer Name = stephen-PC | Source = volmgr | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/23/2010 12:39:36 PM | Computer Name = stephen-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:38:32 AM on 5/23/2010 was unexpected.

Error - 5/23/2010 12:40:26 PM | Computer Name = stephen-PC | Source = Service Control Manager | ID = 7026
Description =


< End of report >


#6 myrti (Malware Study Hall Admin)

Posted 23 May 2010 - 02:03 PM

Hi,

it seems you have been infected by a flash drive infection.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Please also run a fresh scan with ComboFix, make sure you download a fresh copy of ComboFix.
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
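
As an added illustration of the mechanism myrti describes (a folder named autorun.inf standing in for the file a flash-drive infection would drop), here is a small Python inspector that classifies what sits at a drive root. It is example code written for this page, not Flash_Disinfector's own logic; the sample autorun.inf contents are constructed, and the protective folder is created without the hidden attribute so the demo runs on any OS.

```python
"""Classify the autorun.inf at a drive root: absent, protective folder,
benign label file, or a launcher.  Example code for this page, not part of
Flash_Disinfector; the sample autorun.inf contents below are constructed."""
import os
import tempfile

# Directives that launch a program or rewrite the right-click shell menu.
# Sub-keys such as shell\open\command collapse to "shell" when checked.
RISKY_KEYS = {"open", "shellexecute", "shell"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    directives = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections, or filler lines added to dodge AV signatures
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def risky_directives(directives):
    """Subset of directives that would execute something on insert/double-click."""
    return {k: v for k, v in directives.items()
            if k.split("\\", 1)[0] in RISKY_KEYS}


def inspect_drive_root(root):
    """Return (status, risky) for the autorun.inf at `root`.

    status: "none"       -> no autorun.inf
            "vaccinated" -> autorun.inf is a directory (the protective placeholder)
            "benign"     -> file with only label/icon style directives
            "suspicious" -> file carrying open/shellexecute/shell directives
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "none", {}
    if os.path.isdir(path):
        return "vaccinated", {}
    with open(path, encoding="latin-1", errors="replace") as fh:
        risky = risky_directives(parse_autorun(fh.read()))
    return ("suspicious" if risky else "benign"), risky


# Constructed samples (not taken from the thread's logs).
BENIGN_SAMPLE = "[AutoRun]\nlabel=Photos\nicon=photos.ico\n"
MALICIOUS_SAMPLE = r"""[autorun]
;constructed launcher; real droppers often pad this file with junk lines
open=hidden\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=&Open
shell\open\command=hidden\update.exe
shell\explore\command=hidden\update.exe
action=Open folder to view files
"""


def run_demo():
    """Build four fake drive roots in a temp dir and inspect each."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    roots = {}
    for name in ("empty", "vaccinated", "photos", "infected"):
        roots[name] = os.path.join(base, name)
        os.makedirs(roots[name])
    # A folder named autorun.inf, as the vaccination tools create it.
    os.makedirs(os.path.join(roots["vaccinated"], "autorun.inf"))
    with open(os.path.join(roots["photos"], "autorun.inf"), "w", encoding="latin-1") as fh:
        fh.write(BENIGN_SAMPLE)
    with open(os.path.join(roots["infected"], "autorun.inf"), "w", encoding="latin-1") as fh:
        fh.write(MALICIOUS_SAMPLE)
    return {name: inspect_drive_root(path) for name, path in roots.items()}


if __name__ == "__main__":
    for name, (status, risky) in run_demo().items():
        print(f"{name:11s} {status:11s} {sorted(risky) if risky else ''}")
```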


#7 scs (Topic Starter)

Posted 23 May 2010 - 03:12 PM

Hi Myrti,

No such luck. The only prompt that appeared was Windows telling me it's not compatible with my version of Windows and asking me if I wanted to run in compatibility mode. I said "no, run as is". Now when I click on it nothing happens and I don't see the process running.

Also had a hard time downloading it to the other computer because AVG kept flagging it as a known virus.

regards,

Stephen

#8 myrti (Malware Study Hall Admin)

Posted 24 May 2010 - 02:38 PM

Hi,

what did AVG flag as malware, ComboFix or Flash_Disinfector?

Did you run ComboFix?

regards myrti



#9 scs (Topic Starter)

Posted 24 May 2010 - 03:35 PM

Hi Myrti,

It flagged flash_disinfector.exe as follows:

Threat Name: Generic.dx
Severity Level: "4 red Boxes"
Category: trojan
Description: This is a known Trojan/Backdoor. It is recommended that you quarantine this threat.


No, I didn't run CF again because your instructions said to run it after flash_disinfector.exe did its thing. Since it never worked, I didn't want to jump ahead until I heard from you.

Should I go ahead and run it?

#10 scs (Topic Starter)

Posted 24 May 2010 - 07:05 PM

I did the following on the infected PC in the following order:

1. Reboot
2. Ran ComboFix (Saved as Log_2.txt)
3. Ran Panda USB Vaccine on all USB devices including memory stick
4. Reboot
5. Ran ComboFix Again! (Saved as Log_ComboFix_Post_Panda_C_Vaccine_Reboot.txt)

Based on that can you let me know when you think it's safe for me to try to go back online?

Thanks,

Stephen

Attached Files



#11 myrti (Malware Study Hall Admin)

Posted 26 May 2010 - 05:57 AM

Hi,

there are a couple more files we need to take care of:
Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/317871/antispyware-soft/
Collect::
c:\windows\System32\drivers\djduta.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
Driver::
amvi
Folder::
c:\users\stephen\AppData\Local\boebrwujr


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards myrti


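
The ProxyServer line in that CFScript is worth recognising on its own: a proxy on 127.0.0.1 that the user never configured is how this family of rogues places itself between the browser and the web. As an added example (not ComboFix's code), the check below parses the WinINet ProxyServer value and flags loopback proxies; the 127.0.0.1:5555 value is the one from the script above, the other inputs are constructed, and since a local proxy can also be legitimate (a debugging proxy, some AV web filters) a hit is a lead to confirm rather than proof.

```python
"""Flag a WinINet ProxyServer value that points at the local machine.
Example code for this page, not ComboFix's logic.  The two inputs mirror
ProxyEnable and ProxyServer under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings."""
import ipaddress


def parse_proxy_server(value):
    """Parse ProxyServer into {scheme: (host, port)}.

    WinINet accepts "host:port" (all protocols, keyed "*" here) or a
    per-protocol list "http=host:port;https=host:port;ftp=...;socks=...".
    """
    proxies = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, eq, target = entry.partition("=")
        if not eq:
            scheme, target = "*", scheme
        target = target.split("://", 1)[-1]        # tolerate "http://host:port"
        host, sep, port = target.rpartition(":")
        if not sep:                                # no port given
            host, port = target, None
        proxies[scheme.strip().lower()] = (host.strip(), port)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the name localhost."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def assess_proxy(proxy_enable, proxy_server):
    """Return human-readable findings; an empty list means nothing unusual."""
    if not proxy_enable or not proxy_server:
        return []
    findings = []
    for scheme, (host, port) in parse_proxy_server(proxy_server).items():
        if is_loopback(host):
            where = f"{host}:{port}" if port else host
            findings.append(f"{scheme} traffic is routed through loopback proxy {where}")
    return findings


if __name__ == "__main__":
    # The value from the thread's CFScript, plus two constructed comparisons.
    for enable, server in ((1, "http=127.0.0.1:5555"),
                           (1, "proxy.corp.example:8080"),
                           (0, "http=127.0.0.1:5555")):
        print(repr(server), "->", assess_proxy(enable, server) or "no finding")
```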

#12 scs (Topic Starter)

Posted 26 May 2010 - 01:03 PM

Hi Myrti,

I created the script, dragged it into ComboFix, and then clicked on ComboFix. Then ComboFix informed me that ComboFix has expired and asked if I wanted to run it with reduced functionality.

#13 myrti (Malware Study Hall Admin)

Posted 26 May 2010 - 02:28 PM

Hi,

please delete the copy of ComboFix you currently have and download a fresh copy. Please run it without a script and post back the log in your next reply.

regards myrti



#14 scs (Topic Starter)

Posted 26 May 2010 - 08:14 PM

Myrti,

I already downloaded a clean copy of CF and repeated the steps to drag the script and execute before I read your most recent post telling me not to run it with the script. I had to run off for a few hours to take care of some business before it completed, so I just now was able to copy the log file.

I didn't notice any prompts from a message box that were any different from other times that I ran it so I never connected my computer to the network.

Until we have some idea of what is going on, I am trying to stay disconnected unless there is a specific reason to connect the infected PC, and then only for the specific period required.

Here is the CF posting with the CFScript you asked me to run.

ComboFix 10-05-26.01 - stephen 05/26/2010 14:21:32.8.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3327.2245 [GMT -7:00]
Running from: c:\users\stephen\Desktop\ComboFix.exe
Command switches used :: c:\users\stephen\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\stephen\AppData\Local\boebrwujr

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_amvi


((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
.

2010-05-26 21:31 . 2010-05-27 01:41 -------- d-----w- c:\users\stephen\AppData\Local\temp
2010-05-26 21:31 . 2010-05-26 21:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-26 21:31 . 2010-05-26 21:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-24 23:41 . 2010-05-24 23:41 -------- d-----w- c:\programdata\Panda Security
2010-05-24 23:40 . 2010-05-24 23:40 -------- d-----w- c:\program files\Panda USB Vaccine
2010-05-17 00:55 . 2010-05-17 00:55 -------- d-----w- c:\program files\MSI Afterburner
2010-05-17 00:42 . 2010-05-17 00:42 -------- d-----w- c:\users\stephen\AppData\Roaming\ATI
2010-05-17 00:42 . 2010-05-17 00:42 -------- d-----w- c:\users\stephen\AppData\Local\ATI
2010-05-17 00:42 . 2010-05-17 00:42 -------- d-----w- c:\programdata\ATI
2010-05-17 00:38 . 2010-05-17 00:38 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-05-17 00:35 . 2009-11-18 10:24 97792 ----a-w- c:\windows\system32\drivers\AtiHdmi.sys
2010-05-17 00:10 . 2010-05-17 00:10 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-16 22:29 . 2010-05-17 00:40 -------- d-----w- c:\program files\ATI Technologies
2010-05-16 22:29 . 2010-05-16 22:29 -------- d-----w- c:\program files\ATI
2010-05-15 21:20 . 2010-05-15 21:20 -------- d-----w- c:\users\stephen\AppData\Roaming\Malwarebytes
2010-05-15 21:20 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-15 21:20 . 2010-05-15 21:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-15 21:20 . 2010-05-15 21:20 -------- d-----w- c:\programdata\Malwarebytes
2010-05-15 21:20 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 02:00 . 2010-05-15 02:00 -------- d-----w- c:\windows\Sun
2010-05-14 23:41 . 2010-05-14 23:41 -------- d-----w- c:\users\stephen\AppData\Local\ESET
2010-05-14 23:39 . 2010-05-14 23:39 -------- d-----w- c:\program files\ESET
2010-05-14 22:52 . 2010-05-14 22:53 -------- d-----w- c:\windows\preftech(delete)
2010-05-12 04:19 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 01:53 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-07 01:53 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-07 01:53 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-02 06:16 . 2010-05-02 06:16 -------- d-----w- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 15:52 . 2009-02-11 17:22 -------- d-----w- c:\programdata\Google Updater
2010-05-18 23:35 . 2009-01-25 06:34 -------- d-----w- c:\users\stephen\AppData\Roaming\uTorrent
2010-05-18 19:03 . 2008-12-25 10:15 -------- d-----w- c:\users\stephen\AppData\Roaming\Corel
2010-05-18 19:03 . 2008-12-25 10:15 2620 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-17 00:34 . 2010-05-17 00:34 10134 ----a-r- c:\users\stephen\AppData\Roaming\Microsoft\Installer\{A142397C-14FE-9966-71A7-9F5DE2F211B0}\ARPPRODUCTICON.exe
2010-05-16 22:26 . 2009-01-17 05:19 1356 ----a-w- c:\users\stephen\AppData\Local\d3d9caps.dat
2010-05-16 22:01 . 2009-09-09 18:15 -------- d-----w- c:\users\stephen\AppData\Roaming\mjusbsp
2010-05-16 21:47 . 2009-03-25 18:29 -------- d-----w- c:\program files\Coupons
2010-05-16 21:46 . 2009-01-19 08:01 -------- d-----w- c:\program files\iCoolPlayer
2010-05-16 05:39 . 2009-11-14 21:36 35085 ----a-w- c:\programdata\nvModes.dat
2010-05-15 20:38 . 2008-12-25 10:06 -------- d-----w- c:\program files\Corel
2010-05-15 07:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-15 02:04 . 2008-12-25 05:32 135128 ----a-w- c:\users\stephen\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-15 00:27 . 2009-01-17 03:08 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-15 00:26 . 2009-01-17 03:08 -------- d-----w- c:\programdata\Roxio
2010-05-14 23:51 . 2008-12-25 08:17 -------- d-----w- c:\programdata\Microsoft Help
2010-05-14 23:27 . 2009-04-01 20:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-14 23:27 . 2009-11-30 17:36 -------- d-----w- c:\users\stephen\AppData\Roaming\SUPERAntiSpyware.com
2010-05-14 23:27 . 2009-11-30 17:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-08 03:48 . 2009-03-22 20:23 -------- d-----w- c:\users\stephen\AppData\Roaming\dvdcss
2010-05-07 02:27 . 2008-12-25 06:46 -------- d-----w- c:\programdata\NVIDIA
2010-05-07 02:03 . 2009-04-01 10:22 167016 ----a-w- c:\windows\DUMP6067.tmp
2010-05-07 02:00 . 2009-11-14 22:17 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-06 17:36 . 2009-10-03 08:54 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-12 07:41 . 2009-01-02 21:20 -------- d-----w- c:\program files\Google
2010-03-25 03:33 . 2010-03-25 03:33 41312 ----a-w- c:\windows\system32\drivers\epfwwfp.sys
2010-03-25 03:33 . 2010-03-25 03:33 32584 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2010-03-25 03:33 . 2010-03-25 03:33 134488 ----a-w- c:\windows\system32\drivers\epfw.sys
2010-03-25 03:31 . 2010-03-25 03:31 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-25 03:24 . 2010-03-25 03:24 31032 ----a-w- c:\windows\system32\ntaccess_64.sys
2010-03-25 03:24 . 2010-03-25 03:24 25400 ----a-w- c:\windows\system32\Ntaccess.sys
2010-03-25 03:23 . 2010-03-25 03:23 133512 ----a-w- c:\windows\system32\drivers\eamonm.sys
2010-03-05 14:01 . 2010-04-13 21:30 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-05-16 22:00 6870864 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-02-26 23:51 . 2010-03-14 22:40 6870864 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-05-16 22:00 743872 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-14 22:40 743872 ---ha-w- c:\users\stephen\AppData\Roaming\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe
2008-12-25 10:15 . 2008-12-25 10:15 88 --sh--r- c:\windows\System32\152EA7914C.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-19_02.01.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-25 06:47 . 2010-05-25 00:21 45508 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-05-26 20:48 64988 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2010-05-27 01:40 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-19 20:07 . 2010-05-19 23:31 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010051920100520\index.dat
+ 2006-11-02 13:02 . 2010-05-27 01:40 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2010-05-19 01:45 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-04 17:52 . 2010-05-18 07:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-04 17:52 . 2010-05-26 20:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-04 17:52 . 2010-05-18 07:51 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-04 17:52 . 2010-05-26 20:46 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-04 17:52 . 2010-05-18 07:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-04 17:52 . 2010-05-26 20:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-01 10:20 . 2010-05-24 18:56 2594 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-12-25 06:48 . 2010-05-26 20:48 7520 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4072351400-4203848050-4040750151-1000_UserData.bin
+ 2010-05-26 21:35 . 2010-05-26 21:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-19 01:45 . 2010-05-19 01:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-19 01:45 . 2010-05-19 01:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-26 21:35 . 2010-05-26 21:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2010-05-19 01:52 683462 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-26 21:42 683462 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-26 21:42 135104 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-05-19 01:52 135104 c:\windows\System32\perfc009.dat
- 2009-05-23 21:51 . 2010-05-18 08:23 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-05-23 21:51 . 2010-05-26 21:35 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2006-11-02 13:02 . 2010-05-27 01:40 720896 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-05 00:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2009-07-01 163872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"sendmng"="c:\program files\OneSuiteFax\Client\SendMng.exe" [2008-03-31 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-25 98304]

c:\users\stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2009-1-19 341480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-01-28 04:04 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-02-26 23:43 50520 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-03-25 03:31 2145000 ----a-w- c:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\stephen\AppData\Roaming\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 18:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 22:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 23:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-17 00:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-17 01:09 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:da,33,c4,3a,f9,e6,c9,01

R4 gupdate1c98c6d7408d6b0;Google Update Service (gupdate1c98c6d7408d6b0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]
S0 ndasfs;ndasfs;c:\windows\system32\DRIVERS\ndasfs.sys [2009-01-19 285160]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-25 114984]
S1 ndasfat;NDAS FAT File System Service;c:\windows\system32\DRIVERS\ndasfat.sys [2009-01-19 416232]
S1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\DRIVERS\ndasrofs.sys [2009-01-19 769512]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 172032]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-25 133512]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2010-03-25 810120]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-03-25 41312]
S2 MSSQL$PCS;SQL Server (PCS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-02 10:02]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:23]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:23]

2010-05-27 c:\windows\Tasks\User_Feed_Synchronization-{2CCF250D-CF24-4D67-ABDC-8554A1794A31}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Download with &FileFactory Turbo - c:\program files\FileFactory Turbo\Plugins\IE\FileFactoryIE.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}\components\snagitmozextension.dll
FF - component: c:\users\stephen\AppData\Roaming\Mozilla\Firefox\Profiles\shzagy8d.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\stephen\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 18:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\ARstore.dll

- - - - - - - > 'Explorer.exe'(496)
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\NDAS\System\ndassvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Panda USB Vaccine\USBVaccine.exe
c:\windows\RtHDVCpl.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2010-05-26 18:48:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-27 01:48
ComboFix2.txt 2010-05-25 00:54
ComboFix3.txt 2010-05-24 23:30
ComboFix4.txt 2010-05-19 02:09

Pre-Run: 195,408,289,792 bytes free
Post-Run: 189,873,561,600 bytes free

- - End Of File - - B7EA9AE6829797A5F9F53E2DB7742CF3
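
As an added example (not part of this post, of ComboFix, or of the BleepingComputer procedure), the Python script below parses the three line shapes that appear in the log above (file listings, Run-key values and service entries) and applies a few conservative heuristics a reviewer would otherwise apply by eye: an autostart that lives under a user-writable directory, a value that is a bare filename rather than an absolute path, a file carrying hidden+system attributes, and an executable or driver too small to be a normally linked PE image. The line formats, the directory list and the size threshold are assumptions inferred from this log. A hit is a reason to look, not a verdict: on the sample lines quoted from the log it flags magicJack's cdloader2.exe under AppData and the 88-byte hidden 152EA7914C.sys, both of which still need a human decision.

```python
"""Triage helper for ComboFix-style log lines.

Added example for this thread; not part of the original post, of ComboFix,
or of the BleepingComputer procedure.  It parses three line shapes seen in
the log, applies a few conservative heuristics and returns the entries a
reviewer should look at first.  A hit is a reason to inspect, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes inferred from the log (assumption: ComboFix keeps them stable).
FILE_RE = re.compile(
    r'^(?:[+-] )?(\d{4}-\d\d-\d\d \d\d:\d\d) (?:\. \d{4}-\d\d-\d\d \d\d:\d\d )?'
    r'(\d+) (?:([-a-z]{8}) )?(.+)$')          # date [. date] size [attrs] path
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$')
SVC_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')

# Directories an unprivileged user can write to (heuristic list, an assumption).
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\programdata\\', '\\temp\\',
                 '\\documents and settings\\')


@dataclass
class Entry:
    kind: str                     # 'file', 'run' or 'service'
    name: str
    path: str
    size: Optional[int]
    attrs: Optional[str]          # ComboFix attribute string such as '--sh--r-'
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str, key: str = '') -> Optional[Entry]:
    """Parse one log line; `key` is the last [HKEY_...] header seen, if any."""
    m = RUN_RE.match(line)
    if m:
        return Entry('run', m.group(1), m.group(2), int(m.group(4)), None)
    m = SVC_RE.match(line)
    if m:
        return Entry('service', m.group(2), m.group(4), int(m.group(6)), None)
    m = FILE_RE.match(line)
    if m:
        # A file line directly under a startupreg/Run key is an autostart.
        k = key.lower()
        kind = 'run' if ('startupreg' in k or k.endswith('\\run')) else 'file'
        path = m.group(4)
        return Entry(kind, path.rsplit('\\', 1)[-1], path, int(m.group(2)), m.group(3))
    return None


def reasons_for(e: Entry) -> List[str]:
    p = e.path.lower()
    r = []
    if e.kind != 'file' and ':\\' not in p:
        r.append('bare filename: resolved through the search path, not an absolute path')
    if any(d in p for d in USER_WRITABLE):
        r.append('lives in a user-writable directory')
    if e.attrs and {'h', 's'} <= set(e.attrs):
        r.append('hidden+system attributes')
    # DOS header (64) + PE signature (4) + COFF header (20) + smallest optional
    # header (96) is 184 bytes, so anything smaller is not a normally linked image.
    if e.size is not None and e.size < 184 and p.endswith(('.exe', '.dll', '.sys')):
        r.append('too small to be a valid PE image')
    return r


def triage(text: str) -> List[Entry]:
    """Return only the entries that tripped at least one heuristic, in log order."""
    key, hits = '', []
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        e = parse_line(line, key)
        if e is not None:
            e.reasons = reasons_for(e)
            if e.reasons:
                hits.append(e)
    return hits


# Sample input: lines quoted from the log above.
SAMPLE_LOG = r"""
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe
2008-12-25 10:15 . 2008-12-25 10:15 88 --sh--r- c:\windows\System32\152EA7914C.sys
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-02-26 23:43 50520 ----a-w- c:\users\stephen\AppData\Roaming\mjusbsp\cdloader2.exe
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-25 114984]
"""

if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(f'{e.kind:7} {e.path}\n        ' + '\n        '.join(e.reasons))
```

Run it as-is to see the four hits; feed it a whole ComboFix log with `triage(open(path).read())`. The snapshot (`+`/`-`) lines are parsed too, but they carry no attribute string, so only the path and size heuristics apply to them.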


#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:04 PM

Posted 28 May 2010 - 06:48 AM

Hi,

the log is looking clean. Could you please reconnect and let me know if the PC behaves normally now.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
