
Sound, IE Do not work. Other misc problems.

  • This topic is locked
15 replies to this topic

#1 ndtokar

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:11 PM

Posted 31 May 2010 - 04:55 PM

I use a Toshiba laptop about 5 years old & use wireless cable internet. My operating system is Windows XP. Out of nowhere, sound fails to work. Internet Explorer is not coming up & gives a warning of "0x10007of7 Cannot be read" & numerous other error messages. Other misc. problems occur, such as a slow & lagged computer. Very suspicious activity I have never seen before. For example, when clicking on the speaker in the bottom right task menu, a message comes up: "There are no active mixer devices available. To install mixer devices, go to Control Panel, click Printers and Other Hardware, and then click Add Hardware. This program will now close." I am afraid there is something very wrong. PLEASE HELP!!!!!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Nate at 17:13:42.87 on Mon 05/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.100 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Nate\Desktop\new vex\RedVex 3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\WINDOWS\System32\svchost.exe"
C:\Documents and Settings\Nate\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Qjane] rundll32.exe "c:\windows\smsubdla.dll",Startup
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TempRemove] "c:\program files\crystal ball\cb predictor\terminator.exe"
StartupFolder: c:\docume~1\nate\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 207.5.72.43 EXVBE014-13
Hosts: 207.5.72.43 EXVBE014-13.exch014.msoutlookonline.net
Hosts: 207.5.72.46 DC014-3.exch014.msoutlookonline.net
Hosts: 207.5.72.47 DC014-4.exch014.msoutlookonline.net

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nate\applic~1\mozilla\firefox\profiles\etwl49t0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-8-9 3768]

=============== Created Last 30 ================

2010-05-31 21:06:47 0 ----a-w- c:\documents and settings\nate\defogger_reenable
2010-05-30 07:46:19 0 d-----w- c:\windows\system32\scripting
2010-05-30 07:46:16 0 d-----w- c:\windows\l2schemas
2010-05-30 07:46:15 0 d-----w- c:\windows\system32\en
2010-05-30 07:46:15 0 d-----w- c:\windows\system32\bits
2010-05-30 07:41:17 0 d-----w- c:\windows\network diagnostic
2010-05-30 07:39:34 1374 ----a-w- c:\windows\imsins.BAK
2010-05-30 07:35:33 0 d-----w- c:\windows\EHome
2010-05-29 19:52:08 772096 ----a-w- c:\windows\system32\drivers\gzvofiih.sys
2010-05-29 19:51:32 40960 ---ha-w- c:\windows\system32\dmrestat.dll
2010-05-08 18:23:27 0 d-sh--w- c:\documents and settings\nate\IECompatCache

==================== Find3M ====================

2010-03-26 03:04:00 43081 ----a-w- c:\windows\DIIUnin.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 17:15:26.18 ===============


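Reading a DDS or OTL log by hand means scanning for a handful of entry types that rarely belong on a home PC. As an added example (my own code, not part of this thread and not something DDS or OTL ships), the script below applies that kind of first-pass triage to log lines. The rule names, regular expressions and reviewer notes are my own assumptions; the sample input is constructed from lines copied out of the DDS report above and the OTL log posted further down, so the script runs offline and only marks entries for a human to verify.

```python
"""First-pass triage of DDS/OTL-style log lines (added example, not DDS/OTL code)."""
import re
from typing import List, Tuple

# Constructed sample input: lines copied from the DDS and OTL logs in this thread.
SAMPLE_LINES = [
    'uRun: [Aim6] "c:\\program files\\aim6\\aim6.exe" /d locale=en-US ee://aol/imApp',
    'uRun: [Qjane] rundll32.exe "c:\\windows\\smsubdla.dll",Startup',
    'mRun: [QuickTime Task] "c:\\program files\\quicktime\\QTTask.exe" -atboottime',
    'IE - HKU\\S-1-5-21-1359673756-1645347318-4255229552-1006\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\Internet Settings: "ProxyServer" = http=127.0.0.1:5555',
    'IE - HKU\\S-1-5-21-1359673756-1645347318-4255229552-1006\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\Internet Settings: "ProxyEnable" = 0',
    'O4 - HKLM..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe (Microsoft Corporation)',
    'O4 - HKLM..\\Run: [Wyuxixe] C:\\WINDOWS\\emiyaloqe.DLL ()',
    'O36 - AppCertDlls: fastinit - (C:\\WINDOWS\\system32\\dmrestat.dll) - C:\\WINDOWS\\system32\\dmrestat.dll ()',
    '2010-05-29 19:52:08 772096 ----a-w- c:\\windows\\system32\\drivers\\gzvofiih.sys',
    '2010-03-10 06:15:52 420352 ----a-w- c:\\windows\\system32\\vbscript.dll',
]

# Each rule: (name, pattern, why a reviewer would look twice). Names and patterns are
# my own assumptions, not an official DDS/OTL vocabulary.
RULES = [
    ("loopback-proxy",
     re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?127\.0\.0\.1:\d+', re.I),
     "IE proxy points at a port on the local machine, so a local process sits between "
     "the browser and the network (fits the redirect and 'not connected' symptoms)"),
    ("appcertdlls",
     re.compile(r'\bAppCertDlls\b', re.I),
     "AppCertDlls entries are mapped into every newly created process; verify the DLL"),
    ("dll-in-windows-root",
     re.compile(r'^(?:[um]Run:|O4 - ).*\\windows\\[^\\" ]+\.dll\b', re.I),
     "autostart loads a DLL sitting directly under %WINDIR% rather than a program folder"),
    ("otl-no-publisher",
     re.compile(r'^(?:O4|O36|MOD|PRC|DRV) .*\(\)\s*$'),
     "OTL found no company name in the file's version information"),
    ("new-kernel-driver",
     re.compile(r'^\d{4}-\d{2}-\d{2} .*\\drivers\\[^\\]+\.sys$', re.I),
     "kernel driver created within the last 30 days; confirm it belongs to known software"),
]


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, line) for every rule each line matches.

    A line may trigger several rules; every hit is returned separately so the
    reviewer sees each reason an entry was flagged.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for name, pattern, _why in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def explain(name: str) -> str:
    """Return the reviewer note attached to a rule name."""
    for rule_name, _pattern, why in RULES:
        if rule_name == name:
            return why
    raise KeyError(name)


if __name__ == "__main__":
    for rule, flagged in triage(SAMPLE_LINES):
        print(f"[{rule}] {flagged}\n    -> {explain(rule)}")
```

On the constructed sample the script flags seven entries: the rundll32 autostart and the Run entry that load a DLL from the Windows directory, the IE proxy set to 127.0.0.1:5555, the AppCertDlls entry, the two OTL lines with an empty publisher field, and the recently created driver. Every hit is a prompt to check the file, not a verdict; the benign Run entry for MSConfig and the Microsoft vbscript.dll pass untouched.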

#2 ndtokar

  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:11 PM

Posted 02 June 2010 - 11:06 AM

This problem now re-directs me to malware sw sites to buy malware/virus programs.

When I try to access other websites, the screen tells me that I am not connected to the internet.

I believe this has now escalated to something even worse!! PLEASE HELP! I have extremely expensive software programs on my computer and am afraid something very bad will happen!!

#3 ndtokar

  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:11 PM

Posted 02 June 2010 - 08:37 PM

UPDATE ON CONDITION OF COMPUTER:

I now cannot open anything without an error message. The error message says "Application cannot be executed. The file "(any file on computer)" is infected. Do you want to activate your antivirus software now?"

Along with that I have numerous attempts of hackers trying to get me to buy antivirus software. Please help me! This is getting worse every day. At the beginning of the thread I included everything that was asked for in the help guide!

THANK YOU!!

#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,208 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:11 PM

Posted 03 June 2010 - 05:48 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 ndtokar

  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:11 PM

Posted 03 June 2010 - 02:23 PM

UPDATE ON COMPUTER: IE still malfunctions with "0x10007of7 Cannot be read". Attempts to re-direct me from websites to purchase anti-virus sw, and to win free prizes, are still happening. The re-directing is not happening as often, but there seem to be different attempts to trick me into buying this stuff or claiming prizes.

OTL.TXT LOG:

OTL logfile created on: 6/3/2010 1:27:14 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Nate\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 41.00 Mb Available Physical Memory | 9.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 26.00% Paging File free
Paging file location(s): C:\pagefile.sys 2096 2096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.23 Gb Total Space | 39.55 Gb Free Space | 53.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NATHAN
Current User Name: Nate
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/03 13:26:42 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nate\Desktop\OTL.exe
PRC - [2010/05/08 17:07:41 | 001,095,168 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\new vex\RedVex 3.exe
PRC - [2010/03/09 00:10:51 | 000,061,440 | ---- | M] (Blizzard North) -- C:\Program Files\Diablo II\Game.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/03 13:26:42 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nate\Desktop\OTL.exe
MOD - [2010/05/29 15:51:32 | 000,040,960 | -H-- | M] () -- C:\WINDOWS\system32\dmrestat.dll
MOD - [2008/04/13 20:12:08 | 000,179,200 | ---- | M] () -- C:\WINDOWS\emiyaloqe.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2006/02/07 20:30:40 | 000,035,840 | ---- | M] (TOSHIBA Corp.) [Disabled | Stopped] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/07/12 21:14:42 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2005/01/17 20:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Disabled | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/08/28 04:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Disabled | Stopped] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - [2008/06/04 10:18:22 | 000,003,768 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MovRVDrv32.sys -- (MovRVDrv32)
DRV - [2008/06/04 10:18:20 | 000,508,544 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys -- (SndTDriverV32)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/04/01 00:20:38 | 000,043,776 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2006/03/20 15:30:20 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/03/04 00:29:50 | 001,124,097 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/03/02 19:46:54 | 000,191,968 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/01/18 22:41:58 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/12/09 19:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/10/20 18:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/09/15 03:49:52 | 000,468,768 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/08/24 19:20:28 | 000,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)
DRV - [2005/08/04 02:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/02 07:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/01/29 18:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"

FF - HKLM\software\mozilla\Firefox\Extensions\\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB}: C:\Documents and Settings\Nate\Local Settings\Application Data\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB} [2010/06/01 18:07:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/02 16:03:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/02 16:03:48 | 000,000,000 | ---D | M]

[2010/02/27 17:22:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nate\Application Data\Mozilla\Extensions
[2010/02/27 17:22:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nate\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/02/27 17:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nate\Application Data\Mozilla\Firefox\Profiles\etwl49t0.default\extensions
[2010/02/27 17:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nate\Application Data\Mozilla\Firefox\Profiles\etwl49t0.default\extensions\toolbar@ask.com
[2009/07/21 00:13:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2007/02/05 16:20:53 | 000,001,040 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 207.5.72.43 EXVBE014-13
O1 - Hosts: 207.5.72.43 EXVBE014-13.exch014.msoutlookonline.net
O1 - Hosts: 207.5.72.46 DC014-3.exch014.msoutlookonline.net
O1 - Hosts: 207.5.72.47 DC014-4.exch014.msoutlookonline.net
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\..\Toolbar\WebBrowser: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Wyuxixe] C:\WINDOWS\emiyaloqe.DLL ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1359673756-1645347318-4255229552-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} http://www.cvsphoto.com/upload/activex/v3_...veX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} http://www.cvsphoto.com/upload/activex/v3_...veX_Control.cab (Photo Upload Plugin Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Nate\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nate\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/20 14:09:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{4e45f700-56cc-11de-ac41-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{4e45f700-56cc-11de-ac41-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4e45f700-56cc-11de-ac41-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{606e9778-7c10-11de-ac4e-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{606e9778-7c10-11de-ac4e-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{606e9778-7c10-11de-ac4e-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{7ee31c88-aff8-11db-abb1-00038a000015}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{7ee31c88-aff8-11db-abb1-00038a000015}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{7ee31c88-aff8-11db-abb1-00038a000015}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{7ee31c88-aff8-11db-abb1-00038a000015}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: fastinit - (C:\WINDOWS\system32\dmrestat.dll) - C:\WINDOWS\system32\dmrestat.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/03 13:26:41 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nate\Desktop\OTL.exe
[2010/06/02 23:03:29 | 086,402,920 | ---- | C] (Emsi Software GmbH ) -- C:\Documents and Settings\Nate\Desktop\a2FreeSetup.exe
[2010/06/02 09:15:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Local Settings\Application Data\jdxcfamye
[2010/06/01 18:07:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Local Settings\Application Data\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB}
[2010/05/31 17:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Desktop\gmer
[2010/05/31 12:03:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Local Settings\Application Data\Help
[2010/05/31 12:03:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Application Data\Help
[2010/05/31 02:58:14 | 000,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2010/05/31 02:56:37 | 000,138,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\afd.sys
[2010/05/31 02:56:20 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2010/05/31 02:56:01 | 000,455,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2010/05/31 02:55:58 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/05/31 02:54:38 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll
[2010/05/31 02:54:38 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll
[2010/05/31 02:54:35 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2010/05/31 02:54:32 | 002,146,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2010/05/31 02:54:31 | 002,189,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2010/05/31 02:54:30 | 002,024,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2010/05/31 02:54:08 | 000,203,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2010/05/31 02:50:56 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2010/05/30 05:33:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/05/30 03:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/05/30 03:46:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/05/30 03:46:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/05/30 03:46:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/05/30 03:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2010/05/30 03:35:37 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/05/30 03:35:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2010/05/30 02:16:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Nate\Recent
[2010/05/29 15:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/05/29 15:50:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/29 02:59:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/29 02:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/08 17:19:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Desktop\Fastmod v2.1 Plugin
[2010/05/08 17:18:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Desktop\Telewalk 0.1 Plugin
[2010/05/08 17:16:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Desktop\Condom
[2010/05/08 17:15:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Desktop\Claw_1.3
[2010/05/08 17:05:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nate\Desktop\new vex
[2010/05/08 14:23:27 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Nate\IECompatCache
[2006/03/20 14:40:34 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/03 13:29:56 | 000,772,096 | ---- | M] () -- C:\WINDOWS\System32\drivers\gzvofiih.sys
[2010/06/03 13:29:02 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3BA7B010-1B73-448B-B453-88D416BAADA2}.job
[2010/06/03 13:28:07 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\byxjitj6.exe
[2010/06/03 13:26:42 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nate\Desktop\OTL.exe
[2010/06/03 13:06:29 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Qvuhoge.dat
[2010/06/03 13:01:00 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/06/03 03:17:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/03 03:17:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/03 03:17:18 | 467,775,488 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/03 01:31:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Dwihe.bin
[2010/06/02 23:03:29 | 086,402,920 | ---- | M] (Emsi Software GmbH ) -- C:\Documents and Settings\Nate\Desktop\a2FreeSetup.exe
[2010/06/02 22:45:11 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Nate\NTUSER.DAT
[2010/06/02 22:45:11 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Nate\ntuser.ini
[2010/06/02 22:45:06 | 006,388,512 | -H-- | M] () -- C:\Documents and Settings\Nate\Local Settings\Application Data\IconCache.db
[2010/06/02 22:38:03 | 000,001,258 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/02 22:38:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/02 22:38:03 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/06/02 22:20:58 | 000,002,557 | ---- | M] () -- C:\WINDOWS\eruqehis.dll
[2010/06/02 21:32:46 | 000,002,557 | ---- | M] () -- C:\WINDOWS\udaxehizajifo.dll
[2010/06/02 21:27:13 | 000,002,557 | ---- | M] () -- C:\WINDOWS\apovehulato.dll
[2010/06/02 09:07:04 | 000,448,156 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/02 09:07:04 | 000,387,078 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/02 09:07:04 | 000,055,258 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/02 09:05:25 | 000,272,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/31 17:19:02 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\gmer.zip
[2010/05/31 17:08:58 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\dds.scr
[2010/05/31 17:06:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Nate\defogger_reenable
[2010/05/31 17:06:27 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\Defogger.exe
[2010/05/31 16:59:44 | 000,071,032 | ---- | M] () -- C:\Documents and Settings\Nate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/31 02:45:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/30 05:35:58 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/30 03:40:50 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/29 15:51:32 | 000,040,960 | -H-- | M] () -- C:\WINDOWS\System32\dmrestat.dll
[2010/05/08 17:19:09 | 000,048,115 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\Fastmod v2.1 Plugin.rar
[2010/05/08 17:18:43 | 000,034,608 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\Telewalk 0.1 Plugin.rar
[2010/05/08 17:16:06 | 000,486,093 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\Condom.zip
[2010/05/08 17:14:45 | 000,068,464 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\Claw_1.3.rar
[2010/05/08 17:05:03 | 000,666,383 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\Redvex_3.0.1_11-28-07.zip
[2010/05/06 17:05:05 | 000,017,920 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\MINITAB6.MPJ
[2010/05/06 00:51:36 | 000,053,248 | ---- | M] () -- C:\Documents and Settings\Nate\Desktop\Chapter 6.doc
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/03 13:28:04 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\byxjitj6.exe
[2010/06/02 22:36:36 | 467,775,488 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/02 22:20:58 | 000,002,557 | ---- | C] () -- C:\WINDOWS\eruqehis.dll
[2010/06/02 21:32:46 | 000,002,557 | ---- | C] () -- C:\WINDOWS\udaxehizajifo.dll
[2010/06/02 21:27:13 | 000,002,557 | ---- | C] () -- C:\WINDOWS\apovehulato.dll
[2010/06/01 18:08:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Dwihe.bin
[2010/06/01 18:07:59 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Qvuhoge.dat
[2010/05/31 17:18:59 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\gmer.zip
[2010/05/31 17:07:59 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\dds.scr
[2010/05/31 17:06:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Nate\defogger_reenable
[2010/05/31 17:06:18 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\Defogger.exe
[2010/05/30 03:39:34 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/05/29 15:52:08 | 000,772,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\gzvofiih.sys
[2010/05/29 15:51:32 | 000,040,960 | -H-- | C] () -- C:\WINDOWS\System32\dmrestat.dll
[2010/05/08 17:19:08 | 000,048,115 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\Fastmod v2.1 Plugin.rar
[2010/05/08 17:18:43 | 000,034,608 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\Telewalk 0.1 Plugin.rar
[2010/05/08 17:16:03 | 000,486,093 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\Condom.zip
[2010/05/08 17:14:45 | 000,068,464 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\Claw_1.3.rar
[2010/05/08 17:04:47 | 000,666,383 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\Redvex_3.0.1_11-28-07.zip
[2010/05/06 17:05:04 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\MINITAB6.MPJ
[2010/05/06 00:51:36 | 000,053,248 | ---- | C] () -- C:\Documents and Settings\Nate\Desktop\Chapter 6.doc
[2010/01/23 16:15:36 | 000,497,664 | ---- | C] () -- C:\WINDOWS\System32\CBPRED.DLL
[2008/07/08 00:20:47 | 000,364,544 | ---- | C] () -- C:\WINDOWS\System32\js32.dll
[2008/06/12 22:59:22 | 000,001,751 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/08/15 03:02:58 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/07/14 09:41:33 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/01/14 21:38:25 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2006/09/13 11:52:40 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/09/01 17:35:47 | 000,013,600 | ---- | C] () -- C:\WINDOWS\System32\sasperf.dll
[2006/08/29 13:06:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/08/16 23:47:04 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/08/14 03:20:25 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/08/14 03:20:25 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/08/14 03:20:25 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/04/10 16:00:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/10 14:58:21 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006/03/20 19:26:30 | 000,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006/03/20 15:20:51 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/03/20 15:20:51 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/03/20 15:20:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/03/20 15:20:51 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/03/20 15:20:51 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/03/20 15:20:51 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/03/20 15:17:30 | 000,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/03/20 15:03:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\TDispVol.dll
[2006/03/20 15:02:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/03/20 14:46:03 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/03/20 14:46:03 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/03/20 14:46:03 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/03/20 14:46:03 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/03/20 14:40:34 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2006/03/20 14:13:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/20 12:53:09 | 000,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/03/20 12:49:38 | 000,179,200 | ---- | C] () -- C:\WINDOWS\emiyaloqe.dll
[2006/03/20 12:49:38 | 000,016,280 | ---- | C] () -- C:\WINDOWS\aqumipusovo.dll
[2005/08/24 19:20:28 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B7BEAFF
< End of report >

Extras.Txt Log:

OTL Extras logfile created on: 6/3/2010 1:27:14 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Nate\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 41.00 Mb Available Physical Memory | 9.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 26.00% Paging File free
Paging file location(s): C:\pagefile.sys 2096 2096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.23 Gb Total Space | 39.55 Gb Free Space | 53.28% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NATHAN
Current User Name: Nate
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.js [@ = JSFile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-1359673756-1645347318-4255229552-1006\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
jsfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- File not found
"C:\Program Files\Common Files\AOL\1142882959\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1142882959\EE\AOLServiceHost.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine -- File not found
"C:\Program Files\Common Files\AOL\1142882959\EE\aim6.exe" = C:\Program Files\Common Files\AOL\1142882959\EE\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004 -- File not found
"C:\Program Files\Abacast\Abaclient.exe" = C:\Program Files\Abacast\Abaclient.exe:*:Disabled:Abaclient -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Starcraft\StarCraft.exe" = C:\Program Files\Starcraft\StarCraft.exe:*:Enabled:Starcraft -- (Blizzard Entertainment)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Steam\steamapps\voyaging\counter-strike\hl.exe" = C:\Program Files\Steam\steamapps\voyaging\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Documents and Settings\Nate\Desktop\tppk\penor1.exe.exe" = C:\Documents and Settings\Nate\Desktop\tppk\penor1.exe.exe:*:Enabled:penor1.exe -- File not found
"C:\Program Files\SAS\SAS 9.1\sas.exe" = C:\Program Files\SAS\SAS 9.1\sas.exe:*:Enabled:SAS 9.1 for Windows -- ()
"C:\Documents and Settings\Nate\Desktop\REDVEX\penor1.exe.exe" = C:\Documents and Settings\Nate\Desktop\REDVEX\penor1.exe.exe:*:Enabled:penor1.exe -- File not found
"C:\Documents and Settings\Nate\Desktop\vex\bleep.exe" = C:\Documents and Settings\Nate\Desktop\vex\bleep.exe:*:Enabled:bleep -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\DOCUME~1\Nate\LOCALS~1\Temp\ADLQpPGDyS.exe" = C:\DOCUME~1\Nate\LOCALS~1\Temp\ADLQpPGDyS.exe:*:Enabled:svchost -- File not found
"C:\Documents and Settings\Nate\Desktop\new vex\RedVex 3.exe" = C:\Documents and Settings\Nate\Desktop\new vex\RedVex 3.exe:*:Enabled:RedVex 3 -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI/PCIe card Driver
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{5D96E2B1-D9AC-46E0-9073-425C5F63E338}" = Touch and Launch
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility
"{68624FB8-2512-46B5-9664-64366DCCB3EB}" = SAS 9.1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69BE47C2-36FE-4397-8199-85D8EAE69982}" = TOSHIBA TouchPad ON/Off Utility
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities
"{86B3F2D6-AC2B-4E88-8AE1-F2F77F781B0C}" = EndNote X3
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8B12BA86-ADAC-4BA6-B441-FFC591087252}" = TOSHIBA Virtual Sound
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet NIC Driver
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DE057B84-3977-4107-AA5C-BD0600CDC8DF}" = MINITAB 14 Student
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"Crystal Ball 2000" = Crystal Ball 2000
"Diablo II" = Diablo II
"e7b5d423e2fcc19f6c91a3c2b5238c8a" = SAS Private JRE (J2SE™ Java Runtime Environment 1.4.1)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{DE057B84-3977-4107-AA5C-BD0600CDC8DF}" = MINITAB 14 Student
"LimeWire" = LimeWire 5.4.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.1)" = Mozilla Firefox (3.5.1)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"Power Saver" = TOSHIBA Power Saver
"RealPlayer 6.0" = RealPlayer Basic
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"Starcraft" = Starcraft
"Steam App 10" = Counter-Strike
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Game Console" = TOSHIBA Game Console
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/31/2010 8:53:27 PM | Computer Name = NATHAN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/1/2010 10:58:48 AM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x100070f7.

Error - 6/1/2010 11:05:29 AM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 6/1/2010 6:07:59 PM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module smsubdla.dll, version 2.1.0.0, fault address 0x00002e4b.

Error - 6/2/2010 9:29:13 AM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application rwqbraetssd.exe, version 2.1.0.5, faulting module
unknown, version 0.0.0.0, fault address 0x0005fa90.

Error - 6/2/2010 9:29:13 AM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application rwqbraetssd.exe, version 2.1.0.5, faulting module
unknown, version 0.0.0.0, fault address 0x0005fa90.

Error - 6/2/2010 8:28:43 PM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10c.ocx, version 10.0.32.18, fault address 0x00204784.

Error - 6/3/2010 3:12:06 AM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10c.ocx, version 10.0.32.18, fault address 0x000e672a.

Error - 6/3/2010 3:21:20 AM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 6/3/2010 1:05:54 PM | Computer Name = NATHAN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module , version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 6/2/2010 10:51:59 PM | Computer Name = NATHAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service MDM with arguments
"" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

Error - 6/2/2010 11:31:04 PM | Computer Name = NATHAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service MDM with arguments
"" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

Error - 6/3/2010 3:17:47 AM | Computer Name = NATHAN | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 6/3/2010 3:17:47 AM | Computer Name = NATHAN | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/3/2010 3:21:34 AM | Computer Name = NATHAN | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 6/3/2010 3:21:37 AM | Computer Name = NATHAN | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 6/3/2010 3:21:51 AM | Computer Name = NATHAN | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 6/3/2010 3:22:25 AM | Computer Name = NATHAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service MDM with arguments
"" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

Error - 6/3/2010 3:22:25 AM | Computer Name = NATHAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service MDM with arguments
"" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

Error - 6/3/2010 1:06:09 PM | Computer Name = NATHAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service MDM with arguments
"" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}


< End of report >


GMER.LOG:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-03 15:22:56
Windows 5.1.2600 Service Pack 3
Running: byxjitj6.exe; Driver: C:\DOCUME~1\Nate\LOCALS~1\Temp\ugldqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text gzvofiih.sys F742E012 25 Bytes [FF, 35, 0B, E3, 42, F7, 8F, ...]
.text gzvofiih.sys F742E02C 68 Bytes [41, F7, 66, D3, DE, 8B, 74, ...]
.text gzvofiih.sys F742E071 409 Bytes [00, F6, C2, F2, 84, DD, 68, ...]
.text gzvofiih.sys F742E20B 222 Bytes [74, 24, 1C, 8F, 45, 00, 68, ...]
.text gzvofiih.sys F742E2EA 18 Bytes [66, 89, 45, 00, 66, C7, 04, ...]
.text ...
? C:\WINDOWS\system32\drivers\gzvofiih.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F7314E55 4 Bytes CALL 84FD8311

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0019000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0148000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0018000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[872] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00DA000A
.text C:\WINDOWS\System32\svchost.exe[872] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[872] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0147000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0148000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0146000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\WINDOWS\System32\svchost.exe[1116] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: imagehlp.dll
.text C:\WINDOWS\Explorer.EXE[1348] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1348] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1348] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[208] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\wscntfy.exe[792] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[908] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 81EC8B55
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 000814EC
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 6A575300
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] FF335B04
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 6A575757
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 7D895701
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] F045C7F8
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 00004E20
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] FFFC5D89
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 40208015
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] F4458900
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 840FC73B
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 00000132
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 94358B56
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 458D53D6
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 066A50F0
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FFF475FF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 458D53D6
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 056A50F0
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] FFF475FF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 0C5D8BD6
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] EC858D00
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 68FFFFF7
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] 00000800
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] AC15FF50
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] 83004020
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 07EB10C4
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] F7EC85C6
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 5700FFFF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 0C320068
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 8DFF6A8C
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] FFF7EC85
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 75FF50FF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] F475FF08
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 209015FF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] F08B0040
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 3BF87589
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] A9840FF7
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 39000000
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 1F75087B
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FC458D57
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] EC458D50
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 00056850
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] FF562000
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 40208C15
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] EC458B06
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 8D084389
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 6850FC45
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 00000800
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] F7EC858D
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 5650FFFF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 208815FF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 4EEB0040
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 74FC7D39
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 04438B5E
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 8BFC4503
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] FF565033
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 4020A815
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 89595900
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 74C73B03
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 047B8B37
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 03FC4D8B
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] ECB58DF8
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F3FFFFF7
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] FC458BA4
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 6850FC45
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00000800
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] F7EC858D
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] FF50FFFF
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 15FFF875
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [00402088] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C085FF33
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0FEBAE75
IAT C:\WINDOWS\System32\svchost.exe[1116] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0874F73B
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1160] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!CreateProcessW] [10001000] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [10001000] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [10001072] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [10001000] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [10001000] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [10001072] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [10001000] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [10001000] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1348] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [10001000] C:\WINDOWS\system32\dmrestat.dll
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\notepad.exe[1596] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\byxjitj6.exe[2548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\QuickTime\qttask.exe[2828] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\shell32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\Nate\Desktop\OTL.exe[4084] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84F2AF00

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] gzvofiih <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gzvofiih@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzvofiih@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzvofiih@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzvofiih@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\gzvofiih@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gzvofiih@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\gzvofiih@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\gzvofiih@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\gzvofiih@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gzvofiih@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\gzvofiih@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\gzvofiih@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----




#6 Elise
Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,208 posts
  • Gender:Female
  • Location:Romania

Posted 03 June 2010 - 03:18 PM

Hello again,
Looks like a rootkit and a lot of Vundo, so let's start getting rid of it :)


P2P WARNING
-------------------
Going over your logs I noticed that you have LimeWire installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 ndtokar
  • Topic Starter
  • Members
  • 8 posts

Posted 04 June 2010 - 03:27 AM

Thank you for the fast response, Elise!!

Here is the ComboFix.txt:

ComboFix 10-06-03.01 - Nate 06/04/2010 4:10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.197 [GMT -4:00]
Running from: c:\documents and settings\Nate\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\windows\system32\dmrestat.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nate\Local Settings\Application Data\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB}
c:\documents and settings\Nate\Local Settings\Application Data\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB}\chrome.manifest
c:\documents and settings\Nate\Local Settings\Application Data\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB}\chrome\content\_cfg.js
c:\documents and settings\Nate\Local Settings\Application Data\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB}\chrome\content\overlay.xul
c:\documents and settings\Nate\Local Settings\Application Data\{4EFF20CE-29CF-4FCA-8C43-5EB2BA610CBB}\install.rdf
c:\windows\apovehulato.dll
c:\windows\emiyaloqe.dll
c:\windows\eruqehis.dll
c:\windows\udaxehizajifo.dll

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-04 08:13 . 2010-06-04 08:13 -------- d-----w- c:\windows\LastGood
2010-06-03 02:25 . 2010-06-03 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-03 02:25 . 2010-06-03 02:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-02 13:15 . 2010-06-03 02:33 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\jdxcfamye
2010-06-01 22:08 . 2010-06-04 04:48 0 ----a-w- c:\windows\Dwihe.bin
2010-06-01 22:07 . 2010-06-04 06:51 120 ----a-w- c:\windows\Qvuhoge.dat
2010-05-31 16:03 . 2010-05-31 16:03 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\Help
2010-05-31 06:58 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-05-31 06:56 . 2008-08-14 10:04 138496 -c----w- c:\windows\system32\dllcache\afd.sys
2010-05-31 06:56 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-05-31 06:56 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-31 06:55 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-05-31 06:50 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\scripting
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\l2schemas
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\en
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\bits
2010-05-30 07:35 . 2010-05-30 07:35 -------- d-----w- c:\windows\EHome
2010-05-29 19:54 . 2010-05-29 19:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-29 19:52 . 2010-06-04 08:20 772096 ----a-w- c:\windows\system32\drivers\gzvofiih.sys
2010-05-29 19:51 . 2010-05-29 19:51 40960 ----a-w- c:\windows\system32\dmrestat.dll
2010-05-29 19:51 . 2010-05-29 19:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-29 19:50 . 2010-05-29 19:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-sh--w- c:\documents and settings\Nate\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 07:38 . 2008-04-16 02:26 -------- d-----w- c:\program files\LimeWire
2010-06-04 07:30 . 2009-06-07 00:31 -------- d-----w- c:\program files\Diablo II
2010-06-03 02:26 . 2006-09-30 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 20:59 . 2006-08-13 19:49 71032 ----a-w- c:\documents and settings\Nate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-30 07:48 . 2006-03-20 18:08 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-29 19:51 . 2010-05-29 19:51 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
2010-05-07 17:52 . 2010-01-21 02:54 -------- d-----w- c:\program files\MINITAB 14 Student
2010-04-29 19:39 . 2006-09-30 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2006-09-30 15:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 01:25 . 2010-04-08 01:06 -------- d-----w- c:\documents and settings\Nate\Application Data\EndNote
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Thomson.ResearchSoft.Installers
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\Risxtd
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\ResearchSoft
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\program files\EndNote X3
2010-03-26 03:04 . 2009-06-07 00:37 43081 ----a-w- c:\windows\DIIUnin.dat
2010-03-10 06:15 . 2006-03-20 16:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-11-07 15:29 . 2006-11-07 15:29 50736 c:\program files\AIM6\bak\aim6.exe
2008-10-31 19:22 . 2008-10-31 19:22 50480 c:\program files\AIM6\aim6.exe

2007-02-05 18:26 . 2007-02-05 18:26 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

2006-11-02 00:05 . 2006-11-02 00:05 163576 c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe

2006-03-20 18:46 . 2006-03-04 04:30 184320 c:\program files\ltmoh\bak\Ltmoh.exe

2006-03-20 19:30 . 2006-03-20 19:30 98304 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 04:08 . 2009-11-11 04:08 417792 c:\program files\QuickTime\QTTask.exe

2006-03-20 18:42 . 2006-03-03 00:02 761948 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe

2006-03-20 18:42 . 2006-03-03 00:03 82012 c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe

2006-03-20 18:57 . 2004-12-30 08:32 65536 c:\program files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe

2006-03-20 18:40 . 2006-03-06 22:03 356352 c:\program files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe

2006-03-20 19:11 . 2005-04-27 00:13 122880 c:\program files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe

2006-03-20 19:09 . 2005-12-06 06:06 1077322 c:\program files\TOSHIBA\Touch and Launch\bak\PadExe.exe

2006-04-10 18:58 . 2006-02-02 19:11 73728 c:\program files\TOSHIBA\Tvs\bak\TvsTray.exe

2006-03-20 19:08 . 2005-03-18 01:37 151552 c:\toshiba\IVP\ISM\bak\pinger.exe

2006-03-20 16:49 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2006-03-20 16:49 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2007-02-13 02:23 . 2007-09-06 02:50 17474680 c:\windows\system32\bak\MRT.exe
2007-02-13 02:23 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe

2006-03-20 19:19 . 2005-10-06 13:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wyuxixe"="c:\windows\emiyaloqe.dll" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aeryeqmm]
c:\documents and settings\Nate\Local Settings\Application Data\jdxcfamye\rwqbraetssd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-04 04:29 88204 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-31 19:22 50480 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
c:\program files\America Online 9.0\AOL.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ceedo AutoDetect]
c:\docume~1\Nate\LOCALS~1\Temp\AutoDetect.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
c:\windows\system32\dla\DLACTRLW.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
c:\program files\Common Files\AOL\1142882959\ee\AOLSoftware.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
c:\program files\Common Files\AOL\IPHSend\IPHSend.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
c:\program files\ltmoh\Ltmoh.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\progra~1\mcafee.com\agent\mcagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\progra~1\mcafee.com\agent\mcupdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
NDSTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
c:\program files\McAfee.com\VSO\oasclnt.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
c:\program files\TOSHIBA\Touch and Launch\PadExe.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qjane]
c:\windows\smsubdla.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-12-09 22:49 15691264 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-12 18:04 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 08:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
c:\program files\Synaptics\SynTP\SynTPEnh.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
c:\program files\Synaptics\SynTP\SynTPLpr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-03-11 23:03 73728 ----a-w- c:\windows\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TempRemove]
1998-12-19 15:06 7680 ----a-w- c:\program files\Crystal Ball\CB Predictor\Terminator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
c:\program files\Toshiba\Toshiba Applet\thotkey.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 05:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
c:\program files\Toshiba\Tvs\TvsTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\progra~1\mcafee.com\vso\mcvsshld.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\progra~1\mcafee.com\vso\mcmnhdlr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wyuxixe]
c:\windows\emiyaloqe.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"TAPPSRV"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"SoundMovieServer"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
fastinit REG_SZ c:\windows\system32\dmrestat.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Steam\\steamapps\\voyaging\\counter-strike\\hl.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Nate\\Desktop\\new vex\\RedVex 3.exe"=

S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [8/9/2008 9:39 PM 3768]

--- Other Services/Drivers In Memory ---

*Deregistered* - gzvofiih
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\User_Feed_Synchronization-{3BA7B010-1B73-448B-B453-88D416BAADA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Nate\Application Data\Mozilla\Firefox\Profiles\etwl49t0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 04:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gzvofiih]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-04 04:23:20
ComboFix-quarantined-files.txt 2010-06-04 08:23

Pre-Run: 42,414,047,232 bytes free
Post-Run: 42,626,506,752 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 12739E48717B48C970E56BA009C7371C


#8 Elise
Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,208 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 04:05 AM

That took care of a lot of stuff. Please consider the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
AWF::
c:\program files\AIM6\bak\aim6.exe
c:\program files\QuickTime\bak\qttask.exe
c:\windows\system32\bak\MRT.exe

Folder::
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak
c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak
c:\program files\ltmoh\bak
c:\program files\Synaptics\SynTP\bak
c:\program files\TOSHIBA\TOSCDSPD\bak
c:\program files\TOSHIBA\TOSHIBA Applet\bak
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\bak
c:\program files\TOSHIBA\Touch and Launch\bak
c:\program files\TOSHIBA\Tvs\bak
c:\toshiba\IVP\ISM\bak

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wyuxixe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aeryeqmm]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wyuxixe"=-

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



regards, Elise


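An added triage example, not part of this thread and not ComboFix's or GMER's own code: a small Python parser that reads a constructed excerpt modelled on the GMER and ComboFix output quoted above and flags the indicators the CF-script targets (the Run value pointing at a DLL, the startupreg entry whose file is gone, the localhost proxy), the AppCertDlls registration, and the hidden service GMER reported, joined with its Start/Group registry values. The section names and regular expressions are assumptions derived from the log format as it appears in the posted logs.

```python
"""Triage helper for ComboFix / GMER log excerpts (added example; not ComboFix's,
GMER's or the thread's own code).

Reports the persistence indicators a responder would want to review before cleanup:
  - Run / msconfig startupreg values pointing at a DLL or at a file that is gone ([N/A])
  - AppCertDlls registrations, which load a DLL into every newly created process
  - a browser proxy that points back at the infected machine itself
  - a service GMER reports as hidden, with its Start/Group values from the registry
Section names and regexes are assumptions derived from the posted log format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# Constructed excerpt modelled on the GMER and ComboFix output in the thread.
SAMPLE_LOG = r"""
Service (*** hidden *** ) [BOOT] gzvofiih <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzvofiih@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzvofiih@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzvofiih@Group Boot Bus Extender

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wyuxixe"="c:\windows\emiyaloqe.dll" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aeryeqmm]
c:\documents and settings\Nate\Local Settings\Application Data\jdxcfamye\rwqbraetssd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-04 04:29 88204 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
fastinit REG_SZ c:\windows\system32\dmrestat.dll

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

# Registry key fragments (compared lower-cased) that mark the interesting blocks.
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
STARTUPREG = "\\msconfig\\startupreg\\"
APPCERT = "\\session manager\\appcertdlls"

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<status>[^\]]*)\]')
STARTUP_VALUE = re.compile(r'^(?P<path>.+?)\s*\[(?P<status>[^\]]*)\]$')
PROXY = re.compile(r'ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)')
HIDDEN_SVC = re.compile(r'^Service \(\*\*\* hidden \*\*\* \)\s*\[\w+\]\s*(?P<name>\S+)')
SVC_REG = re.compile(r'^Reg HKLM\\SYSTEM\\\w+\\Services\\(?P<name>[^@\\]+)@(?P<value>\w+)\s+(?P<data>.+)$')


def _check_autorun(label: str, path: str, status: str) -> list[Finding]:
    """Flag an autorun target that is a bare DLL or that no longer exists on disk."""
    out = []
    if path.lower().endswith(".dll"):
        out.append(Finding("dll-autorun", f"{label} -> {path} (autorun value pointing at a DLL)"))
    if status.strip().upper() == "N/A":
        out.append(Finding("missing-file", f"{label} -> {path} (file not found on disk)"))
    return out


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    hidden: set[str] = set()
    svc_values: dict[str, dict[str, str]] = {}
    section = ""  # current [registry key] block, lower-cased; a blank line ends it
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            section = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if m := HIDDEN_SVC.match(line):
            hidden.add(m["name"].lower())
        elif m := SVC_REG.match(line):
            svc_values.setdefault(m["name"].lower(), {})[m["value"]] = m["data"]
        elif (m := PROXY.search(line)) and m["host"] in ("127.0.0.1", "localhost"):
            findings.append(Finding("local-proxy", f"browser proxy {m['host']}:{m['port']} is the infected host itself"))
        elif section.endswith(RUN_KEY) and (m := RUN_VALUE.match(line)):
            findings.extend(_check_autorun("Run\\" + m["name"], m["path"], m["status"]))
        elif STARTUPREG in section and (m := STARTUP_VALUE.match(line)):
            key_name = section.rsplit("\\", 1)[-1]
            findings.extend(_check_autorun("startupreg\\" + key_name, m["path"], m["status"]))
        elif section.endswith(APPCERT):
            findings.append(Finding("appcertdlls", f"DLL loaded into every new process: {line}"))
    # Join GMER's hidden-service report with the Start/Group values listed for it.
    for name in sorted(hidden):
        vals = svc_values.get(name, {})
        findings.append(Finding("hidden-service",
                                f"{name}: Start={vals.get('Start', '?')} Group={vals.get('Group', '?')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:15}] {f.detail}")
```

Verified files such as the QuickTime and AGRSMMSG entries produce no finding, which is the point: the parser surfaces only what the cleanup script had to touch.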


#9 ndtokar
  • Topic Starter
  • Members
  • 8 posts

Posted 04 June 2010 - 04:36 AM

Hi Elise, thank you for the assistance. I have decided to go through with the cleanup and ran the new script.



ComboFix 10-06-03.01 - Nate 06/04/2010 5:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.202 [GMT -4:00]
Running from: c:\documents and settings\Nate\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nate\Desktop\CFScript.txt
.
The following files were disabled during the run:
c:\windows\system32\dmrestat.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak
c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe
c:\program files\ltmoh\bak
c:\program files\ltmoh\bak\Ltmoh.exe
c:\program files\Synaptics\SynTP\bak
c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
c:\program files\Synaptics\SynTP\bak\SynTPLpr.exe
c:\program files\TOSHIBA\TOSCDSPD\bak
c:\program files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe
c:\program files\TOSHIBA\TOSHIBA Applet\bak
c:\program files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\bak
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe
c:\program files\TOSHIBA\Touch and Launch\bak
c:\program files\TOSHIBA\Touch and Launch\bak\PadExe.exe
c:\program files\TOSHIBA\Tvs\bak
c:\program files\TOSHIBA\Tvs\bak\TvsTray.exe
c:\toshiba\IVP\ISM\bak
c:\toshiba\IVP\ISM\bak\pinger.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-03 02:25 . 2010-06-03 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-03 02:25 . 2010-06-03 02:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-02 13:15 . 2010-06-03 02:33 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\jdxcfamye
2010-06-01 22:08 . 2010-06-04 04:48 0 ----a-w- c:\windows\Dwihe.bin
2010-06-01 22:07 . 2010-06-04 06:51 120 ----a-w- c:\windows\Qvuhoge.dat
2010-05-31 16:03 . 2010-05-31 16:03 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\Help
2010-05-31 06:58 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-05-31 06:56 . 2008-08-14 10:04 138496 -c----w- c:\windows\system32\dllcache\afd.sys
2010-05-31 06:56 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-05-31 06:56 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-31 06:55 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-05-31 06:50 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\scripting
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\l2schemas
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\en
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\bits
2010-05-30 07:35 . 2010-05-30 07:35 -------- d-----w- c:\windows\EHome
2010-05-29 19:54 . 2010-05-29 19:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-29 19:52 . 2010-06-04 09:26 772096 ----a-w- c:\windows\system32\drivers\gzvofiih.sys
2010-05-29 19:51 . 2010-05-29 19:51 40960 ----a-w- c:\windows\system32\dmrestat.dll
2010-05-29 19:51 . 2010-05-29 19:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-29 19:50 . 2010-05-29 19:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-sh--w- c:\documents and settings\Nate\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 09:23 . 2006-03-20 18:46 -------- d-----w- c:\program files\ltmoh
2010-06-04 09:01 . 2009-06-07 00:31 -------- d-----w- c:\program files\Diablo II
2010-06-04 07:38 . 2008-04-16 02:26 -------- d-----w- c:\program files\LimeWire
2010-06-03 02:26 . 2006-09-30 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 20:59 . 2006-08-13 19:49 71032 ----a-w- c:\documents and settings\Nate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-30 07:48 . 2006-03-20 18:08 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-29 19:51 . 2010-05-29 19:51 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
2010-05-07 17:52 . 2010-01-21 02:54 -------- d-----w- c:\program files\MINITAB 14 Student
2010-04-29 19:39 . 2006-09-30 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2006-09-30 15:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 01:25 . 2010-04-08 01:06 -------- d-----w- c:\documents and settings\Nate\Application Data\EndNote
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Thomson.ResearchSoft.Installers
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\Risxtd
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\ResearchSoft
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\program files\EndNote X3
2010-03-26 03:04 . 2009-06-07 00:37 43081 ----a-w- c:\windows\DIIUnin.dat
2010-03-10 06:15 . 2006-03-20 16:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-11-07 15:29 . 2006-11-07 15:29 50736 c:\program files\AIM6\bak\aim6.exe
2008-10-31 19:22 . 2008-10-31 19:22 50480 c:\program files\AIM6\aim6.exe

2006-03-20 19:30 . 2006-03-20 19:30 98304 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 04:08 . 2009-11-11 04:08 417792 c:\program files\QuickTime\QTTask.exe

2007-02-05 18:26 . 2007-02-05 18:26 171448 c:\qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe.vir

2006-11-02 00:05 . 2006-11-02 00:05 163576 c:\qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe.vir

2006-03-20 18:46 . 2006-03-04 04:30 184320 c:\qoobox\Quarantine\C\Program Files\ltmoh\bak\Ltmoh.exe.vir

2006-03-20 18:42 . 2006-03-03 00:02 761948 c:\qoobox\Quarantine\C\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe.vir

2006-03-20 18:42 . 2006-03-03 00:03 82012 c:\qoobox\Quarantine\C\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe.vir

2006-03-20 18:57 . 2004-12-30 08:32 65536 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe.vir

2006-03-20 18:40 . 2006-03-06 22:03 356352 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe.vir

2006-03-20 19:11 . 2005-04-27 00:13 122880 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe.vir

2006-03-20 19:09 . 2005-12-06 06:06 1077322 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe.vir

2006-04-10 18:58 . 2006-02-02 19:11 73728 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe.vir

2006-03-20 19:08 . 2005-03-18 01:37 151552 c:\qoobox\Quarantine\C\TOSHIBA\IVP\ISM\bak\pinger.exe.vir

2006-03-20 16:49 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2006-03-20 16:49 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2007-02-13 02:23 . 2007-09-06 02:50 17474680 c:\windows\system32\bak\MRT.exe
2007-02-13 02:23 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe

2006-03-20 19:19 . 2005-10-06 13:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-04 04:29 88204 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-31 19:22 50480 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
c:\program files\America Online 9.0\AOL.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ceedo AutoDetect]
c:\docume~1\Nate\LOCALS~1\Temp\AutoDetect.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
c:\windows\system32\dla\DLACTRLW.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
c:\program files\Common Files\AOL\1142882959\ee\AOLSoftware.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
c:\program files\Common Files\AOL\IPHSend\IPHSend.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
c:\program files\ltmoh\Ltmoh.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\progra~1\mcafee.com\agent\mcagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\progra~1\mcafee.com\agent\mcupdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
NDSTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
c:\program files\McAfee.com\VSO\oasclnt.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
c:\program files\TOSHIBA\Touch and Launch\PadExe.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qjane]
c:\windows\smsubdla.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-12-09 22:49 15691264 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-12 18:04 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 08:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
c:\program files\Synaptics\SynTP\SynTPEnh.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
c:\program files\Synaptics\SynTP\SynTPLpr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-03-11 23:03 73728 ----a-w- c:\windows\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TempRemove]
1998-12-19 15:06 7680 ----a-w- c:\program files\Crystal Ball\CB Predictor\Terminator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
c:\program files\Toshiba\Toshiba Applet\thotkey.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 05:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
c:\program files\Toshiba\Tvs\TvsTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\progra~1\mcafee.com\vso\mcvsshld.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\progra~1\mcafee.com\vso\mcmnhdlr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"TAPPSRV"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"SoundMovieServer"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
fastinit REG_SZ c:\windows\system32\dmrestat.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Steam\\steamapps\\voyaging\\counter-strike\\hl.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Nate\\Desktop\\new vex\\RedVex 3.exe"=

S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [8/9/2008 9:39 PM 3768]

--- Other Services/Drivers In Memory ---

*Deregistered* - gzvofiih
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\User_Feed_Synchronization-{3BA7B010-1B73-448B-B453-88D416BAADA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Nate\Application Data\Mozilla\Firefox\Profiles\etwl49t0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 05:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gzvofiih]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dmrestat.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-04 05:31:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 09:31
ComboFix2.txt 2010-06-04 08:23

Pre-Run: 42,581,983,232 bytes free
Post-Run: 42,597,986,304 bytes free

- - End Of File - - 000C1EA99CD851B9BC5D2EF54D58B664


#10 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,208 posts
  • Gender:Female
  • Location:Romania

Posted 04 June 2010 - 04:49 AM

Hi, please run the following script also and let me know how things are running now.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Folder::
c:\windows\system32\DLA\bak

FCopy::
c:\program files\AIM6\bak\aim6.exe | c:\program files\AIM6\aim6.exe
c:\program files\QuickTime\bak\qttask.exe | c:\program files\QuickTime\QTTask.exe
c:\windows\system32\bak\MRT.exe | c:\windows\system32\MRT.exe

Driver::
gzvofiih

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#11 ndtokar

ndtokar
  • Topic Starter

  • Members
  • 8 posts

Posted 04 June 2010 - 03:11 PM

Thanks Elise, here's the ComboFix.txt log.

ComboFix 10-06-03.01 - Nate 06/04/2010 15:48:44.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.98 [GMT -4:00]
Running from: c:\documents and settings\Nate\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nate\Desktop\CFScript.txt.txt
.
The following files were disabled during the run:
c:\windows\system32\dmrestat.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\DLA\bak
c:\windows\system32\DLA\bak\DLACTRLW.exe

.
--------------- FCopy ---------------

c:\program files\AIM6\bak\aim6.exe --> c:\program files\AIM6\aim6.exe
c:\program files\QuickTime\bak\qttask.exe --> c:\program files\QuickTime\QTTask.exe
c:\windows\system32\bak\MRT.exe --> c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GZVOFIIH
-------\Service_gzvofiih


((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-03 02:25 . 2010-06-03 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-03 02:25 . 2010-06-03 02:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-02 13:15 . 2010-06-03 02:33 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\jdxcfamye
2010-06-01 22:08 . 2010-06-04 04:48 0 ----a-w- c:\windows\Dwihe.bin
2010-06-01 22:07 . 2010-06-04 06:51 120 ----a-w- c:\windows\Qvuhoge.dat
2010-05-31 16:03 . 2010-05-31 16:03 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\Help
2010-05-31 06:58 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-05-31 06:56 . 2008-08-14 10:04 138496 -c----w- c:\windows\system32\dllcache\afd.sys
2010-05-31 06:56 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-05-31 06:56 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-31 06:55 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-05-31 06:50 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\scripting
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\l2schemas
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\en
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\bits
2010-05-30 07:35 . 2010-05-30 07:35 -------- d-----w- c:\windows\EHome
2010-05-29 19:54 . 2010-05-29 19:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-29 19:52 . 2010-06-04 19:56 772096 ----a-w- c:\windows\system32\drivers\gzvofiih.sys
2010-05-29 19:51 . 2010-05-29 19:51 40960 ----a-w- c:\windows\system32\dmrestat.dll
2010-05-29 19:51 . 2010-05-29 19:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-29 19:50 . 2010-05-29 19:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-sh--w- c:\documents and settings\Nate\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 19:48 . 2006-03-20 19:30 -------- d-----w- c:\program files\QuickTime
2010-06-04 19:48 . 2007-02-05 20:08 -------- d-----w- c:\program files\AIM6
2010-06-04 09:38 . 2009-06-07 00:31 -------- d-----w- c:\program files\Diablo II
2010-06-04 09:23 . 2006-03-20 18:46 -------- d-----w- c:\program files\ltmoh
2010-06-04 07:38 . 2008-04-16 02:26 -------- d-----w- c:\program files\LimeWire
2010-06-03 02:26 . 2006-09-30 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 20:59 . 2006-08-13 19:49 71032 ----a-w- c:\documents and settings\Nate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-30 07:48 . 2006-03-20 18:08 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-29 19:51 . 2010-05-29 19:51 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
2010-05-07 17:52 . 2010-01-21 02:54 -------- d-----w- c:\program files\MINITAB 14 Student
2010-04-29 19:39 . 2006-09-30 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2006-09-30 15:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 01:25 . 2010-04-08 01:06 -------- d-----w- c:\documents and settings\Nate\Application Data\EndNote
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Thomson.ResearchSoft.Installers
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\Risxtd
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\ResearchSoft
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\program files\EndNote X3
2010-03-26 03:04 . 2009-06-07 00:37 43081 ----a-w- c:\windows\DIIUnin.dat
2010-03-10 06:15 . 2006-03-20 16:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-11-07 15:29 . 2006-11-07 15:29 50736 c:\program files\AIM6\bak\aim6.exe
2008-10-31 19:22 . 2006-11-07 15:29 50736 c:\program files\AIM6\aim6.exe

2006-03-20 19:30 . 2006-03-20 19:30 98304 c:\program files\QuickTime\bak\qttask.exe
2009-11-11 04:08 . 2006-03-20 19:30 98304 c:\program files\QuickTime\QTTask.exe

2007-02-05 18:26 . 2007-02-05 18:26 171448 c:\qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe.vir

2006-11-02 00:05 . 2006-11-02 00:05 163576 c:\qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe.vir

2006-03-20 18:46 . 2006-03-04 04:30 184320 c:\qoobox\Quarantine\C\Program Files\ltmoh\bak\Ltmoh.exe.vir

2006-03-20 18:42 . 2006-03-03 00:02 761948 c:\qoobox\Quarantine\C\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe.vir

2006-03-20 18:42 . 2006-03-03 00:03 82012 c:\qoobox\Quarantine\C\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe.vir

2006-03-20 18:57 . 2004-12-30 08:32 65536 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe.vir

2006-03-20 18:40 . 2006-03-06 22:03 356352 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe.vir

2006-03-20 19:11 . 2005-04-27 00:13 122880 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe.vir

2006-03-20 19:09 . 2005-12-06 06:06 1077322 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe.vir

2006-04-10 18:58 . 2006-02-02 19:11 73728 c:\qoobox\Quarantine\C\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe.vir

2006-03-20 19:08 . 2005-03-18 01:37 151552 c:\qoobox\Quarantine\C\TOSHIBA\IVP\ISM\bak\pinger.exe.vir

2006-03-20 19:19 . 2005-10-06 13:20 122940 c:\qoobox\Quarantine\C\WINDOWS\system32\DLA\bak\DLACTRLW.exe.vir

2006-03-20 16:49 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2006-03-20 16:49 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2007-02-13 02:23 . 2007-09-06 02:50 17474680 c:\windows\system32\bak\MRT.exe
2007-02-13 02:23 . 2007-09-06 02:50 17474680 c:\windows\system32\MRT.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-20 98304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-04 04:29 88204 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2006-11-07 15:29 50736 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
c:\program files\America Online 9.0\AOL.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ceedo AutoDetect]
c:\docume~1\Nate\LOCALS~1\Temp\AutoDetect.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
c:\windows\system32\dla\DLACTRLW.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
c:\program files\Common Files\AOL\1142882959\ee\AOLSoftware.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
c:\program files\Common Files\AOL\IPHSend\IPHSend.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
c:\program files\ltmoh\Ltmoh.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\progra~1\mcafee.com\agent\mcagent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\progra~1\mcafee.com\agent\mcupdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
NDSTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
c:\program files\McAfee.com\VSO\oasclnt.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
c:\program files\TOSHIBA\Touch and Launch\PadExe.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
c:\toshiba\ivp\ism\pinger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qjane]
c:\windows\smsubdla.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-03-20 19:30 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-12-09 22:49 15691264 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-12 18:04 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 08:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
c:\program files\Synaptics\SynTP\SynTPEnh.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
c:\program files\Synaptics\SynTP\SynTPLpr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-03-11 23:03 73728 ----a-w- c:\windows\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TempRemove]
1998-12-19 15:06 7680 ----a-w- c:\program files\Crystal Ball\CB Predictor\Terminator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
c:\program files\Toshiba\Toshiba Applet\thotkey.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 05:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
c:\program files\Toshiba\Tvs\TvsTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\progra~1\mcafee.com\vso\mcvsshld.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\progra~1\mcafee.com\vso\mcmnhdlr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"TAPPSRV"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"SoundMovieServer"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
fastinit REG_SZ c:\windows\system32\dmrestat.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Steam\\steamapps\\voyaging\\counter-strike\\hl.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Nate\\Desktop\\new vex\\RedVex 3.exe"=

S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [8/9/2008 9:39 PM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\User_Feed_Synchronization-{3BA7B010-1B73-448B-B453-88D416BAADA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Nate\Application Data\Mozilla\Firefox\Profiles\etwl49t0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 15:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dmrestat.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-04 16:01:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 20:01
ComboFix2.txt 2010-06-04 09:31
ComboFix3.txt 2010-06-04 08:23

Pre-Run: 42,592,112,640 bytes free
Post-Run: 42,434,818,048 bytes free

- - End Of File - - 3A70E98B3736496ECDAA669F2FBF76C4


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:11 PM

Posted 05 June 2010 - 02:09 AM

That looks better. Please run the following script as a CFScript (for instructions on running a CFScript, see my last post).

Please let me know how things are running now.

CODE
Folder::
c:\windows\system32\bak
c:\program files\AIM6\bak
c:\program files\QuickTime\bak

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 ndtokar

ndtokar
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:11 PM

Posted 05 June 2010 - 12:40 PM

Things are running MUCH BETTER!! THANK YOU!!!!

ComboFix 10-06-03.01 - Nate 06/05/2010 12:59:24.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.257 [GMT -4:00]
Running from: c:\documents and settings\Nate\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nate\Desktop\CFScript.txt.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AIM6\bak
c:\program files\AIM6\bak\aim6.exe
c:\program files\QuickTime\bak
c:\program files\QuickTime\bak\qttask.exe
c:\windows\system32\bak
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\MRT.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-03 02:25 . 2010-06-03 02:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-03 02:25 . 2010-06-03 02:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-02 13:15 . 2010-06-03 02:33 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\jdxcfamye
2010-06-01 22:08 . 2010-06-04 04:48 0 ----a-w- c:\windows\Dwihe.bin
2010-06-01 22:07 . 2010-06-04 06:51 120 ----a-w- c:\windows\Qvuhoge.dat
2010-05-31 16:03 . 2010-05-31 16:03 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\Help
2010-05-31 06:58 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-05-31 06:56 . 2008-08-14 10:04 138496 -c----w- c:\windows\system32\dllcache\afd.sys
2010-05-31 06:56 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-05-31 06:56 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-05-31 06:55 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-05-31 06:50 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\scripting
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\l2schemas
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\en
2010-05-30 07:46 . 2010-05-30 07:46 -------- d-----w- c:\windows\system32\bits
2010-05-30 07:35 . 2010-05-30 07:35 -------- d-----w- c:\windows\EHome
2010-05-29 19:54 . 2010-05-29 19:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-29 19:52 . 2010-06-04 19:56 772096 ----a-w- c:\windows\system32\drivers\gzvofiih.sys
2010-05-29 19:51 . 2010-05-29 19:51 40960 ----a-w- c:\windows\system32\dmrestat.dll.vir
2010-05-29 19:51 . 2010-05-29 19:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-29 19:50 . 2010-05-29 19:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-08 18:23 . 2010-05-08 18:23 -------- d-sh--w- c:\documents and settings\Nate\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 17:05 . 2007-02-05 20:08 -------- d-----w- c:\program files\AIM6
2010-06-05 17:05 . 2006-03-20 19:30 -------- d-----w- c:\program files\QuickTime
2010-06-05 16:27 . 2009-06-07 00:31 -------- d-----w- c:\program files\Diablo II
2010-06-04 09:23 . 2006-03-20 18:46 -------- d-----w- c:\program files\ltmoh
2010-06-04 07:38 . 2008-04-16 02:26 -------- d-----w- c:\program files\LimeWire
2010-06-03 02:26 . 2006-09-30 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 20:59 . 2006-08-13 19:49 71032 ----a-w- c:\documents and settings\Nate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-30 07:48 . 2006-03-20 18:08 77607 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-29 19:51 . 2010-05-29 19:51 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
2010-05-07 17:52 . 2010-01-21 02:54 -------- d-----w- c:\program files\MINITAB 14 Student
2010-04-29 19:39 . 2006-09-30 15:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2006-09-30 15:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 01:25 . 2010-04-08 01:06 -------- d-----w- c:\documents and settings\Nate\Application Data\EndNote
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Thomson.ResearchSoft.Installers
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\Risxtd
2010-04-08 00:59 . 2010-04-08 00:59 -------- d-----w- c:\program files\Common Files\ResearchSoft
2010-04-08 00:59 . 2010-04-08 00:57 -------- d-----w- c:\program files\EndNote X3
2010-03-26 03:04 . 2009-06-07 00:37 43081 ----a-w- c:\windows\DIIUnin.dat
2010-03-10 06:15 . 2006-03-20 16:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-04_08.19.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-03-20 16:49 . 2009-06-25 08:25 54272 c:\windows\system32\wdigest.dll
- 2006-03-20 16:49 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2006-03-20 16:49 . 2009-06-25 08:25 56832 c:\windows\system32\secur32.dll
+ 2006-03-20 16:48 . 2009-06-24 11:18 92928 c:\windows\system32\drivers\ksecdd.sys
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2006-03-20 16:49 . 2009-06-25 08:25 147456 c:\windows\system32\schannel.dll
+ 2006-03-20 16:48 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
+ 2006-03-20 16:48 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2010-05-31 06:54 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2007-02-13 02:23 . 2007-09-06 02:50 17474680 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-20 98304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Nate^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Nate\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-03-04 04:29 88204 ----a-w- c:\windows\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2006-11-07 15:29 50736 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 01:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-03-20 19:30 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2005-12-09 22:49 15691264 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-06-12 18:04 1217784 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 08:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-03-11 23:03 73728 ----a-w- c:\windows\system32\TDispVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TempRemove]
1998-12-19 15:06 7680 ----a-w- c:\program files\Crystal Ball\CB Predictor\Terminator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 05:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"TAPPSRV"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"SoundMovieServer"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"gusvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
fastinit REG_SZ c:\windows\system32\dmrestat.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Steam\\steamapps\\voyaging\\counter-strike\\hl.exe"=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Nate\\Desktop\\new vex\\RedVex 3.exe"=

S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [8/9/2008 9:39 PM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\User_Feed_Synchronization-{3BA7B010-1B73-448B-B453-88D416BAADA2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Nate\Application Data\Mozilla\Firefox\Profiles\etwl49t0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AOL Fast Start - c:\program files\America Online 9.0\AOL.EXE
MSConfigStartUp-Ceedo AutoDetect - c:\docume~1\Nate\LOCALS~1\Temp\AutoDetect.exe
MSConfigStartUp-dla - c:\windows\system32\dla\DLACTRLW.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1142882959\ee\AOLSoftware.exe
MSConfigStartUp-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
MSConfigStartUp-LtMoh - c:\program files\ltmoh\Ltmoh.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
MSConfigStartUp-Pinger - c:\toshiba\ivp\ism\pinger.exe
MSConfigStartUp-Qjane - c:\windows\smsubdla.dll
MSConfigStartUp-SmoothView - c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-SynTPEnh - c:\program files\Synaptics\SynTP\SynTPEnh.exe
MSConfigStartUp-SynTPLpr - c:\program files\Synaptics\SynTP\SynTPLpr.exe
MSConfigStartUp-TFncKy - TFncKy.exe
MSConfigStartUp-THotkey - c:\program files\Toshiba\Toshiba Applet\thotkey.exe
MSConfigStartUp-TOSCDSPD - c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe
MSConfigStartUp-Tvs - c:\program files\Toshiba\Tvs\TvsTray.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-05 13:09:47
ComboFix-quarantined-files.txt 2010-06-05 17:09
ComboFix2.txt 2010-06-04 20:01
ComboFix3.txt 2010-06-04 09:31
ComboFix4.txt 2010-06-04 08:23

Pre-Run: 42,389,970,944 bytes free
Post-Run: 42,398,949,376 bytes free

- - End Of File - - 925D00D10DD3A801A2731841F5940BD4


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:11 PM

Posted 05 June 2010 - 01:59 PM

Good to hear that! All active malware is also gone, so let's do some updating and double-checking.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

regards, Elise




#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:11 PM

Posted 10 June 2010 - 06:19 AM

Hello, are you still there?

regards, Elise



