
spyware/adware popup


  • This topic is locked
26 replies to this topic

#1 woodman3041
  • Members
  • 17 posts

Posted 12 July 2010 - 07:11 PM

Can't attach the ark.txt. Computer freezes up and reboots before it can finish.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by woodman at 18:35:36.62 on Sun 07/11/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.446.115 [GMT -4:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6253\SiteAdv.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6253\SiteAdv.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [svchost] c:\users\woodman\appdata\local\temp\y.exy
uRun: [japofoseru] Rundll32.exe "c:\programdata\pasufizi\pasufizi.dll",s
uRun: [tikudikek] Rundll32.exe "c:\progra~2\gitoribo\gitoribo.dll",a
uRun: [iynpsnlx] c:\users\woodman\appdata\local\jctuldtho\sacjxlqtssd.exe
uRun: [yfikkqpm] c:\users\woodman\appdata\local\hjbmncdjo\tieiipctssd.exe
uRun: [riiirdvi] c:\users\woodman\appdata\local\rlqkogfoc\tfynatutssd.exe
uRun: [ngpvrakg] c:\users\woodman\appdata\local\paiiouudg\ttnkgnatssd.exe
uRun: [lpyeuven] c:\users\woodman\appdata\local\cbfhpvvfk\tstvdgotssd.exe
uRun: [iahmwrwv] c:\users\woodman\appdata\local\nbcgpwwgp\trbgaydtssd.exe
uRun: [wmsfqlon] c:\users\woodman\appdata\local\vcofphxru\tikdnxwtssd.exe
uRun: [iewjswxe] c:\users\woodman\appdata\local\opafpilrk\thbimhetssd.exe
uRun: [yhaukuvp] c:\users\woodman\appdata\local\jpqfprlbm\tydtcnjtssd.exe
uRun: [jjngncyn] c:\users\woodman\appdata\local\oeyeptaeg\txbkxpftssd.exe
uRun: [exoywnlt] c:\users\woodman\appdata\local\mqteplmvt\tgpdgsitssd.exe
uRun: [gsvoqxsu] c:\users\woodman\appdata\local\bevdquafk\twiuuiutssd.exe
uRun: [chwhyjeb] c:\users\woodman\appdata\local\yrqdqmnwx\tfvndlwtssd.exe
uRun: [ljktdqiy] c:\users\woodman\appdata\local\efycqocar\tetdynstssd.exe
uRun: [wbowebrp] c:\users\woodman\appdata\local\wskcqppah\tdkixwbtssd.exe
uRun: [pyyxpjwc] c:\users\woodman\appdata\local\ggcbqidta\tlfmdsrtssd.exe
uRun: [cqdcqtht] c:\users\woodman\appdata\local\atnbqjquo\tkvrbcytssd.exe
uRun: [jxjybqcp] c:\users\woodman\appdata\local\qttarbqmr\tsbpiojtssd.exe
uRun: [emkrkdou] c:\users\woodman\appdata\local\nhoarseef\tbojqrltssd.exe
uRun: [lsqntakr] c:\users\woodman\appdata\local\ehuyrlewi\tjthwevtssd.exe
uRun: [wkurulti] c:\users\woodman\appdata\local\xugyrlrxx\tjkmvndtssd.exe
uRun: [qjfsgtyu] c:\users\woodman\appdata\local\hiyxrfgqq\tqfqbjttssd.exe
uRun: [semiadgw] c:\users\woodman\appdata\local\vvaxrotbh\thxipxgtssd.exe
uRun: [jhotrbei] c:\users\woodman\appdata\local\qvqxrxtki\tybtgeltssd.exe
uRun: [akrfkacs] c:\users\woodman\appdata\local\mwgwrhttk\tpdgwkqtssd.exe
uRun: [qnupcxae] c:\users\woodman\appdata\local\iwwwrpudl\tgfsnqvtssd.exe
uRun: [xtbmmvva] c:\users\woodman\appdata\local\ywdwsiuuo\tokqtdftssd.exe
uRun: [nxdxfttl] c:\users\woodman\appdata\roaming\twtvsrueq\tgmdkjktssd.exe
uRun: [lmcdduoc] c:\users\woodman\appdata\local\gmousekrp\tutptkatssd.exe
uRun: [cyljmeog] c:\users\woodman\appdata\local\docrtjnxi\trvghhhtssd.exe
uRun: [jfqgvbjc] c:\users\woodman\appdata\local\toiqtcnql\taaeotrtssd.exe
uRun: [cebghjpo] c:\users\woodman\appdata\local\ddaqtuckd\thvitpitssd.exe
uRun: [sherahma] c:\users\woodman\appdata\local\ydqptecsf\txxtkvntssd.exe
uRun: [fyivbswq] c:\users\woodman\appdata\roaming\rqbpueptt\txoyifutssd.exe
uRun: [vclhsquc] c:\users\woodman\appdata\local\mqrpunpdv\toqlylatssd.exe
uRun: [qqmacdgh] c:\users\woodman\appdata\local\kdmpufduj\txfehoctssd.exe
uRun: [htpltces] c:\users\woodman\appdata\local\gddouodel\tohqxuhtssd.exe
uRun: [ciqednqx] c:\users\woodman\appdata\local\dqxougqvy\twvkgxjtssd.exe
uRun: [xwswmace] c:\users\woodman\appdata\local\betouxdnm\tfjdnbmtssd.exe
uRun: [qvdwxihq] c:\users\woodman\appdata\local\lrlnuqrgf\tnfgswdtssd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6253\SiteAdv.dll
AppInit_DLLs: c:\progra~1\google\google~1\googledesktopnetwork3.dll c:\progra~1\google\google~1\GOEC62~1.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-3-13 214664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-11 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-11 144704]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-3-13 30192]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-11 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-3-13 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-3-13 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-3-13 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-3-13 40552]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-11 22:31:53 0 ----a-w- c:\users\woodman\defogger_reenable
2010-07-10 10:36:36 65536 --sha-w- c:\users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TM.blf
2010-07-10 10:36:36 524288 --sha-w- c:\users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000002.regtrans-ms
2010-07-10 10:36:36 524288 --sha-w- c:\users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000001.regtrans-ms
2010-07-09 11:53:37 0 d-----w- c:\users\woodman\appdata\roaming\rqbpueptt
2010-07-09 11:52:41 0 d-----w- c:\users\woodman\appdata\roaming\twtvsrueq
2010-06-24 07:08:49 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 07:08:49 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 07:08:49 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 07:08:49 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 07:08:49 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 23:36:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 23:36:28 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2010-05-26 16:16:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25:15 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53:49 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55:52 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 16:10:05 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-02-15 22:03:22 174 --sha-w- c:\program files\desktop.ini
2009-02-15 21:54:27 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-02-15 21:54:27 86016 ----a-w- c:\windows\inf\infstor.dat
2009-02-15 21:54:27 51200 ----a-w- c:\windows\inf\infpub.dat
2009-02-15 21:35:24 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 07:35:30 245760 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat
2009-06-11 07:28:52 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-03-13 17:04:49 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:36:31.16 ===============


Edited by woodman3041, 12 July 2010 - 07:13 PM.
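Two things in the DDS output above are what a responder would pull out first, and both are visible in the log itself: the WinINET proxy is set to `http=127.0.0.1:5577`, so every HTTP request Internet Explorer makes is relayed through a process listening on the machine itself (if nothing is listening on that port, the browser cannot connect at all, which is consistent with the "internet refuses to open" symptom reported later in the thread); and HKCU Run holds about forty entries with random eight-letter names that launch executables from random-named folders under AppData, alongside an entry named `svchost` that actually points at `...\Temp\y.exy` and two Rundll32 entries loading DLLs from ProgramData. The script below is an added example and is not part of the original post, of DDS, or of any tool mentioned in the thread. It parses DDS-style `uRun:`/`mRun:` and `ProxyServer` lines and flags entries matching those patterns. The embedded sample log is a constructed excerpt modelled on the lines above, and the heuristics (`RANDOM_TOKEN`, `USER_WRITABLE`, `SYSTEM_NAMES`, `CODE_EXTS`) are thresholds I chose for this example rather than DDS or BleepingComputer rules; the output is a triage list to read, not a removal script.

```python
import re

# Constructed excerpt modelled on the DDS "Pseudo HJT Report" lines in the post
# above; it is not the complete log and exists only so the script runs offline.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [svchost] c:\users\woodman\appdata\local\temp\y.exy
uRun: [japofoseru] Rundll32.exe "c:\programdata\pasufizi\pasufizi.dll",s
uRun: [iynpsnlx] c:\users\woodman\appdata\local\jctuldtho\sacjxlqtssd.exe
uRun: [nxdxfttl] c:\users\woodman\appdata\roaming\twtvsrueq\tgmdkjktssd.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
"""

# DDS line shapes: "uRun: [name] command" (u = HKCU, m = HKLM, d = default user)
# and "uInternet Settings,ProxyServer = value".
RUN_RE = re.compile(r"^[umd]Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")
# First drive-letter path in a command line: a quoted path may contain spaces,
# an unquoted one ends at whitespace or at the comma before a rundll32 export.
PATH_RE = re.compile(r'(?i)"(?P<q>[a-z]:\\[^"]+)"|(?P<u>[a-z]:\\[^\s,]+)')

# Heuristic thresholds below are assumptions made for this example, not DDS rules.
RANDOM_TOKEN = re.compile(r"^[a-z]{8,12}$")      # e.g. "iynpsnlx", "jctuldtho"
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer"}
CODE_EXTS = (".exe", ".dll", ".scr", ".com")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def extract_path(cmd):
    """Return the first drive-letter path in a Run command, or None."""
    m = PATH_RE.search(cmd)
    if not m:
        return None
    return m.group("q") or m.group("u")


def assess_run_entry(name, cmd):
    """Return the list of reasons an autorun entry looks suspicious (empty if none)."""
    reasons = []
    lname = name.lower()
    path = extract_path(cmd)
    # A value named like a core Windows process that does not run from System32.
    if lname in SYSTEM_NAMES and (path is None or "\\windows\\system32\\" not in path.lower()):
        reasons.append("system process name used for an autorun outside System32")
    if path is None:
        return reasons
    lp = path.lower()
    parts = lp.split("\\")
    parent = parts[-2] if len(parts) >= 2 else ""
    in_user_dir = any(marker in lp for marker in USER_WRITABLE)
    # Random-looking value name or parent folder, in a location any user can write to.
    if in_user_dir and (RANDOM_TOKEN.match(parent) or RANDOM_TOKEN.match(lname)):
        reasons.append("random-looking name in a user-writable location")
    if "rundll32" in cmd.lower() and lp.endswith(".dll") and in_user_dir:
        reasons.append("rundll32 loading a DLL from a user-writable location")
    if not lp.endswith(CODE_EXTS):
        reasons.append("unusual file extension for an autorun target: %r" % parts[-1])
    return reasons


def assess_proxy(value):
    """Flag WinINET proxy settings that point at the local machine."""
    reasons = []
    for part in value.split(";"):                 # e.g. "http=127.0.0.1:5577;https=..."
        host_port = part.split("=", 1)[-1]
        host = host_port.rsplit(":", 1)[0].strip("[]")
        if host.lower() in LOOPBACK:
            reasons.append("proxy points at loopback (%s): browser traffic is relayed "
                           "through a local process" % host_port)
    return reasons


def triage(log_text):
    """Scan DDS output; return [(entry_name, [reasons]), ...] for suspicious lines only."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            reasons = assess_run_entry(m.group("name"), m.group("cmd"))
            if reasons:
                findings.append((m.group("name"), reasons))
            continue
        m = PROXY_RE.match(line)
        if m:
            reasons = assess_proxy(m.group("proxy"))
            if reasons:
                findings.append(("ProxyServer", reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_DDS):
        print(entry)
        for r in why:
            print("   -", r)
```

To use it on a real DDS log, call `triage(open("DDS.txt").read())`. The name-shape heuristic will also catch some legitimate software that installs under AppData with an odd folder name, so every hit still needs a look at the file itself; what makes the log above unambiguous is the combination: a loopback proxy on a high port that no installed product accounts for, a `svchost` value pointing at a `.exy` file in Temp, and a burst of same-day random autoruns whose target files DDS could not size.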



#2 aommaster
  • Malware Response Team
  • 5,294 posts
  • Location: Dubai

Posted 17 July 2010 - 01:16 AM

Hello, woodman3041.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason :)
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 woodman3041
  • Topic Starter
  • Members
  • 17 posts

Posted 18 July 2010 - 12:31 PM

Thanks for helping.

The internet refuses to open up. GMER freezes up in regular mode, so I ran it in safe mode. All it found was one line. I am including it.

Hope that helps...

Logfile of random's system information tool 1.08 (written by random/random)
Run by woodman at 2010-07-17 12:22:44
Microsoft® Windows Vista™ Home Basic Service Pack 1
System drive C: has 30 GB (46%) free of 66 GB
Total RAM: 446 MB (13% free)

HijackThis download failed

======Scheduled tasks folder======

C:\Windows\tasks\agixhspd.job
C:\Windows\tasks\cowtvfyh.job
C:\Windows\tasks\hncpohru.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{689F87F7-7B7B-4D94-9A81-C499F095905A}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2009-07-30 909040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{089FD14D-132B-48FC-8861-0048AE113215}]
C:\Program Files\SiteAdvisor\6253\SiteAdv.dll [2007-12-04 927008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mskapbho.dll [2009-07-08 246800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-03-13 2193280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2006-11-17 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-12-02 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll [2009-07-30 159472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-03-13 2193280]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2009-07-30 909040]
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll [2007-12-04 927008]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-12 30192]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6253\SiteAdv.exe [2007-03-30 36904]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2006-12-08 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2006-12-08 7766016]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2006-12-08 81920]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-12-02 149280]
"MRT"=C:\Windows\system32\MRT.exe [2010-05-28 32472008]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"=oobefldr.dll,ShowWelcomeCenter []
"svchost"=C:\Users\woodman\AppData\Local\Temp\y.exy []
"japofoseru"=C:\ProgramData\pasufizi\pasufizi.dll,s []
"tikudikek"=c:\PROGRA~2\gitoribo\gitoribo.dll,a []
"iynpsnlx"=C:\Users\woodman\AppData\Local\jctuldtho\sacjxlqtssd.exe []
"yfikkqpm"=C:\Users\woodman\AppData\Local\hjbmncdjo\tieiipctssd.exe []
"riiirdvi"=C:\Users\woodman\AppData\Local\rlqkogfoc\tfynatutssd.exe []
"ngpvrakg"=C:\Users\woodman\AppData\Local\paiiouudg\ttnkgnatssd.exe []
"lpyeuven"=C:\Users\woodman\AppData\Local\cbfhpvvfk\tstvdgotssd.exe []
"iahmwrwv"=C:\Users\woodman\AppData\Local\nbcgpwwgp\trbgaydtssd.exe []
"wmsfqlon"=C:\Users\woodman\AppData\Local\vcofphxru\tikdnxwtssd.exe []
"iewjswxe"=C:\Users\woodman\AppData\Local\opafpilrk\thbimhetssd.exe []
"yhaukuvp"=C:\Users\woodman\AppData\Local\jpqfprlbm\tydtcnjtssd.exe []
"jjngncyn"=C:\Users\woodman\AppData\Local\oeyeptaeg\txbkxpftssd.exe []
"exoywnlt"=C:\Users\woodman\AppData\Local\mqteplmvt\tgpdgsitssd.exe []
"gsvoqxsu"=C:\Users\woodman\AppData\Local\bevdquafk\twiuuiutssd.exe []
"chwhyjeb"=C:\Users\woodman\AppData\Local\yrqdqmnwx\tfvndlwtssd.exe []
"ljktdqiy"=C:\Users\woodman\AppData\Local\efycqocar\tetdynstssd.exe []
"wbowebrp"=C:\Users\woodman\AppData\Local\wskcqppah\tdkixwbtssd.exe []
"pyyxpjwc"=C:\Users\woodman\AppData\Local\ggcbqidta\tlfmdsrtssd.exe []
"cqdcqtht"=C:\Users\woodman\AppData\Local\atnbqjquo\tkvrbcytssd.exe []
"jxjybqcp"=C:\Users\woodman\AppData\Local\qttarbqmr\tsbpiojtssd.exe []
"emkrkdou"=C:\Users\woodman\AppData\Local\nhoarseef\tbojqrltssd.exe []
"lsqntakr"=C:\Users\woodman\AppData\Local\ehuyrlewi\tjthwevtssd.exe []
"wkurulti"=C:\Users\woodman\AppData\Local\xugyrlrxx\tjkmvndtssd.exe []
"qjfsgtyu"=C:\Users\woodman\AppData\Local\hiyxrfgqq\tqfqbjttssd.exe []
"semiadgw"=C:\Users\woodman\AppData\Local\vvaxrotbh\thxipxgtssd.exe []
"jhotrbei"=C:\Users\woodman\AppData\Local\qvqxrxtki\tybtgeltssd.exe []
"akrfkacs"=C:\Users\woodman\AppData\Local\mwgwrhttk\tpdgwkqtssd.exe []
"qnupcxae"=C:\Users\woodman\AppData\Local\iwwwrpudl\tgfsnqvtssd.exe []
"xtbmmvva"=C:\Users\woodman\AppData\Local\ywdwsiuuo\tokqtdftssd.exe []
"nxdxfttl"=C:\Users\woodman\AppData\Roaming\twtvsrueq\tgmdkjktssd.exe [2010-07-09 288000]
"lmcdduoc"=C:\Users\woodman\AppData\Local\gmousekrp\tutptkatssd.exe []
"cyljmeog"=C:\Users\woodman\AppData\Local\docrtjnxi\trvghhhtssd.exe []
"jfqgvbjc"=C:\Users\woodman\AppData\Local\toiqtcnql\taaeotrtssd.exe []
"cebghjpo"=C:\Users\woodman\AppData\Local\ddaqtuckd\thvitpitssd.exe []
"sherahma"=C:\Users\woodman\AppData\Local\ydqptecsf\txxtkvntssd.exe []
"fyivbswq"=C:\Users\woodman\AppData\Roaming\rqbpueptt\txoyifutssd.exe [2010-07-09 288000]
"vclhsquc"=C:\Users\woodman\AppData\Local\mqrpunpdv\toqlylatssd.exe []
"qqmacdgh"=C:\Users\woodman\AppData\Local\kdmpufduj\txfehoctssd.exe []
"htpltces"=C:\Users\woodman\AppData\Local\gddouodel\tohqxuhtssd.exe []
"ciqednqx"=C:\Users\woodman\AppData\Local\dqxougqvy\twvkgxjtssd.exe []
"xwswmace"=C:\Users\woodman\AppData\Local\betouxdnm\tfjdnbmtssd.exe []
"qvdwxihq"=C:\Users\woodman\AppData\Local\lrlnuqrgf\tnfgswdtssd.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe [2006-11-12 446976]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
c:\dell\E-Center\EULALauncher.exe [2006-11-17 17920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1175753636\ee\AOLSoftware.exe [2006-09-25 50736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-02-08 488984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe [2007-02-08 774168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2009-05-26 4351216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2007-12-26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
C:\Windows\sttray.exe [2007-02-08 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\PROGRA~1\DIGITA~1\DLG.exe [2006-09-22 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
C:\PROGRA~1\Nikon\PICTUR~1\NKBMON~1.EXE [2006-10-16 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^StupAssist.lnk]
C:\PROGRA~1\COMMON~1\Nikon\UTILIT~1\STUPAS~1.EXE [2004-04-29 31744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2010-07-17 12:18:40 ----D---- C:\rsit
2010-07-11 19:20:16 ----D---- C:\Windows\Minidump
2010-07-11 18:39:51 ----A---- C:\fwddyfob.sys
2010-07-11 18:39:09 ----D---- C:\gmer
2010-07-09 07:53:37 ----D---- C:\Users\woodman\AppData\Roaming\rqbpueptt
2010-07-09 07:52:41 ----D---- C:\Users\woodman\AppData\Roaming\twtvsrueq
2010-06-25 03:05:38 ----D---- C:\Program Files\Microsoft.NET
2010-06-24 03:08:49 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2010-06-24 03:08:49 ----A---- C:\Windows\system32\PresentationHost.exe
2010-06-24 03:08:49 ----A---- C:\Windows\system32\netfxperf.dll
2010-06-24 03:08:49 ----A---- C:\Windows\system32\mscoree.dll
2010-06-24 03:08:49 ----A---- C:\Windows\system32\dfshim.dll
2010-06-23 19:36:31 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-06-23 19:36:28 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll

======List of files/folders modified in the last 1 months======

2010-07-17 12:23:24 ----D---- C:\Windows\Temp
2010-07-17 12:23:00 ----SHD---- C:\Windows\Installer
2010-07-17 12:22:51 ----A---- C:\Windows\win.ini
2010-07-17 12:22:37 ----D---- C:\Windows\Prefetch
2010-07-17 12:12:58 ----D---- C:\Windows\system32\catroot
2010-07-17 12:12:51 ----D---- C:\Windows\winsxs
2010-07-17 12:05:09 ----SHD---- C:\System Volume Information
2010-07-17 11:44:48 ----A---- C:\Windows\ntbtlog.txt
2010-07-12 14:33:06 ----D---- C:\Windows\System32
2010-07-12 14:33:06 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-07-12 14:32:58 ----D---- C:\Windows\inf
2010-07-11 19:26:06 ----D---- C:\Windows\system32\drivers
2010-07-11 19:25:51 ----D---- C:\Windows\system32\drivers\UMDF
2010-07-11 19:20:16 ----D---- C:\Windows
2010-07-09 03:01:09 ----D---- C:\Config.Msi
2010-07-02 03:03:11 ----D---- C:\Windows\system32\catroot2
2010-06-25 03:45:12 ----D---- C:\Windows\Microsoft.NET
2010-06-25 03:45:09 ----RSD---- C:\Windows\assembly
2010-06-25 03:05:53 ----D---- C:\Windows\system32\en-US
2010-06-25 03:05:38 ----RD---- C:\Program Files
2010-06-24 03:26:06 ----D---- C:\Windows\AppPatch
2010-06-20 11:16:11 ----D---- C:\Program Files\McAfee

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2006-11-30 36528]
R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R2 dsunidrv;dsunidrv; \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys [2006-08-17 7424]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-12-08 4456416]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-02-08 647680]
R3 wanatw;WAN Miniport (ATW); C:\Windows\system32\DRIVERS\wanatw4.sys [2006-11-01 33588]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
S3 catchme;catchme; \??\C:\Users\woodman\AppData\Local\Temp\catchme.sys []
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [2006-10-05 4736]
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 LVcKap;Logitech AEC Driver; C:\Windows\system32\DRIVERS\LVcKap.sys [2007-02-06 1691808]
S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\Windows\system32\DRIVERS\LVMVDrv.sys [2007-02-06 1964064]
S3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\Windows\system32\DRIVERS\LVPr2Mon.sys [2007-02-06 25632]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\Windows\system32\drivers\LVUSBSta.sys [2007-02-03 41504]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 PID_0928;Logitech QuickCam Express(PID_0928); C:\Windows\system32\DRIVERS\LV561AV.SYS [2007-02-03 490784]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2010-06-10 865832]
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 MSK80Service;McAfee SpamKiller Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-07-08 26640]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-12 30192]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S4 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
S4 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2006-11-07 70656]
S4 GameConsoleService;GameConsoleService; C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe [2009-11-09 238328]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 LVPrcSrv;Process Monitor; c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe [2007-02-06 109344]
S4 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-02-06 105248]
S4 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
S4 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.08 2010-07-17 12:19:26

======Uninstall list======

-->"C:\Program Files\Dell Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\Dell Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\Dell Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\Dell Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\Dell Games\Dell Game Console\Uninstall.exe"
-->"C:\Program Files\Dell Games\Dell Media Center Game Console\Uninstall.exe"
-->"C:\Program Files\Dell Games\FATE\Uninstall.exe"
-->"C:\Program Files\Dell Games\JEOPARDY\Uninstall.exe"
-->"C:\Program Files\Dell Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\Dell Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\Dell Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\Dell Games\SCRABBLE\Uninstall.exe"
-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
ArcSoft Panorama Maker 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
Conexant D850 PCI V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -IDel200fz.inf
Corel Paint Shop Pro Photo XI-->MsiExec.exe /I{93A1B09E-BAFA-4628-A5B6-921CB026955A}
Corel Snapfire Plus-->MsiExec.exe /I{7ADE3A47-B425-45E9-8FF6-11BE2B775645}
Dell Games-->"C:\Program Files\Dell Games\Uninstall.exe"
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\Setup.exe -runfromtemp -l0x0009 -removeonly
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Documentation & Support Launcher-->MsiExec.exe /I{89CEAE14-DD0F-448E-9554-15781EC9DB24}
EarthLink Setup Files-->MsiExec.exe /X{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Games, Music, & Photos Launcher-->MsiExec.exe /I{3E25E350-949F-4DB7-8288-2A60E018B4C1}
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Customer Participation Program 8.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet All-In-One Software 8.0-->C:\Program Files\HP\Digital Imaging\{24557DC0-0839-496f-82F9-C4EB72EFE4FA}\setup\hpzscr01.exe -datfile hposcr12.dat
HP Imaging Device Functions 8.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential-->MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}
HP Solution Center 8.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{FE57DE70-95DE-4B64-9266-84DA811053DB}
HPSSupply-->MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
Internet Service Offers Launcher-->MsiExec.exe /I{CCFF1E13-77A2-4032-8B12-7566982A27DF}
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Logitech Audio Echo Cancellation Component-->MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech QuickCam-->MsiExec.exe /X{7D2370AC-D8E6-4996-986A-19824F8A167C}
Logitech Video Enumerator-->MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MVision-->MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Nikon Message Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
PictureProject In Touch Downloader 1.0-->C:\Program Files\PictureProject In Touch Downloader\uninst.exe
PictureProject-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Comm

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-18 09:01:10
Windows 6.0.6001 Service Pack 1
Running: yb65epe7.exe; Driver: C:\Users\woodman\AppData\Local\Temp\fwddyfob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by aommaster, 18 July 2010 - 12:49 PM.


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:42 PM

Posted 18 July 2010 - 12:52 PM

Hello, woodman3041.
Please copy and paste logs directly into your reply as they make it easier for me to read. I noticed the info.txt file is incomplete too. Was that how it came out from RSIT? (You can find the info.txt file from C:\rsit)

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". For more details, please check this thread.
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 woodman3041

woodman3041
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 18 July 2010 - 06:28 PM

Yes, that was how it came out. I copied and pasted exactly (I hope).
Here is the combofix file. I think it ran successfully.
Thanks!

ComboFix 10-07-16.02 - woodman 07/18/2010 18:09:23.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.446.126 [GMT -4:00]
Running from: c:\users\woodman\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.tmp
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.dll
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\energy.drv
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\fan.dll
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\fix.dll
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\fix.drv
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\FW.tmp
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\kernel32.exe
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\PE.tmp
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\runddl.sys
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\snl2w.exe
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
c:\users\woodman\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
c:\users\woodman\AppData\Roaming\My Security Engine
c:\users\woodman\AppData\Roaming\My Security Engine\Instructions.ini
c:\windows\system32\%appdata%
c:\windows\Tasks\agixhspd.job
c:\windows\Tasks\cowtvfyh.job
c:\windows\Tasks\hncpohru.job

.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-09 11:53 . 2010-07-18 19:29 -------- d-----w- c:\users\woodman\AppData\Roaming\rqbpueptt
2010-07-09 11:52 . 2010-07-18 19:29 -------- d-----w- c:\users\woodman\AppData\Roaming\twtvsrueq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 17:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-11 23:26 . 2010-07-11 23:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-07-11 22:39 . 2010-07-11 22:39 93056 ----a-w- C:\fwddyfob.sys
2010-06-25 07:05 . 2010-06-25 07:05 -------- d-----w- c:\program files\Microsoft.NET
2010-06-20 15:16 . 2007-03-13 09:30 -------- d-----w- c:\program files\McAfee
2010-06-11 07:36 . 2010-05-11 15:09 -------- d-sh--w- c:\programdata\7f358bc
2010-05-26 16:16 . 2010-06-11 05:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-11 05:12 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-23 00:20 . 2007-04-29 20:52 -------- d-----w- c:\users\woodman\AppData\Roaming\SiteAdvisor
2010-05-04 05:59 . 2010-06-11 05:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 05:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-11 05:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-11 05:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-11 05:11 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55 . 2010-05-25 17:33 2048 ----a-w- c:\windows\system32\tzres.dll
2007-03-13 17:04 . 2007-03-13 17:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 149280]
"MRT"="c:\windows\system32\MRT.exe" [2010-07-02 34045896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^StupAssist.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\StupAssist.lnk
backup=c:\windows\pss\StupAssist.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-11-12 06:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:19 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1175753636\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 06:12 488984 ----a-w- c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 06:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 19:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-27 00:18 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:16 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1875913452-3315754926-3748723504-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-12 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-06-14 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-07-18 c:\windows\Tasks\User_Feed_Synchronization-{689F87F7-7B7B-4D94-9A81-C499F095905A}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-japofoseru - c:\programdata\pasufizi\pasufizi.dll
HKCU-Run-tikudikek - c:\progra~2\gitoribo\gitoribo.dll
HKCU-Run-iynpsnlx - c:\users\woodman\AppData\Local\jctuldtho\sacjxlqtssd.exe
HKCU-Run-yfikkqpm - c:\users\woodman\AppData\Local\hjbmncdjo\tieiipctssd.exe
HKCU-Run-riiirdvi - c:\users\woodman\AppData\Local\rlqkogfoc\tfynatutssd.exe
HKCU-Run-ngpvrakg - c:\users\woodman\AppData\Local\paiiouudg\ttnkgnatssd.exe
HKCU-Run-lpyeuven - c:\users\woodman\AppData\Local\cbfhpvvfk\tstvdgotssd.exe
HKCU-Run-iahmwrwv - c:\users\woodman\AppData\Local\nbcgpwwgp\trbgaydtssd.exe
HKCU-Run-wmsfqlon - c:\users\woodman\AppData\Local\vcofphxru\tikdnxwtssd.exe
HKCU-Run-iewjswxe - c:\users\woodman\AppData\Local\opafpilrk\thbimhetssd.exe
HKCU-Run-yhaukuvp - c:\users\woodman\AppData\Local\jpqfprlbm\tydtcnjtssd.exe
HKCU-Run-jjngncyn - c:\users\woodman\AppData\Local\oeyeptaeg\txbkxpftssd.exe
HKCU-Run-exoywnlt - c:\users\woodman\AppData\Local\mqteplmvt\tgpdgsitssd.exe
HKCU-Run-gsvoqxsu - c:\users\woodman\AppData\Local\bevdquafk\twiuuiutssd.exe
HKCU-Run-chwhyjeb - c:\users\woodman\AppData\Local\yrqdqmnwx\tfvndlwtssd.exe
HKCU-Run-ljktdqiy - c:\users\woodman\AppData\Local\efycqocar\tetdynstssd.exe
HKCU-Run-wbowebrp - c:\users\woodman\AppData\Local\wskcqppah\tdkixwbtssd.exe
HKCU-Run-pyyxpjwc - c:\users\woodman\AppData\Local\ggcbqidta\tlfmdsrtssd.exe
HKCU-Run-cqdcqtht - c:\users\woodman\AppData\Local\atnbqjquo\tkvrbcytssd.exe
HKCU-Run-jxjybqcp - c:\users\woodman\AppData\Local\qttarbqmr\tsbpiojtssd.exe
HKCU-Run-emkrkdou - c:\users\woodman\AppData\Local\nhoarseef\tbojqrltssd.exe
HKCU-Run-lsqntakr - c:\users\woodman\AppData\Local\ehuyrlewi\tjthwevtssd.exe
HKCU-Run-wkurulti - c:\users\woodman\AppData\Local\xugyrlrxx\tjkmvndtssd.exe
HKCU-Run-qjfsgtyu - c:\users\woodman\AppData\Local\hiyxrfgqq\tqfqbjttssd.exe
HKCU-Run-semiadgw - c:\users\woodman\AppData\Local\vvaxrotbh\thxipxgtssd.exe
HKCU-Run-jhotrbei - c:\users\woodman\AppData\Local\qvqxrxtki\tybtgeltssd.exe
HKCU-Run-akrfkacs - c:\users\woodman\AppData\Local\mwgwrhttk\tpdgwkqtssd.exe
HKCU-Run-qnupcxae - c:\users\woodman\AppData\Local\iwwwrpudl\tgfsnqvtssd.exe
HKCU-Run-xtbmmvva - c:\users\woodman\AppData\Local\ywdwsiuuo\tokqtdftssd.exe
HKCU-Run-nxdxfttl - c:\users\woodman\AppData\Roaming\twtvsrueq\tgmdkjktssd.exe
HKCU-Run-lmcdduoc - c:\users\woodman\AppData\Local\gmousekrp\tutptkatssd.exe
HKCU-Run-cyljmeog - c:\users\woodman\AppData\Local\docrtjnxi\trvghhhtssd.exe
HKCU-Run-jfqgvbjc - c:\users\woodman\AppData\Local\toiqtcnql\taaeotrtssd.exe
HKCU-Run-cebghjpo - c:\users\woodman\AppData\Local\ddaqtuckd\thvitpitssd.exe
HKCU-Run-sherahma - c:\users\woodman\AppData\Local\ydqptecsf\txxtkvntssd.exe
HKCU-Run-fyivbswq - c:\users\woodman\AppData\Roaming\rqbpueptt\txoyifutssd.exe
HKCU-Run-vclhsquc - c:\users\woodman\AppData\Local\mqrpunpdv\toqlylatssd.exe
HKCU-Run-qqmacdgh - c:\users\woodman\AppData\Local\kdmpufduj\txfehoctssd.exe
HKCU-Run-htpltces - c:\users\woodman\AppData\Local\gddouodel\tohqxuhtssd.exe
HKCU-Run-ciqednqx - c:\users\woodman\AppData\Local\dqxougqvy\twvkgxjtssd.exe
HKCU-Run-xwswmace - c:\users\woodman\AppData\Local\betouxdnm\tfjdnbmtssd.exe
HKCU-Run-qvdwxihq - c:\users\woodman\AppData\Local\lrlnuqrgf\tnfgswdtssd.exe
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
MSConfigStartUp-IncrediMail - c:\program files\IncrediMail\bin\IncMail.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 18:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\mcafee_cMJgTYXghOxUlWx 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3224)
c:\program files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\System32\rundll32.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-07-18 19:01:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-18 23:00
ComboFix2.txt 2009-12-01 01:30

Pre-Run: 41,175,994,368 bytes free
Post-Run: 41,381,605,376 bytes free

- - End Of File - - 3D89E626E02BC837D1FDA535A844E7A8


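The "ORPHANS REMOVED" block above shows the pattern that matters in this log: dozens of HKCU Run values, each with a random lowercase name, each launching an executable from a random lowercase folder under the user's own AppData, and every executable name ending in the same four letters. The ComboFix log later in this thread adds a second tell, Internet Explorer's ProxyServer forced through 127.0.0.1 on a high port, which is how popup/adware families inject into every page the browser loads. The following triage script is an added example and not part of the thread or of ComboFix itself; the "random-looking name" rule (8 to 14 lowercase letters, nothing else), the cluster threshold of three, and the sample lines (copied from the logs in this thread) are choices made for this example.

```python
"""Triage of ComboFix-style autostart and proxy lines (added example, not ComboFix code).

Patterns targeted:
  * per-user Run entries whose target lives in a random-looking directory under
    AppData (legitimate updaters live there too, so AppData alone is not enough);
  * an IE ProxyServer value that routes the browser through the loopback interface;
  * clusters of executables whose names share one suffix, the mark of a dropper
    that fills names in from a template.
Thresholds are heuristics chosen for this example.
"""
import re
from collections import Counter

# ComboFix "ORPHANS REMOVED" form:   HKCU-Run-<name> - <path>
RUN_ORPHAN = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+?\.exe)\b", re.I)
# ComboFix "Reg Loading Points" form:   "<name>"="<path>" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+?\.exe)"', re.I)
PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
APPDATA_DIR = re.compile(r"\\AppData\\(?:Local|LocalLow|Roaming)\\(?P<dir>[^\\]+)\\", re.I)
# Loopback proxy: 127.x.x.x, localhost or [::1], optionally scheme-prefixed (http=...)
LOOPBACK = re.compile(r"(?:^|=|;)(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[::1\])(?::\d+)?", re.I)
# Heuristic: 8-14 lowercase letters and nothing else. Vendor folders (Google,
# Microsoft) keep their capitals in ComboFix output and are usually shorter.
RANDOM_TOKEN = re.compile(r"^[a-z]{8,14}$")


def looks_random(token):
    return bool(RANDOM_TOKEN.match(token))


def run_entry_reasons(name, path):
    """Reasons to distrust one Run entry; an empty list means nothing of note."""
    m = APPDATA_DIR.search(path)
    if not m:
        return []  # Program Files / Windows targets are out of scope for this check
    reasons = ["autostart target inside user-writable AppData"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    for label, token in (("directory", m.group("dir")), ("executable", stem), ("value name", name)):
        if looks_random(token):
            reasons.append(f"random-looking {label} {token!r}")
    # Require at least one random-name signal on top of the AppData location.
    return reasons if len(reasons) > 1 else []


def triage(lines):
    """Return (findings, clusters).

    findings: list of (log line, [reasons]) for every line worth a second look.
    clusters: Counter of the last four letters of flagged executable stems that
              occur three or more times (a template-generated name family).
    """
    findings, suffixes = [], Counter()
    for raw in lines:
        line = raw.strip()
        m = RUN_ORPHAN.match(line) or RUN_VALUE.match(line)
        if m:
            reasons = run_entry_reasons(m.group("name"), m.group("path"))
            if reasons:
                findings.append((line, reasons))
                stem = m.group("path").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
                suffixes[stem[-4:]] += 1
            continue
        m = PROXY.match(line)
        if m and LOOPBACK.search(m.group("value")):
            findings.append((line, ["browser proxy routed through loopback: " + m.group("value")]))
    clusters = Counter({k: v for k, v in suffixes.items() if v >= 3})
    return findings, clusters


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LINES = [
    r"HKCU-Run-riiirdvi - c:\users\woodman\AppData\Local\rlqkogfoc\tfynatutssd.exe",
    r"HKCU-Run-nxdxfttl - c:\users\woodman\AppData\Roaming\twtvsrueq\tgmdkjktssd.exe",
    r"HKCU-Run-wbowebrp - c:\users\woodman\AppData\Local\wskcqppah\tdkixwbtssd.exe",
    r"MSConfigStartUp-IncrediMail - c:\program files\IncrediMail\bin\IncMail.exe",
    r'"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]',
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    r"uInternet Settings,ProxyOverride = <local>",
]

if __name__ == "__main__":
    found, groups = triage(SAMPLE_LINES)
    for line, reasons in found:
        print(line)
        for r in reasons:
            print("    -", r)
    print("name clusters (stem suffix -> count):", dict(groups))
```

Run it against a full ComboFix.txt with `triage(open("ComboFix.txt", errors="replace"))`. Two caveats a practitioner would apply: a loopback proxy is not malicious by itself (debugging proxies and some web-filtering products set the same value), so treat it as a lead to confirm by finding which process listens on that port; and the random-name rule is a heuristic that will miss droppers using mixed case or digits, which is why the script also reports the suffix clusters rather than relying on any one line.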
#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:42 PM

Posted 18 July 2010 - 06:59 PM

Hello, woodman3041.
It's fine. Just a bit odd.

We'll use another scanner after this. Mind you, ComboFix may ask to upload a sample for analysis; please allow it to do so.
We need to run a ComboFix script.
  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/331150/spywareadware-popup/

    Collect::
    c:\users\woodman\AppData\Roaming\rqbpueptt
    c:\users\woodman\AppData\Roaming\twtvsrueq
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NEXT:

We need to run OTL
  1. Please download OTL
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Change the "Extra Registry" option to "SafeList"
  6. Push the Run Scan button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply, please include the following:
  • ComboFix.txt
  • OTL Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 woodman3041

woodman3041
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:42 PM

Posted 19 July 2010 - 11:54 AM

Here are the two files...

ComboFix 10-07-18.03 - woodman 07/19/2010 10:12:50.3.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.446.120 [GMT -4:00]

Running from: c:\users\woodman\Desktop\ComboFix.exe
Command switches used :: c:\users\woodman\Desktop\cfscript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-19 14:27 . 2010-07-19 14:27 -------- d-----w- c:\users\woodman\AppData\Local\temp
2010-07-19 14:27 . 2010-07-19 14:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-19 14:27 . 2010-07-19 14:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-19 14:27 . 2010-07-19 14:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-19 14:09 . 2010-07-19 14:09 -------- d-----w- C:\32788R22FWJFW
2010-07-18 13:17 . 2010-07-18 13:17 -------- d-----w- C:\0aab9d54591cc73ea11188
2010-07-17 16:18 . 2010-07-17 16:19 -------- d-----w- C:\rsit
2010-07-11 22:39 . 2010-07-11 22:39 93056 ----a-w- C:\fwddyfob.sys
2010-07-11 22:39 . 2010-07-11 22:39 -------- d-----w- C:\gmer
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\lrlnuqrgf
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\dqxougqvy
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\betouxdnm
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\gddouodel
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\kdmpufduj
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\mqrpunpdv
2010-07-09 11:53 . 2010-07-18 19:29 -------- d-----w- c:\users\woodman\AppData\Roaming\rqbpueptt
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\rqbpueptt
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\ydqptecsf
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\ddaqtuckd
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\toiqtcnql
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\docrtjnxi
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\wskcqppah
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\efycqocar
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\yrqdqmnwx
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\bevdquafk
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\mqteplmvt
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\oeyeptaeg
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\jpqfprlbm
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\opafpilrk
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\vcofphxru
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\nbcgpwwgp
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\cbfhpvvfk
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\paiiouudg
2010-07-09 11:50 . 2010-07-09 11:50 -------- d-----w- c:\users\woodman\AppData\Local\rlqkogfoc
2010-07-09 11:50 . 2010-07-09 11:50 -------- d-----w- c:\users\woodman\AppData\Local\hjbmncdjo
2010-07-09 11:49 . 2010-07-09 11:50 -------- d-----w- c:\users\woodman\AppData\Local\jctuldtho
2010-06-25 07:05 . 2010-06-25 07:05 -------- d-----w- c:\program files\Microsoft.NET
2010-06-24 07:08 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 07:08 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 07:08 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 07:08 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 07:08 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 23:36 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 23:36 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 19:29 . 2010-07-09 11:52 -------- d-----w- c:\users\woodman\AppData\Roaming\twtvsrueq
2010-07-18 17:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-11 23:26 . 2010-07-11 23:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-06-20 15:16 . 2007-03-13 09:30 -------- d-----w- c:\program files\McAfee
2010-06-11 07:36 . 2010-05-11 15:09 -------- d-sh--w- c:\programdata\7f358bc
2010-05-26 16:16 . 2010-06-11 05:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-11 05:12 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-23 00:20 . 2007-04-29 20:52 -------- d-----w- c:\users\woodman\AppData\Roaming\SiteAdvisor
2010-05-04 05:59 . 2010-06-11 05:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 05:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-11 05:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-11 05:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-11 05:11 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55 . 2010-05-25 17:33 2048 ----a-w- c:\windows\system32\tzres.dll
2007-03-13 17:04 . 2007-03-13 17:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 149280]
"MRT"="c:\windows\system32\MRT.exe" [2010-07-02 34045896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^StupAssist.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\StupAssist.lnk
backup=c:\windows\pss\StupAssist.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-11-12 06:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:19 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1175753636\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 06:12 488984 ----a-w- c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 06:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 19:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-27 00:18 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:16 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1875913452-3315754926-3748723504-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-12 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-07-19 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-07-19 c:\windows\Tasks\User_Feed_Synchronization-{689F87F7-7B7B-4D94-9A81-C499F095905A}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 10:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-19 10:39:47
ComboFix-quarantined-files.txt 2010-07-19 14:39
ComboFix2.txt 2010-07-18 23:01
ComboFix3.txt 2009-12-01 01:30

Pre-Run: 39,341,592,576 bytes free
Post-Run: 39,211,134,976 bytes free

- - End Of File - - C534BA2FB49477D64D25428906C34CB9

OTL logfile created on: 7/19/2010 12:17:42 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\woodman\Desktop
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 134.00 Mb Available Physical Memory | 30.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 64.46 Gb Total Space | 36.55 Gb Free Space | 56.70% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.65 Gb Free Space | 66.52% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 247.22 Mb Total Space | 240.44 Mb Free Space | 97.26% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WOODMAN-PC
Current User Name: woodman
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/18 20:49:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/07/18 20:49:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
MOD - [2008/01/19 03:33:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/19 03:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/12 09:40:32 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
SRV - [2009/11/09 18:56:20 | 000,238,328 | ---- | M] (WildTangent, Inc.) [Disabled | Stopped] -- C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Disabled | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/02/06 18:47:12 | 000,105,248 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\logishrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/02/06 18:45:26 | 000,109,344 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2006/11/07 13:27:02 | 000,070,656 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Users\woodman\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2007/03/13 13:04:48 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/03/13 13:04:48 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/03/13 13:04:48 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/02/08 01:16:26 | 000,647,680 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/02/06 18:45:04 | 000,025,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2007/02/06 18:44:36 | 001,964,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/02/06 18:42:40 | 001,691,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/02/03 11:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/02/03 11:27:56 | 000,490,784 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/12/08 00:25:00 | 004,456,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 03:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/02 03:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 03:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/01 16:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2006/10/18 14:09:26 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/10/18 14:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/10/18 14:08:04 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/17 15:43:52 | 000,007,424 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\Program Files\DellSupport\Drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/08/04 20:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577



IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577



O1 HOSTS File: ([2010/07/18 18:34:03 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKLM..\RunOnce: [] File not found
O4 - HKLM..\RunOnce: [GrpConv] C:\Windows\System32\grpconv.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O9 - Extra Button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe File not found
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O15 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.76.227.40 208.180.42.68
O18 - Protocol\Handler\siteadvisor {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/19 10:39:50 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\temp
[2010/07/19 10:38:46 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/07/19 10:09:26 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/07/19 10:09:04 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/07/19 10:09:02 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/07/19 09:53:17 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
[2010/07/18 09:17:14 | 000,000,000 | ---D | C] -- C:\0aab9d54591cc73ea11188
[2010/07/17 12:18:40 | 000,000,000 | ---D | C] -- C:\rsit
[2010/07/11 19:20:16 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/07/11 18:39:51 | 000,093,056 | ---- | C] (GMER) -- C:\fwddyfob.sys
[2010/07/11 18:39:09 | 000,000,000 | ---D | C] -- C:\gmer
[2010/07/09 07:53:51 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\lrlnuqrgf
[2010/07/09 07:53:44 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\dqxougqvy
[2010/07/09 07:53:44 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\betouxdnm
[2010/07/09 07:53:42 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\gddouodel
[2010/07/09 07:53:40 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\kdmpufduj
[2010/07/09 07:53:39 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\mqrpunpdv
[2010/07/09 07:53:37 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Roaming\rqbpueptt
[2010/07/09 07:53:37 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\rqbpueptt
[2010/07/09 07:53:34 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ydqptecsf
[2010/07/09 07:53:32 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ddaqtuckd
[2010/07/09 07:53:25 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\toiqtcnql
[2010/07/09 07:53:21 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\docrtjnxi
[2010/07/09 07:52:57 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\gmousekrp
[2010/07/09 07:52:41 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Roaming\twtvsrueq
[2010/07/09 07:52:40 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\twtvsrueq
[2010/07/09 07:52:38 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ywdwsiuuo
[2010/07/09 07:52:34 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\iwwwrpudl
[2010/07/09 07:52:32 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\mwgwrhttk
[2010/07/09 07:52:30 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\qvqxrxtki
[2010/07/09 07:52:28 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\vvaxrotbh
[2010/07/09 07:52:24 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\hiyxrfgqq
[2010/07/09 07:52:16 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\xugyrlrxx
[2010/07/09 07:52:13 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ehuyrlewi
[2010/07/09 07:52:09 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\nhoarseef
[2010/07/09 07:52:08 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\qttarbqmr
[2010/07/09 07:52:04 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\atnbqjquo
[2010/07/09 07:52:01 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ggcbqidta
[2010/07/09 07:51:54 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\wskcqppah
[2010/07/09 07:51:51 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\efycqocar
[2010/07/09 07:51:47 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\yrqdqmnwx
[2010/07/09 07:51:41 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\bevdquafk
[2010/07/09 07:51:36 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\mqteplmvt
[2010/07/09 07:51:35 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\oeyeptaeg
[2010/07/09 07:51:26 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\jpqfprlbm
[2010/07/09 07:51:24 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\opafpilrk
[2010/07/09 07:51:21 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\vcofphxru
[2010/07/09 07:51:13 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\nbcgpwwgp
[2010/07/09 07:51:07 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\cbfhpvvfk
[2010/07/09 07:51:01 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\paiiouudg
[2010/07/09 07:50:38 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\rlqkogfoc
[2010/07/09 07:50:20 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\hjbmncdjo
[2010/07/09 07:49:12 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\jctuldtho
[2010/06/25 03:05:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/06/24 03:08:49 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010/06/24 03:08:49 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010/06/24 03:08:49 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010/06/23 19:36:31 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/06/23 19:36:28 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/19 12:17:38 | 003,670,016 | -HS- | M] () -- C:\Users\woodman\ntuser.dat
[2010/07/19 10:27:48 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/07/19 10:10:08 | 003,738,520 | R--- | M] () -- C:\Users\woodman\Desktop\ComboFix.exe
[2010/07/19 09:49:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/19 09:47:01 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{689F87F7-7B7B-4D94-9A81-C499F095905A}.job
[2010/07/19 09:45:19 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/19 09:45:19 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/19 09:44:53 | 000,005,457 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/07/19 09:43:05 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/19 09:40:48 | 000,524,288 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000001.regtrans-ms
[2010/07/19 09:40:48 | 000,065,536 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TM.blf
[2010/07/19 09:40:29 | 001,644,902 | -H-- | M] () -- C:\Users\woodman\AppData\Local\IconCache.db
[2010/07/19 09:38:03 | 000,000,179 | ---- | M] () -- C:\Windows\win.ini
[2010/07/19 01:00:11 | 000,000,356 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2010/07/18 20:49:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
[2010/07/18 18:34:03 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/18 13:13:50 | 187,589,473 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/07/17 12:17:14 | 000,293,376 | ---- | M] () -- C:\Users\woodman\Desktop\yb65epe7.exe
[2010/07/17 12:16:04 | 000,339,991 | ---- | M] () -- C:\Users\woodman\Desktop\RSIT.exe
[2010/07/12 14:33:06 | 000,703,388 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/12 14:33:06 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/12 14:33:06 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/11 19:26:06 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2010/07/11 18:39:51 | 000,093,056 | ---- | M] (GMER) -- C:\fwddyfob.sys
[2010/07/11 18:31:53 | 000,000,000 | ---- | M] () -- C:\Users\woodman\defogger_reenable
[2010/07/10 13:16:03 | 000,524,288 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000002.regtrans-ms
[2010/06/24 03:25:38 | 000,524,288 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{4ea5518f-64cb-11df-ae5a-00038a000015}.TMContainer00000000000000000001.regtrans-ms
[2010/06/24 03:25:38 | 000,065,536 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{4ea5518f-64cb-11df-ae5a-00038a000015}.TM.blf
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\ProgramData\pupimapu
[2010/07/19 10:07:39 | 003,738,520 | R--- | C] () -- C:\Users\woodman\Desktop\ComboFix.exe
[2010/07/17 12:34:07 | 000,293,376 | ---- | C] () -- C:\Users\woodman\Desktop\yb65epe7.exe
[2010/07/17 12:20:42 | 000,339,991 | ---- | C] () -- C:\Users\woodman\Desktop\RSIT.exe
[2010/07/11 19:26:06 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2010/07/11 19:19:57 | 187,589,473 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/07/11 18:31:53 | 000,000,000 | ---- | C] () -- C:\Users\woodman\defogger_reenable
[2010/07/10 06:36:36 | 000,524,288 | -HS- | C] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000002.regtrans-ms
[2010/07/10 06:36:36 | 000,524,288 | -HS- | C] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000001.regtrans-ms
[2010/07/10 06:36:36 | 000,065,536 | -HS- | C] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TM.blf
[2010/06/11 03:36:15 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2007/02/06 18:45:04 | 000,025,632 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2007/02/06 18:42:40 | 001,691,808 | ---- | C] () -- C:\Windows\System32\drivers\Lvckap.sys
[2007/02/03 09:59:04 | 000,050,127 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2006/11/02 06:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
< End of report >


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:42 PM

Posted 19 July 2010 - 01:07 PM

Hello, woodman3041.
Looks like we've got a bit more to clean.

We need to run a ComboFix script.
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/331150/spywareadware-popup/

    Collect::
    c:\users\woodman\AppData\Local\lrlnuqrgf
    c:\users\woodman\AppData\Local\dqxougqvy
    c:\users\woodman\AppData\Local\betouxdnm
    c:\users\woodman\AppData\Local\gddouodel
    c:\users\woodman\AppData\Local\kdmpufduj
    c:\users\woodman\AppData\Local\mqrpunpdv
    c:\users\woodman\AppData\Roaming\rqbpueptt
    c:\users\woodman\AppData\Local\rqbpueptt
    c:\users\woodman\AppData\Local\ydqptecsf
    c:\users\woodman\AppData\Local\ddaqtuckd
    c:\users\woodman\AppData\Local\toiqtcnql
    c:\users\woodman\AppData\Local\docrtjnxi
    c:\users\woodman\AppData\Local\wskcqppah
    c:\users\woodman\AppData\Local\efycqocar
    c:\users\woodman\AppData\Local\yrqdqmnwx
    c:\users\woodman\AppData\Local\bevdquafk
    c:\users\woodman\AppData\Local\mqteplmvt
    c:\users\woodman\AppData\Local\oeyeptaeg
    c:\users\woodman\AppData\Local\jpqfprlbm
    c:\users\woodman\AppData\Local\opafpilrk
    c:\users\woodman\AppData\Local\vcofphxru
    c:\users\woodman\AppData\Local\nbcgpwwgp
    c:\users\woodman\AppData\Local\cbfhpvvfk
    c:\users\woodman\AppData\Local\paiiouudg
    c:\users\woodman\AppData\Local\rlqkogfoc
    c:\users\woodman\AppData\Local\hjbmncdjo
    c:\users\woodman\AppData\Local\jctuldtho

    DirLook::
    c:\programdata\7f358bc
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript.txt onto ComboFix.exe.
  6. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM.
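The Collect:: list in the script above is built from the OTL entries for the burst of directories with random-looking names that appeared under the user's AppData within a few minutes on 2010/07/09; the same log also carries a file stamped 2099/01/01 (C:\ProgramData\pupimapu), a creation time in the future, which is a classic sign of a deliberately altered (timestomped) entry. The following Python script is an added example for this thread, not code from the original posts and not part of OTL or ComboFix: it parses OTL-style file lines, flags such bursts and future-dated entries, and renders the flagged paths as a ComboFix-style Collect:: section. The sample lines embedded in it are a constructed subset of the log above, and the thresholds (five-minute window, at least three entries, the vowel-ratio name test) and the REPORT_TIME value are assumptions chosen for illustration. It is a triage aid, not a verdict: anything it flags still needs a person to confirm, as the helper did here.

```python
"""Triage helper for OTL 'Files/Folders - Created' style lines.

Added example for this thread; not code from the original posts and not part
of OTL or ComboFix. It flags bursts of random-looking directory names under a
user's AppData and entries whose creation time lies in the future, then
renders the flagged paths as a ComboFix-style Collect:: section.
"""
import re
from datetime import datetime, timedelta

# OTL line shape: [YYYY/MM/DD HH:MM:SS | size | attrs | C or M] (Company) -- path
# The "(Company)" group is optional and may be an empty "()" as in the log above.
OTL_LINE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| ([-A-Z]{4}) \| [CM]\]"
    r"(?: \([^)]*\))? -- (.+?)\s*$"
)

# Leaf names that are nothing but 8 to 12 lowercase letters with few vowels.
# Heuristic chosen for illustration (an assumption, not a rule from the thread):
# real folder names such as "microsoft" sit above the vowel ratio, the
# "lrlnuqrgf" style names from the log sit below it.
RANDOM_NAME = re.compile(r"^[a-z]{8,12}$")
MAX_VOWEL_RATIO = 0.3

# Constructed sample: a subset of the OTL output posted above, same line format.
SAMPLE = r"""
[2010/07/19 09:53:17 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
[2010/07/09 07:53:51 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\lrlnuqrgf
[2010/07/09 07:53:44 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\dqxougqvy
[2010/07/09 07:53:37 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Roaming\rqbpueptt
[2010/07/09 07:52:41 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\twtvsrueq
[2010/06/25 03:05:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\ProgramData\pupimapu
"""

# Assumed time the OTL report was taken (an assumption for this example).
REPORT_TIME = datetime(2010, 7, 19, 12, 17, 38)


def parse_otl(text):
    """Return one dict per line that matches the OTL file/folder format."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            entries.append({
                "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "attrs": m.group(2),
                "path": m.group(3),
            })
    return entries


def is_random_name(name):
    """True for leaf names that look machine-generated (see RANDOM_NAME)."""
    if not RANDOM_NAME.match(name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < MAX_VOWEL_RATIO


def find_bursts(entries, window=timedelta(minutes=5), min_count=3):
    """Clusters of random-named directories under AppData created within `window`.

    A dropper that creates dozens of such folders in one pass leaves exactly
    this pattern; a single odd folder name on its own is not reported.
    """
    candidates = sorted(
        (e for e in entries
         if "D" in e["attrs"]
         and "\\AppData\\" in e["path"]
         and is_random_name(e["path"].rsplit("\\", 1)[-1])),
        key=lambda e: e["ts"],
    )
    bursts, current = [], []
    for e in candidates:
        if current and e["ts"] - current[0]["ts"] > window:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


def find_future_dated(entries, now=REPORT_TIME):
    """Entries whose creation time is later than the report itself (timestomping)."""
    return [e for e in entries if e["ts"] > now]


def build_collect_section(entries, now=REPORT_TIME):
    """Render flagged paths as a ComboFix-style Collect:: section."""
    paths = [e["path"] for burst in find_bursts(entries) for e in burst]
    paths += [e["path"] for e in find_future_dated(entries, now)]
    return "Collect::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(build_collect_section(parse_otl(SAMPLE)))
```

Run it against a saved OTL.txt by passing the file contents to parse_otl; the burst window and the name heuristic are deliberately loose so the output is a candidate list to review, not a script to submit unread.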


#9 woodman3041

woodman3041
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 19 July 2010 - 03:00 PM

Can't load directly on... says the file is too big.

Just FYI... the computer is still running and loading slowly, I can't get on the internet, and McAfee turns itself off.

I have to run everything from Safe Mode.

Thanks....

Attached Files
  • log3.txt (242.3 KB)


#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:42 PM

Posted 19 July 2010 - 03:12 PM

Hi!

That's odd. It doesn't appear that the ComboFix script ran through fine. Could you try running it again please?



#11 woodman3041


Posted 19 July 2010 - 03:55 PM

ComboFix 10-07-18.03 - woodman 07/19/2010 16:20:53.3.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.446.177 [GMT -4:00]
Running from: c:\users\woodman\Desktop\ComboFix.exe
Command switches used :: c:\users\woodman\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-19 20:35 . 2010-07-19 20:36 -------- d-----w- c:\users\woodman\AppData\Local\temp
2010-07-19 20:35 . 2010-07-19 20:35 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-19 20:35 . 2010-07-19 20:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-19 20:35 . 2010-07-19 20:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-19 20:16 . 2010-07-19 20:17 -------- d-----w- C:\32788R22FWJFW
2010-07-18 13:17 . 2010-07-18 13:17 -------- d-----w- C:\0aab9d54591cc73ea11188
2010-07-17 16:18 . 2010-07-17 16:19 -------- d-----w- C:\rsit
2010-07-11 22:39 . 2010-07-11 22:39 93056 ----a-w- C:\fwddyfob.sys
2010-07-11 22:39 . 2010-07-11 22:39 -------- d-----w- C:\gmer
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\lrlnuqrgf
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\dqxougqvy
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\betouxdnm
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\gddouodel
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\kdmpufduj
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\mqrpunpdv
2010-07-09 11:53 . 2010-07-18 19:29 -------- d-----w- c:\users\woodman\AppData\Roaming\rqbpueptt
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\rqbpueptt
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\ydqptecsf
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\ddaqtuckd
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\toiqtcnql
2010-07-09 11:53 . 2010-07-09 11:53 -------- d-----w- c:\users\woodman\AppData\Local\docrtjnxi
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\wskcqppah
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\efycqocar
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\yrqdqmnwx
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\bevdquafk
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\mqteplmvt
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\oeyeptaeg
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\jpqfprlbm
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\opafpilrk
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\vcofphxru
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\nbcgpwwgp
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\cbfhpvvfk
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- c:\users\woodman\AppData\Local\paiiouudg
2010-07-09 11:50 . 2010-07-09 11:50 -------- d-----w- c:\users\woodman\AppData\Local\rlqkogfoc
2010-07-09 11:50 . 2010-07-09 11:50 -------- d-----w- c:\users\woodman\AppData\Local\hjbmncdjo
2010-07-09 11:49 . 2010-07-09 11:50 -------- d-----w- c:\users\woodman\AppData\Local\jctuldtho
2010-06-25 07:05 . 2010-06-25 07:05 -------- d-----w- c:\program files\Microsoft.NET
2010-06-24 07:08 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 07:08 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 07:08 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 07:08 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 07:08 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 23:36 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 23:36 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-18 19:29 . 2010-07-09 11:52 -------- d-----w- c:\users\woodman\AppData\Roaming\twtvsrueq
2010-07-18 17:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-11 23:26 . 2010-07-11 23:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-06-20 15:16 . 2007-03-13 09:30 -------- d-----w- c:\program files\McAfee
2010-06-11 07:36 . 2010-05-11 15:09 -------- d-sh--w- c:\programdata\7f358bc
2010-05-26 16:16 . 2010-06-11 05:12 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-11 05:12 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-23 00:20 . 2007-04-29 20:52 -------- d-----w- c:\users\woodman\AppData\Roaming\SiteAdvisor
2010-05-04 05:59 . 2010-06-11 05:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 05:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-11 05:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-11 05:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-11 05:11 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55 . 2010-05-25 17:33 2048 ----a-w- c:\windows\system32\tzres.dll
2007-03-13 17:04 . 2007-03-13 17:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\7f358bc ----

2010-05-11 15:11 . 2010-05-11 15:11 4286 ----a-w- c:\programdata\7f358bc\mcp.ico
2010-05-11 15:11 . 2010-05-11 15:11 288 ----a-w- c:\programdata\7f358bc\026642.reg
2010-05-11 15:11 . 2010-05-11 15:11 4286 ----a-w- c:\programdata\7f358bc\MSE.ico
2010-05-11 15:11 . 2010-05-11 15:11 12294 ----a-w- c:\programdata\7f358bc\MSESys\vd952342.bd


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 36904]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 149280]
"MRT"="c:\windows\system32\MRT.exe" [2010-07-02 34045896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^StupAssist.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\StupAssist.lnk
backup=c:\windows\pss\StupAssist.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-11-12 06:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:19 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1175753636\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 06:12 488984 ----a-w- c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 06:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 19:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-12-27 00:18 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-08 05:16 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1875913452-3315754926-3748723504-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-12 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-07-19 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-07-19 c:\windows\Tasks\User_Feed_Synchronization-{689F87F7-7B7B-4D94-9A81-C499F095905A}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 16:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-19 16:47:57
ComboFix-quarantined-files.txt 2010-07-19 20:47
ComboFix2.txt 2010-07-19 18:51
ComboFix3.txt 2010-07-19 14:39
ComboFix4.txt 2010-07-18 23:01
ComboFix5.txt 2010-07-19 20:17

Pre-Run: 39,323,557,888 bytes free
Post-Run: 39,298,490,368 bytes free

- - End Of File - - 86FA89A451A898ECFA9DAC8042074E72


#12 aommaster


Posted 19 July 2010 - 04:16 PM

Hello, woodman3041.
Okay, let's run a more in-depth scanner.

We need to run a custom OTL scan.
  1. Please download OTL
  2. Save it to your desktop.
  3. Please run OTL on your desktop.
  4. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  5. Click the Run Scan button
  6. A report will open. Copy and Paste that report in your next reply.

In your next reply, please include the following:
  • OTL Log



#13 woodman3041


Posted 19 July 2010 - 05:05 PM

Here is the OTL log... I will attach the extras log

OTL logfile created on: 7/19/2010 5:44:56 PM - Run 3
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\woodman\Desktop
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 134.00 Mb Available Physical Memory | 30.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 64.46 Gb Total Space | 36.63 Gb Free Space | 56.83% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.65 Gb Free Space | 66.52% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 247.22 Mb Total Space | 240.10 Mb Free Space | 97.12% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WOODMAN-PC
Current User Name: woodman
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/18 20:49:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/07/18 20:49:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
MOD - [2008/01/19 03:33:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/19 03:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/12/12 09:40:32 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
SRV - [2009/11/09 18:56:20 | 000,238,328 | ---- | M] (WildTangent, Inc.) [Disabled | Stopped] -- C:\Program Files\Dell Games\Dell Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Disabled | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/02/06 18:47:12 | 000,105,248 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\logishrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/02/06 18:45:26 | 000,109,344 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2006/11/07 13:27:02 | 000,070,656 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Users\woodman\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2007/03/13 13:04:48 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/03/13 13:04:48 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/03/13 13:04:48 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/02/08 01:16:26 | 000,647,680 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/02/06 18:45:04 | 000,025,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2007/02/06 18:44:36 | 001,964,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/02/06 18:42:40 | 001,691,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/02/03 11:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/02/03 11:27:56 | 000,490,784 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/12/08 00:25:00 | 004,456,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 03:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/02 03:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 03:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/01 16:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2006/10/18 14:09:26 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/10/18 14:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/10/18 14:08:04 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/17 15:43:52 | 000,007,424 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\Program Files\DellSupport\Drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/08/04 20:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577



IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577



O1 HOSTS File: ([2010/07/18 18:34:03 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKLM..\RunOnce: [] File not found
O4 - HKLM..\RunOnce: [GrpConv] C:\Windows\System32\grpconv.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2008/10/22 05:43:27 | 000,000,000 | ---D | M]
O9 - Extra Button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe File not found
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O15 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.76.227.40 208.180.42.68
O18 - Protocol\Handler\siteadvisor {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/07/19 16:48:00 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\temp
[2010/07/19 16:46:57 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/07/19 16:16:40 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/07/19 16:16:38 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/07/19 10:09:26 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/07/19 09:53:17 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
[2010/07/18 09:17:14 | 000,000,000 | ---D | C] -- C:\0aab9d54591cc73ea11188
[2010/07/17 12:18:40 | 000,000,000 | ---D | C] -- C:\rsit
[2010/07/11 19:20:16 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/07/11 18:39:51 | 000,093,056 | ---- | C] (GMER) -- C:\fwddyfob.sys
[2010/07/11 18:39:09 | 000,000,000 | ---D | C] -- C:\gmer
[2010/07/09 07:53:51 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\lrlnuqrgf
[2010/07/09 07:53:44 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\dqxougqvy
[2010/07/09 07:53:44 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\betouxdnm
[2010/07/09 07:53:42 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\gddouodel
[2010/07/09 07:53:40 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\kdmpufduj
[2010/07/09 07:53:39 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\mqrpunpdv
[2010/07/09 07:53:37 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Roaming\rqbpueptt
[2010/07/09 07:53:37 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\rqbpueptt
[2010/07/09 07:53:34 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ydqptecsf
[2010/07/09 07:53:32 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ddaqtuckd
[2010/07/09 07:53:25 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\toiqtcnql
[2010/07/09 07:53:21 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\docrtjnxi
[2010/07/09 07:52:57 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\gmousekrp
[2010/07/09 07:52:41 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Roaming\twtvsrueq
[2010/07/09 07:52:40 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\twtvsrueq
[2010/07/09 07:52:38 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ywdwsiuuo
[2010/07/09 07:52:34 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\iwwwrpudl
[2010/07/09 07:52:32 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\mwgwrhttk
[2010/07/09 07:52:30 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\qvqxrxtki
[2010/07/09 07:52:28 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\vvaxrotbh
[2010/07/09 07:52:24 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\hiyxrfgqq
[2010/07/09 07:52:16 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\xugyrlrxx
[2010/07/09 07:52:13 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ehuyrlewi
[2010/07/09 07:52:09 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\nhoarseef
[2010/07/09 07:52:08 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\qttarbqmr
[2010/07/09 07:52:04 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\atnbqjquo
[2010/07/09 07:52:01 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\ggcbqidta
[2010/07/09 07:51:54 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\wskcqppah
[2010/07/09 07:51:51 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\efycqocar
[2010/07/09 07:51:47 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\yrqdqmnwx
[2010/07/09 07:51:41 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\bevdquafk
[2010/07/09 07:51:36 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\mqteplmvt
[2010/07/09 07:51:35 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\oeyeptaeg
[2010/07/09 07:51:26 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\jpqfprlbm
[2010/07/09 07:51:24 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\opafpilrk
[2010/07/09 07:51:21 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\vcofphxru
[2010/07/09 07:51:13 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\nbcgpwwgp
[2010/07/09 07:51:07 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\cbfhpvvfk
[2010/07/09 07:51:01 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\paiiouudg
[2010/07/09 07:50:38 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\rlqkogfoc
[2010/07/09 07:50:20 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\hjbmncdjo
[2010/07/09 07:49:12 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\jctuldtho
[2010/06/25 03:05:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/06/24 03:08:49 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010/06/24 03:08:49 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010/06/24 03:08:49 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010/06/23 19:36:31 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/06/23 19:36:28 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/19 17:44:25 | 003,670,016 | -HS- | M] () -- C:\Users\woodman\ntuser.dat
[2010/07/19 16:36:04 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/07/19 15:47:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/19 15:45:05 | 000,000,179 | ---- | M] () -- C:\Windows\win.ini
[2010/07/19 15:42:01 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{689F87F7-7B7B-4D94-9A81-C499F095905A}.job
[2010/07/19 15:41:24 | 000,005,457 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/07/19 15:39:47 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/19 15:39:47 | 000,003,552 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/19 15:39:40 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/19 15:39:37 | 000,289,504 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/07/19 15:37:47 | 000,524,288 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000001.regtrans-ms
[2010/07/19 15:37:47 | 000,065,536 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TM.blf
[2010/07/19 10:10:08 | 003,738,520 | R--- | M] () -- C:\Users\woodman\Desktop\ComboFix.exe
[2010/07/19 01:00:11 | 000,000,356 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2010/07/18 20:49:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\woodman\Desktop\OTL.exe
[2010/07/18 18:34:03 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/18 13:13:50 | 187,589,473 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/07/17 12:17:14 | 000,293,376 | ---- | M] () -- C:\Users\woodman\Desktop\yb65epe7.exe
[2010/07/17 12:16:04 | 000,339,991 | ---- | M] () -- C:\Users\woodman\Desktop\RSIT.exe
[2010/07/12 14:33:06 | 000,703,388 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/12 14:33:06 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/12 14:33:06 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/11 19:26:06 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2010/07/11 18:39:51 | 000,093,056 | ---- | M] (GMER) -- C:\fwddyfob.sys
[2010/07/11 18:31:53 | 000,000,000 | ---- | M] () -- C:\Users\woodman\defogger_reenable
[2010/07/10 13:16:03 | 000,524,288 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000002.regtrans-ms
[2010/06/24 03:25:38 | 000,524,288 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{4ea5518f-64cb-11df-ae5a-00038a000015}.TMContainer00000000000000000001.regtrans-ms
[2010/06/24 03:25:38 | 000,065,536 | -HS- | M] () -- C:\Users\woodman\ntuser.dat{4ea5518f-64cb-11df-ae5a-00038a000015}.TM.blf
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\ProgramData\pupimapu
[2010/07/19 10:07:39 | 003,738,520 | R--- | C] () -- C:\Users\woodman\Desktop\ComboFix.exe
[2010/07/17 12:34:07 | 000,293,376 | ---- | C] () -- C:\Users\woodman\Desktop\yb65epe7.exe
[2010/07/17 12:20:42 | 000,339,991 | ---- | C] () -- C:\Users\woodman\Desktop\RSIT.exe
[2010/07/11 19:26:06 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2010/07/11 19:19:57 | 187,589,473 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/07/11 18:31:53 | 000,000,000 | ---- | C] () -- C:\Users\woodman\defogger_reenable
[2010/07/10 06:36:36 | 000,524,288 | -HS- | C] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000002.regtrans-ms
[2010/07/10 06:36:36 | 000,524,288 | -HS- | C] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TMContainer00000000000000000001.regtrans-ms
[2010/07/10 06:36:36 | 000,065,536 | -HS- | C] () -- C:\Users\woodman\ntuser.dat{cf9ce160-8c0e-11df-9838-00038a000015}.TM.blf
[2010/06/11 03:36:15 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2007/02/06 18:45:04 | 000,025,632 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2007/02/06 18:42:40 | 001,691,808 | ---- | C] () -- C:\Windows\System32\drivers\Lvckap.sys
[2007/02/03 09:59:04 | 000,050,127 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2006/11/02 06:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 17:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2008/01/19 03:45:45 | 000,333,203 | RHS- | M] () -- C:\bootmgr
[2006/11/10 17:59:07 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2010/07/19 16:47:58 | 000,019,136 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/03/13 13:05:06 | 000,004,628 | RH-- | M] () -- C:\dell.sdr
[2010/07/11 18:39:51 | 000,093,056 | ---- | M] (GMER) -- C:\fwddyfob.sys
[2007/04/08 08:37:26 | 000,002,638 | -H-- | M] () -- C:\IPH.PH
[2010/07/19 15:47:20 | 1073,741,824 | -HS- | M] () -- C:\pagefile.sys
[2007/03/24 19:32:09 | 000,000,000 | ---- | M] () -- C:\palsound.txt
[2009/11/16 20:08:13 | 000,018,616 | ---- | M] () -- C:\RootRepeal report 11-16-09 (19-08-13).txt
[2007/03/13 05:38:40 | 000,000,070 | ---- | M] () -- C:\SystemInfo.ini
[2007/04/08 08:37:28 | 000,000,108 | -H-- | M] () -- C:\T4Metrics.log
[2009/04/19 08:50:50 | 000,000,594 | ---- | M] () -- C:\updatedatfix.log
[2007/04/07 08:01:40 | 000,000,158 | ---- | M] () -- C:\YServer.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
< End of report >


#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:42 PM

Posted 19 July 2010 - 05:17 PM

Hello, woodman3041.
We need to run a custom OTL fix.
  1. Please run OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    CODE
    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
    IE - HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
    O4 - HKLM..\RunOnce: [] File not found

    :files
    C:\Users\woodman\AppData\Local\lrlnuqrgf
    C:\Users\woodman\AppData\Local\dqxougqvy
    C:\Users\woodman\AppData\Local\betouxdnm
    C:\Users\woodman\AppData\Local\gddouodel
    C:\Users\woodman\AppData\Local\kdmpufduj
    C:\Users\woodman\AppData\Local\mqrpunpdv
    C:\Users\woodman\AppData\Roaming\rqbpueptt
    C:\Users\woodman\AppData\Local\rqbpueptt
    C:\Users\woodman\AppData\Local\ydqptecsf
    C:\Users\woodman\AppData\Local\ddaqtuckd
    C:\Users\woodman\AppData\Local\toiqtcnql
    C:\Users\woodman\AppData\Local\docrtjnxi
    C:\Users\woodman\AppData\Local\gmousekrp
    C:\Users\woodman\AppData\Roaming\twtvsrueq
    C:\Users\woodman\AppData\Local\twtvsrueq
    C:\Users\woodman\AppData\Local\ywdwsiuuo
    C:\Users\woodman\AppData\Local\iwwwrpudl
    C:\Users\woodman\AppData\Local\mwgwrhttk
    C:\Users\woodman\AppData\Local\qvqxrxtki
    C:\Users\woodman\AppData\Local\vvaxrotbh
    C:\Users\woodman\AppData\Local\hiyxrfgqq
    C:\Users\woodman\AppData\Local\xugyrlrxx
    C:\Users\woodman\AppData\Local\ehuyrlewi
    C:\Users\woodman\AppData\Local\nhoarseef
    C:\Users\woodman\AppData\Local\qttarbqmr
    C:\Users\woodman\AppData\Local\atnbqjquo
    C:\Users\woodman\AppData\Local\ggcbqidta
    C:\Users\woodman\AppData\Local\wskcqppah
    C:\Users\woodman\AppData\Local\efycqocar
    C:\Users\woodman\AppData\Local\yrqdqmnwx
    C:\Users\woodman\AppData\Local\bevdquafk
    C:\Users\woodman\AppData\Local\mqteplmvt
    C:\Users\woodman\AppData\Local\oeyeptaeg
    C:\Users\woodman\AppData\Local\jpqfprlbm
    C:\Users\woodman\AppData\Local\opafpilrk
    C:\Users\woodman\AppData\Local\vcofphxru
    C:\Users\woodman\AppData\Local\nbcgpwwgp
    C:\Users\woodman\AppData\Local\cbfhpvvfk
    C:\Users\woodman\AppData\Local\paiiouudg
    C:\Users\woodman\AppData\Local\rlqkogfoc
    C:\Users\woodman\AppData\Local\hjbmncdjo
    C:\Users\woodman\AppData\Local\jctuldtho
  3. Click the Run Fix button
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK
  6. A report will open. Copy and Paste that report in your next reply.

In your next reply, please include the following:
  • OTL Log
  • Fresh OTL.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
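A defender's triage check over the OTL log format posted in this thread: it parses the registry and file/folder line shapes OTL prints and flags the two findings the fix above targets, a loopback ProxyServer value and a burst of random-named directories under AppData. This is an added example, not OTL's or the poster's code; the sample lines are constructed from shapes seen in the thread, and the hostname proxy.corp.example and the S-1-5-19 proxy line are made up.

```python
"""Triage checks over OTL-style log lines (added example, not OTL's own code).

Two findings from the posted OTL log become repeatable checks:
  * an Internet Settings "ProxyServer" value pointing at loopback, i.e. a
    local proxy sitting between the browser and the network, and
  * a burst of random-named directories created under AppData in a short window.
"""
import re
from datetime import datetime, timedelta

# Registry line as OTL prints it, e.g.
#   IE - HKU\S-1-5-18\...\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+|HKLM)\\.*?: "ProxyServer" = (?P<value>.+)$'
)

# File/folder line as OTL prints it, e.g.
#   [2010/07/09 07:53:51 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\lrlnuqrgf
FILE_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| '
    r'(?P<attrs>[-A-Z]{4}) \| [CM]\](?: \([^)]*\))? -- (?P<path>.+)$'
)

# Names such as "lrlnuqrgf": lowercase letters only, no digits, dots or dashes.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,12}$")


def _is_loopback(host):
    host = host.strip().lower()
    return host == "localhost" or host.startswith("127.") or host in ("::1", "[::1]")


def loopback_proxies(lines):
    """Return (hive, value) for every ProxyServer entry whose target is loopback.

    The value may be "host:port" or "scheme=host:port;scheme=host:port".
    ProxyEnable is reported on a separate line; a loopback ProxyServer is worth
    reviewing even when ProxyEnable is 0, because any process running as the
    user can flip that flag later.
    """
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value").strip()
        for part in value.split(";"):
            host = part.split("=", 1)[-1].rsplit(":", 1)[0]
            if _is_loopback(host):
                hits.append((m.group("hive"), value))
                break
    return hits


def _entries(lines):
    """Yield parsed file/folder records from OTL file lines."""
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                "attrs": m.group("attrs"),
                "path": m.group("path"),
            }


def appdata_dir_burst(lines, window_minutes=10, threshold=5):
    """Return random-named AppData directories (oldest first) that were all
    created within one window of `window_minutes`, provided at least
    `threshold` of them exist; otherwise return []."""
    window = timedelta(minutes=window_minutes)
    dirs = []
    for e in _entries(lines):
        name = e["path"].rsplit("\\", 1)[-1]
        if "D" in e["attrs"] and "\\AppData\\" in e["path"] and RANDOM_NAME_RE.match(name):
            dirs.append(e)
    dirs.sort(key=lambda e: e["ts"])
    best, start = [], 0
    for end in range(len(dirs)):            # sliding window over creation times
        while dirs[end]["ts"] - dirs[start]["ts"] > window:
            start += 1
        if end - start + 1 > len(best):
            best = dirs[start:end + 1]
    return [e["path"] for e in best] if len(best) >= threshold else []


# Constructed sample: line shapes from the thread plus two benign, made-up lines.
SAMPLE_LOG = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080
[2010/07/09 07:53:51 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\lrlnuqrgf
[2010/07/09 07:53:44 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\dqxougqvy
[2010/07/09 07:53:37 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Roaming\rqbpueptt
[2010/07/09 07:52:41 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Roaming\twtvsrueq
[2010/07/09 07:49:12 | 000,000,000 | ---D | C] -- C:\Users\woodman\AppData\Local\jctuldtho
[2010/07/18 09:17:14 | 000,000,000 | ---D | C] -- C:\0aab9d54591cc73ea11188
[2010/06/25 03:05:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/07/19 16:16:40 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
""".strip().splitlines()


if __name__ == "__main__":
    for hive, value in loopback_proxies(SAMPLE_LOG):
        print(f"loopback proxy in {hive}: {value}")
    for path in appdata_dir_burst(SAMPLE_LOG):
        print(f"random-named AppData dir in burst: {path}")
```

Run against a full OTL.txt with `appdata_dir_burst(open("OTL.txt").read().splitlines())`; the thresholds are starting points to tune per environment.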


#15 woodman3041

woodman3041
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:42 PM

Posted 19 July 2010 - 05:34 PM

========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-1875913452-3315754926-3748723504-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ deleted successfully.
========== FILES ==========
C:\Users\woodman\AppData\Local\lrlnuqrgf folder moved successfully.
C:\Users\woodman\AppData\Local\dqxougqvy folder moved successfully.
C:\Users\woodman\AppData\Local\betouxdnm folder moved successfully.
C:\Users\woodman\AppData\Local\gddouodel folder moved successfully.
C:\Users\woodman\AppData\Local\kdmpufduj folder moved successfully.
C:\Users\woodman\AppData\Local\mqrpunpdv folder moved successfully.
C:\Users\woodman\AppData\Roaming\rqbpueptt folder moved successfully.
C:\Users\woodman\AppData\Local\rqbpueptt folder moved successfully.
C:\Users\woodman\AppData\Local\ydqptecsf folder moved successfully.
C:\Users\woodman\AppData\Local\ddaqtuckd folder moved successfully.
C:\Users\woodman\AppData\Local\toiqtcnql folder moved successfully.
C:\Users\woodman\AppData\Local\docrtjnxi folder moved successfully.
C:\Users\woodman\AppData\Local\gmousekrp folder moved successfully.
C:\Users\woodman\AppData\Roaming\twtvsrueq folder moved successfully.
C:\Users\woodman\AppData\Local\twtvsrueq folder moved successfully.
C:\Users\woodman\AppData\Local\ywdwsiuuo folder moved successfully.
C:\Users\woodman\AppData\Local\iwwwrpudl folder moved successfully.
C:\Users\woodman\AppData\Local\mwgwrhttk folder moved successfully.
C:\Users\woodman\AppData\Local\qvqxrxtki folder moved successfully.
C:\Users\woodman\AppData\Local\vvaxrotbh folder moved successfully.
C:\Users\woodman\AppData\Local\hiyxrfgqq folder moved successfully.
C:\Users\woodman\AppData\Local\xugyrlrxx folder moved successfully.
C:\Users\woodman\AppData\Local\ehuyrlewi folder moved successfully.
C:\Users\woodman\AppData\Local\nhoarseef folder moved successfully.
C:\Users\woodman\AppData\Local\qttarbqmr folder moved successfully.
C:\Users\woodman\AppData\Local\atnbqjquo folder moved successfully.
C:\Users\woodman\AppData\Local\ggcbqidta folder moved successfully.
C:\Users\woodman\AppData\Local\wskcqppah folder moved successfully.
C:\Users\woodman\AppData\Local\efycqocar folder moved successfully.
C:\Users\woodman\AppData\Local\yrqdqmnwx folder moved successfully.
C:\Users\woodman\AppData\Local\bevdquafk folder moved successfully.
C:\Users\woodman\AppData\Local\mqteplmvt folder moved successfully.
C:\Users\woodman\AppData\Local\oeyeptaeg folder moved successfully.
C:\Users\woodman\AppData\Local\jpqfprlbm folder moved successfully.
C:\Users\woodman\AppData\Local\opafpilrk folder moved successfully.
C:\Users\woodman\AppData\Local\vcofphxru folder moved successfully.
C:\Users\woodman\AppData\Local\nbcgpwwgp folder moved successfully.
C:\Users\woodman\AppData\Local\cbfhpvvfk folder moved successfully.
C:\Users\woodman\AppData\Local\paiiouudg folder moved successfully.
C:\Users\woodman\AppData\Local\rlqkogfoc folder moved successfully.
C:\Users\woodman\AppData\Local\hjbmncdjo folder moved successfully.
C:\Users\woodman\AppData\Local\jctuldtho folder moved successfully.

OTL by OldTimer - Version 3.2.9.1 log created on 07192010_182917




