
Trojan infection and reinfections


  • This topic is locked
24 replies to this topic

#1 Captain Nick

Captain Nick

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:29 AM

Posted 19 July 2010 - 11:29 PM

Unfortunately I have been infected with a recurring trojan.

IObit, Mbam, and SuperAntiSpyware (SAS) have all found and cleaned Trojan.Downloader, Trojan.FakeAlert, Trojan.DNSChanger, Malware.trace, rootkit.TDSS, Trojan-Agent/Gen-CDesc[Gen], Misleading.Defence Center, Gq1.exe, Gjyjua.exe, and ernel32.exe/dll... only to have them or others reinfecting!

I have also used MBAM and SAS in Safe Mode, and AVG Antivirus Rescue Disk and Kaspersky Rescue Disk from bootable disk... still with the trojans returning after cleaning and rebooting in normal mode.

I normally run Computer Associates Security Center, with Antivirus, AntiSpyware and Firewall. I got the trojan while using it. I have scanned from CA online with nothing found. When trying to scan from my computer, I get "CA A package failed to download successfully. Please try again later."

MBAM and SAS also failed to update. SAS did update when using TaskBar icon update.

However, as stated before, my computer reinfected after each fix. But that seems to be what happens with this type of infection.

ALSO THE GMER FILE IS INCOMPLETE. I ran it several times and each time it jumped to the BSOD, then rebooted. I tried to save the file as close to the end as I could. Again the GMER file, ark.txt is incomplete.

Thanks for your help.





#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:29 AM

Posted 26 July 2010 - 10:44 PM

Hello, Captain Nick.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  1. Please download DeFogger to your desktop.
  2. Double click DeFogger to run the tool.
  3. The application window will appear
  4. Click the Disable button to disable your CD Emulation drivers
  5. Click Yes to continue
  6. A 'Finished!' message will appear
  7. Click OK
  8. DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  1. Please Download Rootkit Unhooker Save it to your desktop.
  2. Now double-click on RKUnhookerLE.exe to run it.
  3. Click the Report tab, then click Scan.
  4. Check (Tick) Drivers and Stealth. Uncheck the rest, then click OK.
  5. Wait till the scanner has finished and then click File, Save Report.
  6. Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Captain Nick

Captain Nick
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:29 AM

Posted 28 July 2010 - 12:54 AM

Thanks for your reply.

I have gotten the computer to check good with my anti-virus programs, but it doesn't seem right. So if you don't mind, I will continue.


defogger_disable by jpshortstuff (23.02.10.1)
Log created at 23:37 on 27/07/2010 (Nick)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Already disabled


-=E.O.F=-


Logfile of random's system information tool 1.08 (written by random/random)
Run by Nick at 2010-07-27 23:45:04
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 342 GB (72%) free of 477 GB
Total RAM: 3325 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:45:13 PM, on 7/27/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\ModLEDKey.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\PSIService.exe
C:\Windows\system32\java.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_6fa9efce\STacSV.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Nick\Desktop\RSIT.exe
C:\Program Files\trend micro\Nick.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe"
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\Nick\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_6fa9efce\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9649 bytes

======Scheduled tasks folder======

C:\Windows\tasks\AWC AutoSweep.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-05-21 328248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2010-03-26 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-03-26 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-05-21 509496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2008-02-15 405504]
"IObit Security 360"=C:\Program Files\IObit\IObit Security 360\IS360tray.exe [2010-06-11 1280344]
"CAVRID"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe [2009-07-16 271600]
"QOELOADER"=C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe [2010-07-20 14064]
"capfasem"=C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe [2009-07-15 636144]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="UmxSbxExw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PFW]
C:\Windows\system32\UmxWnp.Dll [2007-06-06 79368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2010-07-27 23:40:35 ----D---- C:\rsit
2010-07-27 23:40:35 ----D---- C:\Program Files\trend micro
2010-07-20 22:35:10 ----A---- C:\Windows\system32\vetredir.dll
2010-07-20 22:35:10 ----A---- C:\Windows\system32\isafprod.dll
2010-07-20 22:35:10 ----A---- C:\Windows\system32\isafeif.dll
2010-07-20 22:35:10 ----A---- C:\Windows\system32\drivers\vet-rec.sys
2010-07-20 22:35:10 ----A---- C:\Windows\system32\drivers\vetmonnt.sys
2010-07-20 22:35:10 ----A---- C:\Windows\system32\drivers\vet-filt.sys
2010-07-20 22:35:10 ----A---- C:\Windows\system32\drivers\vetfddnt.sys
2010-07-20 22:35:10 ----A---- C:\Windows\system32\drivers\vetefile.sys
2010-07-20 22:35:10 ----A---- C:\Windows\system32\drivers\veteboot.sys
2010-07-20 22:16:16 ----ASH---- C:\hiberfil.sys
2010-07-19 00:10:59 ----SHD---- C:\$RECYCLE.BIN
2010-07-19 00:10:59 ----D---- C:\Windows\temp
2010-07-19 00:10:56 ----A---- C:\ComboFix.txt
2010-07-18 23:52:58 ----A---- C:\Windows\zip.exe
2010-07-18 23:52:58 ----A---- C:\Windows\SWSC.exe
2010-07-18 23:52:58 ----A---- C:\Windows\SWREG.exe
2010-07-18 23:52:58 ----A---- C:\Windows\sed.exe
2010-07-18 23:52:58 ----A---- C:\Windows\PEV.exe
2010-07-18 23:52:58 ----A---- C:\Windows\NIRCMD.exe
2010-07-18 23:52:58 ----A---- C:\Windows\MBR.exe
2010-07-18 23:52:58 ----A---- C:\Windows\grep.exe
2010-07-18 23:52:03 ----A---- C:\Windows\SWXCACLS.exe
2010-07-18 23:46:00 ----D---- C:\Windows\ERDNT
2010-07-18 23:43:29 ----D---- C:\Config.msi
2010-07-18 23:36:35 ----D---- C:\Qoobox
2010-07-18 14:18:32 ----D---- C:\Program Files\SUPERAntiSpyware
2010-07-18 10:29:40 ----D---- C:\ProgramData\IObit
2010-07-17 22:15:24 ----D---- C:\Users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2010-07-17 22:15:24 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2010-07-17 11:58:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-17 11:23:21 ----A---- C:\Windows\ntbtlog.txt
2010-07-16 22:58:39 ----A---- C:\TDSSKiller.2.3.2.2_16.07.2010_22.58.39_log.txt
2010-07-16 10:06:37 ----A---- C:\TDSSKiller.2.3.2.2_16.07.2010_10.06.37_log.txt
2010-07-12 23:43:42 ----D---- C:\Program Files\CA(1)
2010-07-12 23:42:11 ----D---- C:\ProgramData\CA(27)
2010-07-12 23:23:17 ----D---- C:\ProgramData\CA-SupportBridge
2010-07-09 17:49:33 ----D---- C:\ProgramData\Kaspersky Lab

======List of files/folders modified in the last 1 months======

2010-07-27 23:40:48 ----D---- C:\Windows\Prefetch
2010-07-27 23:40:35 ----RD---- C:\Program Files
2010-07-27 13:43:05 ----SHD---- C:\System Volume Information
2010-07-27 13:14:24 ----D---- C:\Windows\System32
2010-07-27 13:14:24 ----D---- C:\Windows\inf
2010-07-27 13:14:24 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-07-24 22:40:14 ----D---- C:\Program Files\Mozilla Firefox
2010-07-20 22:41:55 ----D---- C:\Windows
2010-07-20 22:40:31 ----A---- C:\caisslog.txt
2010-07-20 22:38:18 ----D---- C:\Windows\system32\drivers
2010-07-20 22:36:42 ----SHD---- C:\Windows\Installer
2010-07-20 22:36:29 ----D---- C:\Windows\system32\catroot
2010-07-20 22:35:19 ----D---- C:\Program Files\ISSThirdParty
2010-07-20 22:35:11 ----A---- C:\caavsetupLog.txt
2010-07-20 22:30:39 ----D---- C:\Download
2010-07-19 01:31:08 ----D---- C:\Windows\system32\catroot2
2010-07-19 00:10:05 ----D---- C:\Windows\Tasks
2010-07-19 00:07:42 ----A---- C:\Windows\system.ini
2010-07-19 00:07:32 ----D---- C:\Windows\system32\drivers\etc
2010-07-19 00:00:34 ----D---- C:\Windows\AppPatch
2010-07-19 00:00:34 ----D---- C:\Program Files\Common Files
2010-07-18 23:44:19 ----D---- C:\Windows\system32\Tasks
2010-07-18 10:41:58 ----D---- C:\Windows\tracing
2010-07-18 10:29:40 ----D---- C:\ProgramData
2010-07-18 10:29:38 ----D---- C:\Program Files\IObit
2010-07-18 10:14:26 ----D---- C:\Windows\winsxs
2010-07-18 10:03:40 ----D---- C:\Users\Nick\AppData\Roaming\Mozilla
2010-07-18 01:47:13 ----D---- C:\Program Files\Windows Mail
2010-07-18 01:46:54 ----D---- C:\ProgramData\Microsoft Help
2010-07-17 12:06:07 ----D---- C:\Windows\ShellNew
2010-07-17 10:34:00 ----D---- C:\Windows\system32\wbem
2010-07-17 10:33:07 ----D---- C:\Windows\system32\config
2010-07-17 10:32:34 ----D---- C:\Windows\system32\spool
2010-07-17 10:32:34 ----D---- C:\Windows\system32\Msdtc
2010-07-17 10:32:34 ----D---- C:\Windows\system32\CodeIntegrity
2010-07-17 10:32:34 ----D---- C:\Program Files\Windows Sidebar
2010-07-17 10:32:34 ----D---- C:\Program Files\Windows Defender
2010-07-17 10:32:30 ----D---- C:\ProgramData\CA
2010-07-17 10:32:30 ----D---- C:\Program Files\Common Files\Scanner
2010-07-17 10:32:30 ----D---- C:\Program Files\CA
2010-07-17 10:32:27 ----D---- C:\Windows\registration
2010-07-16 23:12:41 ----SD---- C:\Windows\Downloaded Program Files
2010-07-11 10:34:53 ----D---- C:\Windows\LiveKernelReports
2010-07-11 10:12:30 ----D---- C:\Windows\ServiceProfiles
2010-07-10 11:11:07 ----D---- C:\Windows\Downloaded Installations
2010-07-07 11:13:03 ----D---- C:\Windows\system32\NDF
2010-07-06 20:46:15 ----D---- C:\Windows\L2Schemas
2010-07-06 20:30:26 ----D---- C:\Windows\Web
2010-07-02 14:39:05 ----A---- C:\Windows\system32\mrt.exe
2010-07-01 12:35:27 ----A---- C:\caEntitlementLog.txt
2010-07-01 09:33:41 ----A---- C:\Windows\DNAPrinters.ini
2010-07-01 03:33:50 ----D---- C:\Windows\Microsoft.NET
2010-07-01 03:26:50 ----RSD---- C:\Windows\assembly
2010-07-01 03:17:22 ----D---- C:\Windows\ehome

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 KmxFw;KmxFw; C:\Windows\System32\DRIVERS\kmxfw.sys [2009-06-08 107512]
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2008-04-08 44944]
R1 KmxAgent;KmxAgent; C:\Windows\System32\DRIVERS\kmxagent.sys [2009-06-25 73720]
R1 KmxFile;KmxFile; C:\Windows\System32\DRIVERS\KmxFile.sys [2009-04-28 55288]
R1 KmxFilter;HIPS Core Filter Driver; C:\Windows\system32\DRIVERS\KmxFilter.sys [2009-06-08 58360]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R1 VETEFILE;VET File Scan Engine; C:\Windows\system32\drivers\VETEFILE.sys [2009-07-16 880512]
R1 VETFDDNT;VET Floppy Boot Sector Monitor; C:\Windows\system32\drivers\VETFDDNT.sys [2009-07-16 21488]
R1 VET-FILT;VET File System Filter; C:\Windows\system32\drivers\VET-FILT.sys [2009-07-16 26352]
R1 VETMONNT;VET File Monitor; C:\Windows\system32\drivers\VETMONNT.sys [2009-07-16 161008]
R1 VET-REC;VET File System Recognizer; C:\Windows\system32\drivers\VET-REC.sys [2009-07-16 21104]
R2 KmxCF;KmxCF; C:\Windows\System32\DRIVERS\KmxCF.sys [2009-06-08 150520]
R2 KmxSbx;KmxSbx; C:\Windows\System32\DRIVERS\KmxSbx.sys [2009-03-27 58872]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 pnarp;Pure Networks Device Discovery Driver; C:\Windows\system32\DRIVERS\pnarp.sys [2008-12-12 24880]
R2 purendis;Pure Networks Wireless Driver; C:\Windows\system32\DRIVERS\purendis.sys [2008-12-12 26416]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-06-29 8704]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-31 2930176]
R3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-20 131584]
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-20 16384]
R3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-20 36864]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2009-08-28 218616]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-06-20 984064]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2007-06-20 267264]
R3 KmxCfg;KmxCfg; C:\Windows\System32\DRIVERS\kmxcfg.sys [2009-06-25 205304]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2008-06-06 330752]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
R3 VETEBOOT;VET Boot Scan Engine; C:\Windows\system32\drivers\VETEBOOT.sys [2009-07-16 108320]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-06-20 660480]
R3 WinUsb;WinUsb Driver; C:\Windows\system32\DRIVERS\WinUSB.SYS [2009-04-10 31616]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S1 OMCI;OMCI; \??\C:\Windows\SYSTEM32\DRIVERS\OMCI.SYS []
S3 AVEO;AVEO USB2.0 PC Camera; C:\Windows\system32\DRIVERS\AVEOdcnt.sys [2008-05-27 171520]
S3 catchme;catchme; \??\C:\Users\Nick\AppData\Local\Temp\catchme.sys []
S3 cpudrv;cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 NAL;Nal Service ; \??\C:\Windows\system32\Drivers\iqvw32.sys [2010-01-12 30880]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
S3 VST_DPV;VST_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-20 987648]
S3 VSTHWBS2;VSTHWBS2; C:\Windows\system32\DRIVERS\VSTBS23.SYS [2008-01-20 251904]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2010-05-02 691696]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2009-04-29 176128]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-07-31 610304]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 IS360service;IS360service; C:\Program Files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]
R2 LinksysUpdater;Linksys Updater; C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2008-12-12 642856]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 ProtexisLicensing;ProtexisLicensing; C:\Windows\system32\PSIService.exe [2007-06-05 177704]
R2 STacSV;SigmaTel Audio Service; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_6fa9efce\STacSV.exe [2008-02-15 102400]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-06-29 386560]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S2 CAISafe;CAISafe; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe [2007-12-04 144696]
S2 ccSchedulerSVC;CA Common Scheduler Service; C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe [2010-03-26 128240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 ITMRTSVC;CA Pest Patrol Realtime Protection Service; C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe [2008-09-29 283888]
S2 RoxLiveShare10;LiveShare P2P Server 10; C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-05-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10; C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-05-14 166384]
S2 SessionLauncher;SessionLauncher; C:\Users\Nick\AppData\Local\Temp\DX9\SessionLauncher.exe []
S2 UmxAgent;HIPS Event Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2009-06-25 875000]
S2 UmxCfg;HIPS Configuration Interpreter; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2009-06-25 760664]
S2 UmxFwHlp;HIPS Firewall Helper; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe [2009-06-08 154104]
S2 UmxPol;HIPS Policy Manager; C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2009-06-25 207352]
S2 VETMSGNT;VET Message Service; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe [2009-07-16 292080]
S3 CaCCProvSP;CaCCProvSP; C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe [2010-03-26 259312]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2010-03-26 654848]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 136120]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PPCtlPriv;PPCtlPriv; C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2010-05-27 222544]
S3 RoxMediaDB10;RoxMediaDB10; C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-05-14 1120752]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2008-03-24 74384]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

-----------------EOF-----------------


"and info.txt (<<will be minimized)" did not appear. No info.txt file created.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-28 00:50:43
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Nick\AppData\Local\Temp\kxldqpoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskeng.exe[544] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[544] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\taskeng.exe[544] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[544] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\taskeng.exe[544] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\taskeng.exe[544] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\taskeng.exe[544] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\taskeng.exe[544] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\taskeng.exe[544] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\taskeng.exe[544] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\taskeng.exe[544] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Windows\ModLEDKey.exe[624] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Windows\ModLEDKey.exe[624] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\ModLEDKey.exe[624] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Windows\ModLEDKey.exe[624] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\ModLEDKey.exe[624] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Windows\ModLEDKey.exe[624] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Windows\ModLEDKey.exe[624] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Windows\ModLEDKey.exe[624] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Windows\ModLEDKey.exe[624] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Windows\ModLEDKey.exe[624] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Windows\ModLEDKey.exe[624] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Windows\system32\Dwm.exe[1104] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1104] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\system32\Dwm.exe[1104] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\Dwm.exe[1104] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\system32\Dwm.exe[1104] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Windows\system32\Dwm.exe[1104] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Windows\system32\Dwm.exe[1104] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Windows\system32\Dwm.exe[1104] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Windows\system32\Dwm.exe[1104] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Windows\system32\Dwm.exe[1104] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Windows\system32\Dwm.exe[1104] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Windows\Explorer.EXE[1192] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Windows\Explorer.EXE[1192] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Windows\Explorer.EXE[1192] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Windows\Explorer.EXE[1192] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Windows\Explorer.EXE[1192] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2552] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe[2636] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!SetWindowsHookExW 75C987AD 5 Bytes JMP 71AD9AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!CallNextHookEx 75C98E3B 5 Bytes JMP 71ACD0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!UnhookWindowsHookEx 75C998DB 5 Bytes JMP 71A4467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!CreateWindowExW 75CA1305 5 Bytes JMP 71ADDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!DialogBoxParamW 75CC10B0 5 Bytes JMP 71A054C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!DialogBoxIndirectParamW 75CC2EF5 5 Bytes JMP 71BD480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!DialogBoxParamA 75CD8152 5 Bytes JMP 71BD47AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!DialogBoxIndirectParamA 75CD847D 5 Bytes JMP 71BD4872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!MessageBoxIndirectA 75CED4D9 5 Bytes JMP 71BD4741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!MessageBoxIndirectW 75CED5D3 5 Bytes JMP 71BD46D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!MessageBoxExA 75CED639 5 Bytes JMP 71BD4674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!MessageBoxExW 75CED65D 5 Bytes JMP 71BD4612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] ole32.dll!OleLoadFromStream 758A1E12 5 Bytes JMP 71BD4B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] ole32.dll!CoCreateInstance 758D9EA6 5 Bytes JMP 71ADDB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\ehome\ehtray.exe[3020] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3020] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\ehome\ehtray.exe[3020] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3020] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\ehome\ehtray.exe[3020] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Windows\ehome\ehtray.exe[3020] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Windows\ehome\ehtray.exe[3020] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Windows\ehome\ehtray.exe[3020] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Windows\ehome\ehtray.exe[3020] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Windows\ehome\ehtray.exe[3020] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Windows\ehome\ehtray.exe[3020] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe[3048] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Windows\ehome\ehmsas.exe[3148] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3148] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\ehome\ehmsas.exe[3148] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[3148] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\ehome\ehmsas.exe[3148] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Windows\ehome\ehmsas.exe[3148] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Windows\ehome\ehmsas.exe[3148] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Windows\ehome\ehmsas.exe[3148] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Windows\ehome\ehmsas.exe[3148] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Windows\ehome\ehmsas.exe[3148] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Windows\ehome\ehmsas.exe[3148] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe[3516] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe[3772] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exe[3988] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Windows\System32\notepad.exe[13896] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\notepad.exe[13896] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Windows\System32\notepad.exe[13896] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\notepad.exe[13896] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Windows\System32\notepad.exe[13896] kernel32.dll!CreateProcessW 769E1BF3 6 Bytes JMP 5F0D0F5A
.text C:\Windows\System32\notepad.exe[13896] kernel32.dll!CreateProcessA 769E1C28 6 Bytes JMP 5F0A0F5A
.text C:\Windows\System32\notepad.exe[13896] kernel32.dll!LoadLibraryExW 76A09109 6 Bytes JMP 5F070F5A
.text C:\Windows\System32\notepad.exe[13896] ADVAPI32.dll!CreateProcessAsUserW 76931EE9 6 Bytes JMP 5F100F5A
.text C:\Windows\System32\notepad.exe[13896] ADVAPI32.dll!CreateServiceW 76959EB4 6 Bytes JMP 5F1C0F5A
.text C:\Windows\System32\notepad.exe[13896] ADVAPI32.dll!CreateProcessWithLogonW 769780C1 6 Bytes JMP 5F040F5A
.text C:\Windows\System32\notepad.exe[13896] ADVAPI32.dll!CreateServiceA 769972A1 6 Bytes JMP 5F190F5A
.text C:\Users\Nick\Desktop\gmer.exe[51228] ntdll.dll!NtCreateKey 76E74414 3 Bytes [FF, 25, 1E]
.text C:\Users\Nick\Desktop\gmer.exe[51228] ntdll.dll!NtCreateKey + 4 76E74418 2 Bytes [1C, 5F] {SBB AL, 0x5f}
.text C:\Users\Nick\Desktop\gmer.exe[51228] ntdll.dll!NtSetValueKey 76E75454 3 Bytes [FF, 25, 1E]
.text C:\Users\Nick\Desktop\gmer.exe[51228] ntdll.dll!NtSetValueKey + 4 76E75458 2 Bytes [19, 5F]
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!TerminateProcess 769E18EF 9 Bytes JMP 5FF38D5B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!CreateProcessW 769E1BF3 7 Bytes JMP 5FF386AF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!CreateProcessA 769E1C28 7 Bytes JMP 5FF38593 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!WriteProcessMemory 769E1CB8 6 Bytes JMP 5FF3CED7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!VirtualProtect 769E1DC3 8 Bytes JMP 5FF3D347 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!LoadLibraryExW 76A09109 7 Bytes JMP 5FF38007 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!OpenThread 76A0C874 8 Bytes JMP 5FF3D8D3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!VirtualProtectEx 76A0DBDA 6 Bytes JMP 5FF3D22B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!FreeLibrary 76A23DB4 6 Bytes JMP 5FF3835B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!ExitProcess 76A241D8 7 Bytes JMP 5FF3823F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!TerminateThread 76A241F7 8 Bytes JMP 5FF38E77 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!GetProcAddress 76A2903B 6 Bytes JMP 5FF38123 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!VirtualAllocEx 76A2ACFC 6 Bytes JMP 5FF3D10F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!CreateRemoteThread 76A2C935 10 Bytes JMP 5FF3CFF3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] kernel32.dll!DebugActiveProcess 76A69A61 10 Bytes JMP 5FF3D9EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] ole32.dll!CoGetClassObject 758BFABC 10 Bytes JMP 5FF36447 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] ole32.dll!CoCreateInstance 758D9EA6 8 Bytes JMP 5FF3620F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] ole32.dll!CoCreateInstanceEx 758D9EE9 6 Bytes JMP 5FF3632B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] ole32.dll!CoInitializeEx 758DAD63 6 Bytes JMP 5FF360F3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] ole32.dll!CoGetInstanceFromFile 7592C3FC 10 Bytes JMP 5FF36563 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] ole32.dll!CoGetInstanceFromIStorage 75948605 10 Bytes JMP 5FF3667F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SetUserObjectSecurity 75C9280F 8 Bytes JMP 5FF3CDBB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SetWindowsHookExA 75C96322 7 Bytes JMP 5FF3D463 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!BroadcastSystemMessageW 75C9813F 7 Bytes JMP 5FF3A153 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SetWindowsHookExW 75C987AD 7 Bytes JMP 5FF3D57F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendNotifyMessageW 75C993D6 8 Bytes JMP 5FF39CE3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!BroadcastSystemMessageExW 75C99419 7 Bytes JMP 5FF3A38B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!PostThreadMessageA 75C9BD34 7 Bytes JMP 5FF3951F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!PostThreadMessageA + 8 75C9BD3C 2 Bytes [90, 90] {NOP ; NOP }
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!PostMessageA 75C9F8F8 6 Bytes JMP 5FF392E7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendMessageA 75C9F956 6 Bytes JMP 5FF390AF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendMessageTimeoutW 75CA352D 7 Bytes JMP 5FF39AAB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendMessageCallbackW 75CA4570 6 Bytes JMP 5FF39873 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!PostThreadMessageW 75CA7C8E 6 Bytes JMP 5FF3963B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!PostMessageW 75CAA175 8 Bytes JMP 5FF39403 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendMessageW 75CB0AED 6 Bytes JMP 5FF391CB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendDlgItemMessageA 75CB275B 9 Bytes JMP 5FF39DFF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!OpenClipboard 75CBC31D 6 Bytes JMP 5FF368BB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendNotifyMessageA 75CBDFCF 8 Bytes JMP 5FF39BC7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendMessageTimeoutA 75CC0006 7 Bytes JMP 5FF3998F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SendDlgItemMessageW 75CC0E38 9 Bytes JMP 5FF39F1B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Users\Nick\Desktop\gmer.exe[51228] USER32.dll!SetWindowsHookA 75CD6249 7 Bytes JMP 5FF3D69B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

---- EOF - GMER 1.0.15 ----



Thanks,

Nick

#4 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 28 July 2010 - 02:26 AM

Hello, Captain Nick.
Could you please elaborate on what problems you seem to be having?

It appears that you have previously run Combofix. Please post the results of the Combofix log located at c:\Combofix.txt

Also, I would like to bring to your attention Combofix's disclaimer:
QUOTE
You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Running Combofix without a helper's instructions can render your computer unbootable. See this topic for more information on Combofix. If you are getting help elsewhere, let me know so we can avoid confusion.


In your next reply, please include the following:
  • Combofix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 Captain Nick

  • Topic Starter
  • Members
  • 14 posts

Posted 28 July 2010 - 10:04 AM

Thanks aommaster,

I am having problems running CA Internet Security Suite 2009 antivirus. It will not run from the icon, taskbar or programs list. I had also been using the bubbles screensaver, and once or twice a day it will increase speed. I have not found a pattern to it yet. Also, occasionally Firefox will not work from the icon or taskbar. I can get it to run through Programs.

(I used two security boot programs prior to posting. These were KAV Rescue Disk and AVG AntiVirus Rescue Disk. They would find and "fix" the problems, but the trojans, etc. would still be there after I rebooted and rescanned.)

As I stated in the first post, I had continued trying to resolve the problems (trojans, etc.) myself. Somehow, nothing I really did "fixed" the trojans, etc. It could have been an update to the security programs I was running. I ran CA Online (no fix), Superantispyware, MBAM, and Security 360. I think one of the last three "fixed" it without my being aware of it??

I also continued to monitor Bleeping Computer for others with the same problem. I found out about Combofix, Norman TDSS Cleaner and Blacklight this way. I read all the information about the programs, including the warnings. I ran them, but did nothing but look at the outputs of the programs. I made no changes to my system.

Nick



ComboFix 10-07-16.02 - Nick 07/18/2010 23:55:42.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2567 [GMT -5:00]
Running from: c:\users\Nick\Desktop\Combo-Fix.exe
SP: CA Anti-Spyware *disabled* (Outdated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system volume information\SystemRestore
c:\users\Nick\AppData\Roaming\549a1cee.exe
c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\17kUOC.dll
c:\windows\system32\spool\prtprocs\w32x86\55a55.dll
c:\windows\system32\spool\prtprocs\w32x86\7i3qG9i.dll
c:\windows\system32\spool\prtprocs\w32x86\9q17931i9.dll
c:\windows\system32\spool\prtprocs\w32x86\a793sK.dll
c:\windows\system32\spool\prtprocs\w32x86\a7k31g.dll
c:\windows\system32\spool\prtprocs\w32x86\C3s793uO9.dll
c:\windows\system32\spool\prtprocs\w32x86\CE31kU3.dll
c:\windows\system32\spool\prtprocs\w32x86\cEIQ793.dll
c:\windows\system32\spool\prtprocs\w32x86\e9317sK.dll
c:\windows\system32\spool\prtprocs\w32x86\gM179c1s9.dll
c:\windows\system32\spool\prtprocs\w32x86\i179qGM9.dll
c:\windows\system32\spool\prtprocs\w32x86\IQG179k.dll
c:\windows\system32\spool\prtprocs\w32x86\M31w9uO7o.dll
c:\windows\system32\spool\prtprocs\w32x86\m9gMY93.dll
c:\windows\system32\spool\prtprocs\w32x86\mYW17y3.dll
c:\windows\system32\spool\prtprocs\w32x86\qG7iQG79.dll
c:\windows\system32\spool\prtprocs\w32x86\SKU3m7.dll
c:\windows\system32\spool\prtprocs\w32x86\UO9oC7.dll
c:\windows\system32\spool\prtprocs\w32x86\YW31y93.dll
c:\windows\system32\spool\prtprocs\w32x86\yW9uOC.dll
c:\windows\system32\st325866.dll
c:\windows\xpsp1hfm.log

----- File Replicators -----

c:\documents and settings\Nick\Local Settings\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\documents and settings\Nick\Local Settings\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\documents and settings\Nick\Local Settings\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\documents and settings\Nick\Local Settings\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\documents and settings\Nick\Local Settings\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\documents and settings\Nick\Local Settings\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\documents and settings\Nick\Local Settings\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\documents and settings\Nick\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\documents and settings\Nick\Local Settings\Application Data\Google\Google Talk Plugin\reporter.exe
c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\documents and settings\Nick\Local Settings\Google\Google Talk Plugin\googletalkplugin.exe
c:\documents and settings\Nick\Local Settings\Google\Google Talk Plugin\reporter.exe
c:\documents and settings\Nick\Local Settings\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\documents and settings\Nick\Local Settings\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\documents and settings\Nick\Local Settings\Google\Update\GoogleUpdate.exe
c:\program files\HP\Digital Imaging\{44C81D1A-0520-49BB-B510-98B8DD414EA1}\setup\hpzmsi01.exe
c:\program files\HP\Digital Imaging\{44C81D1A-0520-49BB-B510-98B8DD414EA1}\setup\hpzscr01.exe
c:\program files\HP\Digital Imaging\devicemanagement\hpzmsi01.exe
c:\program files\HP\Digital Imaging\devicemanagement\hpzscr01.exe
c:\program files\HP\Digital Imaging\esupport\hpzmsi01.exe
c:\program files\HP\Digital Imaging\esupport\hpzscr01.exe
c:\program files\HP\Digital Imaging\extcapuninstall\hpzmsi01.exe
c:\program files\HP\Digital Imaging\extcapuninstall\hpzscr01.exe
c:\program files\HP\Digital Imaging\hpprintprojects\hpzmsi01.exe
c:\program files\HP\Digital Imaging\hpprintprojects\hpzscr01.exe
c:\program files\HP\Digital Imaging\smart web printing\hpzmsi01.exe
c:\program files\HP\Digital Imaging\smart web printing\hpzscr01.exe
c:\program files\HP\Temp\{44C81D1A-0520-49BB-B510-98B8DD414EA1}\setup\hpzmsi01.exe
c:\program files\HP\Temp\{44C81D1A-0520-49BB-B510-98B8DD414EA1}\setup\hpzscr01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\Application Data\NOS\Adobe_Downloads\arh.exe
c:\programdata\HP\Installer\Temp\hpzmsi01.exe
c:\programdata\HP\Installer\Temp\hpzscr01.EXE
c:\programdata\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\All Users\Application Data\HP\Installer\Temp\hpzmsi01.exe
c:\users\All Users\Application Data\HP\Installer\Temp\hpzscr01.EXE
c:\users\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\AppData\Local\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\AppData\Local\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
c:\users\Nick\Local Settings\Application Data\Google\Google Talk Plugin\reporter.exe
c:\users\Nick\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\users\Nick\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\users\Nick\Local Settings\Google\Update\1.2.183.29\GoogleUpdate.exe
c:\users\Nick\Local Settings\Google\Update\GoogleUpdate.exe
.
.
((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-18 19:18 . 2010-07-18 19:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-18 15:29 . 2010-07-18 15:29 -------- d-----w- c:\programdata\IObit
2010-07-18 03:15 . 2010-07-18 03:48 63488 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-18 03:15 . 2010-07-18 03:15 52224 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-18 03:15 . 2010-07-18 03:48 117760 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-18 03:15 . 2010-07-18 03:15 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2010-07-18 03:15 . 2010-07-18 03:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-07-17 16:58 . 2010-07-18 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 04:43 . 2010-07-13 04:44 -------- d-----w- c:\program files\CA(1)
2010-07-13 04:42 . 2010-07-17 04:12 -------- d-----w- c:\programdata\CA(27)
2010-07-13 04:23 . 2010-07-13 04:24 -------- d-----w- c:\programdata\CA-SupportBridge
2010-07-09 22:49 . 2010-07-09 22:49 -------- d-----w- c:\programdata\Kaspersky Lab
2010-07-06 16:16 . 2010-07-07 01:29 -------- d-----w- c:\users\Nick\AppData\Local\mvbhpytsm
2010-06-23 08:00 . 2009-11-08 15:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 08:00 . 2009-11-08 15:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 08:00 . 2009-11-08 15:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 08:00 . 2009-11-08 15:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 08:00 . 2009-11-08 15:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-22 21:27 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-22 21:27 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 05:04 . 2010-07-19 05:04 50373 ----a-w- C:\ComboFix_error.dat
2010-07-18 19:29 . 2010-03-26 21:22 1356 ----a-w- c:\users\Nick\AppData\Local\d3d9caps.dat
2010-07-18 15:29 . 2010-03-26 22:20 -------- d-----w- c:\program files\IObit
2010-07-18 06:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-18 06:46 . 2010-03-27 01:10 -------- d-----w- c:\programdata\Microsoft Help
2010-07-17 15:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-17 15:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-07-17 15:32 . 2010-03-27 02:22 -------- d-----w- c:\program files\ISSThirdParty
2010-07-17 15:32 . 2010-03-27 02:22 -------- d-----w- c:\program files\Common Files\Scanner
2010-07-17 15:32 . 2010-03-27 02:22 -------- d-----w- c:\program files\CA
2010-07-17 15:32 . 2010-03-27 02:21 -------- d-----w- c:\programdata\CA
2010-06-26 21:20 . 2010-03-27 18:51 -------- d-----w- c:\programdata\NOS
2010-06-25 08:02 . 2010-03-27 01:14 -------- d-----w- c:\program files\Microsoft.NET
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-05-26 17:06 . 2010-06-11 04:01 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 15:00 . 2010-05-03 20:27 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-26 14:47 . 2010-06-11 04:01 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 14:02 . 2010-05-03 20:03 -------- d-----w- c:\programdata\Corel
2010-05-21 19:14 . 2010-03-26 22:29 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59 . 2010-06-11 04:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 04:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-11 04:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-11 04:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-02 17:16 . 2010-05-02 17:16 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-01 14:13 . 2010-06-11 04:01 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 03:51 . 2010-03-26 21:23 122480 ----a-w- c:\users\Nick\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-29 20:39 . 2010-05-08 14:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-05-08 14:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 14:13 . 2010-05-26 01:53 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-02-15 405504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 21:46 79368 ----a-w- c:\windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):2f,64,98,b7,eb,cd,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3277951652-14363616-1188037149-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-05-14 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-05-14 166384]
R2 SessionLauncher;SessionLauncher;c:\users\Nick\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\DRIVERS\AVEOdcnt.sys [2008-05-27 171520]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2010-05-27 222544]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-05-14 1120752]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2008-01-21 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-05-02 691696]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2009-06-25 73720]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-04-29 176128]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [2010-03-27 128240]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2009-06-25 875000]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2009-06-25 760664]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2009-06-25 207352]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2009-06-25 205304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-05 c:\windows\Tasks\AWC AutoCare.job
- c:\program files\IObit\Advanced SystemCare 3\AutoCare.exe [2010-03-26 19:10]

2010-07-19 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-03-26 19:11]

2010-07-18 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2010-03-26 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\
FF - prefs.js: browser.search.selectedEngine - isoHunt - BT search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Nick\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HP Imaging Device Functions - c:\program files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe
AddRemove-HP Print Projects - c:\program files\HP\Digital Imaging\HPPrintProjects\hpzscr01.exe
AddRemove-HP Smart Web Printing - c:\program files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe
AddRemove-HP Solution Center & Imaging Support Tools - c:\program files\HP\Digital Imaging\eSupport\hpzscr01.exe
AddRemove-HPExtendedCapabilities - c:\program files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe
AddRemove-{44C81D1A-0520-49BB-B510-98B8DD414EA1} - c:\program files\HP\Digital Imaging\{44C81D1A-0520-49BB-B510-98B8DD414EA1}\setup\hpzscr01.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 00:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2010-07-19 00:10:53
ComboFix-quarantined-files.txt 2010-07-19 05:10

Pre-Run: 402,324,922,368 bytes free
Post-Run: 402,281,680,896 bytes free

- - End Of File - - D36FEACDB51C214544C0963FD966543D


#6 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:10:29 AM

Posted 28 July 2010 - 01:56 PM

Hi!

It appears that ComboFix encountered an error during its run. I'd like to have the author of ComboFix look at a log it produced to ensure everything's okay before we proceed.

Please go here and upload a file located at C:\ComboFix_error.dat

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 Captain Nick
  • Topic Starter
  • Members
  • 14 posts
  • Local time:12:29 AM

Posted 28 July 2010 - 09:33 PM

Hello,

I have uploaded the file as requested.

Thanks,
Nick

#8 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:10:29 AM

Posted 29 July 2010 - 01:33 AM

Hello, Captain Nick.
Okay, everything looks fine. Please delete the copy of ComboFix you currently have and perform the following.
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". For more details, please check this thread.
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • ComboFix.txt



#9 Captain Nick
  • Topic Starter
  • Members
  • 14 posts
  • Local time:12:29 AM

Posted 29 July 2010 - 11:18 AM

Hi aommaster,

I had a problem with CA realtime running and no icon showing on the taskbar. I have not used it since all this started so I uninstalled it for now. No CA processes are running.

I have included the new C:\ComboFix.txt for you.


Adding to the list of problems, Firefox locks up, and when I close it to restart Firefox, I am told that it is already running. I then have to open the Task Manager and end the process, Firefox, before I can restart it.

Again, thanks for the help.

Nick


C:\ComboFix.txt

ComboFix 10-07-28.04 - Nick 07/29/2010 10:58:45.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2215 [GMT -5:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-29 16:03 . 2010-07-29 16:03 -------- d-----w- c:\users\Nick\AppData\Local\temp
2010-07-29 16:03 . 2010-07-29 16:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-29 16:03 . 2010-07-29 16:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-28 04:40 . 2010-07-28 04:46 -------- d-----w- c:\program files\trend micro
2010-07-28 04:40 . 2010-07-28 04:40 -------- d-----w- C:\rsit
2010-07-20 04:42 . 2010-07-20 15:42 -------- d-----w- c:\users\Nick\AppData\Local\Adobe
2010-07-18 19:18 . 2010-07-18 19:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-18 15:29 . 2010-07-18 15:29 -------- d-----w- c:\programdata\IObit
2010-07-18 03:15 . 2010-07-22 18:50 63488 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-18 03:15 . 2010-07-18 03:15 52224 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-18 03:15 . 2010-07-22 18:50 117760 ----a-w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-18 03:15 . 2010-07-18 03:15 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2010-07-18 03:15 . 2010-07-18 03:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-07-17 16:58 . 2010-07-18 03:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 04:43 . 2010-07-13 04:44 -------- d-----w- c:\program files\CA(1)
2010-07-13 04:42 . 2010-07-17 04:12 -------- d-----w- c:\programdata\CA(27)
2010-07-13 04:23 . 2010-07-13 04:24 -------- d-----w- c:\programdata\CA-SupportBridge
2010-07-09 22:49 . 2010-07-09 22:49 -------- d-----w- c:\programdata\Kaspersky Lab
2010-07-06 16:16 . 2010-07-07 01:29 -------- d-----w- c:\users\Nick\AppData\Local\mvbhpytsm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 15:48 . 2010-03-27 02:21 -------- d-----w- c:\programdata\CA
2010-07-21 01:02 . 2010-03-26 21:22 1356 ----a-w- c:\users\Nick\AppData\Local\d3d9caps.dat
2010-07-18 15:29 . 2010-03-26 22:20 -------- d-----w- c:\program files\IObit
2010-07-18 06:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-18 06:46 . 2010-03-27 01:10 -------- d-----w- c:\programdata\Microsoft Help
2010-07-17 15:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-17 15:32 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-07-17 15:32 . 2010-03-27 02:22 -------- d-----w- c:\program files\CA
2010-06-26 21:20 . 2010-03-27 18:51 -------- d-----w- c:\programdata\NOS
2010-06-25 08:02 . 2010-03-27 01:14 -------- d-----w- c:\program files\Microsoft.NET
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-05-26 17:06 . 2010-06-11 04:01 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 15:00 . 2010-05-03 20:27 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-26 14:47 . 2010-06-11 04:01 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14 . 2010-03-26 22:29 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59 . 2010-06-11 04:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 04:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-11 04:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-11 04:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-02 17:16 . 2010-05-02 17:16 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-01 14:13 . 2010-06-11 04:01 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 03:51 . 2010-03-26 21:23 122480 ----a-w- c:\users\Nick\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-07-19_05.07.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-07-29 15:53 48200 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-07-29 15:53 72790 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-06-08 16:02 . 2009-06-08 16:02 58360 c:\windows\System32\DriverStore\FileRepository\kmxfilter.inf_fabed1d4\KmxFilter.sys
- 2010-03-26 21:20 . 2010-07-19 04:49 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-26 21:20 . 2010-07-28 04:32 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-26 21:20 . 2010-07-28 04:32 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-26 21:20 . 2010-07-19 04:49 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-26 21:20 . 2010-07-19 04:49 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-26 21:20 . 2010-07-28 04:32 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-28 05:00 . 2010-07-20 15:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-28 05:00 . 2010-07-18 05:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-28 05:00 . 2010-07-20 15:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-28 05:00 . 2010-07-18 05:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-28 05:00 . 2010-07-18 05:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-28 05:00 . 2010-07-20 15:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-27 02:19 . 2010-07-19 04:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-27 02:19 . 2010-07-29 15:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-27 02:19 . 2010-07-19 04:49 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-27 02:19 . 2010-07-29 15:51 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-27 02:19 . 2010-07-29 15:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-27 02:19 . 2010-07-19 04:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2010-03-28 08:30 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2010-07-21 03:36 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2010-07-21 03:36 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2010-03-28 08:30 51200 c:\windows\inf\infpub.dat
+ 2010-03-26 21:25 . 2010-07-29 15:53 9718 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3277951652-14363616-1188037149-1000_UserData.bin
+ 2010-07-29 15:51 . 2010-07-29 15:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-07-19 04:49 . 2010-07-19 04:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-07-29 15:51 . 2010-07-29 15:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-07-19 04:49 . 2010-07-19 04:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2010-07-19 04:54 620130 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-07-29 15:56 620130 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-07-19 04:54 109204 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-07-29 15:56 109204 c:\windows\System32\perfc009.dat
- 2006-11-02 12:47 . 2010-07-17 15:34 433984 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 12:47 . 2010-07-21 03:17 433984 c:\windows\System32\FNTCACHE.DAT
- 2010-03-27 00:26 . 2010-07-17 15:59 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-03-27 00:26 . 2010-07-28 04:32 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2006-11-02 10:25 . 2010-07-21 03:36 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2010-03-28 08:30 143360 c:\windows\inf\infstrng.dat
+ 2010-07-21 03:35 . 2010-07-21 03:35 6225920 c:\windows\Installer\{BDBAAB1B-B364-465E-931D-4E2E2F0E609A}\{8A048BD9-B29E-4A5A-AE68-ABBE635E5A9D}\CAPF.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-02-15 405504]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 21:46 79368 ----a-w- c:\windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):2f,64,98,b7,eb,cd,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3277951652-14363616-1188037149-1000]
"EnableNotificationsRef"=dword:00000001

R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [2010-03-27 128240]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-05-14 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-05-14 166384]
R2 SessionLauncher;SessionLauncher;c:\users\Nick\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R3 AVEO;AVEO USB2.0 PC Camera;c:\windows\system32\DRIVERS\AVEOdcnt.sys [2008-05-27 171520]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-05-14 1120752]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2008-01-21 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-02 691696]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2009-06-25 73720]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-04-29 176128]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2009-06-25 875000]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2009-06-25 760664]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2009-06-25 207352]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2009-06-25 205304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-29 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-03-26 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\
FF - prefs.js: browser.search.selectedEngine - isoHunt - BT search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Nick\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Nick\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-VETWIN32Vp5 - c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\unvet32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 11:03
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-29 11:05:01
ComboFix-quarantined-files.txt 2010-07-29 16:04

Pre-Run: 358,683,439,104 bytes free
Post-Run: 359,031,545,856 bytes free

- - End Of File - - F66C80C7B7C0D08710ED8CA1046CEFF8


#10 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:10:29 AM

Posted 29 July 2010 - 01:02 PM

Hello, Captain Nick.
You're welcome.

I don't believe the problems are malware related. I'll have you run a more in-depth scanner, just to make sure.
We need to check the integrity of system files
  1. Click Start > Run
  2. Type: sfc /scannow
  3. Press Enter
  4. You will see a progress bar but you get no confirmation messages and it just ends. Insert your Windows installation CD when/if requested.


NEXT:

We need to run a custom OTL scan
  1. Please download OTL
  2. Save it to your desktop.
  3. Please run OTL on your desktop.
  4. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  5. Click the Run Scan button
  6. A report will open. Copy and Paste that report in your next reply.

In your next reply, please include the following:
  • OTL Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 Captain Nick

  • Topic Starter
  • Members
  • 14 posts
  • Local time:12:29 AM

Posted 30 July 2010 - 12:53 AM

Hi aommaster,

System files scan completed. There were no fixes.

Here also is the OTL log.

Thanks, Nick


OTL logfile created on: 7/30/2010 12:41:42 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Nick\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 337.14 Gb Free Space | 72.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICK-PC
Current User Name: Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/30 00:40:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Nick\Desktop\OTL.exe
PRC - [2010/07/24 22:40:05 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/06/25 14:10:10 | 000,875,000 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
PRC - [2009/06/25 14:10:10 | 000,760,664 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
PRC - [2009/06/25 14:10:10 | 000,207,352 | ---- | M] (CA) -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
PRC - [2009/04/29 02:08:02 | 000,303,104 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/04/29 02:07:34 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/02/15 17:25:34 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_6fa9efce\stacsv.exe
PRC - [2008/02/15 17:23:20 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe
PRC - [2007/01/08 14:51:56 | 000,053,248 | ---- | M] (Chicony) -- C:\Windows\ModLEDKey.exe


========== Modules (SafeList) ==========

MOD - [2010/07/30 00:40:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Nick\Desktop\OTL.exe
MOD - [2009/04/11 01:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/20 21:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Users\Nick\AppData\Local\Temp\DX9\SessionLauncher.exe -- (SessionLauncher)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2010/03/26 21:31:36 | 000,259,312 | ---- | M] (CA, Inc.) [On_Demand | Stopped] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV - [2010/03/26 21:31:34 | 000,128,240 | ---- | M] (Computer Associates International, Inc.) [Auto | Stopped] -- C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe -- (ccSchedulerSVC)
SRV - [2010/03/26 20:46:22 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/24 20:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/06/25 14:10:10 | 000,875,000 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe -- (UmxAgent)
SRV - [2009/06/25 14:10:10 | 000,760,664 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe -- (UmxCfg)
SRV - [2009/06/25 14:10:10 | 000,207,352 | ---- | M] (CA) [Auto | Running] -- C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe -- (UmxPol)
SRV - [2009/04/29 02:07:34 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/11/13 14:43:49 | 000,204,800 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -- (LinksysUpdater)
SRV - [2008/05/14 10:32:18 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2008/05/14 10:32:10 | 000,166,384 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2008/05/14 10:31:38 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2008/02/15 17:25:34 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_6fa9efce\stacsv.exe -- (STacSV)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Start_Pending] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\System32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Users\Nick\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/05/02 12:16:39 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/12 16:24:00 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\iqvw32.sys -- (NAL)
DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/08/28 15:16:18 | 000,218,616 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2009/06/25 14:10:10 | 000,205,304 | ---- | M] (CA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\KmxCfg.sys -- (KmxCfg)
DRV - [2009/06/25 14:10:10 | 000,073,720 | ---- | M] (CA) [File_System | System | Running] -- C:\Windows\System32\drivers\KmxAgent.sys -- (KmxAgent)
DRV - [2009/04/10 23:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2008/12/12 18:05:18 | 000,026,416 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 18:05:18 | 000,024,880 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/06/06 15:04:40 | 000,330,752 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/05/27 15:35:20 | 000,171,520 | ---- | M] (AVEO Corp) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\aveodcnt.sys -- (AVEO)
DRV - [2008/01/20 21:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 21:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 21:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 21:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 21:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 21:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 21:23:25 | 000,987,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (VST_DPV)
DRV - [2008/01/20 21:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 21:23:25 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
DRV - [2008/01/20 21:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 21:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 21:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 21:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 21:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 21:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 21:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 21:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 21:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 21:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 21:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 21:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 21:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 21:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/07/31 23:07:34 | 002,930,176 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/06/29 17:11:02 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/20 11:29:56 | 000,984,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/06/20 11:28:38 | 000,267,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2007/06/20 11:28:22 | 000,660,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "isoHunt - BT search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.4
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.9.1
FF - prefs.js..extensions.enabledItems: ebayquicksearch@upaaya:1.0.4
FF - prefs.js..extensions.enabledItems: {bee6eb20-01e0-ebd1-da83-080329fb9a3a}:0.1

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/03/27 00:00:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/24 22:40:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/24 22:40:07 | 000,000,000 | ---D | M]

[2010/03/26 20:50:02 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Mozilla\Extensions
[2010/07/30 00:38:07 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\extensions
[2010/04/28 12:48:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/08 23:15:46 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2010/06/19 23:15:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/03/26 20:55:52 | 000,000,000 | ---D | M] () -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2010/03/26 20:55:51 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\extensions\ebayquicksearch@upaaya
[2010/04/16 09:26:44 | 000,000,000 | ---D | M] -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\extensions\YoutubeDownloader@PeterOlayev.com
[2010/07/27 21:55:09 | 000,004,859 | ---- | M] () -- C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6394zmcu.default\searchplugins\isohunt---bt-search.xml
[2010/07/30 00:38:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/19 00:07:32 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.15.32.8 71.15.32.9
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\PFW: DllName - UmxWnp.Dll - C:\Windows\System32\UmxWNP.dll (CA)
O24 - Desktop WallPaper: C:\Personal Files\Nick\Cathy & Nick, BVI.JPG
O24 - Desktop BackupWallPaper: C:\Personal Files\Nick\Cathy & Nick, BVI.JPG
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/07/30 00:40:01 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Nick\Desktop\OTL.exe
[2010/07/29 11:05:02 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/07/29 11:05:02 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\temp
[2010/07/29 11:04:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/07/29 10:56:42 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/07/27 23:40:35 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/07/27 23:40:35 | 000,000,000 | ---D | C] -- C:\rsit
[2010/07/22 11:15:29 | 000,000,000 | ---D | C] -- C:\Users\Nick\Desktop\AntiVirus
[2010/07/19 23:42:21 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\Adobe
[2010/07/18 23:52:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/07/18 23:52:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/07/18 23:52:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/07/18 23:46:00 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/07/18 23:43:29 | 000,000,000 | ---D | C] -- C:\Config.msi
[2010/07/18 23:36:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/18 14:18:32 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/07/18 14:17:50 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Nick\Desktop\mbam-setup-1.46.exe
[2010/07/18 14:17:44 | 009,070,816 | ---- | C] (SUPERAntiSpyware.com) -- C:\Users\Nick\Desktop\nickss.exe
[2010/07/18 14:17:32 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\Nick\Desktop\ATF-Cleaner.exe
[2010/07/18 10:29:40 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2010/07/17 22:15:24 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Roaming\SUPERAntiSpyware.com
[2010/07/17 22:15:24 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/07/17 11:58:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/12 23:43:42 | 000,000,000 | ---D | C] -- C:\Program Files\CA(1)
[2010/07/12 23:42:11 | 000,000,000 | ---D | C] -- C:\ProgramData\CA(27)
[2010/07/12 23:23:17 | 000,000,000 | ---D | C] -- C:\ProgramData\CA-SupportBridge
[2010/07/09 17:49:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/07/06 11:16:45 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\mvbhpytsm
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/30 00:40:11 | 002,621,440 | -HS- | M] () -- C:\Users\Nick\ntuser.dat
[2010/07/30 00:40:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Nick\Desktop\OTL.exe
[2010/07/29 22:51:40 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/29 22:51:40 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/29 11:03:13 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/07/29 10:56:25 | 000,725,118 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/29 10:56:25 | 000,620,130 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/29 10:56:25 | 000,109,204 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/29 10:56:15 | 003,746,860 | R--- | M] () -- C:\Users\Nick\Desktop\ComboFix.exe
[2010/07/29 10:51:53 | 000,000,374 | ---- | M] () -- C:\Windows\tasks\AWC AutoSweep.job
[2010/07/29 10:51:43 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/29 10:51:40 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/29 10:51:36 | 3487,502,336 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/29 10:50:49 | 000,790,152 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k0
[2010/07/29 10:50:49 | 000,000,272 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k1
[2010/07/29 10:50:49 | 000,000,128 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k1
[2010/07/29 10:50:49 | 000,000,128 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k0
[2010/07/29 10:50:49 | 000,000,064 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k7
[2010/07/29 10:50:49 | 000,000,064 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k6
[2010/07/29 10:50:49 | 000,000,064 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k5
[2010/07/29 10:50:49 | 000,000,064 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k4
[2010/07/29 10:50:49 | 000,000,064 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k3
[2010/07/29 10:50:49 | 000,000,064 | ---- | M] () -- C:\Windows\System32\drivers\kmxcfg.u2k2
[2010/07/29 10:50:49 | 000,000,028 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k7
[2010/07/29 10:50:49 | 000,000,028 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k6
[2010/07/29 10:50:49 | 000,000,028 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k5
[2010/07/29 10:50:49 | 000,000,028 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k4
[2010/07/29 10:50:49 | 000,000,028 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k3
[2010/07/29 10:50:49 | 000,000,028 | ---- | M] () -- C:\Windows\System32\drivers\kmxzone.u2k2
[2010/07/29 10:50:19 | 000,524,288 | -HS- | M] () -- C:\Users\Nick\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/07/29 10:50:19 | 000,065,536 | -HS- | M] () -- C:\Users\Nick\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/07/29 10:50:16 | 002,195,431 | -H-- | M] () -- C:\Users\Nick\AppData\Local\IconCache.db
[2010/07/28 21:24:49 | 000,008,704 | ---- | M] () -- C:\Users\Nick\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/27 21:50:04 | 000,133,632 | ---- | M] () -- C:\Users\Nick\Desktop\RKUnhookerLE.EXE
[2010/07/27 21:48:43 | 000,339,991 | ---- | M] () -- C:\Users\Nick\Desktop\RSIT.exe
[2010/07/23 10:06:40 | 000,002,627 | ---- | M] () -- C:\Users\Nick\Desktop\Word.lnk
[2010/07/20 22:44:11 | 000,001,205 | ---- | M] () -- C:\Users\Nick\Desktop\CA Anti-Virus.lnk
[2010/07/20 22:17:38 | 000,433,984 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/07/20 20:02:25 | 000,001,356 | ---- | M] () -- C:\Users\Nick\AppData\Local\d3d9caps.dat
[2010/07/20 10:19:12 | 023,346,319 | ---- | M] () -- C:\Users\Nick\Desktop\swanlake_0001.swf
[2010/07/19 01:24:48 | 000,293,376 | ---- | M] () -- C:\Users\Nick\Desktop\gmer.exe
[2010/07/19 01:14:35 | 000,000,020 | ---- | M] () -- C:\Users\Nick\defogger_reenable
[2010/07/19 01:13:41 | 000,050,477 | ---- | M] () -- C:\Users\Nick\Desktop\Defogger.exe
[2010/07/19 00:07:42 | 000,000,215 | ---- | M] () -- C:\Windows\SYSTEM.UNV
[2010/07/19 00:07:32 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/18 14:18:36 | 000,001,800 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/18 14:01:42 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\Nick\Desktop\ATF-Cleaner.exe
[2010/07/18 10:29:43 | 000,000,873 | ---- | M] () -- C:\Users\Public\Desktop\IObit Security 360.lnk
[2010/07/17 12:26:59 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\MBAM.lnk
[2010/07/17 11:57:00 | 009,070,816 | ---- | M] (SUPERAntiSpyware.com) -- C:\Users\Nick\Desktop\nickss.exe
[2010/07/17 11:53:44 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Nick\Desktop\mbam-setup-1.46.exe
[2010/07/04 20:17:22 | 000,002,651 | ---- | M] () -- C:\Users\Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Word - Copy.lnk
[2010/07/01 09:33:41 | 000,001,801 | ---- | M] () -- C:\Windows\DNAPrinters.ini
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/29 10:56:14 | 003,746,860 | R--- | C] () -- C:\Users\Nick\Desktop\ComboFix.exe
[2010/07/27 21:50:04 | 000,133,632 | ---- | C] () -- C:\Users\Nick\Desktop\RKUnhookerLE.EXE
[2010/07/27 21:48:42 | 000,339,991 | ---- | C] () -- C:\Users\Nick\Desktop\RSIT.exe
[2010/07/20 22:44:11 | 000,001,205 | ---- | C] () -- C:\Users\Nick\Desktop\CA Anti-Virus.lnk
[2010/07/20 22:38:18 | 000,790,152 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k0
[2010/07/20 22:38:18 | 000,000,272 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k1
[2010/07/20 22:38:18 | 000,000,064 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k7
[2010/07/20 22:38:18 | 000,000,064 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k6
[2010/07/20 22:38:18 | 000,000,064 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k5
[2010/07/20 22:38:18 | 000,000,064 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k4
[2010/07/20 22:38:18 | 000,000,064 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k3
[2010/07/20 22:38:18 | 000,000,064 | ---- | C] () -- C:\Windows\System32\drivers\kmxcfg.u2k2
[2010/07/20 22:16:16 | 3487,502,336 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/20 10:04:30 | 023,346,319 | ---- | C] () -- C:\Users\Nick\Desktop\swanlake_0001.swf
[2010/07/19 01:14:23 | 000,000,020 | ---- | C] () -- C:\Users\Nick\defogger_reenable
[2010/07/19 01:13:41 | 000,050,477 | ---- | C] () -- C:\Users\Nick\Desktop\Defogger.exe
[2010/07/18 23:52:58 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/07/18 23:52:58 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/07/18 23:52:58 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/07/18 23:52:58 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/07/18 23:52:58 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/07/18 14:18:36 | 000,001,800 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/18 10:29:43 | 000,000,873 | ---- | C] () -- C:\Users\Public\Desktop\IObit Security 360.lnk
[2010/07/17 11:58:46 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\MBAM.lnk
[2010/05/03 15:27:45 | 000,000,848 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/04/30 00:23:52 | 000,001,801 | ---- | C] () -- C:\Windows\DNAPrinters.ini
[2010/03/27 12:09:55 | 000,049,152 | ---- | C] () -- C:\Windows\CNYUSB.dll
[2010/03/27 12:09:55 | 000,000,360 | ---- | C] () -- C:\Windows\CNYHKey.ini
[2010/03/26 23:49:58 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/03/26 22:19:35 | 000,028,672 | ---- | C] () -- C:\Windows\System32\MFC_InstDrvDLL.dll
[2010/03/26 16:36:30 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2010/03/26 19:10:29 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2010/07/20 22:35:11 | 000,055,462 | ---- | M] () -- C:\caavsetupLog.txt
[2010/07/01 12:35:27 | 000,000,282 | ---- | M] () -- C:\caEntitlementLog.txt
[2010/07/29 10:51:51 | 006,838,395 | ---- | M] () -- C:\caisslog.txt
[2010/07/29 11:05:01 | 000,019,675 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2008/05/14 11:21:26 | 000,088,560 | ---- | M] (Sonic Solutions) -- C:\DC_ShellExt.dll
[2010/07/29 10:51:36 | 3487,502,336 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/29 10:51:34 | 3801,120,768 | -HS- | M] () -- C:\pagefile.sys
[2010/07/16 10:07:02 | 000,056,900 | ---- | M] () -- C:\TDSSKiller.2.3.2.2_16.07.2010_10.06.37_log.txt
[2010/07/16 22:58:48 | 000,056,900 | ---- | M] () -- C:\TDSSKiller.2.3.2.2_16.07.2010_22.58.39_log.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 01:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[3 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/01/20 22:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/20 22:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/20 22:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/05/02 12:16:39 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) -- C:\Windows\System32\drivers\sptd.sys
< End of report >


#12 Captain Nick

Captain Nick
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:29 AM

Posted 30 July 2010 - 01:03 AM

Hello again,

Just noticed that OTL made another file, extra.txt. I haven't included it because it was not asked for, but thought you should know,

Nick

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:29 AM

Posted 30 July 2010 - 03:14 AM

Hello, Captain Nick.
Yes, that's fine. You don't need to post the extras log.

We need to run a Jotti scan

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  1. Go to the Jotti website
  2. When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

    C:\Windows\System32\drivers\kmxzone.u2k5

  3. Please post back the results of the scan in your next post.
**Note: If Jotti is busy, try the same at Virustotal
**Note: No logs will be produced. You can either copy/paste the results into your reply, or you can state the infection found (if any) and the scanner that found it.


In your next reply, please include the following:
  • Jotti Log(s)

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#14 Captain Nick

Captain Nick
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:29 AM

Posted 30 July 2010 - 08:51 AM

Good Morning aommaster,

No rest for the weary, burning the midnight oil (3:14am).

Ran the Jotti scan. Nothing found. No log was made so I copied the contents below.

Nick



Jotti's malware scan
Filename: kmxzone.u2k5
Status:
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Fri 30 Jul 2010 15:46:13 (CET) Permalink

Additional info
File size: 28 bytes
Filetype: lif file
MD5: 1cd0eecfe733e704401e3316e80a8ffa
SHA1: 46c806dfef85665116d1be237e9e9625007e404f




Scanners
[ArcaVir]
2010-07-30 Found nothing
[G DATA]
2010-07-30 Found nothing
[Avast! antivirus]
2010-07-30 Found nothing
[Ikarus]
2010-07-30 Found nothing
[Grisoft AVG Anti-Virus]
2010-07-30 Found nothing
[Kaspersky Anti-Virus]
2010-07-30 Found nothing
[Avira AntiVir]
2010-07-30 Found nothing
[ESET NOD32]
2010-07-30 Found nothing
[Softwin BitDefender]
2010-07-30 Found nothing
[Panda Antivirus]
2010-07-30 Found nothing
[ClamAV]
2010-07-30 Found nothing
[Quick Heal]
2010-07-30 Found nothing
[CPsecure]
2010-07-30 Found nothing
[Sophos]
2010-07-30 Found nothing
[Dr.Web]
2010-07-30 Found nothing
[VirusBlokAda VBA32]
2010-07-30 Found nothing
[Frisk F-Prot Antivirus]
2010-07-29 Found nothing
[VirusBuster]
2010-07-29 Found nothing
[F-Secure Anti-Virus]
2010-07-30 Found nothing


#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:29 AM

Posted 30 July 2010 - 12:22 PM

Hello, Captain Nick.
We need to run a custom OTL fix
  1. Please run OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    CODE
    :Files
    C:\Windows\System32\*.tmp
    C:\Users\Nick\AppData\Local\mvbhpytsm
  3. Click the Run Fix button
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK
  6. A report will open. Copy and Paste that report in your next reply.

NEXT:

We need to run a Panda Active Scan
(Note that this step may take a while to complete and will have to be done to each partition you have)
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Other Scans button
  4. If it wants to install an ActiveX component allow it
  5. Select the partition you want to scan
  6. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  7. When download is complete, click on My Computer to start the scan
  8. When the scan completes, if anything malicious is detected, click the Export to button, then post the contents of the ActiveScan report

In your next reply, please include the following:
  • OTL Log
  • ActiveScan Report

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
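The OTL fix above removes a directory that stood out in the "Files/Folders - Created Within 30 Days" section of the log posted earlier: a recently created, randomly named folder under the user's AppData with no company attribution. The following is an added example, not code from OTL, BleepingComputer or the helpers in this thread, that parses OTL's file-listing line format and applies that same triage heuristic to a handful of lines taken from the log above. The vowel-ratio test in `looks_random` and the AppData-only scope are assumptions made for this example; a real triage would add an allowlist of known folders and hand the hits to a multi-engine scan such as the Jotti step used here.

```python
"""Triage helper for OTL file-listing entries (added example, not OTL's own code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One OTL listing line:  [date | size | attrs | C/M] (company) [note] -- path
# Directories carry no "(company)" field at all; /lockedfiles scans may add a
# note such as "Unable to obtain MD5" between the company and the path.
OTL_ENTRY = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?: (?P<note>[^-].*?))?"
    r" -- (?P<path>.+)$"
)


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str             # R=read-only, H=hidden, S=system, D=directory, '-' otherwise
    created: bool          # True for a 'C' (creation time) listing, False for 'M'
    company: Optional[str] # None when OTL printed no company field (directories)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[3] == "D"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL listing line; returns None for summary lines like '[3 ... *.tmp files -> ...]'."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=datetime.strptime(m["date"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        created=m["kind"] == "C",
        company=m["company"],
        path=m["path"],
    )


VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example): a long, all-lowercase name with
    almost no vowels, such as 'mvbhpytsm', is more likely generated than chosen."""
    if len(name) < 7 or not name.isascii() or not name.isalpha() or not name.islower():
        return False
    vowel_share = sum(c in VOWELS for c in name) / len(name)
    return vowel_share < 0.25


PROFILE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\")


def flag_suspicious(entries: List[Entry], since: datetime) -> List[str]:
    """Paths of items created on or after `since`, located under a user's AppData,
    with no vendor attribution and a random-looking name."""
    flagged = []
    for e in entries:
        if not e.created or e.timestamp < since:
            continue
        if not any(p in e.path.lower() for p in PROFILE_DIRS):
            continue
        if e.company:  # a vendor string is at least weak provenance; skip those
            continue
        if looks_random(e.name):
            flagged.append(e.path)
    return flagged


def triage(log_text: str, since: str) -> Tuple[List[Entry], List[str]]:
    """Parse every listing line in `log_text` and return (entries, flagged paths)."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return entries, flag_suspicious(entries, datetime.strptime(since, "%Y/%m/%d"))


# Sample input: a few lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
[2010/07/30 00:40:01 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Nick\Desktop\OTL.exe
[2010/07/29 11:05:02 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\temp
[2010/07/19 23:42:21 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\Adobe
[2010/07/17 22:15:24 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Roaming\SUPERAntiSpyware.com
[2010/07/06 11:16:45 | 000,000,000 | ---D | C] -- C:\Users\Nick\AppData\Local\mvbhpytsm
[2010/07/30 00:40:11 | 002,621,440 | -HS- | M] () -- C:\Users\Nick\ntuser.dat
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
"""

if __name__ == "__main__":
    parsed, hits = triage(SAMPLE_LOG, since="2010/07/01")
    print(f"parsed {len(parsed)} entries; flagged: {hits}")
```

The parser deliberately treats the summary line for `*.tmp` files as non-parsable rather than guessing at it; a wildcard summary has no timestamp or attributes to reason about, which is why the fix targets `C:\Windows\System32\*.tmp` as a pattern instead of by name.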




