
Win32.Mebroot, GMER scan leads to BSOD


  • This topic is locked
21 replies to this topic

#1 L0v3LESS

L0v3LESS

  • Members
  • 30 posts
  • OFFLINE
  • Location:new york
  • Local time:01:18 AM

Posted 24 July 2010 - 09:38 PM

A few days ago, NOD32 would show a Win32.Mebroot infection on startup. I tried to use Malwarebytes Antimalware and CureIt to remove the infection, but neither of them worked. I then turned to this forum. After completion of Defogger and DDS and upon restart, NOD32 no longer gave complaints about the trojan. However, GMER would give me a BSOD during scanning, and I can't boot into SafeMode without a Process Detach error. Please find "attach.txt" attached. I have posted the little error window that pops up upon a restart from a BSOD as a result of trying to scan with GMER:
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033

Additional information about the problem:
BCCode: 1000008e
BCP1: C0000005
BCP2: 82C95348
BCP3: AB655A44
BCP4: 00000000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\072410-32120-01.dmp
C:\Users\Administrator\AppData\Local\Temp\WER-84942-0.sysdata.xml


Here is the DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 22.21.46.56 on 07/24/2010 Sat
Internet Explorer: 8.0.7600.16385
Microsoft Windows 8 Ultimate 6.1.7600.0.932.81.1033.18.2046.1009 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
svchost.exe 4
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\vsnp2uvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe 4
C:\Windows\system32\wbem\wmiprvse.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\LogonUI.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: DepositFiles IE BHO: {9dfe2fe9-cf99-4adf-a28e-9b5adb8dc74f} - c:\progra~1\deposi~1\dfmana~1\DEPOSI~1.DLL
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Deposit IE Toolbar: {6aa40521-14e7-4b1d-b1b4-98528c1388c9} - c:\progra~1\deposi~1\dfmana~1\DEPOSI~1.DLL
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {D5AD327A-A089-4F04-89FD-4EA9812B3913} - {D5AD327A-A089-4F04-89FD-4EA9812B3913} - c:\progra~1\deposi~1\dfmana~1\DEPOSI~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: preto.me
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://systemrequirementslab.com.s3.amazonaws.com/iduu/bin/srldetect_intel.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {C0E130AE-C27F-46FF-A53F-36819FF79C1F} = 208.67.222.222,208.67.220.220
TCP: 2456C6B696E6E253244423 = 208.67.222.222,208.67.220.220
TCP: C61657E6462797261637B65647 = 208.67.222.222,208.67.220.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\2af3vp9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bakabt.com/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\2af3vp9q.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin6.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\2af3vp9q.default\extensions\{077a24e9-0db5-435f-9010-5261c53e5925}\plugins\npmabiwebframe.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2010-2-6 20392]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/02/15 22:44:49];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-12-18 95896]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-8 1153368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-8-26 273960]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EMebDrv;EMebDrv;c:\users\admini~1\appdata\local\temp\EMebDrv.sys [2010-7-24 22736]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-2 1343400]
S4 DeviceMonitorService;DeviceMonitorService;c:\program files\motorola media link\NServiceEntry.exe [2010-5-27 87336]
S4 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-26 91456]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-07-25 02:20:30 20 ----a-w- c:\users\administrator\defogger_reenable
2010-07-25 02:01:57 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-07-25 02:01:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 02:01:42 0 d-----w- c:\programdata\Malwarebytes
2010-07-25 02:01:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 02:01:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 01:01:44 0 d-----w- c:\users\administrator\DoctorWeb
2010-07-25 00:50:41 4 ----a-w- c:\program files\35599.dat
2010-07-20 18:39:22 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-17 17:09:25 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-17 17:08:18 0 d-----r- c:\program files\Skype
2010-07-17 17:08:14 0 d-----w- c:\programdata\Skype
2010-07-17 04:57:21 0 d-----w- c:\users\administrator\.android
2010-07-17 04:52:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-07-17 04:52:31 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-07-17 04:52:31 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-07-17 00:39:20 0 d-----w- c:\program files\MSXML 4.0
2010-06-27 01:09:25 0 d-----w- c:\users\admini~1\appdata\roaming\motorola
2010-06-27 01:09:25 0 d-----w- c:\programdata\motorola
2010-06-27 01:00:25 0 d-----w- c:\programdata\Nero
2010-06-27 01:00:25 0 d-----w- c:\program files\Motorola Media Link
2010-06-27 00:58:31 0 d-----w- c:\program files\common files\MSSoap
2010-06-27 00:58:30 0 d-----w- c:\program files\common files\Motorola Shared

==================== Find3M ====================

2010-07-25 02:19:58 762786 ----a-w- c:\windows\system32\perfh00A.dat
2010-07-25 02:19:58 432022 ----a-w- c:\windows\system32\perfh012.dat
2010-07-25 02:19:58 430304 ----a-w- c:\windows\system32\perfh011.dat
2010-07-25 02:19:58 420736 ----a-w- c:\windows\system32\prfh0404.dat
2010-07-25 02:19:58 403832 ----a-w- c:\windows\system32\prfh0804.dat
2010-07-25 02:19:58 164796 ----a-w- c:\windows\system32\perfc00A.dat
2010-07-25 02:19:58 126336 ----a-w- c:\windows\system32\perfc011.dat
2010-07-25 02:19:58 124446 ----a-w- c:\windows\system32\perfc012.dat
2010-07-25 02:19:58 124018 ----a-w- c:\windows\system32\prfc0804.dat
2010-07-25 02:19:58 119104 ----a-w- c:\windows\system32\prfc0404.dat
2010-06-04 04:19:28 23524 ----a-w- c:\windows\fonts\AstrologyPiLTStd-1.otf
2010-06-03 01:06:00 20722688 ----a-w- c:\windows\system32\imageres.dll
2010-06-03 00:21:10 47864 ----a-w- c:\windows\fonts\BAARS_.TTF
2010-06-03 00:21:10 172656 ----a-w- c:\windows\fonts\euphemia_0.ttf
2010-06-03 00:21:10 157360 ----a-w- c:\windows\fonts\MTCORSVA_0.TTF
2010-06-01 21:42:21 697972 ----a-w- c:\windows\fonts\tahoma_0.ttf
2010-06-01 21:42:21 40728 ----a-w- c:\windows\fonts\Britanic_0.ttf
2010-06-01 21:42:21 34812 ----a-w- c:\windows\fonts\SCR1rahv_RAGER_HEVVY.otf
2010-05-31 02:52:32 43680 ----a-w- c:\windows\fonts\RAINBOW-Italic.ttf
2010-05-31 02:52:32 43160 ----a-w- c:\windows\fonts\RAINBOW.ttf
2010-05-31 02:52:32 29820 ----a-w- c:\windows\fonts\RAINBOWFACILITIES.ttf
2010-05-31 02:52:32 29020 ----a-w- c:\windows\fonts\CandelaBoldItalic.otf
2010-05-31 02:52:32 26392 ----a-w- c:\windows\fonts\CandelaBold.otf
2010-05-31 02:52:32 26232 ----a-w- c:\windows\fonts\CandelaItalic.otf
2010-05-31 02:52:32 25748 ----a-w- c:\windows\fonts\CandelaBook.otf
2010-05-31 02:52:32 210028 ----a-w- c:\windows\fonts\FGIWTML_0.TTF
2010-05-31 02:52:32 209564 ----a-w- c:\windows\fonts\FGCNTKAM_0.ttf
2010-05-31 02:52:32 205984 ----a-w- c:\windows\fonts\FGIWTML.TTF
2010-05-31 02:52:32 205496 ----a-w- c:\windows\fonts\FGCNTKAM.ttf
2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 02:57:51 39804 ----a-w- c:\windows\fonts\SegoeSbI.ttf
2010-05-25 02:42:00 3559960 ----a-w- c:\windows\fonts\KozGoPro-Bold_1.otf
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-14 21:52:51 56116 ----a-w- c:\windows\fonts\orialbd.ttf
2010-05-14 01:26:23 53436 ----a-w- c:\windows\fonts\FrancoisBold.ttf
2010-05-14 01:26:23 31480 ----a-w- c:\windows\fonts\BPreplayBold.otf
2010-05-14 01:26:22 5912024 ----a-w- c:\windows\fonts\DFKATRW6.OTF
2010-05-14 01:26:22 57792 ----a-w- c:\windows\fonts\FrancoisLight.ttf
2010-05-14 01:26:22 30672 ----a-w- c:\windows\fonts\BPreplay.otf
2010-05-14 01:25:06 54908 ----a-w- c:\windows\fonts\Disney_Simple.ttf
2010-05-14 01:25:06 22244 ----a-w- c:\windows\fonts\CREABBRG.TTF
2010-05-14 01:18:58 13684 ----a-w- c:\windows\fonts\Brianne_s_hand.ttf
2010-05-14 01:17:28 22840 ----a-w- c:\windows\fonts\BurstMyBubble.ttf
2010-05-14 01:16:37 99060 ----a-w- c:\windows\fonts\Blokletters-Viltstift-FXD.ttf
2010-05-14 01:16:37 70260 ----a-w- c:\windows\fonts\CosenzaBold.ttf
2010-05-14 01:16:37 47476 ----a-w- c:\windows\fonts\AppleGaramond.TTF
2010-05-14 01:16:37 47264 ----a-w- c:\windows\fonts\AppleGaramond-Bold.TTF
2010-05-14 01:16:36 9792 ----a-w- c:\windows\fonts\Happy_Hell.ttf
2010-05-14 01:16:36 41480 ----a-w- c:\windows\fonts\Elected_Office.ttf
2010-05-14 01:16:36 28104 ----a-w- c:\windows\fonts\gyoshoscript.ttf
2010-05-14 01:13:50 60536 ----a-w- c:\windows\fonts\Another.ttf
2010-05-14 01:13:50 39236 ----a-w- c:\windows\fonts\Essai.ttf
2010-05-14 01:13:50 140760 ----a-w- c:\windows\fonts\OptimaLTStdM.ttf
2010-05-14 01:12:54 50284 ----a-w- c:\windows\fonts\DaemonBold.ttf
2010-05-14 01:10:30 98456 ----a-w- c:\windows\fonts\erasdus0.ttf
2010-05-14 01:10:30 59940 ----a-w- c:\windows\fonts\Emilia.ttf
2010-05-14 01:10:30 52000 ----a-w- c:\windows\fonts\WCManoNegraBta.otf
2010-05-14 01:10:30 50660 ----a-w- c:\windows\fonts\C017000D.TTF
2010-05-14 01:10:30 46020 ----a-w- c:\windows\fonts\Mixage_Bold_Italic_BT.ttf
2010-05-14 01:10:30 25268 ----a-w- c:\windows\fonts\ampersand.ttf
2010-05-14 01:10:30 117948 ----a-w- c:\windows\fonts\WCManoNegraBta.ttf
2010-05-14 01:04:20 67468 ----a-w- c:\windows\fonts\Dupree.ttf
2010-05-14 01:04:20 60444 ----a-w- c:\windows\fonts\mareensprint.TTF
2010-05-14 01:04:20 50696 ----a-w- c:\windows\fonts\curswfte.ttf
2010-05-14 01:04:20 46968 ----a-w- c:\windows\fonts\Mixage_Bold_BT.ttf
2010-05-14 01:04:20 137448 ----a-w- c:\windows\fonts\impact_0.ttf
2010-05-12 02:31:42 101072 ----a-w- c:\windows\UTP.exe
2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-08 02:45:27 57808 ----a-w- c:\windows\fonts\Folder_Bold.ttf
2010-05-08 02:45:27 57072 ----a-w- c:\windows\fonts\Folder_Bold_Italic.ttf
2010-05-08 02:45:27 3062124 ----a-w- c:\windows\fonts\poo.TTF
2010-05-08 02:45:27 108208 ----a-w- c:\windows\fonts\Doradani_Rg_Bold.ttf
2010-05-08 02:45:27 103412 ----a-w- c:\windows\fonts\Doradani_Rg_Bold_Italic.ttf
2010-05-03 02:09:33 3559960 ----a-w- c:\windows\fonts\KozGoPro-Bold_0.otf
2010-05-01 14:49:25 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-01-30 10:27:35 31548 ----a-w- c:\windows\inf\perflib\0411\perfd.dat
2010-01-30 10:27:35 31548 ----a-w- c:\windows\inf\perflib\0411\perfc.dat
2010-01-30 10:27:35 141988 ----a-w- c:\windows\inf\perflib\0411\perfi.dat
2010-01-30 10:27:35 141988 ----a-w- c:\windows\inf\perflib\0411\perfh.dat
2010-01-30 10:21:32 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfd.dat
2010-01-30 10:21:32 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfc.dat
2010-01-30 10:21:32 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfi.dat
2010-01-30 10:21:32 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfh.dat
2010-01-30 10:15:17 31548 ----a-w- c:\windows\inf\perflib\0404\perfd.dat
2010-01-30 10:15:17 31548 ----a-w- c:\windows\inf\perflib\0404\perfc.dat
2010-01-30 10:15:17 117840 ----a-w- c:\windows\inf\perflib\0404\perfi.dat
2010-01-30 10:15:17 117840 ----a-w- c:\windows\inf\perflib\0404\perfh.dat
2010-01-30 10:10:31 31548 ----a-w- c:\windows\inf\perflib\0412\perfd.dat
2010-01-30 10:10:31 31548 ----a-w- c:\windows\inf\perflib\0412\perfc.dat
2010-01-30 10:10:31 157694 ----a-w- c:\windows\inf\perflib\0412\perfi.dat
2010-01-30 10:10:31 157694 ----a-w- c:\windows\inf\perflib\0412\perfh.dat
2010-01-30 10:06:28 31548 ----a-w- c:\windows\inf\perflib\0804\perfd.dat
2010-01-30 10:06:28 31548 ----a-w- c:\windows\inf\perflib\0804\perfc.dat
2010-01-30 10:06:28 111310 ----a-w- c:\windows\inf\perflib\0804\perfi.dat
2010-01-30 10:06:28 111310 ----a-w- c:\windows\inf\perflib\0804\perfh.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-30 16:24:12 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22.23.31.59 ===============


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:18 PM

Posted 29 July 2010 - 10:32 PM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


==============================


Do you still need our help? Please run another DDS scan and post the new report and attach the attach.txt. Thanks.


We're so sorry for the delay.
~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 L0v3LESS

L0v3LESS
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Location:new york
  • Local time:01:18 AM

Posted 29 July 2010 - 11:47 PM

Yes, please. Don't worry about the delay, I can see how busy you guys are (: NOD32 keeps on giving me these notifications about some website trying to be accessed... and I have around 10 iexplore.exe running all the time. I end one and another one pops up.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 0.44.39.84 on 07/30/2010 Fri
Internet Explorer: 8.0.7600.16385
Microsoft Windows 8 Ultimate 6.1.7600.0.932.81.1033.18.2046.740 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2af3vp9q.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
svchost.exe 4
C:\Program Files\Trillian\trillian.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
svchost.exe 4
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\MediaMonkey\MediaMonkey.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: DepositFiles IE BHO: {9dfe2fe9-cf99-4adf-a28e-9b5adb8dc74f} - c:\progra~1\deposi~1\dfmana~1\DEPOSI~1.DLL
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Deposit IE Toolbar: {6aa40521-14e7-4b1d-b1b4-98528c1388c9} - c:\progra~1\deposi~1\dfmana~1\DEPOSI~1.DLL
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {D5AD327A-A089-4F04-89FD-4EA9812B3913} - {D5AD327A-A089-4F04-89FD-4EA9812B3913} - c:\progra~1\deposi~1\dfmana~1\DEPOSI~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: preto.me
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://systemrequirementslab.com.s3.amazonaws.com/iduu/bin/srldetect_intel.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {C0E130AE-C27F-46FF-A53F-36819FF79C1F} = 208.67.222.222,208.67.220.220
TCP: 2456C6B696E6E253244423 = 208.67.222.222,208.67.220.220
TCP: C61657E6462797261637B65647 = 208.67.222.222,208.67.220.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\2af3vp9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bakabt.com/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\2af3vp9q.default\extensions\{e173b749-db5b-4fd2-ba0e-94ecea0ca55b}\components\npAFOM.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quick time 7\plugins\npqtplugin6.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\2af3vp9q.default\extensions\{077a24e9-0db5-435f-9010-5261c53e5925}\plugins\npmabiwebframe.dll
FF - plugin: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\2af3vp9q.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2010-2-6 20392]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/02/15 22:44:49];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-12-18 95896]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-7-29 91392]
R3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-8-26 273960]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-8 1153368]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EMebDrv;EMebDrv;c:\users\admini~1\appdata\local\temp\EMebDrv.sys [2010-7-24 22736]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 185640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-2 1343400]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-07-30 03:31:47 0 d-----w- c:\program files\Motorola
2010-07-30 03:31:47 0 d-----w- c:\program files\common files\MSSoap
2010-07-30 03:29:40 0 d-----w- C:\adb
2010-07-30 03:25:46 5 ----a-w- c:\windows\system32\lMMLDeleteUserData42107612FX.tmp
2010-07-30 02:36:43 0 d-----w- c:\programdata\NOS
2010-07-25 02:01:57 0 d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2010-07-25 02:01:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 02:01:42 0 d-----w- c:\programdata\Malwarebytes
2010-07-25 02:01:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 02:01:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 01:01:44 0 d-----w- c:\users\administrator\DoctorWeb
2010-07-25 00:50:41 4 ----a-w- c:\program files\35599.dat
2010-07-20 18:39:22 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-17 17:09:25 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-17 17:08:18 0 d-----r- c:\program files\Skype
2010-07-17 17:08:14 0 d-----w- c:\programdata\Skype
2010-07-17 04:57:21 0 d-----w- c:\users\administrator\.android
2010-07-17 04:52:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-07-17 04:52:31 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-07-17 04:52:31 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-07-17 00:39:20 0 d-----w- c:\program files\MSXML 4.0

==================== Find3M ====================

2010-07-30 02:42:39 762786 ----a-w- c:\windows\system32\perfh00A.dat
2010-07-30 02:42:39 432022 ----a-w- c:\windows\system32\perfh012.dat
2010-07-30 02:42:39 430304 ----a-w- c:\windows\system32\perfh011.dat
2010-07-30 02:42:39 420736 ----a-w- c:\windows\system32\prfh0404.dat
2010-07-30 02:42:39 403832 ----a-w- c:\windows\system32\prfh0804.dat
2010-07-30 02:42:39 164796 ----a-w- c:\windows\system32\perfc00A.dat
2010-07-30 02:42:39 126336 ----a-w- c:\windows\system32\perfc011.dat
2010-07-30 02:42:39 124446 ----a-w- c:\windows\system32\perfc012.dat
2010-07-30 02:42:39 124018 ----a-w- c:\windows\system32\prfc0804.dat
2010-07-30 02:42:39 119104 ----a-w- c:\windows\system32\prfc0404.dat
2010-06-04 04:19:28 23524 ----a-w- c:\windows\fonts\AstrologyPiLTStd-1.otf
2010-06-03 01:06:00 20722688 ----a-w- c:\windows\system32\imageres.dll
2010-06-03 00:21:10 47864 ----a-w- c:\windows\fonts\BAARS_.TTF
2010-06-03 00:21:10 172656 ----a-w- c:\windows\fonts\euphemia_0.ttf
2010-06-03 00:21:10 157360 ----a-w- c:\windows\fonts\MTCORSVA_0.TTF
2010-06-01 21:42:21 697972 ----a-w- c:\windows\fonts\tahoma_0.ttf
2010-06-01 21:42:21 40728 ----a-w- c:\windows\fonts\Britanic_0.ttf
2010-06-01 21:42:21 34812 ----a-w- c:\windows\fonts\SCR1rahv_RAGER_HEVVY.otf
2010-05-31 02:52:32 43680 ----a-w- c:\windows\fonts\RAINBOW-Italic.ttf
2010-05-31 02:52:32 43160 ----a-w- c:\windows\fonts\RAINBOW.ttf
2010-05-31 02:52:32 29820 ----a-w- c:\windows\fonts\RAINBOWFACILITIES.ttf
2010-05-31 02:52:32 29020 ----a-w- c:\windows\fonts\CandelaBoldItalic.otf
2010-05-31 02:52:32 26392 ----a-w- c:\windows\fonts\CandelaBold.otf
2010-05-31 02:52:32 26232 ----a-w- c:\windows\fonts\CandelaItalic.otf
2010-05-31 02:52:32 25748 ----a-w- c:\windows\fonts\CandelaBook.otf
2010-05-31 02:52:32 210028 ----a-w- c:\windows\fonts\FGIWTML_0.TTF
2010-05-31 02:52:32 209564 ----a-w- c:\windows\fonts\FGCNTKAM_0.ttf
2010-05-31 02:52:32 205984 ----a-w- c:\windows\fonts\FGIWTML.TTF
2010-05-31 02:52:32 205496 ----a-w- c:\windows\fonts\FGCNTKAM.ttf
2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 02:57:51 39804 ----a-w- c:\windows\fonts\SegoeSbI.ttf
2010-05-25 02:42:00 3559960 ----a-w- c:\windows\fonts\KozGoPro-Bold_1.otf
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-14 21:52:51 56116 ----a-w- c:\windows\fonts\orialbd.ttf
2010-05-14 01:26:23 53436 ----a-w- c:\windows\fonts\FrancoisBold.ttf
2010-05-14 01:26:23 31480 ----a-w- c:\windows\fonts\BPreplayBold.otf
2010-05-14 01:26:22 5912024 ----a-w- c:\windows\fonts\DFKATRW6.OTF
2010-05-14 01:26:22 57792 ----a-w- c:\windows\fonts\FrancoisLight.ttf
2010-05-14 01:26:22 30672 ----a-w- c:\windows\fonts\BPreplay.otf
2010-05-14 01:25:06 54908 ----a-w- c:\windows\fonts\Disney_Simple.ttf
2010-05-14 01:25:06 22244 ----a-w- c:\windows\fonts\CREABBRG.TTF
2010-05-14 01:18:58 13684 ----a-w- c:\windows\fonts\Brianne_s_hand.ttf
2010-05-14 01:17:28 22840 ----a-w- c:\windows\fonts\BurstMyBubble.ttf
2010-05-14 01:16:37 99060 ----a-w- c:\windows\fonts\Blokletters-Viltstift-FXD.ttf
2010-05-14 01:16:37 70260 ----a-w- c:\windows\fonts\CosenzaBold.ttf
2010-05-14 01:16:37 47476 ----a-w- c:\windows\fonts\AppleGaramond.TTF
2010-05-14 01:16:37 47264 ----a-w- c:\windows\fonts\AppleGaramond-Bold.TTF
2010-05-14 01:16:36 9792 ----a-w- c:\windows\fonts\Happy_Hell.ttf
2010-05-14 01:16:36 41480 ----a-w- c:\windows\fonts\Elected_Office.ttf
2010-05-14 01:16:36 28104 ----a-w- c:\windows\fonts\gyoshoscript.ttf
2010-05-14 01:13:50 60536 ----a-w- c:\windows\fonts\Another.ttf
2010-05-14 01:13:50 39236 ----a-w- c:\windows\fonts\Essai.ttf
2010-05-14 01:13:50 140760 ----a-w- c:\windows\fonts\OptimaLTStdM.ttf
2010-05-14 01:12:54 50284 ----a-w- c:\windows\fonts\DaemonBold.ttf
2010-05-14 01:10:30 98456 ----a-w- c:\windows\fonts\erasdus0.ttf
2010-05-14 01:10:30 59940 ----a-w- c:\windows\fonts\Emilia.ttf
2010-05-14 01:10:30 52000 ----a-w- c:\windows\fonts\WCManoNegraBta.otf
2010-05-14 01:10:30 50660 ----a-w- c:\windows\fonts\C017000D.TTF
2010-05-14 01:10:30 46020 ----a-w- c:\windows\fonts\Mixage_Bold_Italic_BT.ttf
2010-05-14 01:10:30 25268 ----a-w- c:\windows\fonts\ampersand.ttf
2010-05-14 01:10:30 117948 ----a-w- c:\windows\fonts\WCManoNegraBta.ttf
2010-05-14 01:04:20 67468 ----a-w- c:\windows\fonts\Dupree.ttf
2010-05-14 01:04:20 60444 ----a-w- c:\windows\fonts\mareensprint.TTF
2010-05-14 01:04:20 50696 ----a-w- c:\windows\fonts\curswfte.ttf
2010-05-14 01:04:20 46968 ----a-w- c:\windows\fonts\Mixage_Bold_BT.ttf
2010-05-14 01:04:20 137448 ----a-w- c:\windows\fonts\impact_0.ttf
2010-05-12 02:31:42 101072 ----a-w- c:\windows\UTP.exe
2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-08 02:45:27 57808 ----a-w- c:\windows\fonts\Folder_Bold.ttf
2010-05-08 02:45:27 57072 ----a-w- c:\windows\fonts\Folder_Bold_Italic.ttf
2010-05-08 02:45:27 3062124 ----a-w- c:\windows\fonts\poo.TTF
2010-05-08 02:45:27 108208 ----a-w- c:\windows\fonts\Doradani_Rg_Bold.ttf
2010-05-08 02:45:27 103412 ----a-w- c:\windows\fonts\Doradani_Rg_Bold_Italic.ttf
2010-05-03 02:09:33 3559960 ----a-w- c:\windows\fonts\KozGoPro-Bold_0.otf
2010-05-01 14:49:25 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-01-30 10:27:35 31548 ----a-w- c:\windows\inf\perflib\0411\perfd.dat
2010-01-30 10:27:35 31548 ----a-w- c:\windows\inf\perflib\0411\perfc.dat
2010-01-30 10:27:35 141988 ----a-w- c:\windows\inf\perflib\0411\perfi.dat
2010-01-30 10:27:35 141988 ----a-w- c:\windows\inf\perflib\0411\perfh.dat
2010-01-30 10:21:32 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfd.dat
2010-01-30 10:21:32 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfc.dat
2010-01-30 10:21:32 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfi.dat
2010-01-30 10:21:32 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfh.dat
2010-01-30 10:15:17 31548 ----a-w- c:\windows\inf\perflib\0404\perfd.dat
2010-01-30 10:15:17 31548 ----a-w- c:\windows\inf\perflib\0404\perfc.dat
2010-01-30 10:15:17 117840 ----a-w- c:\windows\inf\perflib\0404\perfi.dat
2010-01-30 10:15:17 117840 ----a-w- c:\windows\inf\perflib\0404\perfh.dat
2010-01-30 10:10:31 31548 ----a-w- c:\windows\inf\perflib\0412\perfd.dat
2010-01-30 10:10:31 31548 ----a-w- c:\windows\inf\perflib\0412\perfc.dat
2010-01-30 10:10:31 157694 ----a-w- c:\windows\inf\perflib\0412\perfi.dat
2010-01-30 10:10:31 157694 ----a-w- c:\windows\inf\perflib\0412\perfh.dat
2010-01-30 10:06:28 31548 ----a-w- c:\windows\inf\perflib\0804\perfd.dat
2010-01-30 10:06:28 31548 ----a-w- c:\windows\inf\perflib\0804\perfc.dat
2010-01-30 10:06:28 111310 ----a-w- c:\windows\inf\perflib\0804\perfi.dat
2010-01-30 10:06:28 111310 ----a-w- c:\windows\inf\perflib\0804\perfh.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-30 16:24:12 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 0.46.37.83 ===============

Attached Files
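The DDS log above is long, and most of it is routine. As an added example (not part of this thread and not a feature of DDS), the Python script below parses three of the line formats DDS prints (running processes, SERVICES / DRIVERS and "Created Last 30") and flags the entries a responder would look at first: a driver or service image loaded from a user profile or Temp directory, a persistent process running from a user's AppData tree, a hidden-plus-system object, a path containing an unexpanded %VARIABLE%, and a loose file sitting directly in the Program Files root. The rule names and path heuristics are this example's own choices. The sample input is constructed from lines copied out of the log above, plus one standard Windows file (the font cache in c:\windows\fonts) that trips the same hidden-plus-system heuristic, to show that the output is a list of leads to examine, not verdicts.

```python
"""Triage helper for a DDS log.

Added example for this thread; it is not part of the original post and
not a DDS feature.  It parses three of the line formats DDS prints
(running processes, SERVICES / DRIVERS, "Created Last 30") and flags
entries a responder would examine first.  Rule names and path
heuristics are this example's own choices.
"""
import re
from typing import Dict, List

# Line shapes as they appear in the DDS log posted above.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")

# Locations a kernel driver, service image or persistent process should not
# normally run from: a user profile's AppData tree or any Temp directory.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\")
# A file (not a directory) placed directly under the Program Files root.
PROGRAM_FILES_ROOT_RE = re.compile(r"c:\\program files\\[^\\]+")


def _finding(rule: str, path: str, line: str) -> Dict[str, str]:
    return {"rule": rule, "path": path, "line": line}


def triage(dds_text: str) -> List[Dict[str, str]]:
    """Return one finding per heuristic hit, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image")
            if USER_WRITABLE_RE.search(image.lower()):
                kind = "driver" if image.lower().endswith(".sys") else "service"
                findings.append(_finding(kind + "_from_user_writable_path", image, line))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # DDS attribute string: position 0 is 'd' for directories,
            # position 2 = system, position 3 = hidden, position 4 = archive.
            if attrs[2] == "s" and attrs[3] == "h":
                findings.append(_finding("hidden_system_object", path, line))
            if "%" in path:
                # A literal %VAR% in an on-disk path means something created
                # the object without expanding the environment variable.
                findings.append(_finding("unexpanded_env_var_in_path", path, line))
            if attrs[0] != "d" and PROGRAM_FILES_ROOT_RE.fullmatch(path.lower()):
                findings.append(_finding("loose_file_in_program_files_root", path, line))
            continue
        if PROCESS_RE.match(line) and USER_WRITABLE_RE.search(line.lower()):
            findings.append(_finding("process_from_user_profile", line, line))
    return findings


# Constructed sample: lines copied from the DDS log above, plus the Windows
# font cache (last line), a standard file that trips the hidden+system rule.
SAMPLE_DDS = r"""
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2af3vp9q.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2010-2-6 20392]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
S3 EMebDrv;EMebDrv;c:\users\admini~1\appdata\local\temp\EMebDrv.sys [2010-7-24 22736]
2010-07-25 02:01:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 00:50:41 4 ----a-w- c:\program files\35599.dat
2010-07-20 18:39:22 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-17 17:09:25 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['rule']:36} {f['path']}")
```

Run against a full DDS log the script reports a handful of lines out of several hundred; each hit still needs a human to confirm it (hash the file, check its signer, look at where it was downloaded from) before anything is removed, since legitimate software also occasionally installs drivers from Temp or marks its files hidden and system.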



#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:18 PM

Posted 30 July 2010 - 01:09 AM

Hi,

Thanks for the log. I still need to see some more info, please do the following:


Please run EVEREST Ultimate Edition v4.60 which is already installed on your PC.
  1. Please click the "+" sign beside Computer.
  2. Right click on Summary > Quick Report > Plain text.
  3. It will produce a summary report.
  4. Please click the "Save to file" Tab.
  5. Under file name, type Summary and save it on your desktop.
  6. Please close the report window by clicking the "Close Tab".

Next....

Still in EVEREST Ultimate Edition.
  1. Please do the same thing under Operating System.
  2. Please click the "+" sign beside Operating System.
  3. Right click on Operating System > Quick Report > Plain text.
  4. It will produce a Operating System report.
  5. Please click the "Save to file" Tab.
  6. Under file name, type OS and save it on your desktop.
  7. Please close the report window by clicking the "Close Tab".
  8. Exit EVEREST Ultimate Edition.


When you reply... please post the two reports (Summary.txt and OS.txt) both located on your desktop. Thanks.

Edited by sempai, 30 July 2010 - 01:33 AM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 L0v3LESS

L0v3LESS
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Location:new york
  • Local time:01:18 AM

Posted 30 July 2010 - 10:53 AM

In case this makes a difference, I just installed an updated intel wireless driver. Was welcomed with a BSOD about netw5v.sys (something along those lines).

I will attach both logs.

Thank you

OS.txt
--------[ EVEREST Ultimate Edition ]------------------------------------------------------------------------------------

    Version                                           EVEREST v4.60.1500
    Benchmark Module                                  2.3.237.0
    Homepage                                          http://www.lavalys.com/
    Report Type                                       Quick Report
    Computer                                          WILL-PC
    Generator                                         Administrator
    Operating System                                  Microsoft Windows Vista Ultimate 6.1.7600
    Date                                              2010-07-30
    Time                                              11:50


--------[ Operating System ]--------------------------------------------------------------------------------------------

    Operating System Properties:
      OS Name                                           Microsoft Windows Vista Ultimate
      OS Language                                       English (United States)
      OS Kernel Type                                    Multiprocessor Free (32-bit)
      OS Version                                        6.1.7600
      OS Service Pack                                   -
      OS Installation Date                              1/28/2010
      OS Root                                           C:\Windows

    License Information:
      Registered Owner                                  Will
      Registered Organization                          
      Product ID                                        00426-OEM-8992662-00006
      Product Key                                       edited by sempai
      Product Activation (WPA)                          Not Required

    Current Session:
      Computer Name                                     WILL-PC
      User Name                                         Administrator
      Logon Domain                                      Will-PC
      UpTime                                            426 sec (0 days, 0 hours, 7 min, 6 sec)

    Components Version:
      Common Controls                                   6.16
      Internet Explorer                                 8.0.7600.16385
      Windows Mail                                      6.1.7600.16385 (win7_rtm.090713-1255)
      Windows Media Player                              12.0.7600.16385 (win7_rtm.090713-1255)
      Windows Messenger                                 -
      MSN Messenger                                     -
      Internet Information Services (IIS)               7.5
      .NET Framework                                    3.5.30729.4926 built by: NetFXw7
      Novell Client                                     -
      DirectX                                           DirectX 10.0
      OpenGL                                            6.1.7600.16385 (win7_rtm.090713-1255)
      ASPI                                              -

    Operating System Features:
      Debug Version                                     No
      DBCS Version                                      Yes
      Domain Controller                                 No
      Security Present                                  No
      Network Present                                   Yes
      Remote Session                                    No
      Safe Mode                                         No
      Slow Processor                                    No
      Terminal Services                                 Yes


--------[ Debug - PCI ]-------------------------------------------------------------------------------------------------

    B00 D00 F00:  Intel GL960/GM965/PM965 Chipset - Memory Controller Hub
                  
      Offset 000:  86 80 00 2A  06 01 90 20  0C 00 00 06  00 00 00 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  E0 00 00 00  00 00 00 00  00 00 00 00
      Offset 040:  01 90 D1 FE  00 00 00 00  01 40 D1 FE  00 00 00 00
      Offset 050:  00 00 02 00  03 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  01 00 00 E0  00 00 00 00  01 80 D1 FE  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  01 10 00 00  00 00 00 00
      Offset 080:  00 00 00 E0  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  10 11 11 00  10 13 11 00  FF 03 00 00  00 1A 39 00
      Offset 0A0:  10 00 00 08  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 80 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 22 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  01 01 00 00
      Offset 0E0:  09 00 0A 91  A2 7C 00 30  04 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  90 0F 04 00  00 00 00 00

    B00 D01 F00:  Intel GL960/GM965/PM965 Chipset - PCI Express Root Port
                  
      Offset 000:  86 80 01 2A  07 01 10 00  0C 00 04 06  10 00 01 00
      Offset 010:  00 00 00 00  00 00 00 00  00 01 01 00  20 20 00 00
      Offset 020:  00 C4 F0 C6  01 D0 F1 DF  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  88 00 00 00  00 00 00 00  10 01 1A 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  01 90 03 C8  00 00 00 00  0D 80 00 00  25 00 25 00
      Offset 090:  05 A0 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  10 00 41 01  00 80 00 00  00 00 00 00  01 2D 01 02
      Offset 0B0:  43 00 01 11  C0 25 0C 00  C0 01 48 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  20 00 01 84  0C 00 00 A0  90 0F 04 00  33 00 00 00

    B00 D1A F00:  Intel 82801HBM ICH8M - USB Universal Host Controller
                  
      Offset 000:  86 80 34 28  05 00 80 02  03 00 03 0C  00 00 80 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  01 18 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  00 00 00 00  00 00 00 00  10 01 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  10 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 2F 00 00  00 00 00 00  00 00 01 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1A F01:  Intel 82801HBM ICH8M - USB Universal Host Controller
                  
      Offset 000:  86 80 35 28  05 00 80 02  03 00 03 0C  00 00 00 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  21 18 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  00 00 00 00  00 00 00 00  15 02 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  10 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 2F 00 00  00 00 00 00  00 00 01 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1A F07:  Intel 82801HBM ICH8M - USB2 Enhanced Host Controller
                  
      Offset 000:  86 80 3A 28  06 01 90 02  03 20 03 0C  00 00 00 00
      Offset 010:  00 40 40 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  50 00 00 00  00 00 00 00  12 03 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  01 58 C2 C9  00 00 00 00  0A 00 A0 20  00 00 00 00
      Offset 060:  20 20 FF 00  00 00 00 00  01 00 00 01  00 00 00 C0
      Offset 070:  00 00 DF 03  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  01 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 AA FF 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  88 85 40 00  86 0F 05 00  06 17 02 20

    B00 D1B F00:  Intel 82801HBM ICH8M - High Definition Audio Controller
                  
      Offset 000:  86 80 4B 28  06 01 10 00  03 00 03 04  10 00 00 00
      Offset 010:  04 00 40 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  50 00 00 00  00 00 00 00  14 01 00 00
      Offset 040:  01 00 00 03  07 00 00 00  00 00 00 00  00 80 00 00
      Offset 050:  01 60 42 C8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  05 70 80 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  10 00 91 00  00 00 00 00  00 08 10 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 01  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1C F00:  Intel 82801HBM ICH8M - PCI Express Root Port 1
                  
      Offset 000:  86 80 3F 28  07 00 10 00  03 00 04 06  10 00 81 00
      Offset 010:  00 00 00 00  00 00 00 00  00 02 02 00  30 30 00 20
      Offset 020:  00 BC F0 BF  01 CC F1 CD  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  40 00 00 00  00 00 00 00  11 01 04 00
      Offset 040:  10 80 41 01  C0 8F 00 00  00 00 10 00  11 4C 11 01
      Offset 050:  00 00 01 10  E0 A0 10 00  08 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  05 90 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  0D A0 00 00  C0 14 25 00  00 00 00 00  00 00 00 00
      Offset 0A0:  01 00 02 C8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  80 00 11 C8  00 00 00 00
      Offset 0E0:  00 0F C7 00  06 07 08 00  33 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1C F01:  Intel 82801HBM ICH8M - PCI Express Root Port 2
                  
      Offset 000:  86 80 41 28  07 01 10 00  03 00 04 06  10 00 81 00
      Offset 010:  00 00 00 00  00 00 00 00  00 04 04 00  40 40 00 00
      Offset 020:  00 F0 F0 F3  01 FA F1 FB  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  40 00 00 00  00 00 00 00  10 02 04 00
      Offset 040:  10 80 41 01  C0 8F 00 00  00 00 10 00  11 2C 11 02
      Offset 050:  43 00 11 30  E0 A0 18 00  08 00 40 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  05 90 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  0D A0 00 00  C0 14 25 00  00 00 00 00  00 00 00 00
      Offset 0A0:  01 00 02 C8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  80 00 11 C8  00 00 00 00
      Offset 0E0:  00 0F C7 00  06 07 08 00  33 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1C F02:  Intel 82801HBM ICH8M - PCI Express Root Port 3
                  
      Offset 000:  86 80 43 28  07 01 10 00  03 00 04 06  10 00 81 00
      Offset 010:  00 00 00 00  00 00 00 00  00 06 06 00  50 50 00 20
      Offset 020:  00 F4 F0 F7  01 FC F1 FD  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  40 00 00 00  00 00 00 00  12 03 04 00
      Offset 040:  10 80 41 01  C0 8F 00 00  00 00 10 00  11 4C 11 03
      Offset 050:  00 00 01 10  E0 A0 20 00  08 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  05 90 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  0D A0 00 00  C0 14 25 00  00 00 00 00  00 00 00 00
      Offset 0A0:  01 00 02 C8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  80 00 11 C8  00 00 00 00
      Offset 0E0:  00 0F C7 00  06 07 08 00  33 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1C F03:  Intel 82801HBM ICH8M - PCI Express Root Port 4
                  
      Offset 000:  86 80 45 28  07 01 10 00  03 00 04 06  10 00 81 00
      Offset 010:  00 00 00 00  00 00 00 00  00 08 08 00  60 60 00 20
      Offset 020:  00 B4 F0 B7  01 C8 F1 C9  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  40 00 00 00  00 00 00 00  13 04 04 00
      Offset 040:  10 80 41 01  C0 8F 00 00  00 00 10 00  11 4C 11 04
      Offset 050:  00 00 01 10  E0 A0 28 00  08 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  05 90 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  0D A0 00 00  C0 14 25 00  00 00 00 00  00 00 00 00
      Offset 0A0:  01 00 02 C8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  80 00 11 C8  00 00 00 00
      Offset 0E0:  00 0F C7 00  06 07 08 00  33 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1C F04:  Intel 82801HBM ICH8M - PCI Express Root Port 5
                  
      Offset 000:  86 80 47 28  04 01 10 00  03 00 04 06  10 00 81 00
      Offset 010:  00 00 00 00  00 00 00 00  00 0A 0A 00  F0 00 00 20
      Offset 020:  F0 FF 00 00  F1 FF 01 00  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  40 00 00 00  00 00 00 00  11 01 04 00
      Offset 040:  10 80 41 01  C0 8F 00 00  00 00 10 00  11 4C 11 05
      Offset 050:  00 00 01 10  E0 A0 10 00  08 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  05 90 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  0D A0 00 00  C0 14 25 00  00 00 00 00  00 00 00 00
      Offset 0A0:  01 00 02 C8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  80 00 11 C8  00 00 00 00
      Offset 0E0:  00 0F C7 00  06 07 08 00  33 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1C F05:  Intel 82801HBM ICH8M - PCI Express Root Port 6
                  
      Offset 000:  86 80 49 28  06 01 10 00  03 00 04 06  10 00 81 00
      Offset 010:  00 00 00 00  00 00 00 00  00 0C 0C 00  F0 00 00 00
      Offset 020:  00 F8 00 F8  F1 FF 01 00  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  40 00 00 00  00 00 00 00  10 02 04 00
      Offset 040:  10 80 41 01  C0 8F 00 00  00 00 10 00  11 2C 11 06
      Offset 050:  43 00 11 30  E0 A0 18 00  08 00 40 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  05 90 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  0D A0 00 00  C0 14 25 00  00 00 00 00  00 00 00 00
      Offset 0A0:  01 00 02 C8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  80 00 11 C8  00 00 00 00
      Offset 0E0:  00 0F C7 00  06 07 08 00  33 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1D F00:  Intel 82801HBM ICH8M - USB Universal Host Controller
                  
      Offset 000:  86 80 30 28  05 00 80 02  03 00 03 0C  00 00 80 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  41 18 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  00 00 00 00  00 00 00 00  17 01 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  10 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 2F 00 00  00 00 00 00  00 00 01 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1D F01:  Intel 82801HBM ICH8M - USB Universal Host Controller
                  
      Offset 000:  86 80 31 28  05 00 80 02  03 00 03 0C  00 00 00 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  61 18 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  00 00 00 00  00 00 00 00  13 02 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  10 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 2F 00 00  00 00 00 00  00 00 01 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1D F02:  Intel 82801HBM ICH8M - USB Universal Host Controller
                  
      Offset 000:  86 80 32 28  05 00 80 02  03 00 03 0C  00 00 00 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  81 18 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  00 00 00 00  00 00 00 00  12 03 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  10 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 2F 00 00  00 00 00 00  00 00 01 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1D F07:  Intel 82801HBM ICH8M - USB2 Enhanced Host Controller
                  
      Offset 000:  86 80 36 28  06 01 90 02  03 20 03 0C  00 00 00 00
      Offset 010:  00 44 40 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  50 00 00 00  00 00 00 00  17 01 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  01 58 C2 C9  00 00 00 00  0A 00 A0 20  00 00 00 00
      Offset 060:  20 20 FF 00  00 00 00 00  01 00 00 01  00 00 00 C0
      Offset 070:  00 00 DF 3F  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  01 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 AA FF 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  88 85 40 00  86 0F 05 00  06 17 02 20

    B00 D1E F00:  Intel 82801HBM I/O Controller Hub 8 (ICH8M)
                  
      Offset 000:  86 80 48 24  07 01 10 00  F3 01 04 06  00 00 01 00
      Offset 010:  00 00 00 00  00 00 00 00  00 0E 0E 20  F0 00 80 22
      Offset 020:  10 F8 10 F8  F1 FF 01 00  00 00 00 00  00 00 00 00
      Offset 030:  00 00 00 00  50 00 00 00  00 00 00 00  FF 00 04 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 12 00 00
      Offset 050:  0D 00 00 00  C0 14 25 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1F F00:  Intel 82801HBM ICH8M-DO - LPC Bridge
                  
      Offset 000:  86 80 15 28  07 01 10 02  03 00 01 06  00 00 80 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  E0 00 00 00  00 00 00 00  00 00 00 00
      Offset 040:  01 10 00 00  80 00 00 00  81 11 00 00  10 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  80 80 80 80  D0 00 00 00  80 80 80 80  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  10 00 00 3F  81 06 7C 00  00 00 00 00  69 00 04 00
      Offset 090:  41 16 7C 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  20 0E 00 00  39 00 80 00  15 1C 4A 00  00 03 00 00
      Offset 0B0:  00 12 F0 00  00 00 00 00  00 00 01 02  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  33 22 11 00  67 45 00 00  CF FF 00 00  00 00 00 00
      Offset 0E0:  09 00 0C 10  20 02 4C C3  60 00 00 00  00 00 00 00
      Offset 0F0:  01 C0 D1 FE  45 E3 34 00  86 0F 05 00  00 00 00 00

    B00 D1F F01:  Intel 82801HBM ICH8M - PATA Controller
                  
      Offset 000:  86 80 50 28  05 00 80 02  03 8A 01 01  00 00 00 00
      Offset 010:  01 00 00 00  01 00 00 00  01 00 00 00  01 00 00 00
      Offset 020:  A1 18 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  00 00 00 00  00 00 00 00  FF 01 00 00
      Offset 040:  C7 E3 00 80  00 00 00 00  01 00 02 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  03 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1F F02:  Intel 82801HBM ICH8M - 3-port SATA Controller
                  
      Offset 000:  86 80 28 28  05 00 B0 02  03 8F 01 01  00 00 00 00
      Offset 010:  F9 18 00 00  CD 18 00 00  F1 18 00 00  C9 18 00 00
      Offset 020:  E1 18 00 00  D1 18 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  70 00 00 00  00 00 00 00  13 02 00 00
      Offset 040:  C7 E3 77 F3  F0 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  01 00 03 40  08 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  05 70 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 01 81  80 01 00 78  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  05 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B00 D1F F03:  Intel 82801HBM ICH8M - SMBus Controller
                  
      Offset 000:  86 80 3E 28  03 01 80 02  03 00 05 0C  00 00 00 00
      Offset 010:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  01 1C 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  00 00 00 00  00 00 00 00  0A 03 00 00
      Offset 040:  01 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  03 04 04 00  00 00 08 08  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  04 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  86 0F 05 00  00 00 00 00

    B01 D00 F00:  nVIDIA GeForce 8600M GT (Compal) Video Adapter
                  
      Offset 000:  DE 10 07 04  07 01 10 00  A1 00 00 03  10 00 00 00
      Offset 010:  00 00 00 C6  0C 00 00 D0  00 00 00 00  04 00 00 C4
      Offset 020:  00 00 00 00  01 20 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  60 00 00 00  00 00 00 00  10 01 00 00
      Offset 040:  C0 14 25 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  01 00 00 00  01 00 00 00  CE D6 23 00  00 00 00 00
      Offset 060:  01 68 02 00  00 00 00 00  05 78 80 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  10 00 01 00  E0 84 2C 01
      Offset 080:  10 29 00 00  01 3D 01 00  0B 00 01 01  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

    B04 D00 F00:  Broadcom NetLink BCM5787M PCI-E Gigabit Ethernet Controller
                  
      Offset 000:  E4 14 93 16  06 05 10 00  02 00 00 02  10 00 00 00
      Offset 010:  04 00 00 F0  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  48 00 00 00  00 00 00 00  00 01 00 00
      Offset 040:  00 00 00 00  00 00 00 00  01 50 03 C0  08 20 00 64
      Offset 050:  03 58 00 00  16 EF B0 F1  09 E8 78 00  64 CA 99 49
      Offset 060:  00 00 00 00  00 00 00 00  98 02 02 B0  00 00 1B 76
      Offset 070:  92 10 00 00  C0 00 00 00  2C 00 00 00  F0 0D 00 00
      Offset 080:  C0 14 25 00  00 00 00 00  34 00 13 04  82 40 08 04
      Offset 090:  29 4A 00 01  00 00 00 00  00 00 00 00  C8 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 01  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 80 00 00  0E 00 00 00  00 00 00 00
      Offset 0D0:  10 00 01 00  A0 8F 04 05  00 50 11 00  11 6C 07 00
      Offset 0E0:  43 01 11 10  00 00 00 00  05 D0 81 00  0C 30 E0 FE
      Offset 0F0:  00 00 00 00  B0 49 00 00  00 00 00 00  00 00 00 00

    B0C D00 F00:  Intel Wireless WiFi Link 4965AGN Network Adapter
                  
      Offset 000:  86 80 29 42  06 05 10 00  61 00 80 02  10 00 00 00
      Offset 010:  04 00 00 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  86 80 00 11
      Offset 030:  00 00 00 00  C8 00 00 00  00 00 00 00  00 01 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 00 00 00  00 00 00 00  01 D0 23 C8  00 00 00 0D
      Offset 0D0:  05 E0 81 00  0C 30 E0 FE  00 00 00 00  A0 49 00 00
      Offset 0E0:  10 00 01 00  C0 8E 00 00  10 08 1B 00  11 1C 07 00
      Offset 0F0:  43 01 11 10  00 00 00 00  00 00 00 00  00 00 00 00

    B0E D06 F00:  Ricoh RL5C832 IEEE1394 Controller
                  
      Offset 000:  80 11 32 08  06 01 10 02  05 10 00 0C  10 40 80 00
      Offset 010:  00 00 10 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  DC 00 00 00  00 00 00 00  16 01 02 04
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  00 00 80 16  00 00 00 00  00 20 00 00  66 66 32 12
      Offset 090:  48 60 66 10  00 00 02 00  77 80 00 00  00 01 18 00
      Offset 0A0:  00 00 00 00  00 00 00 00  30 00 00 00  C0 14 25 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 02 04
      Offset 0C0:  00 30 00 00  00 00 00 00  00 00 80 80  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  01 00 02 FE
      Offset 0E0:  00 C0 00 48  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

    B0E D06 F01:  Ricoh RL5C822 SD Bus Host Adapter
                  
      Offset 000:  80 11 22 08  06 01 10 02  22 00 05 08  10 40 80 00
      Offset 010:  00 08 10 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  80 00 00 00  00 00 00 00  17 02 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  01 00 02 FE  00 40 00 48  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 0B0:  04 00 02 00  00 00 00 00  00 00 00 00  A0 00 00 00
      Offset 0C0:  00 30 00 00  00 00 00 00  00 00 80 80  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  A1 21 E0 01  00 00 00 00  40 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  C0 00 20 00  00 00 00 00

    B0E D06 F02:  Ricoh RL5C843 MMC Host Controller
                  
      Offset 000:  80 11 43 08  02 01 10 02  12 00 80 08  10 40 80 00
      Offset 010:  00 0C 10 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  80 00 00 00  00 00 00 00  0A 02 00 00
      Offset 040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  01 00 02 FE  00 40 00 48  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 0B0:  00 00 02 00  00 00 00 00  00 00 00 00  A0 00 00 00
      Offset 0C0:  00 30 00 00  00 00 00 00  00 00 80 80  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  84 02 04 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  C0 00 20 00  00 00 00 00

    B0E D06 F03:  Ricoh RL5C592 Memory Stick Bus Host Adapter
                  
      Offset 000:  80 11 92 05  06 01 10 02  12 00 80 08  10 40 80 00
      Offset 010:  00 10 10 F8  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 020:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 030:  00 00 00 00  80 00 00 00  00 00 00 00  17 02 00 00
      Offset 040:  00 00 02 00  00 00 00 00  00 00 02 00  00 00 00 00
      Offset 050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 080:  01 00 02 FE  00 40 00 48  00 00 00 00  00 00 00 00
      Offset 090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0A0:  00 00 00 00  00 00 00 00  00 00 00 00  C0 14 25 00
      Offset 0B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0C0:  00 30 00 00  00 00 00 00  00 00 80 80  00 00 00 00
      Offset 0D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0E0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 0F0:  00 00 00 00  00 00 00 00  C0 00 00 00  00 00 00 00

    PCI-8086-2A00:  Intel i965M/ME MCHBAR
                  
      Offset C00:  42 43 00 00  01 01 01 01  00 80 00 00  00 00 00 01
      Offset C10:  00 00 00 00  10 00 90 34  00 00 00 00  00 00 00 00
      Offset C20:  01 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset C30:  00 00 00 00  00 00 00 00  94 11 5C 12  00 00 00 00
      Offset C40:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset C50:  01 01 01 01  00 00 00 00  00 00 00 00  00 00 00 00
      Offset C60:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset C70:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset C80:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset C90:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset CA0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset CB0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset CC0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset CD0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset CE0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset CF0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

    PCI-8086-2A00:  Intel i965M/ME MCHBAR
                  
      Offset 1000:  74 00 93 00  00 04 71 00  71 00 00 00  00 71 71 00
      Offset 1010:  17 22 00 80  00 00 00 00  83 00 00 00  99 83 00 00
      Offset 1020:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 1030:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 1040:  7F 00 01 00  00 00 FF 00  FF 00 00 40  40 00 00 00
      Offset 1050:  00 00 00 80  00 00 00 00  80 00 00 00  99 80 00 00
      Offset 1060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 1070:  01 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 1080:  0E 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 1090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 10A0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 10B0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 10C0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 10D0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 10E0:  01 01 01 01  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 10F0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00

    PCI-8086-2A00:  Intel i965M/ME MCHBAR
                  
      Offset 1200:  20 00 40 00  40 00 40 00  33 00 09 00  03 00 00 00
      Offset 1210:  41 08 B1 34  63 84 E0 11  50 10 22 22  82 62 05 01
      Offset 1220:  64 30 4E 41  42 40 C6 62  00 68 00 00  00 00 00 00
      Offset 1230:  0A 02 00 40  00 18 0C 91  00 10 00 0C  00 00 00 00

    PCI-8086-2A00:  Intel i965M/ME MCHBAR
                  
      Offset 1300:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
      Offset 1310:  41 08 B1 34  63 84 E0 11  50 10 22 22  02 61 05 01
      Offset 1320:  64 30 4E 41  22 40 C6 62  00 68 00 00  00 00 00 00
      Offset 1330:  0A 02 00 40  00 18 0F 00  00 10 00 0F  00 00 00 00


--------[ Debug - Video BIOS ]------------------------------------------------------------------------------------------

    C000:0000  U.f.K7400.L.w.VIDEO ......e...IBM VGA Compatible........06/04/07
    C000:0040  .................@9...b8.............."....[..b.PMIDl.o.......
    C000:0080  .....3Fo....@...........1T...........@......j!...........J!....
    C000:00C0  ............HWEAPCIR............f.......G84 e416 SKU 0010 VGA BI
    C000:0100  OS.......................................................Version
    C000:0140   60.84.42.00.23 ...Copyright (C) 1996-2006 NVIDIA Corp.........
    C000:0180  G84 Board - e416h10 ...............Chip Rev   ..................
    C000:01C0  ........................................BIT......F2...X.B...\.C.
    C000:0200  ..t.D.....A.....I.....L.....M.....N.....P.....S.....T.....U.....
    C000:0240  V.....c.....x.....i.&........B.`#s................\\.........Ol3
    C000:0280  ..bdn.O..P.P.P.Q.Q.Q.P.....Q..O..<.........................B...
    C000:02C0  ...P9..S.(!3.53#..#...t.@+..8.8......B.`#..R.......04/03/07.....
    C000:0300  ................7.7..x................... .....7.7..x.........
    C000:0340  ,.......1...L...5...........G.7.7.J.q...O.....Q..........E...d.
    C000:0380  ..............a.......f...............n...".q.....t...y...x.x.z.
    C000:03C0  ..!.!.!.Q.{.{.{...........................2....u......j!P.\.....


------------------------------------------------------------------------------------------------------------------------

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Edit - Removed product key. ~Semp


Edited by sempai, 30 July 2010 - 11:52 AM.


#6 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:18 PM

Posted 30 July 2010 - 11:50 AM

Please do not make any changes or run any update until we remove all the infections. Thanks.

Can you please tell me what version of Windows you have... Windows 7? Vista?


Please download MBRCheck to your desktop.
  1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  2. It will open a black window, please do not fix anything (if it gives you an option).
  3. Exit that window and it will produce a log (MBRCheck_date_time).
  4. Please post that log when you reply.

Edited by sempai, 30 July 2010 - 12:17 PM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 L0v3LESS
  • Topic Starter
  • Members
  • 30 posts
  • Location:new york
  • Local time:01:18 AM

Posted 30 July 2010 - 12:28 PM

Windows 7 32-bit.
Just an edit: I have four partitions in my drive, and I'm not sure if MBR includes this, but the other two are Linux and one is a swap. My computer boots to my fourth partition loader which then chainlinks to Windows 7, and I'm pretty sure my MBR is basically shot; it messed up ever since a failed Fedora installation.

MBR (G: is my external hard drive):
CODE
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\G: --> \\.\PhysicalDrive1

       Size  Device Name          MBR Status
   --------------------------------------------
     186 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!
    1397 GB  \\.\PhysicalDrive1   Error reading raw MBR!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!  Press ENTER to exit...

Edited by L0v3LESS, 30 July 2010 - 12:34 PM.
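
MBRCheck's verdict above ("Known-bad MBR code detected") comes from reading sector 0 of each physical drive and comparing the boot code against a database of known loaders. What follows is an added example, not part of this thread and not MBRCheck's code, that shows the moving parts in Python: reading the 512-byte sector, validating the 0x55AA signature, decoding the four partition entries (handy for sanity-checking a layout like the one the poster describes: NTFS, Linux, swap, and a Linux boot partition marked active that chain-loads Windows), and hashing the first 440 bytes of boot code against a known-good set. The sample MBR bytes, the placeholder boot code and the known-good set are all constructed for the demo; MBRCheck uses its own database, and a real machine's baseline is whatever loader was there before the infection.

```python
"""Added example (not from the thread or from MBRCheck): parse and baseline-check
a 512-byte MBR. The sample bytes and the known-good set below are constructed."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Set

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code a bootkit replaces
PART_TABLE_OFF = 446         # four 16-byte partition entries at 446..509
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511

PART_TYPES = {0x00: "empty", 0x05: "Extended", 0x07: "NTFS/exFAT",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
              0xEE: "GPT protective"}


@dataclass(frozen=True)
class Partition:
    index: int        # 1..4, position in the table
    bootable: bool    # status byte carries the 0x80 "active" flag
    type_id: int
    start_lba: int
    sectors: int

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, f"0x{self.type_id:02X}")


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four entries; the CHS fields are skipped ('3x') since LBA is what matters."""
    parts = []
    for i in range(4):
        status, ptype, start_lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0x00:
            continue
        parts.append(Partition(i + 1, bool(status & 0x80), ptype, start_lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good: Set[str]) -> Dict[str, object]:
    """Verdict on one sector: signature, partitions, and whether the boot code is baselined.
    A bootkit such as Whistler/Mebroot rewrites the boot code but leaves the partition table
    intact, so a valid table plus an unknown boot-code hash is the 'non-standard MBR' case."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    parts = parse_partitions(mbr)
    digest = boot_code_hash(mbr)
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": digest,
        "boot_code_known_good": digest in known_good,
        "partitions": parts,
        "active": [p.index for p in parts if p.bootable],
    }


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device: r'\\\\.\\PhysicalDrive0' on Windows (run as
    administrator) or '/dev/sda' on Linux (root). Not called by the demo, so it runs offline."""
    with open(device_path, "rb", buffering=0) as dev:
        return dev.read(SECTOR)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: NTFS, Linux, swap, Linux, active flag on the fourth entry, mirroring
    the layout the poster describes. Offsets are illustrative, not real disk data."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    layout = [  # (active, type, start_lba, sector_count)
        (False, 0x07, 2048, 209_715_200),        # ~100 GiB NTFS
        (False, 0x83, 209_717_248, 104_857_600),
        (False, 0x82, 314_574_848, 8_388_608),
        (True,  0x83, 322_963_456, 67_108_864),  # boot partition that chain-loads Windows
    ]
    for i, (active, ptype, start, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed baseline: placeholder bytes standing in for this machine's legitimate loader.
CLEAN_BOOT_CODE = b"\xEB\x3C\x90" + b"PLACEHOLDER-BOOT-CODE" + b"\x00" * 64
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
KNOWN_GOOD = {boot_code_hash(CLEAN_MBR)}


def demo():
    """Return (clean_verdict, infected_verdict): the constructed clean MBR, and a copy whose
    boot code was overwritten the way a bootkit installer would, table left untouched."""
    clean = check_mbr(CLEAN_MBR, KNOWN_GOOD)
    tampered = bytearray(CLEAN_MBR)
    tampered[:8] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"  # illustrative bytes, not bootkit code
    infected = check_mbr(bytes(tampered), KNOWN_GOOD)
    return clean, infected


if __name__ == "__main__":
    for label, verdict in zip(("clean", "tampered"), demo()):
        print(f"{label}: known_good={verdict['boot_code_known_good']} active={verdict['active']}")
        for p in verdict["partitions"]:
            print(f"  #{p.index} {p.type_name:<14} start={p.start_lba} sectors={p.sectors}")
```

Two caveats a practitioner should keep in mind. First, Mebroot/Whistler-class bootkits hook the disk driver stack and hand user-mode readers a clean copy of sector 0, so a "known good" verdict obtained from inside the infected OS is not trustworthy; read the sector from boot media (WinPE or a Linux live system) when the result matters. Second, the hash comparison only tells you the boot code is not one you have baselined; a "non-standard" result on a machine with GRUB or another third-party loader, as the poster describes, needs the actual bytes examined before it is called malicious.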


#8 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:18 PM

Posted 30 July 2010 - 11:11 PM

Hi,

Is this reading correct?
QUOTE
Partitions:
C: (NTFS) 100.0 GB (23.1 GB free)
G: (NTFS) 1397.3 GB (311.2 GB free)
Total Size 1497.3 GB (334.3 GB free)




Edited by sempai, 30 July 2010 - 11:22 PM.

~Semp



#9 L0v3LESS
  • Topic Starter
  • Members
  • 30 posts
  • Location:new york
  • Local time:01:18 AM

Posted 31 July 2010 - 12:14 PM

Yes. That is a 1.5TB external hard drive.

#10 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:18 PM

Posted 31 July 2010 - 12:22 PM

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.





~Semp



#11 L0v3LESS
  • Topic Starter
  • Members
  • 30 posts
  • Location:new york
  • Local time:01:18 AM

Posted 31 July 2010 - 01:01 PM

Combofix:

CODE
ComboFix 10-07-31.01 - Administrator 1/2010 Sat  13.38.08.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7600.0.932.81.1033.18.2046.846 [GMT -4:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\system.txt
c:\users\Administrator\AppData\Roaming\inst.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\%appdata%
c:\windows\system32\imageres.dll.old2
c:\windows\system32\shell32.dll.old2
c:\windows\system32\shell32.dll.old3
G:\autorun.inf

.
MBR is infected with the Whistler Bootkit !!

(((((((((((((((((((((((((   Files Created from 2010-06-28 to 2010-07-31  )))))))))))))))))))))))))))))))
.

2010-07-31 17:35 . 2010-07-31 17:36    --------    d-----w-    C:\32788R22FWJFW
2010-07-31 17:33 . 2010-07-31 17:33    --------    d-----w-    c:\users\Downloads\WirelessDriver11.1.1.13
2010-07-31 17:33 . 2010-07-31 17:33    --------    d-----w-    c:\users\Downloads
2010-07-30 15:47 . 2010-07-30 15:47    --------    d-----w-    c:\windows\LastGood.Tmp
2010-07-30 03:31 . 2010-07-30 03:31    --------    d-----w-    c:\program files\Motorola
2010-07-30 03:29 . 2010-07-30 03:29    --------    d-----w-    C:\adb
2010-07-25 02:01 . 2010-07-25 02:01    --------    d-----w-    c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-07-25 02:01 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 02:01 . 2010-07-25 02:01    --------    d-----w-    c:\programdata\Malwarebytes
2010-07-25 02:01 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-07-25 02:01 . 2010-07-25 02:01    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-07-25 01:01 . 2010-07-25 01:01    --------    d-----w-    c:\users\Administrator\DoctorWeb
2010-07-25 00:50 . 2010-07-25 00:50    4    ----a-w-    c:\program files\35599.dat
2010-07-17 17:09 . 2010-07-17 17:09    56    ---ha-w-    c:\windows\system32\ezsidmv.dat
2010-07-17 17:09 . 2010-07-31 01:27    --------    d-----w-    c:\users\Administrator\AppData\Roaming\skypePM
2010-07-17 17:08 . 2010-07-31 03:11    --------    d-----w-    c:\users\Administrator\AppData\Roaming\Skype
2010-07-17 17:08 . 2010-07-17 17:08    --------    d-----w-    c:\program files\Common Files\Skype
2010-07-17 17:08 . 2010-07-17 17:08    --------    d-----r-    c:\program files\Skype
2010-07-17 17:08 . 2010-07-17 17:08    --------    d-----w-    c:\programdata\Skype
2010-07-17 04:57 . 2010-07-17 05:03    --------    d-----w-    c:\users\Administrator\.android
2010-07-17 00:39 . 2010-07-17 00:39    --------    d-----w-    c:\program files\MSXML 4.0

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 17:51 . 2010-01-28 06:55    --------    d-----w-    c:\users\Administrator\AppData\Roaming\uTorrent
2010-07-31 17:08 . 2010-02-02 05:55    --------    d-----w-    c:\program files\Trillian
2010-07-30 17:32 . 2010-01-30 16:23    762786    ----a-w-    c:\windows\system32\perfh00A.dat
2010-07-30 17:32 . 2010-01-30 16:23    430304    ----a-w-    c:\windows\system32\perfh011.dat
2010-07-30 17:32 . 2010-01-30 16:23    164796    ----a-w-    c:\windows\system32\perfc00A.dat
2010-07-30 17:32 . 2010-01-30 16:23    126336    ----a-w-    c:\windows\system32\perfc011.dat
2010-07-30 17:32 . 2010-01-30 10:16    420736    ----a-w-    c:\windows\system32\prfh0404.dat
2010-07-30 17:32 . 2010-01-30 10:16    119104    ----a-w-    c:\windows\system32\prfc0404.dat
2010-07-30 17:32 . 2010-01-30 10:11    432022    ----a-w-    c:\windows\system32\perfh012.dat
2010-07-30 17:32 . 2010-01-30 10:11    124446    ----a-w-    c:\windows\system32\perfc012.dat
2010-07-30 17:32 . 2010-01-30 10:07    403832    ----a-w-    c:\windows\system32\prfh0804.dat
2010-07-30 17:32 . 2010-01-30 10:07    124018    ----a-w-    c:\windows\system32\prfc0804.dat
2010-07-30 03:26 . 2010-06-27 01:00    --------    d-----w-    c:\programdata\Nero
2010-07-30 03:26 . 2010-07-30 03:25    5    ----a-w-    c:\windows\system32\lMMLDeleteUserData42107612FX.tmp
2010-07-30 02:53 . 2010-06-24 00:45    765952    ----a-w-    c:\programdata\NexonUS\NGM\NGMDll.dll
2010-07-28 13:35 . 2010-04-22 00:53    --------    d-----w-    c:\program files\MeGUI
2010-07-28 13:13 . 2010-02-08 04:23    --------    d-----w-    c:\program files\MediaCoder
2010-07-26 04:45 . 2010-06-03 11:12    --------    d-----w-    c:\program files\Avidemux 2.5
2010-07-21 22:19 . 2010-01-28 03:49    --------    d-----w-    c:\program files\SystemRequirementsLab
2010-07-21 22:19 . 2010-07-21 22:19    84480    ----a-w-    c:\users\Administrator\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-07-21 22:19 . 2010-02-07 20:13    --------    d-----w-    c:\users\Administrator\AppData\Roaming\SystemRequirementsLab
2010-07-17 21:32 . 2010-02-02 05:17    --------    d-----w-    c:\users\Administrator\AppData\Roaming\foobar2000
2010-07-17 20:19 . 2010-03-13 04:34    --------    d-----w-    c:\users\Administrator\AppData\Roaming\AccurateRip
2010-07-17 05:48 . 2010-05-27 01:17    --------    d-----w-    c:\program files\SFO
2010-07-17 05:48 . 2010-01-28 03:58    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-07-17 04:54 . 2010-07-17 04:53    35692902    ----a-w-    c:\programdata\motorola\motorola media link\UpDate\Download\Motorola Media Link\1.02.0901.1\patch\patch.exe
2010-07-17 04:52 . 2010-07-17 04:52    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-07-17 04:52 . 2010-07-17 04:52    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
2010-07-17 04:52 . 2010-07-17 04:52    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
2010-07-17 00:39 . 2010-02-11 18:57    --------    d-----w-    c:\programdata\Microsoft Help
2010-06-27 01:09 . 2010-06-27 01:09    --------    d-----w-    c:\users\Administrator\AppData\Roaming\motorola
2010-06-27 01:09 . 2010-06-27 01:09    --------    d-----w-    c:\programdata\motorola
2010-06-27 01:00 . 2010-06-27 01:00    --------    d-----w-    c:\program files\Common Files\Nero
2010-06-27 00:58 . 2010-06-27 00:58    --------    d-----w-    c:\program files\Common Files\Motorola Shared
2010-06-24 05:52 . 2010-03-09 05:35    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2010-06-24 05:52 . 2010-06-24 05:52    53632    ----a-w-    c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-24 05:52 . 2010-03-09 05:35    53632    ----a-w-    c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-24 05:31 . 2010-06-24 05:30    --------    d-----w-    c:\program files\BannedStory
2010-06-24 00:45 . 2010-06-24 00:45    98304    ----a-w-    c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-06-24 00:45 . 2010-06-24 00:45    401408    ----a-w-    c:\programdata\NexonUS\NGM\NGMResource.dll
2010-06-24 00:45 . 2010-06-24 00:45    258352    ----a-w-    c:\programdata\NexonUS\NGM\unicows.dll
2010-06-24 00:45 . 2010-06-24 00:45    172032    ----a-w-    c:\programdata\NexonUS\NGM\NGM.exe
2010-06-24 00:45 . 2010-06-24 00:45    126976    ----a-w-    c:\programdata\NexonUS\NGM\nxgameus.dll
2010-06-24 00:45 . 2010-06-24 00:45    --------    d-----w-    c:\programdata\NexonUS
2010-06-23 23:30 . 2010-04-03 17:00    --------    d-----w-    c:\programdata\PMB Files
2010-06-23 05:26 . 2010-02-11 18:59    --------    d-----w-    c:\program files\Microsoft.NET
2010-06-14 22:35 . 2010-02-10 07:33    --------    d-----w-    c:\users\Administrator\AppData\Roaming\mIRC
2010-06-14 22:33 . 2010-02-10 07:33    --------    d-----w-    c:\program files\mIRC
2010-06-11 05:26 . 2010-01-28 03:33    129888    ----a-w-    c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-11 00:45 . 2010-06-11 00:45    0    ----a-w-    c:\windows\nsreg.dat
2010-06-10 22:32 . 2010-02-16 01:50    --------    d-----w-    c:\program files\Microsoft Silverlight
2010-06-10 22:29 . 2010-05-23 20:44    --------    d-----w-    c:\program files\Combined Community Codec Pack
2010-06-07 00:20 . 2010-06-07 00:20    --------    d-----w-    c:\users\Administrator\AppData\Roaming\IrfanView
2010-06-07 00:20 . 2010-06-07 00:20    --------    d-----w-    c:\program files\IrfanView
2010-06-03 21:20 . 2010-06-03 21:19    --------    d-----w-    c:\users\Administrator\AppData\Roaming\avidemux
2010-06-03 11:00 . 2010-06-03 11:00    --------    d-----w-    c:\users\Administrator\AppData\Roaming\SpiritON TV Software
2010-06-03 10:52 . 2010-06-03 10:52    --------    d-----w-    c:\programdata\SlySoft
2010-06-03 01:06 . 2010-03-05 05:11    20722688    ----a-w-    c:\windows\system32\imageres.dll
2010-06-02 01:32 . 2010-06-11 00:54    655360    ----a-w-    c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2af3vp9q.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
2010-05-30 19:04 . 2010-05-30 19:04    128682    ----a-w-    c:\users\Administrator\AppData\Roaming\Yamb\Uninstall.exe
2010-05-27 20:26 . 2010-05-27 20:26    29926    ----a-r-    c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_18be6784.exe
2010-05-27 20:26 . 2010-05-27 20:26    29422    ----a-r-    c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{394BE3D9-7F57-4638-A8D1-1D88671913B7}\_294823.exe
2010-05-27 07:24 . 2010-06-08 21:41    34304    ----a-w-    c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-08 21:41    293888    ----a-w-    c:\windows\system32\atmfd.dll
2010-05-26 21:22 . 2010-07-22 07:04    176128    ----a-w-    c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2af3vp9q.default\extensions\{077a24e9-0db5-435f-9010-5261c53e5925}\plugins\npmabiwebframe.dll
2010-05-21 18:14 . 2010-01-28 03:43    221568    ------w-    c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-08 21:41    977920    ----a-w-    c:\windows\system32\wininet.dll
2010-05-16 19:26 . 2010-05-16 19:26    894    ----a-r-    c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{56507F25-41BE-4E18-BA87-0476417BBBDF}\avdump_gui_1.exe
2010-05-12 02:31 . 2010-05-12 01:53    101072    ----a-w-    c:\windows\UTP.exe
2010-05-09 09:14 . 2010-06-23 05:23    641536    ----a-w-    c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-06-23 05:23    417792    ----a-w-    c:\windows\system32\msdri.dll
2009-06-10 21:26 . 2009-07-14 02:04    9633792    --sha-r-    c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42    396800    --sha-w-    c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-03-26 . 686632D0C158E2FB8DCC4CA839510748 . 2614272 . . [6.1.7600.16385] . . c:\windows\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DFE2FE9-CF99-4ADF-A28E-9B5ADB8DC74F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-05-15 322352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2006-12-29 569344]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-20 8452640]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-3-29 719664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk /p \??\G:\0autocheck

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages    REG_MULTI_SZ       kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BumpTop.lnk]
backup=c:\windows\pss\BumpTop.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 07:44    500208    ------w-    c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 08:57    406992    ----a-w-    c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-04-24 03:21    203928    ----a-w-    c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bamboo Dock]
2010-03-09 05:35    178176    ----a-w-    c:\program files\Bamboo Dock\Bamboo Dock\Bamboo Dock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BambooCore]
2009-12-14 10:04    606296    ----a-w-    c:\program files\Bamboo Dock\BambooCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2009-03-01 00:40    75048    ----a-w-    c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2010-04-03 16:58    323392    ----a-w-    c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44    31072    ----a-w-    c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
2010-02-10 17:27    18784440    ----a-w-    c:\program files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-04-03 17:00    2937528    ----a-w-    c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD9LanguageShortcut]
2008-10-14 01:41    50472    ------w-    c:\program files\CyberLink\PowerDVD9\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53    421888    ----a-w-    c:\program files\Quick Time 7\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-02-16 14:55    87336    ------w-    c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start Killer]
2009-07-10 00:47    90112    ----a-w-    c:\program files\StartKiller\StartKiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 17:37    517096    ----a-w-    c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
R3 EMebDrv;EMebDrv;c:\users\ADMINI~1\AppData\Local\Temp\EMebDrv.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2009-06-19 19712]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-01-12 185640]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-02 1343400]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-03 721904]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-12-09 20392]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/02/15 22:44];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-03-01 00:40 87536]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-12-18 95896]
S2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [2010-01-27 91392]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs    REG_MULTI_SZ       w3svc was
apphost    REG_MULTI_SZ       apphostsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: preto.me
TCP: {C0E130AE-C27F-46FF-A53F-36819FF79C1F} = 208.67.222.222,208.67.220.220
TCP: 2456C6B696E6E253244423 = 208.67.222.222,208.67.220.220
TCP: C61657E6462797261637B65647 = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2af3vp9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bakabt.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2af3vp9q.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\npAFOM.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Quick Time 7\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Quick Time 7\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Quick Time 7\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Quick Time 7\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Quick Time 7\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Quick Time 7\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2af3vp9q.default\extensions\{077a24e9-0db5-435f-9010-5261c53e5925}\plugins\npmabiwebframe.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
MSConfigStartUp-SMSERIAL - c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,31,83,e0,55,b6,ee,45,bd,d5,05,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,31,83,e0,55,b6,ee,45,bd,d5,05,\

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dc,c6,fa,14,8a,19,6a,42,ae,ea,c1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dc,c6,fa,14,8a,19,6a,42,ae,ea,c1,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,13,dc,a4,b7,94,1f,4c,82,69,a9,\

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\mpc-hc.exe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.3gp"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\mpc-hc.exe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\mpc-hc.exe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\7zFM.exe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ac3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\mpc-hc.exe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.amv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.amv"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ass\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Aegisub.ASSA.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="CCCP.MPC.AVI.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bik\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.bik"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.d2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.d2v"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.divx"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.drc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.drc"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dsa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.dsa"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dsm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.dsm"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dss\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.dss"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dsv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.dsv"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.evo\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.evo"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fla\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Flash.Document11"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FLAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="foobar2000.FLAC"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.flc"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fli\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.fli"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flic\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.flic"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.flv"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdmov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.hdmov"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iflv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.iflv"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IFO\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.ifo"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ite\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ite"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itlp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itlp"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ivf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.ivf"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.m1v"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.m2p"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.m2t"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.m2ts"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.m2v"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.m3u"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M4A"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.m4v"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mks\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Aegisub.MKS.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="CCCP.MPC.Matroska.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mov"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mp2v"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="CCCP.MPC.MP4.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mp4v"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mpe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mpeg"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\mpc-hc.exe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mpv2"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mpv4"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.mts"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="CCCP.MPC.OGM.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.ogv"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pva\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.pva"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ram\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.ram"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\UserChoice]
@Denied: (2) (Administrator)
"Progid"="7-Zip.rar"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ratdvd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.ratdvd"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.reg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\regedt32.exe"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.rm"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.rmm"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmvb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.rmvb"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.roq\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.roq"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.rp"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rpm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.rpm"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.rt"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.smi"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smil\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.smil"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smk\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.smk"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Aegisub.SRT.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ssa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Aegisub.SSA.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.swf"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.tp"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tpr\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.tpr"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.ts"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttxt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Aegisub.TTXT.1"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vob\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.vob"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vp6\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.vp6"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wgt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.Widget"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.wm"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="mplayerc.wmp"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-3643238694-1608844555-440513881-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\UserChoice]
@Denied: (2) (Administrator)
"Progid"="7-Zip.zip"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1076)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\taskhost.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2010-07-31  13:59:04 - machine was rebooted
ComboFix-quarantined-files.txt  2010-07-31 17:59

Pre-Run: 23,684,321,280 bytes free
Post-Run: 30,170,832,896 bytes free

- - End Of File - - F24FC2009F653088C013C4AD397D210A


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 31 July 2010 - 01:47 PM

Hi,

No need to put the logs in code tags.

Your situation, or your system's current set-up, is unusual for me, and our next step is to fix the MBR. Please make sure that you have the Windows 7 installation disk before proceeding with the instructions below; if you don't have a Windows 7 disk, please make sure to Create a System Repair Disc in Windows 7. This is to make sure that we have a back-up plan just in case something goes wrong during the fix.

I will also recommend that you make a back-up of your important data.

Do not back up any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files...
The reason for this is that these files may be infected as well.


==================================


Please carefully follow these instructions.
  1. Please run MBRCheck again
  2. If you receive the message "Found non-standard or infected MBR".
  3. Please type Y and hit ENTER key for more options.
  4. When prompted to "Enter your choice:" Type 2 and hit the enter key.
  5. When prompted to "Enter the physical disk number to fix (0-99, -1 to cancel):" Type 0 and hit the enter key.
  6. When prompted to "Please select the MBR code to write to this drive:" Type 5 and hit the enter key.
  7. When you receive the message "Do you want to fix the MBR code?" Type YES and hit ENTER key.
  8. You will see the message "Successfully wrote new MBR code!" if successful.
    • Right click on the screen and choose Select All.
    • Press Control+C (to copy the data).
    • Open a notepad, Click on Edit tab > paste.
    • Save that notepad on your desktop as MBRfix.txt
  9. Press ENTER to exit
  10. Please post the contents of MBRfix.txt when you reply.


Now, please restart your PC, wait for about 5 minutes after the restart and do the following.
  1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  2. It will open a black window, please do not fix anything (if it gives you an option).
  3. Exit that window and it will produce a log (MBRCheck_date_time).
  4. Please post that log when you reply.

Note: If any instruction is unclear, please stop and ask me about the part that you don't understand.

Edited by sempai, 31 July 2010 - 01:52 PM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
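The MBRCheck procedure above works by reading sector 0 of the disk, comparing its boot-code area against known variants, and, when asked, overwriting it with standard code. As an added illustration that is not part of this thread and not MBRCheck's own code, the Python below shows the defender's read-only half of that: it parses a constructed 512-byte MBR, verifies the 0x55AA signature, decodes the four partition-table entries, and compares a SHA-256 of the 446-byte boot-code area against a baseline of known-good hashes. The baseline here is constructed from the sample itself (a real one would hold hashes of boot code taken from clean installs), and the `read_mbr_from_device` helper, its `/dev/sda` default, and all partition values are assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0x000-0x1BD hold the boot code
PART_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries follow
SIGNATURE_OFFSET = 0x1FE     # the two-byte 0x55AA boot signature closes the sector
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR: NOP-filled boot code and one active NTFS partition."""
    boot_code = bytes([0x90]) * BOOT_CODE_LEN
    # Constructed entry: active (0x80), type 0x07 (NTFS), starts at LBA 2048,
    # 390,000,000 sectors (about 186 GiB, roughly the first drive in this thread).
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 390_000_000)
    return boot_code + entry + bytes(16) * 3 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature, the partition table and a hash of the boot-code area."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "slot": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "size_gib": count * SECTOR_SIZE / 2**30,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def classify_boot_code(sector: bytes, known_good: dict) -> str:
    """Verdict in MBRCheck's style: known code, unknown code, or not a valid MBR at all."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid MBR (missing 0x55AA signature)"
    label = known_good.get(info["boot_code_sha256"])
    return f"known MBR code: {label}" if label else "unknown MBR code"


def read_mbr_from_device(path: str = "/dev/sda") -> bytes:
    """Assumed helper: read sector 0 of a raw block device (needs root; the path is an assumption)."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


# Constructed baseline. In practice this maps SHA-256 hashes of boot code captured
# from clean installs of each Windows version to a human-readable label.
KNOWN_GOOD = {
    hashlib.sha256(bytes([0x90]) * BOOT_CODE_LEN).hexdigest(): "constructed sample baseline",
}


if __name__ == "__main__":
    sample = build_sample_mbr()
    print(classify_boot_code(sample, KNOWN_GOOD))
    tampered = b"\xEB" + sample[1:]  # one changed byte in the boot code: the hash no longer matches
    print(classify_boot_code(tampered, KNOWN_GOOD))
    for p in parse_mbr(sample)["partitions"]:
        print(f"slot {p['slot']}: type 0x{p['type']:02X}, {p['size_gib']:.0f} GiB, active={p['active']}")
```

Hashing the whole 446-byte area is the simplest baseline check; a single changed byte produces "unknown MBR code", which is the same signal MBRCheck gives before it offers to rewrite the sector. An "Error reading raw MBR!" result like the one for PhysicalDrive1 in the logs corresponds to the read itself failing, which a real tool would report separately from a hash mismatch.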


#13 L0v3LESS

L0v3LESS
  • Topic Starter

  • Members
  • 30 posts
  • Location:new york
  • Local time:01:18 AM

Posted 31 July 2010 - 06:22 PM

Ran MBRCheck. Completed successfully, and now I can't boot. Will boot to Linux LiveCD and fix GRUB, and post results after the boot record has been rescued.

EDIT: Bootloader installed from Linux Mint 9 onto MBR.

Newest MBRCheck scan log:

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\G: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
1397 GB \\.\PhysicalDrive1 Error reading raw MBR!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...


Edited by L0v3LESS, 31 July 2010 - 07:25 PM.


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:18 PM

Posted 31 July 2010 - 10:50 PM

Hi,

Sorry to find out that it became unbootable, but the situation requires us to fix the MBR because it is infected.
  1. Do you have the MBRfix.txt report? Can you post it, please?
  2. Is there something that you don't want to share like a tweaked OS?
  3. Do you really have a Windows 7 OS and not a tweaked Vista that will look like a Windows 7?
  4. Did you manage to have the Windows 7 installation disk or the System repair disk?



~Semp



#15 L0v3LESS

L0v3LESS
  • Topic Starter

  • Members
  • 30 posts
  • Location:new york
  • Local time:01:18 AM

Posted 31 July 2010 - 10:57 PM

Okay.
In terms of a tweaked OS, the farthest I've gone on 7 is to disable services and change the theme by replacing shell32.dll, explorer.exe, etc. Otherwise, nothing has been edited.
I have a real Windows 7 OS, but it did not come with the computer. I manually installed it after deleting my old partition table and creating a new one. I have reinstalled several times: the first time I wiped my disk clean again and installed Linux, then installed Windows in another partition. This wiped out my MBR so I could not access Linux. I fixed the MBR by installing Linux in a third partition, which is why I have four partitions: two for Linux and one for swap.
The CURRENT MBR is the one installed by Mint Linux.

I do have a Windows 7 installation disk.

MBR:
MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\G: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
1397 GB \\.\PhysicalDrive1 Error reading raw MBR!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
[ 0] Default (Windows 7)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done! Press ENTER to exit...



