Antimalware Doctor removed, but rootkit virus remains


This topic is locked
18 replies to this topic

#1 unit_g83


Posted 18 August 2010 - 06:48 AM

Hi there,

As requested, please see below, and thanks once again for your help.

Problem description: infected with Antimalware Doctor virus, rootkit virus, and additional malware.

Action taken: used 'rkill' to terminate Antimalware Doctor, and then used MBAM to remove malware. Further scans with Norton completed and no viruses found. However, Google searches still redirect and Windows Update cannot be accessed. Completed a scan with ComboFix, which suggested a rootkit virus was present; the logs state 3 items have been modified (including the main rootkit).

Webpages still redirect, there is no access to Windows Update, and the laptop does not go into hibernation. I noticed that at one point I had three WUAUCLT.exe running, and I am now consistently out of usable HDD space (it's a small HDD anyway, but I usually have at least 400 MB free; I now have about 3 MB). Windows updates seem to have installed themselves and I am now being prompted to restart the laptop, which I won't do for fear of who knows what may be activated should I continue.


LOGS

COMBOFIX

ComboFix 10-08-16.04 - Robert Chohan 17/08/2010 23:31:27.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1515 [GMT 1:00]
Running from: c:\documents and settings\Robert Chohan\My Documents\prevent\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-17 17:04 . 2008-04-13 18:40 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-08-16 16:54 . 2010-08-17 09:31 0 ----a-w- c:\windows\Ftaci.bin
2010-08-16 16:54 . 2010-08-16 16:54 120 ----a-w- c:\windows\Xnitobuzitowaye.dat
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\yonyfcxym
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\bbryfklhy
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\dnwafsxql
2010-08-16 15:18 . 2008-04-13 18:39 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2010-08-13 14:29 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-13 14:29 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 22:39 . 2005-11-04 11:23 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-30 11:51 . 2010-06-30 11:51 -------- d-----w- c:\documents and settings\Robert Chohan\Application Data\Download Manager
2010-06-18 13:12 . 2010-06-18 13:00 110562 ----a-w- c:\windows\hpoins11.dat
2010-06-14 14:31 . 2005-03-28 08:43 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
.

------- Sigcheck -------

[-] 2008-04-14 . E3DB04A711CD8F6BF01298665C232CEA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . 9A0678E38084F97902ACD6CC5F796D86 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-08-29 102400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-01 126976]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"Wireless Console"="c:\program files\ASUS\Wireless Console\wcourier.exe" [2005-01-24 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"InCD"="d:\ahead\InCD\InCD.exe" [2004-09-13 1450096]
"RemoteControl"="d:\asustek\ASUSDVD\PDVDServ.exe" [2003-10-31 32768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-11 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"vptray"="d:\symant~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Microsoft Office.lnk - d:\microsoft office\Office10\OSA.EXE [2001-2-13 83360]
EZ-RC System Tray.lnk - d:\ez-rc\ez-rc-tray.exe [2009-9-3 125440]
DynDNS Updater Tray Icon.lnk - d:\dyndns updater\DynTray.exe [2010-4-15 91504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 10:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=c:\windows\pss\NevoMedia Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 16:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-27 20:39 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-29 09:29 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Microsoft ActiveSync\\wcescomm.exe"=
"d:\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Nevo\\NevoStudio\\NevoSL.exe"=
"d:\\Nevo\\NevoStudio\\NevoStudio.exe"=
"c:\\WINDOWS\\System32\\msiexec.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"d:\\Sony Ericsson\\Update Service\\Update Service.exe"=
"d:\microsoft activesync\rapimgr.exe"= d:\microsoft activesync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Sonos\\sonos.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"d:\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 R592;R592;c:\windows\system32\drivers\R592.sys [20/10/2004 05:49 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [20/10/2004 05:49 27264]
R2 DynDNS Updater;DynDNS Updater;d:\dyndns updater\DynUpSvc.exe [16/04/2010 17:19 103800]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 14:00 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/07/2008 17:07 13352]
S3 NevoSLUSB;NevoSLUSB;c:\windows\system32\drivers\NevoSLUSB.sys [28/10/2005 14:32 10752]
S3 Pronto2G;Philips Pronto NG USB Driver;c:\windows\system32\drivers\Pronto2G.sys [02/12/2009 17:10 16384]

--- Other Services/Drivers In Memory ---

*Deregistered* - pzaknhui
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-01-25 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.co.uk/
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\micros~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - d:\sitecom\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Robert Chohan\Application Data\Mozilla\Firefox\Profiles\xlg6516x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.co.uk
FF - component: d:\mozilla firefox\components\gpff.dll
FF - component: d:\nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: d:\canon\ZoomBrowser EX\Program\NPCIG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 23:43
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzaknhui]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2268)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
d:\microsoft office\Office10\msohev.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
d:\nokia\Nokia PC Suite 7\PhoneBrowser.dll
d:\nokia\Nokia PC Suite 7\NGSCM.DLL
d:\nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
d:\nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\ahead\InCD\InCDsrv.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\sitecom\Bluetooth Software\bin\btwdins.exe
d:\symantec_client_security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\symantec_client_security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ATK0100\ATKOSD.exe
d:\micros~2\wcescomm.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.EXE
d:\micros~2\rapimgr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
.
**************************************************************************
.
Completion time: 2010-08-17 23:57:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 22:57
ComboFix2.txt 2010-08-17 17:37
ComboFix3.txt 2010-07-16 11:36

Pre-Run: 415,563,776 bytes free
Post-Run: 385,875,968 bytes free

- - End Of File - - 5F29862C0E0AE950C66F23A6DC9AB519
DDS
Attach.txt is attached


DDS (Ver_10-03-17.01) - FAT32x86
Run by Robert Chohan at 12:24:24.10 on 18/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.844 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
SVCHOST.EXE
D:\Sitecom\Bluetooth Software\bin\btwdins.exe
D:\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\DynDNS Updater\DynUpSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\Ahead\InCD\InCD.exe
D:\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\SYMANT~1\SYMANT~1\vptray.exe
D:\MICROS~2\wcescomm.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
D:\MICROS~2\rapimgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
D:\EZ-RC\ez-rc-tray.exe
D:\DynDNS Updater\DynTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Robert Chohan\My Documents\prevent\Defogger.exe
C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe
C:\Documents and Settings\Robert Chohan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.co.uk/
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [H/PC Connection Agent] "d:\micros~2\wcescomm.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [Wireless Console] c:\program files\asus\wireless console\wcourier.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
mRun: [InCD] d:\ahead\incd\InCD.exe
mRun: [RemoteControl] d:\asustek\asusdvd\PDVDServ.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [vptray] d:\symant~1\symant~1\vptray.exe
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ez-rcs~1.lnk - d:\ez-rc\ez-rc-tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - d:\dyndns updater\DynTray.exe
IE: E&xport to Microsoft Excel - d:\micros~1\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - d:\sitecom\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - d:\sitecom\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\micros~2\INetRepl.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert~1\applic~1\mozilla\firefox\profiles\xlg6516x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.co.uk
FF - component: d:\mozilla firefox\components\gpff.dll
FF - component: d:\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: d:\canon\zoombrowser ex\program\NPCIG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 R592;R592;c:\windows\system32\drivers\R592.sys [2004-10-20 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [2004-10-20 27264]
R2 DynDNS Updater;DynDNS Updater;d:\dyndns updater\DynUpSvc.exe [2010-4-16 103800]
R2 NAVAPEL;NAVAPEL;d:\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;d:\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;d:\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100816.016\NAVENG.sys [2010-8-17 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100816.016\NAVEX15.sys [2010-8-17 1362608]
R3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2009-8-3 724736]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-7-6 13352]
S3 NevoSLUSB;NevoSLUSB;c:\windows\system32\drivers\NevoSLUSB.sys [2005-10-28 10752]
S3 Pronto2G;Philips Pronto NG USB Driver;c:\windows\system32\drivers\Pronto2G.sys [2009-12-2 16384]

=============== Created Last 30 ================

2010-08-18 11:13:42 0 ----a-w- c:\documents and settings\robert chohan\defogger_reenable
2010-08-17 17:04:54 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-08-17 17:00:06 77312 ----a-w- c:\windows\MBR.exe
2010-08-17 17:00:05 98816 ----a-w- c:\windows\sed.exe
2010-08-17 17:00:05 256512 ----a-w- c:\windows\PEV.exe
2010-08-17 17:00:05 161792 ----a-w- c:\windows\SWREG.exe
2010-08-16 16:54:35 120 ----a-w- c:\windows\Xnitobuzitowaye.dat
2010-08-16 16:54:35 0 ----a-w- c:\windows\Ftaci.bin
2010-08-16 16:53:17 785408 ----a-w- c:\windows\system32\drivers\pzaknhui.sys
2010-08-16 15:18:15 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2010-08-13 14:29:42 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-13 14:29:36 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2010-06-18 13:12:42 110562 ----a-w- c:\windows\hpoins11.dat
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2008-05-19 16:41:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051920080520\index.dat

============= FINISH: 12:26:27.68 ===============



GMER



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-18 12:36:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\kgdyaaow.sys


---- Kernel code sections - GMER 1.0.15 ----

? pzaknhui.sys A device attached to the system is not functioning. !
PAGE Fastfat.sys F796AD56 4 Bytes CALL 8A9D1951

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2096] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B4874A
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3788] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 28003CA0 D:\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3788] ole32.dll!CoInitializeEx 774FEF7B 5 Bytes JMP 28002100 D:\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom 8AA0CD08

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat 8AA0CD08

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pzaknhui <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060ac14d9
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060ac14d9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----


That's it. If there is anything you need me to do, please let me know.
Thank you again for your help, it's really appreciated. I look forward to hearing from you!


EDIT:
After running the above scans, I now have access to Windows Update. However, as some updates have apparently been installed and now require the laptop to be restarted, I am not able to see what other updates there may be until I do so. I'm hesitant to restart in case the rootkit (which may be temporarily disabled?) becomes active.



EDIT:
The laptop auto-restarted after going into standby and not being able to come out of it. The latest updates have been applied except for one for Internet Explorer 8 which will not install. I've now downloaded Opera as Mozilla had some issues. Mozilla has been uninstalled.


Edited by unit_g83, 19 August 2010 - 02:18 AM.




#2 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 26 August 2010 - 02:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

Is that a bird? A plane? Nooo, it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 unit_g83

  • Topic Starter

  • Members
  • 13 posts

Posted 02 September 2010 - 08:20 AM

Hi Myrti,

Firstly, my apologies for the delayed response. I have carried out the same scans as before so we have somewhere fresh to start.

Scans include ComboFix, DDS, GMER and OTL. Please see below for the logs:


ComboFix

ComboFix 10-09-01.04 - Robert Chohan 02/09/2010 13:39:23.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1293 [GMT 1:00]
Running from: c:\documents and settings\Robert Chohan\My Documents\prevent\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))
.

2010-09-02 12:36 . 2010-09-02 12:36 -------- d-----w- c:\windows\LastGood
2010-08-18 16:31 . 2010-08-18 16:31 -------- d-----w- c:\documents and settings\Robert Chohan\Application Data\Jasc
2010-08-18 15:47 . 2010-08-18 15:47 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\Opera
2010-08-18 15:45 . 2010-08-18 15:45 -------- d-sh--w- c:\documents and settings\Robert Chohan\IECompatCache
2010-08-17 17:04 . 2008-04-13 18:40 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-08-16 16:54 . 2010-08-17 09:31 0 ----a-w- c:\windows\Ftaci.bin
2010-08-16 16:54 . 2010-08-16 16:54 120 ----a-w- c:\windows\Xnitobuzitowaye.dat
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\yonyfcxym
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\bbryfklhy
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\dnwafsxql
2010-08-16 15:18 . 2008-04-13 18:39 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2010-08-13 14:29 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-13 14:29 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 12:35 . 2010-09-02 12:36 1033728 ----a-w- c:\windows\OLD2C.tmp
2010-09-02 12:21 . 2005-11-04 11:23 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-02 11:51 . 2004-08-19 09:07 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-07-16 11:43 . 2010-07-16 11:43 388096 ----a-r- c:\documents and settings\Robert Chohan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-07 22:10 . 2010-07-07 22:10 6123008 ----a-w- c:\documents and settings\Robert Chohan\Application Data\Azureus\plugins\azemp\vuzeplayer.exe
2010-06-30 12:31 . 2004-08-19 09:07 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2004-08-19 09:07 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 09:59 . 2010-06-23 09:59 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3A.tmp.exe
2010-06-21 15:27 . 2004-08-19 09:07 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 13:12 . 2010-06-18 13:00 110562 ----a-w- c:\windows\hpoins11.dat
2010-06-17 14:03 . 2004-08-19 09:06 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2005-03-28 08:43 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-14 07:41 . 2004-08-19 09:07 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

------- Sigcheck -------

[-] 2010-09-02 . E5350AD782BBDA8745E6C5438C369B5D . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-08-29 102400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-01 126976]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"Wireless Console"="c:\program files\ASUS\Wireless Console\wcourier.exe" [2005-01-24 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"InCD"="d:\ahead\InCD\InCD.exe" [2004-09-13 1450096]
"RemoteControl"="d:\asustek\ASUSDVD\PDVDServ.exe" [2003-10-31 32768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-11 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"vptray"="d:\symant~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Microsoft Office.lnk - d:\microsoft office\Office10\OSA.EXE [2001-2-13 83360]
EZ-RC System Tray.lnk - d:\ez-rc\ez-rc-tray.exe [2009-9-3 125440]
DynDNS Updater Tray Icon.lnk - d:\dyndns updater\DynTray.exe [2010-4-15 91504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 10:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=c:\windows\pss\NevoMedia Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 16:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-27 20:39 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-29 09:29 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Microsoft ActiveSync\\wcescomm.exe"=
"d:\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Nevo\\NevoStudio\\NevoSL.exe"=
"d:\\Nevo\\NevoStudio\\NevoStudio.exe"=
"c:\\WINDOWS\\System32\\msiexec.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"d:\\Sony Ericsson\\Update Service\\Update Service.exe"=
"d:\microsoft activesync\rapimgr.exe"= d:\microsoft activesync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Sonos\\sonos.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"d:\\Vuze\\Azureus.exe"=
"d:\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 R592;R592;c:\windows\system32\drivers\R592.sys [20/10/2004 05:49 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [20/10/2004 05:49 27264]
S2 DynDNS Updater;DynDNS Updater;d:\dyndns updater\DynUpSvc.exe [16/04/2010 17:19 103800]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 14:00 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/07/2008 17:07 13352]
S3 NevoSLUSB;NevoSLUSB;c:\windows\system32\drivers\NevoSLUSB.sys [28/10/2005 14:32 10752]
S3 Pronto2G;Philips Pronto NG USB Driver;c:\windows\system32\drivers\Pronto2G.sys [02/12/2009 17:10 16384]

--- Other Services/Drivers In Memory ---

*Deregistered* - pzaknhui
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-01-25 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.co.uk/
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\micros~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - d:\sitecom\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 13:45
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzaknhui]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1660)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2010-09-02 13:47:43
ComboFix-quarantined-files.txt 2010-09-02 12:47
ComboFix2.txt 2010-08-17 22:57
ComboFix3.txt 2010-08-17 17:37
ComboFix4.txt 2010-07-16 11:36

Pre-Run: 520,339,456 bytes free
Post-Run: 525,369,344 bytes free

- - End Of File - - E3C6E414F6AAD5D257477CD96CC154B4



DDS

Main Log - Attach.txt is attached


DDS (Ver_10-03-17.01) - FAT32x86
Run by Robert Chohan at 13:57:31.40 on 02/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1293 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
SVCHOST.EXE
D:\Sitecom\Bluetooth Software\bin\btwdins.exe
D:\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
D:\Ahead\InCD\InCD.exe
D:\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\SYMANT~1\SYMANT~1\vptray.exe
D:\MICROS~2\wcescomm.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
D:\MICROS~2\rapimgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
D:\EZ-RC\ez-rc-tray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Robert Chohan\My Documents\prevent\gmer\gmer.exe
C:\Documents and Settings\Robert Chohan\My Documents\prevent\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.co.uk/
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [H/PC Connection Agent] "d:\micros~2\wcescomm.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [Wireless Console] c:\program files\asus\wireless console\wcourier.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
mRun: [InCD] d:\ahead\incd\InCD.exe
mRun: [RemoteControl] d:\asustek\asusdvd\PDVDServ.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [vptray] d:\symant~1\symant~1\vptray.exe
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ez-rcs~1.lnk - d:\ez-rc\ez-rc-tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - d:\dyndns updater\DynTray.exe
IE: E&xport to Microsoft Excel - d:\micros~1\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - d:\sitecom\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - d:\sitecom\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\micros~2\INetRepl.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlcdnet.asus.com/pub/ASUS/misc/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 R592;R592;c:\windows\system32\drivers\R592.sys [2004-10-20 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [2004-10-20 27264]
R2 NAVAPEL;NAVAPEL;d:\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;d:\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R3 NAVAP;NAVAP;d:\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100901.053\NAVENG.sys [2010-9-2 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100901.053\NAVEX15.sys [2010-9-2 1362608]
S2 DynDNS Updater;DynDNS Updater;d:\dyndns updater\DynUpSvc.exe [2010-4-16 103800]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-7-6 13352]
S3 NevoSLUSB;NevoSLUSB;c:\windows\system32\drivers\NevoSLUSB.sys [2005-10-28 10752]
S3 Pronto2G;Philips Pronto NG USB Driver;c:\windows\system32\drivers\Pronto2G.sys [2009-12-2 16384]
S3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2009-8-3 724736]

=============== Created Last 30 ================

2010-09-02 12:55:51 0 d-sh--w- C:\Recycled
2010-09-02 12:55:29 0 d-----w- C:\logs
2010-09-02 12:36:32 1033728 ----a-w- c:\windows\OLD2C.tmp
2010-09-02 12:34:38 77312 ----a-w- c:\windows\MBR.exe
2010-09-02 12:34:37 98816 ----a-w- c:\windows\sed.exe
2010-09-02 12:34:37 256512 ----a-w- c:\windows\PEV.exe
2010-09-02 12:34:37 161792 ----a-w- c:\windows\SWREG.exe
2010-08-18 16:31:29 0 d-----w- c:\docume~1\robert~1\applic~1\Jasc
2010-08-18 15:45:19 0 d-sh--w- c:\documents and settings\robert chohan\IECompatCache
2010-08-18 11:13:42 0 ----a-w- c:\documents and settings\robert chohan\defogger_reenable
2010-08-17 17:04:54 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-08-16 16:54:35 120 ----a-w- c:\windows\Xnitobuzitowaye.dat
2010-08-16 16:54:35 0 ----a-w- c:\windows\Ftaci.bin
2010-08-16 16:53:17 785408 ----a-w- c:\windows\system32\drivers\pzaknhui.sys
2010-08-16 15:18:15 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2010-08-13 14:29:42 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-13 14:29:36 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2010-09-02 11:51:44 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-07-27 06:30:36 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-06-21 15:27:12 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-18 13:12:42 110562 ----a-w- c:\windows\hpoins11.dat
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:46 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2008-05-19 16:41:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051920080520\index.dat

============= FINISH: 13:57:44.21 ===============
GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-02 14:06:13
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\kgdyaaow.sys


---- Kernel code sections - GMER 1.0.15 ----

? pzaknhui.sys A device attached to the system is not functioning. !
PAGE Fastfat.sys F796AD56 4 Bytes CALL 8A9F89F1
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pzaknhui <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060ac14d9
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pzaknhui@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060ac14d9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\pzaknhui@Group Boot Bus Extender
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3814\Shell@MinPos1280x768(1).x -1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3814\Shell@MinPos1280x768(1).y -1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3911\Shell@MinPos1280x768(1).x -1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3911\Shell@MinPos1280x768(1).y -1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3914\Shell@MinPos1280x768(1).x -1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3914\Shell@MinPos1280x768(1).y -1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3915\Shell@MinPos1280x768(1).x -1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3915\Shell@MinPos1280x768(1).y -1

---- EOF - GMER 1.0.15 ----
OTL

OTL logfile created on: 02/09/2010 14:09:29 - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Robert Chohan\My Documents\prevent
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 21.25 Gb Total Space | 0.52 Gb Free Space | 2.45% Space Free | Partition Type: FAT32
Drive D: | 14.12 Gb Total Space | 0.93 Gb Free Space | 6.60% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROBERTJAMES
Current User Name: Robert Chohan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/02 14:08:46 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert Chohan\My Documents\prevent\OTL.exe
PRC - [2010/08/09 15:27:06 | 000,836,464 | ---- | M] (Opera Software) -- D:\Opera\opera.exe
PRC - [2009/09/03 02:36:16 | 000,125,440 | ---- | M] () -- D:\EZ-RC\ez-rc-tray.exe
PRC - [2008/12/08 15:50:04 | 000,054,576 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd2.exe
PRC - [2008/04/14 01:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 08:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/06/27 21:39:54 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- D:\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- D:\Microsoft ActiveSync\rapimgr.exe
PRC - [2005/09/21 10:24:02 | 000,086,016 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SoundMan.exe
PRC - [2005/08/29 11:30:02 | 000,102,400 | ---- | M] () -- C:\WINDOWS\ATK0100\HControl.exe
PRC - [2005/08/22 20:50:08 | 001,986,560 | ---- | M] () -- C:\WINDOWS\ATK0100\ATKOSD.exe
PRC - [2005/01/24 21:12:42 | 000,065,536 | ---- | M] () -- C:\Program Files\ASUS\Wireless Console\wcourier.exe
PRC - [2005/01/14 19:54:48 | 000,479,232 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2004/12/22 01:23:00 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/11/30 19:09:34 | 000,253,952 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2004/10/15 11:31:32 | 000,356,352 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
PRC - [2004/10/15 11:30:52 | 000,098,304 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
PRC - [2004/10/15 11:27:56 | 000,385,024 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2004/10/15 11:27:38 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/10/15 11:24:48 | 000,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2004/10/15 11:23:12 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/10/15 11:22:14 | 000,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2004/10/15 11:21:38 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2004/10/14 04:13:58 | 000,450,560 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2004/09/21 16:55:40 | 000,081,920 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
PRC - [2004/09/13 11:49:42 | 001,192,050 | ---- | M] (Ahead Software AG) -- D:\Ahead\InCD\InCDsrv.exe
PRC - [2004/09/13 10:51:06 | 001,450,096 | ---- | M] (Ahead Software AG) -- D:\Ahead\InCD\InCD.exe
PRC - [2004/08/16 19:46:06 | 000,163,840 | ---- | M] (Broadcom Corporation) -- D:\Sitecom\Bluetooth Software\bin\btwdins.exe
PRC - [2004/02/11 22:08:12 | 000,061,440 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
PRC - [2003/10/31 19:42:40 | 000,032,768 | ---- | M] (Cyberlink Corp.) -- D:\ASUSTek\ASUSDVD\PDVDServ.exe
PRC - [2002/07/30 11:40:44 | 000,573,440 | ---- | M] (Symantec Corporation) -- D:\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
PRC - [2002/07/30 11:36:00 | 000,032,768 | ---- | M] (Symantec Corporation) -- D:\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
PRC - [2002/07/30 11:35:04 | 000,077,824 | ---- | M] (Symantec Corporation) -- D:\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe


========== Modules (SafeList) ==========

MOD - [2010/09/02 14:08:46 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert Chohan\My Documents\prevent\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2004/12/22 01:23:00 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/04/16 17:19:28 | 000,103,800 | ---- | M] (Dynamic Network Services, Inc.) [Auto | Stopped] -- D:\DynDNS Updater\DynUpSvc.exe -- (DynDNS Updater)
SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/08/09 08:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/15 11:30:52 | 000,098,304 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe -- (OwnershipProtocol)
SRV - [2004/10/15 11:24:48 | 000,360,521 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/10/15 11:22:14 | 000,086,016 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2004/10/15 11:21:38 | 000,139,264 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2004/09/13 11:49:42 | 001,192,050 | ---- | M] (Ahead Software AG) [Auto | Running] -- D:\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2004/09/13 10:49:42 | 001,192,050 | ---- | M] (Ahead Software AG) [Auto | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
SRV - [2004/08/16 19:46:06 | 000,163,840 | ---- | M] (Broadcom Corporation) [Auto | Running] -- D:\Sitecom\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2002/07/30 11:40:44 | 000,573,440 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2002/07/30 11:36:00 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- D:\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/09/01 09:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100901.053\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/09/01 09:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100901.053\NAVENG.SYS -- (NAVENG)
DRV - [2009/10/06 11:52:50 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/10/06 11:52:34 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/10/06 11:52:34 | 000,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2009/10/06 11:52:34 | 000,007,936 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/08/03 17:57:00 | 000,724,736 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Drt2870.sys -- (rt2870)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/07/06 17:07:08 | 000,021,672 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2008/07/06 17:07:08 | 000,013,352 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2008/04/13 19:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 17:36:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/06 09:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/08/28 05:58:00 | 000,005,760 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATKACPI.sys -- (MTsensor)
DRV - [2007/06/25 11:43:38 | 000,098,344 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117obex.sys -- (s117obex)
DRV - [2007/06/25 11:43:36 | 000,108,456 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117mdm.sys -- (s117mdm)
DRV - [2007/06/25 11:43:36 | 000,100,264 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117mgmt.sys -- (s117mgmt) Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM)
DRV - [2007/06/25 11:43:36 | 000,098,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117unic.sys -- (s117unic) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM)
DRV - [2007/06/25 11:43:36 | 000,022,952 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117nd5.sys -- (s117nd5) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS)
DRV - [2007/06/25 11:43:26 | 000,014,888 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117mdfl.sys -- (s117mdfl)
DRV - [2007/06/25 11:43:22 | 000,082,984 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s117bus.sys -- (s117bus) Sony Ericsson Device 117 driver (WDM)
DRV - [2007/02/12 11:39:32 | 000,073,224 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/12/19 15:02:36 | 000,060,572 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2005/12/19 15:02:36 | 000,028,449 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2005/10/28 14:32:04 | 000,010,752 | ---- | M] (Universal Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NevoSLUSB.sys -- (NevoSLUSB)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/07/25 10:04:08 | 000,048,640 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2005/01/17 13:13:28 | 000,098,304 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfbd.sys -- (Tosrfbd)
DRV - [2005/01/17 09:48:00 | 001,036,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2005/01/17 09:48:00 | 000,702,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/01/17 09:48:00 | 000,163,328 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/01/08 18:15:40 | 000,051,582 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosporte.sys -- (tosporte)
DRV - [2005/01/07 06:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/12/22 04:38:12 | 000,034,816 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2004/12/22 01:23:00 | 000,186,240 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/12/16 10:30:14 | 000,050,048 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfSnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)
DRV - [2004/12/09 14:54:12 | 000,046,592 | ---- | M] (SMSC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2004/11/16 15:51:54 | 000,050,048 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfhid.sys -- (Tosrfhid)
DRV - [2004/10/29 18:48:10 | 003,222,784 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/10/15 11:20:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/10/05 03:33:02 | 000,062,799 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2004/09/17 00:42:54 | 000,027,264 | ---- | M] (REDC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\risdpntk.sys -- (risdpntk)
DRV - [2004/09/13 11:54:46 | 000,028,672 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2004/09/13 11:54:06 | 000,093,440 | ---- | M] (Ahead Software AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2004/09/13 10:54:54 | 000,027,648 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2004/08/18 10:44:52 | 000,054,328 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2004/08/16 19:35:54 | 000,017,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2004/08/16 19:35:22 | 000,147,896 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2004/08/16 19:34:56 | 000,023,271 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL)
DRV - [2004/08/16 19:34:50 | 000,222,876 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btslbcsp.sys -- (BTSLBCSP)
DRV - [2004/08/16 19:33:34 | 001,241,034 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2004/08/16 19:31:24 | 000,030,267 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2004/08/12 17:45:52 | 000,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/07/09 10:07:34 | 000,036,531 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)
DRV - [2004/07/05 16:14:58 | 000,057,088 | ---- | M] (REDC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\R592.sys -- (R592)
DRV - [2003/12/08 11:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
DRV - [2003/12/08 11:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)
DRV - [2003/09/19 09:05:24 | 000,016,384 | ---- | M] (Philips Electronics) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Pronto2G.sys -- (Pronto2G)
DRV - [2003/07/01 18:47:08 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/06/19 20:57:14 | 000,029,184 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- D:\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2002/06/19 20:57:12 | 000,218,112 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- D:\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -- (NAVAP)
DRV - [2002/06/10 14:16:34 | 000,371,766 | ---- | M] (Philips Semiconductors) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CamDrL21.sys -- (PhilCam8116) Logitech QuickCam Pro 3000(PID_08B0)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com

IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E3 C3 D1 67 6F 39 CB 01 [binary data]
IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: D:\Nokia\Nokia PC Suite 7\bkmrksync\ [2010/05/19 16:32:02 | 000,000,000 | ---D | M]

[2008/10/11 15:32:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert Chohan\Application Data\Mozilla\Extensions
[2008/12/27 19:02:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert Chohan\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/07/15 14:16:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/17 23:42:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
O4 - HKLM..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe ()
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [InCD] D:\Ahead\InCD\InCD.exe (Ahead Software AG)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe ()
O4 - HKLM..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [RemoteControl] D:\ASUSTek\ASUSDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [vptray] D:\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe ()
O4 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005..\Run: [H/PC Connection Agent] D:\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EZ-RC System Tray.lnk = D:\EZ-RC\ez-rc-tray.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DynDNS Updater Tray Icon.lnk = D:\DynDNS Updater\DynTray.exe (Dynamic Network Services, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-446183623-1050593537-2473299980-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O8 - Extra context menu item: Send To &Bluetooth - D:\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Sitecom\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Sitecom\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/9/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlcdnet.asus.com/pub/ASUS/misc/dlm-...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - D:\Microsoft ActiveSync\aatp.dll File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (Broadcom Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/28 09:45:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - Services: "iPodService"
MsConfig - Services: "gusvc"
MsConfig - Services: "Apple Mobile Device"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk - D:\Sitecom\Bluetooth Software\BTTray.exe - (Broadcom Corporation)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk - C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk - D:\Nevo\NEVOME~2\NEVOME~1.EXE - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk - C:\PROGRA~1\WI459E~1\WINDOW~1.EXE - File not found
MsConfig - StartUpReg: LVCOMS - hkey= - key= - C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe (Logitech Inc.)
MsConfig - StartUpReg: NeroFilterCheck - hkey= - key= - File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {05466845-FF44-4671-92C1-A5FD0F9EEE1C} - Microsoft Reader
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\AC3ACM.acm (fccHandler)
Drivers32: MSACM.CEGSM - mobilev.acm File not found
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivXNetworks)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/02 13:55:51 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/09/02 13:55:29 | 000,000,000 | ---D | C] -- C:\logs
[2010/09/02 13:47:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/02 13:36:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/09/02 13:34:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/02 13:34:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/02 13:34:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/02 13:34:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/18 17:31:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Application Data\Jasc
[2010/08/18 16:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\Opera
[2010/08/18 16:47:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Application Data\Opera
[2010/08/18 16:45:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Robert Chohan\IECompatCache
[2010/08/17 12:38:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Desktop\TM-6800 SUPER
[2010/08/17 12:27:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Desktop\TM-6800 HD
[2010/08/16 17:53:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\yonyfcxym
[2010/08/16 17:53:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\bbryfklhy
[2010/08/16 17:53:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\dnwafsxql
[2010/08/06 16:46:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Robert Chohan\Recent
[2010/08/04 12:28:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert Chohan\My Documents\asusworld79
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/02 14:12:04 | 000,785,408 | ---- | M] () -- C:\WINDOWS\System32\drivers\pzaknhui.sys
[2010/09/02 14:10:10 | 015,466,496 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\ntuser.dat
[2010/09/02 13:47:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/02 13:45:28 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/02 13:24:06 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/02 13:24:02 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/02 13:23:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/02 13:23:42 | 2138,296,320 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/02 13:21:42 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/02 13:21:38 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2010/09/02 13:21:26 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Robert Chohan\ntuser.ini
[2010/08/26 15:30:22 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\dental.doc
[2010/08/25 12:31:34 | 000,001,633 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/25 09:22:22 | 000,000,266 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\Desktop\RJ Quotations.lnk
[2010/08/21 13:41:14 | 000,000,452 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
[2010/08/18 17:15:16 | 000,662,932 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\Desktop\Uninstall.reg
[2010/08/18 16:40:22 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/18 16:40:22 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/18 16:40:22 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/18 16:16:50 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/18 16:08:18 | 000,222,432 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/18 15:34:40 | 000,001,407 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/08/18 14:43:56 | 000,109,056 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/18 14:43:56 | 000,000,202 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/08/18 14:33:58 | 000,204,763 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\shinobu.png
[2010/08/18 12:23:22 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\Desktop\dds.scr
[2010/08/18 12:13:44 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\defogger_reenable
[2010/08/18 12:11:56 | 000,000,624 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/17 17:39:14 | 000,000,521 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\Desktop\fixme.bat
[2010/08/17 13:30:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\PDVD_MediaDisc.PlayList
[2010/08/17 10:31:16 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ftaci.bin
[2010/08/16 18:36:02 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\Desktop\rkill.com
[2010/08/16 17:54:36 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Xnitobuzitowaye.dat
[2010/08/12 12:28:38 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\Games to Buy.doc
[2010/08/10 22:52:14 | 000,041,472 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\KEVIN JOSEPH CHOHAN v3.doc
[2010/08/10 22:25:42 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\KEVIN JOSEPH CHOHAN v2.doc
[2010/08/10 15:00:20 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\KEVIN JOSEPH CHOHAN.doc
[2010/08/06 15:38:26 | 001,588,564 | ---- | M] () -- C:\Documents and Settings\Robert Chohan\My Documents\iap.flv
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/02 13:34:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/02 13:34:37 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/02 13:34:37 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/02 13:34:37 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/02 13:34:37 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/26 15:27:24 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\My Documents\dental.doc
[2010/08/25 12:31:33 | 000,001,633 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/18 17:15:14 | 000,662,932 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Desktop\Uninstall.reg
[2010/08/18 15:34:38 | 000,001,407 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/08/18 14:30:49 | 000,204,763 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\My Documents\shinobu.png
[2010/08/18 12:23:21 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Desktop\dds.scr
[2010/08/18 12:13:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\defogger_reenable
[2010/08/17 17:38:47 | 000,000,521 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Desktop\fixme.bat
[2010/08/16 18:38:16 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Desktop\rkill.com
[2010/08/16 17:54:35 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Xnitobuzitowaye.dat
[2010/08/16 17:54:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ftaci.bin
[2010/08/16 17:53:17 | 000,785,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\pzaknhui.sys
[2010/08/12 12:28:36 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\My Documents\Games to Buy.doc
[2010/08/10 22:27:40 | 000,041,472 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\My Documents\KEVIN JOSEPH CHOHAN v3.doc
[2010/08/10 21:08:53 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\My Documents\KEVIN JOSEPH CHOHAN v2.doc
[2010/08/10 14:36:12 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\My Documents\KEVIN JOSEPH CHOHAN.doc
[2010/08/06 15:38:21 | 001,588,564 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\My Documents\iap.flv
[2010/08/04 17:05:29 | 000,973,632 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\ErrorLog.txt
[2010/06/18 14:04:56 | 000,000,813 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2010/06/18 14:00:47 | 000,000,673 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/06/18 14:00:30 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/07/09 14:30:52 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/21 16:29:10 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc
[2008/07/18 12:17:54 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Application Data\$_hpcst$.hpc
[2007/12/09 22:03:44 | 000,000,033 | ---- | C] () -- C:\WINDOWS\LVMMail.INI
[2007/03/28 16:22:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2007/02/12 12:37:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/05/02 13:57:28 | 000,005,489 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/05/02 13:57:28 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/04/26 14:17:47 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/01/27 16:51:07 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2006/01/27 16:51:06 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2006/01/27 16:45:48 | 000,000,160 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2006/01/27 16:45:47 | 000,003,399 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2006/01/27 16:43:39 | 000,000,103 | ---- | C] () -- C:\WINDOWS\System32\hptrace.ini
[2006/01/27 16:42:17 | 000,020,392 | ---- | C] () -- C:\WINDOWS\hpclj2550.ini
[2005/12/02 12:12:56 | 000,000,110 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2005/10/15 22:30:40 | 000,000,075 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/08/26 00:32:48 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2005/08/25 20:31:16 | 000,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2005/08/25 20:29:39 | 000,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2005/08/17 16:28:41 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\fusioncache.dat
[2005/08/17 15:12:43 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2005/08/17 12:29:32 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2005/08/17 12:29:32 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2005/08/17 07:10:01 | 000,000,630 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/17 06:41:33 | 000,109,056 | ---- | C] () -- C:\Documents and Settings\Robert Chohan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/08/17 06:40:09 | 000,000,202 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/08/16 15:23:13 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2005/08/16 14:31:39 | 000,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2005/08/13 17:21:21 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2005/08/09 23:13:31 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/08/09 23:13:31 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/08/09 23:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/03/28 09:54:48 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\ASLM75.SYS
[2005/03/28 09:54:47 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2005/03/28 09:54:33 | 000,000,042 | ---- | C] () -- C:\WINDOWS\AcrobatSetupStatus.ini
[2005/03/28 09:50:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/03/27 18:10:28 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/02/04 21:34:00 | 000,005,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATKACPI.sys
[2004/12/03 08:20:12 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2004/09/23 03:09:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/19 10:07:40 | 000,007,424 | R--- | C] () -- C:\WINDOWS\System32\drivers\MMIOPORT.SYS
[2004/08/19 10:07:40 | 000,002,524 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/16 19:42:38 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/08/12 08:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2004/07/21 10:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/05/04 15:29:54 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\HPB2550V.DLL
[2004/01/16 07:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/07/30 08:33:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\TosHidAPI.dll
[2002/07/30 11:33:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2002/06/10 10:53:42 | 000,000,160 | R--- | C] () -- C:\WINDOWS\pronto.ini
[2002/05/15 23:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 18:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2001/07/31 10:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 20:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/05/19 17:21:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 20:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/05/19 17:21:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 20:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/05/19 17:21:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 20:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/05/19 17:21:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 01:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 20:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 01:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 20:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 20:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 01:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/09/02 14:16:16 | 000,785,408 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\System32\drivers\pzaknhui.sys

< %systemroot%\System32\config\*.sav >
[2005/03/28 09:34:28 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
[2005/03/28 09:34:28 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/03/28 09:34:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/06/21 16:27:12 | 000,354,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys
[2010/09/02 14:16:16 | 000,785,408 | ---- | M] () -- C:\WINDOWS\System32\drivers\pzaknhui.sys
< End of report >


OTL EXTRAS


OTL Extras logfile created on: 02/09/2010 14:09:30 - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Robert Chohan\My Documents\prevent
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 21.25 Gb Total Space | 0.52 Gb Free Space | 2.45% Space Free | Partition Type: FAT32
Drive D: | 14.12 Gb Total Space | 0.93 Gb Free Space | 6.60% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROBERTJAMES
Current User Name: Robert Chohan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- D:\Opera\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "D:\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
http [open] -- "D:\Opera\opera.exe" "%1" (Opera Software)
https [open] -- "D:\Opera\opera.exe" "%1" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- D:\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1700:TCP" = 1700:TCP:*:Enabled:MioNet Remote Drive Access
"1641:TCP" = 1641:TCP:*:Enabled:MioNet Remote Drive Verification
"1647:TCP" = 1647:TCP:*:Enabled:MioNet Storage Device Configuration
"5432:UDP" = 5432:UDP:*:Enabled:MioNet Storage Device Discovery

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"D:\Microsoft ActiveSync\rapimgr.exe" = D:\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"D:\Microsoft ActiveSync\wcescomm.exe" = D:\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"D:\Microsoft ActiveSync\WCESMgr.exe" = D:\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Microsoft ActiveSync\wcescomm.exe" = D:\Microsoft ActiveSync\wcescomm.exe:*:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"D:\Microsoft ActiveSync\WCESMgr.exe" = D:\Microsoft ActiveSync\WCESMgr.exe:*:Enabled:ActiveSync Application -- (Microsoft Corporation)
"D:\Nevo\NevoStudio\NevoSL.exe" = D:\Nevo\NevoStudio\NevoSL.exe:*:Enabled:NevoSL Emulator -- (Universal Electronics Inc.)
"D:\Nevo\NevoStudio\NevoStudio.exe" = D:\Nevo\NevoStudio\NevoStudio.exe:*:Enabled:NevoStudio 1.0 -- (Universal Electronics Inc)
"C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe" = C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe:*:Enabled:javaw -- ()
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe" = C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client -- (Hewlett-Packard)
"C:\WINDOWS\System32\rtcshare.exe" = C:\WINDOWS\System32\rtcshare.exe:*:Enabled:RTC App Sharing -- (Microsoft Corporation)
"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe" = C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater -- (Nokia Corporation)
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe" = C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process -- (Nokia Corporation)
"D:\Sony Ericsson\Update Service\Update Service.exe" = D:\Sony Ericsson\Update Service\Update Service.exe:*:Enabled:Update Service -- ()
"D:\Microsoft ActiveSync\rapimgr.exe" = D:\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"D:\Sonos\sonos.exe" = D:\Sonos\sonos.exe:*:Enabled:Sonos Desktop Controller -- (Sonos, Inc.)
"C:\Program Files\Western Digital\WD Discovery Software\WD Discovery.exe" = C:\Program Files\Western Digital\WD Discovery Software\WD Discovery.exe:*:Enabled:WD Discovery Application -- ()
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
"C:\Program Files\Hewlett-Packard\hp color LaserJet 2550 Series\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\Hewlett-Packard\hp color LaserJet 2550 Series\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\Hewlett-Packard\hp color LaserJet 2550 Series\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\Hewlett-Packard\hp color LaserJet 2550 Series\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\hp color LaserJet 2550 Series\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\Hewlett-Packard\hp color LaserJet 2550 Series\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HelpCtr.exe" = C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice -- (Microsoft Corporation)
"D:\Vuze\Azureus.exe" = D:\Vuze\Azureus.exe:*:Enabled:Azureus -- (Vuze Inc.)
"D:\Opera\opera.exe" = D:\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0E94871C-623C-464F-A117-B8474BFF84E1}" = Nokia MTP driver
"{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}" = Symantec AntiVirus Client
"{1401311D-3960-4CEB-AC0B-4214F069E5B9}" = Sonos Desktop Controller
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{19DC9559-9C20-4A46-A67D-7ECBA52A2788}" = Nokia PC Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{2C7F7830-E66E-40D8-8E26-28FAFF288A29}" = ProntoEdit 4
"{2D985966-C788-4BA7-AC6E-223C865A23EC}" = Xantech Universal Dragon Prerequisites
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 3.209.00
"{30C6798C-2BA6-47AC-AD99-F60F0EBF665D}" = MX-900 Editor
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A316611-45D1-429C-AA26-B71259C44689}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{3B314E7F-FAB2-4872-9A4E-8D148A3CAF67}" = NevoStudio
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{4462AD13-F2AA-4CBD-9F95-293C38EED870}" = Power4 Gear
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4CFB3821-1582-4F3B-BF8D-30986923B36B}" = Nokia Multimedia Factory
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{54BB0384-1C33-488F-A95B-877E480D3EDC}" = MSXML 4.0
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{5CCABD37-479D-4304-B1A5-67952C25F8F2}" = Nokia Software Launcher
"{5E7AA513-869A-433C-AEFC-08A7CFD3A385}" = Xantech Universal Dragon v2.3
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = ASUSDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{71B10662-27AA-4FB8-A3A2-275E6DF6656C}" = Xantech Universal Dragon Graphics
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7ABD6243-A825-46AE-B1B4-B5AE845AA7A9}" = hp color LaserJet 2550 series
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{8267D976-C14B-11D5-9B29-00B0D03AE649}" = Touch Screen Setup
"{83F73CB1-7705-49D1-9852-84D839CA2A45}" = Wireless Console
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{885F5AC6-4413-4D30-99A9-F4494BFA4923}" = Logitech Harmony Remote Software 7
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{900A92BA-19EF-4A34-86CF-7B6C85BDD971}" = VC_MergeModuleToMSI
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = Sitecom Bluetooth Software
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91F34319-08DE-457a-99C0-0BCDFAC145B9}" = CuteFTP 8 Professional
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A207FCD6-D718-409D-AEA1-381F3AC60B50}" = Tango
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92A4DB0-CD37-42D1-BE1D-603D53C24328}" = Intel® Processor ID Utility
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AC96CC23-66D0-469E-A8DC-D8B12F54C56F}" = Loewe TV-Flasher
"{B252ADE8-8F39-4CBD-89CB-5919008754FE}" = VC User CRT71 RTL X86 ---
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B502B428-3386-40A9-98DB-079AAB72E64F}" = mEoU.msi
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C50EF365-2898-489A-B6C7-30DAA466E9A2}" = Nokia Connectivity Cable Driver
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{DA2DEF22-8E99-449E-95BE-B6BA4BB50D66}" = ProntoProEdit NG Setup Support
"{DE10AB76-4756-4913-BE25-55D1C1051F9A}" = WinFlash
"{E4EB48BE-C5FF-48B3-923A-CEC2B33FB9E0}" = Marantz Wizz.it
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{EE565795-2776-415A-B31C-EB3A8D7C6FA4}" = Nokia Lifeblog 2.1
"{EF4F620F-F295-41D7-92C0-6B635709C850}" = Nokia Software Updater
"{F07737AC-C218-4272-A678-26CA5F6CD8DF}" = Opera 10.61
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}" = SMSC IrCC V5.1.3600.7
"{F2E6EB42-B04D-4F63-853F-8016BF71B25A}" = VC User MFC71 RTL X86 ---
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"8461-7759-5462-8226" = Vuze
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"AC3ACM" = AC-3 ACM Codec
"AC3Filter" = AC3Filter (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"AnalogX SayIt" = AnalogX SayIt
"Applian FLV Player2.0.24" = Applian FLV Player
"ASUS Probe V2.11" = ASUS Probe V2.11
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 3.7
"DynDNSUpdater" = DynDNS Updater
"Easy Video Joiner_is1" = Easy Video Joiner 5.21
"EOS Utility" = Canon Utilities EOS Utility
"ExpressBurn" = Express Burn
"ExpressRip" = Express Rip
"EZ-RC" = EZ-RC
"FTDICOMM" = FTDI USB Serial Converter Drivers
"GSpot" = GSpot Codec Information Appliance
"Hazard Perception 2005/6_is1" = Hazard Perception 2005/6
"HControl" = ATK0100 ACPI UTILITY
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{3B314E7F-FAB2-4872-9A4E-8D148A3CAF67}" = NevoStudio 2.0.1
"InstallShield_{E4EB48BE-C5FF-48B3-923A-CEC2B33FB9E0}" = Marantz Wizz.it
"LiveUpdate1.7" = LiveUpdate 1.7 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaShow" = Medi@Show
"Messenger Plus! Live" = Messenger Plus! Live
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MPEG Encoder 3" = MPEG Encoder 3
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NevoStudio Pro" = NevoStudio Pro
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia PC Suite" = Nokia PC Suite
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Style Editor" = Canon Utilities Picture Style Editor
"ProInst" = Intel® PROSet/Wireless Software
"ProntoProEdit NG" = ProntoProEdit NG
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ST6UNST #1" = ExpoQual
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Update Service" = Update Service
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WFTK" = Canon Utilities WFT-E1/E2/E3/E4/E5 Utility
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Yahoo! Messenger" = Yahoo! Messenger
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 02/09/2010 08:34:26 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:34:31 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:34:34 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:34:45 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:34:58 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:35:13 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:35:17 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:35:22 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access
denied

Error - 02/09/2010 08:35:28 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital!inf in File: C:\WINDOWS\explorer.exe
by: Realtime Protection scan. Action: Clean succeeded : Access allowed

Error - 02/09/2010 08:35:28 | Computer Name = ROBERTJAMES | Source = Norton AntiVirus | ID = 16711685
Description = Virus Found!Virus name: Trojan.Bamital in File: C:\WINDOWS\SYSTEM32\HLP.DAT
by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access
denied

[ System Events ]
Error - 02/09/2010 09:08:02 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:08:54 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:09:45 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:10:36 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:11:27 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:12:21 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:13:12 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:14:05 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:14:59 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.

Error - 02/09/2010 09:15:51 | Computer Name = ROBERTJAMES | Source = DCOM | ID = 10009
Description = DCOM was unable to communicate with the computer S577030 using any
of the configured protocols.


< End of report >

END

I hope that the above provides you with the info you need, but do please let me know if you need anything further. Many thanks.

Unit_g83
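As an added example (not part of the original post, and not OTL's or ComboFix's own code), here is a small parser for the FirewallPolicy block of an OTL Extras log in the layout shown above. It reads the per-profile settings and the GloballyOpenPorts entries, skips disabled exceptions, and flags every enabled exception whose remote scope is `*` (any address), calling out the SMB/NetBIOS ports separately. The excerpt embedded in it is constructed to mirror the thread's log, not copied from it; the set of "never any address" ports is my own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the OTL Extras layout (not the log from this thread).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1700:TCP" = 1700:TCP:*:Enabled:MioNet Remote Drive Access
"5432:UDP" = 5432:UDP:*:Disabled:MioNet Storage Device Discovery
'''

# Registry key header: profile name, optionally followed by the GloballyOpenPorts\List subkey.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
    r"\\Parameters\\FirewallPolicy\\(\w+Profile)(\\GloballyOpenPorts\\List)?\]$")
# "port:proto" = port:proto:scope:Enabled|Disabled:name   (scope never contains ':')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)" = (\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$')
SETTING_RE = re.compile(r'^"(\w+)" = (\d+)$')

# File-and-printer-sharing ports (assumption: my own list). A "*" scope here means the
# SMB/NetBIOS surface is reachable from any remote address, not just the local subnet.
NEVER_ANY_ADDRESS = {135, 137, 138, 139, 445}


@dataclass
class PortRule:
    port: int
    proto: str
    scope: str        # "*", "LocalSubNet", or an address/mask list
    enabled: bool
    name: str


def parse_firewall_section(text: str) -> Tuple[Dict[str, Dict[str, int]], Dict[str, List[PortRule]]]:
    """Return ({profile: {setting: value}}, {profile: [PortRule, ...]})."""
    settings: Dict[str, Dict[str, int]] = {}
    rules: Dict[str, List[PortRule]] = {}
    profile: Optional[str] = None
    in_ports = False
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            profile, in_ports = m.group(1), m.group(2) is not None
            settings.setdefault(profile, {})
            rules.setdefault(profile, [])
            continue
        if line.startswith("["):      # some unrelated registry key: stop attributing lines
            profile = None
            continue
        if profile is None or not line:
            continue
        if in_ports:
            m = PORT_RE.match(line)
            if m:
                rules[profile].append(PortRule(int(m.group(3)), m.group(4), m.group(5),
                                               m.group(6) == "Enabled", m.group(7)))
        else:
            m = SETTING_RE.match(line)
            if m:
                settings[profile][m.group(1)] = int(m.group(2))
    return settings, rules


def audit(text: str) -> Dict[str, List[str]]:
    """Per profile, the exceptions a triage helper would want to ask the poster about."""
    settings, rules = parse_firewall_section(text)
    findings: Dict[str, List[str]] = {}
    for profile, profile_rules in rules.items():
        out: List[str] = []
        if settings[profile].get("EnableFirewall") == 0:
            out.append("firewall disabled in this profile")
        for r in profile_rules:
            if not r.enabled:
                continue                  # a disabled exception opens nothing
            if r.scope == "*":
                tag = ("SMB/NetBIOS port open to any address"
                       if r.port in NEVER_ANY_ADDRESS else "open to any address")
                out.append(f"{r.port}:{r.proto} ({r.name}) {tag}")
        findings[profile] = out
    return findings


if __name__ == "__main__":
    for profile, items in audit(SAMPLE_LOG).items():
        print(profile, "->", items or ["nothing flagged"])
```

One caveat when reading the result against the log above: Windows XP Home cannot join a domain, so only the StandardProfile applies there; the `*`-scoped 137/138/139/445 entries under DomainProfile are not exposed on that machine, while the `*`-scoped MioNet exceptions in the Standard profile are the ones worth a question.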


#4 myrti
  • Malware Study Hall Admin
  • 33,766 posts

Posted 03 September 2010 - 04:02 AM

Hi,

please run a scan with ComboFix next:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 unit_g83
  • Topic Starter
  • Members
  • 13 posts
Posted 07 September 2010 - 05:42 AM

Hi myrti,

As requested, I have re-run a ComboFix scan. I have posted the log below, and attached the original file to this post. I have noticed that 'pzaknhui' is apparently de-registered, though there is another file shown alongside it which may be new, as I do not remember seeing it before.

This is now the 4th ComboFix scan I have run in total, but this time I have not run a Gmer scan, which previously used to say the pzaknhui rootkit was present even when ComboFix said it had been fixed (if I understood it correctly).

Thanks in advance and do let me know if you need any further info.

Unit_g83

ComboFix 10-09-06.04 - Robert Chohan 07/09/2010 11:23:24.5.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1387 [GMT 1:00]
Running from: c:\documents and settings\Robert Chohan\My Documents\prevent\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-02 12:55 . 2010-09-02 12:55 -------- d-----w- C:\logs
2010-09-02 12:36 . 2010-09-02 12:36 -------- d-----w- c:\windows\LastGood
2010-08-18 16:31 . 2010-08-18 16:31 -------- d-----w- c:\documents and settings\Robert Chohan\Application Data\Jasc
2010-08-18 15:47 . 2010-08-18 15:47 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\Opera
2010-08-18 15:45 . 2010-08-18 15:45 -------- d-sh--w- c:\documents and settings\Robert Chohan\IECompatCache
2010-08-17 17:04 . 2008-04-13 18:40 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-08-16 16:54 . 2010-08-17 09:31 0 ----a-w- c:\windows\Ftaci.bin
2010-08-16 16:54 . 2010-08-16 16:54 120 ----a-w- c:\windows\Xnitobuzitowaye.dat
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\yonyfcxym
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\bbryfklhy
2010-08-16 16:53 . 2010-08-16 16:53 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\dnwafsxql
2010-08-16 15:18 . 2008-04-13 18:39 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2010-08-13 14:29 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-13 14:29 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 12:35 . 2010-09-02 12:36 1033728 ----a-w- c:\windows\OLD2C.tmp
2010-09-02 12:21 . 2005-11-04 11:23 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-02 11:51 . 2004-08-19 09:07 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-07-16 11:43 . 2010-07-16 11:43 388096 ----a-r- c:\documents and settings\Robert Chohan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-07 22:10 . 2010-07-07 22:10 6123008 ----a-w- c:\documents and settings\Robert Chohan\Application Data\Azureus\plugins\azemp\vuzeplayer.exe
2010-06-30 12:31 . 2004-08-19 09:07 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2004-08-19 09:07 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 09:59 . 2010-06-23 09:59 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3A.tmp.exe
2010-06-21 15:27 . 2004-08-19 09:07 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 13:12 . 2010-06-18 13:00 110562 ----a-w- c:\windows\hpoins11.dat
2010-06-17 14:03 . 2004-08-19 09:06 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2005-03-28 08:43 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-14 07:41 . 2004-08-19 09:07 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

------- Sigcheck -------

[-] 2010-09-02 . E5350AD782BBDA8745E6C5438C369B5D . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"BrowserChoice"="c:\windows\system32\browserchoice.exe" [2010-02-12 293376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-08-29 102400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-01 126976]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"Wireless Console"="c:\program files\ASUS\Wireless Console\wcourier.exe" [2005-01-24 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"InCD"="d:\ahead\InCD\InCD.exe" [2004-09-13 1450096]
"RemoteControl"="d:\asustek\ASUSDVD\PDVDServ.exe" [2003-10-31 32768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-11 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"vptray"="d:\symant~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Microsoft Office.lnk - d:\microsoft office\Office10\OSA.EXE [2001-2-13 83360]
EZ-RC System Tray.lnk - d:\ez-rc\ez-rc-tray.exe [2009-9-3 125440]
DynDNS Updater Tray Icon.lnk - d:\dyndns updater\DynTray.exe [2010-4-15 91504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 10:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=c:\windows\pss\NevoMedia Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 16:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-27 20:39 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-29 09:29 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Microsoft ActiveSync\\wcescomm.exe"=
"d:\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Nevo\\NevoStudio\\NevoSL.exe"=
"d:\\Nevo\\NevoStudio\\NevoStudio.exe"=
"c:\\WINDOWS\\System32\\msiexec.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"d:\\Sony Ericsson\\Update Service\\Update Service.exe"=
"d:\microsoft activesync\rapimgr.exe"= d:\microsoft activesync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Sonos\\sonos.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"d:\\Vuze\\Azureus.exe"=
"d:\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 R592;R592;c:\windows\system32\drivers\R592.sys [20/10/2004 05:49 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [20/10/2004 05:49 27264]
S2 DynDNS Updater;DynDNS Updater;d:\dyndns updater\DynUpSvc.exe [16/04/2010 17:19 103800]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 14:00 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/07/2008 17:07 13352]
S3 NevoSLUSB;NevoSLUSB;c:\windows\system32\drivers\NevoSLUSB.sys [28/10/2005 14:32 10752]
S3 Pronto2G;Philips Pronto NG USB Driver;c:\windows\system32\drivers\Pronto2G.sys [02/12/2009 17:10 16384]

--- Other Services/Drivers In Memory ---

*Deregistered* - kgdyaaow
*Deregistered* - pzaknhui
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-01-25 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.co.uk/
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\micros~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - d:\sitecom\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 11:29
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pzaknhui]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(30948)
c:\windows\system32\SynTPFcs.dll
d:\microsoft office\Office10\msohev.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2010-09-07 11:31:56
ComboFix-quarantined-files.txt 2010-09-07 10:31
ComboFix2.txt 2010-08-17 22:57
ComboFix3.txt 2010-08-17 17:37
ComboFix4.txt 2010-07-16 11:36

Pre-Run: 382,861,312 bytes free
Post-Run: 371,834,880 bytes free

- - End Of File - - BD9781FB99BC5E3365F5FEE717207E8F


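The Sigcheck block in the log above is the key finding: the live c:\windows\system32\winlogon.exe has the same size (507904) and version stamp (5.1.2600.5512) as the two backup copies in ERDNT\cache and ServicePackFiles\i386, yet a different MD5. Equal size plus equal version plus a different hash is what an in-place patched system binary looks like, and it explains why an AV scan that only looks for known files comes back clean. The following is an added example (mine, not ComboFix's code and not part of this thread) that parses those four lines and re-derives the verdict from the hashes rather than trusting ComboFix's "[-]" marker. The input is the Sigcheck block copied verbatim from the log; the verdict labels ("patched", "clean", "reference-conflict", "no-reference") and the rule that only same-version backups count as references are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The Sigcheck block from the ComboFix log above, copied verbatim.
SIGCHECK_SAMPLE = r"""
[-] 2010-09-02 . E5350AD782BBDA8745E6C5438C369B5D . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
"""

# One Sigcheck line: [flag] date . MD5 . size . . [file version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigRecord:
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_live(self):
        # The copy Windows executes sits directly under system32; dllcache, ERDNT,
        # ServicePackFiles and $NtServicePackUninstall$ hold backup copies.
        p = self.path.lower()
        return "\\system32\\" in p and "\\dllcache\\" not in p


def parse_sigcheck(text):
    """Parse Sigcheck lines; anything that does not match the layout is skipped."""
    out = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append(SigRecord(m["flag"], m["date"], m["md5"].upper(), int(m["size"]), m["version"], m["path"]))
    return out


def assess(records):
    """One finding per live file, judged against backup copies of the same name and version.

    The '[-]' marker is ComboFix's own verdict; this re-derives it from the hashes so the
    same logic works on any (file, backup copies) set. Only same-version backups count:
    the SP2 copy in $NtServicePackUninstall$ is a different build, not a reference.
    """
    findings = []
    for live in (r for r in records if r.is_live):
        refs = [r for r in records if not r.is_live and r.name == live.name and r.version == live.version]
        f = {"path": live.path, "md5": live.md5, "verdict": "no-reference", "restore_from": [], "same_size": False}
        hashes = Counter(r.md5 for r in refs)
        if len(hashes) > 1:
            f["verdict"] = "reference-conflict"  # backups disagree: do not restore from either blindly
        elif hashes:
            (good, _), = hashes.items()
            f["same_size"] = all(r.size == live.size for r in refs)  # equal size + different hash = in-place patch
            if live.md5 == good:
                f["verdict"] = "clean"
            else:
                f["verdict"], f["restore_from"] = "patched", [r.path for r in refs]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in assess(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(finding)
```

Run on the block above it reports the system32 copy as "patched" with both same-version backups listed as restore sources; the "reference-conflict" branch is the caveat worth keeping, since a backup cache that a rootkit has also touched is not something to copy back over the live file.
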
#6 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:04:10 AM

Posted 07 September 2010 - 07:47 AM

Hi,

No, ComboFix only alerts to the problem, but didn't fix it. There is also much more that is wrong with the log.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\Ftaci.bin
c:\windows\Xnitobuzitowaye.dat
Folder::
c:\documents and settings\Robert Chohan\Local Settings\Application Data\yonyfcxym
c:\documents and settings\Robert Chohan\Local Settings\Application Data\bbryfklhy
c:\documents and settings\Robert Chohan\Local Settings\Application Data\dnwafsxql
FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
driver::
kgdyaaow
pzaknhui


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

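The CFScript above tells ComboFix to delete the dropped files and folders, overwrite the patched winlogon.exe with the Service Pack cache copy, and remove the two random-named driver services. As an added example (mine, not ComboFix's or myrti's code, and not part of the thread), the script below parses that CFScript and carries out the File::, Folder:: and FCopy:: steps against a constructed directory tree, with the one check a practitioner would want before a cache copy is written over a live system binary: the source's MD5 is compared with an independently known-good value (in the log that is ED0EF0A136DEC83DF69F04118870003E, the hash both backup copies share) and the copy is refused if it does not match. The tree, the file contents and the stand-in hash are constructed for the demo. driver:: entries are only recorded, because deregistering a kernel driver needs the live registry and service control manager, which ComboFix handles and this example does not touch.

```python
import hashlib
import os
import shutil
import tempfile

# The CFScript posted above, verbatim (raw string so the backslashes survive).
CFSCRIPT = r"""File::
c:\windows\Ftaci.bin
c:\windows\Xnitobuzitowaye.dat
Folder::
c:\documents and settings\Robert Chohan\Local Settings\Application Data\yonyfcxym
c:\documents and settings\Robert Chohan\Local Settings\Application Data\bbryfklhy
c:\documents and settings\Robert Chohan\Local Settings\Application Data\dnwafsxql
FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
driver::
kgdyaaow
pzaknhui
"""
LIVE = r"c:\windows\system32\winlogon.exe"
CACHE = r"c:\windows\ServicePackFiles\i386\winlogon.exe"
# Constructed stand-ins for the two 507904-byte winlogon images: equal length, different bytes.
GOOD = b"MZ good winlogon image (constructed stand-in)"
BAD = b"MZ evil winlogon image (constructed stand-in)"


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections; an unknown section is an error."""
    sections, current = {"file": [], "folder": [], "fcopy": [], "driver": []}, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.endswith("::"):
            current = line[:-2].lower()
            if current not in sections:
                raise ValueError(f"unsupported CFScript section: {line}")
        elif current is None:
            raise ValueError(f"entry before any section header: {line}")
        else:
            sections[current].append(line)
    return sections


def to_host_path(win_path, root):
    """Map 'c:\\windows\\x' onto <root>/c/windows/x so the demo runs off-box."""
    drive, _, rest = win_path.partition(":")
    return os.path.join(root, drive.lower(), *filter(None, rest.replace("\\", "/").split("/")))


def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest().upper()


def apply_cfscript(text, root, expected_md5):
    """Run File::/Folder::/FCopy:: under root; return (section, target, outcome) records.

    expected_md5 maps an FCopy destination (lower-case, as written in the script) to the
    hash the restored file must have; a source that hashes differently is refused, so a
    stale or tampered cache copy is never written over the live binary. driver:: names
    are only recorded: deregistering a driver needs the live registry and SCM.
    """
    s, log = parse_cfscript(text), []
    for kind, exists, remove in (("file", os.path.isfile, os.remove), ("folder", os.path.isdir, shutil.rmtree)):
        for p in s[kind]:
            hp = to_host_path(p, root)
            present = exists(hp)
            if present:
                remove(hp)
            log.append((kind, p, "deleted" if present else "absent"))
    for entry in s["fcopy"]:
        src, _, dst = (x.strip() for x in entry.partition("|"))
        want, hsrc, hdst = expected_md5.get(dst.lower()), to_host_path(src, root), to_host_path(dst, root)
        if want is None or not os.path.isfile(hsrc):
            log.append(("fcopy", dst, "refused: no reference hash or source missing"))
        elif md5_of(hsrc) != want.upper():
            log.append(("fcopy", dst, "refused: source hash mismatch"))
        else:
            os.makedirs(os.path.dirname(hdst), exist_ok=True)
            shutil.copyfile(hsrc, hdst)
            log.append(("fcopy", dst, "restored" if md5_of(hdst) == want.upper() else "verify failed"))
    log += [("driver", name, "planned: deregister service") for name in s["driver"]]
    return log


def run_demo(tamper_cache=False):
    """Build a constructed tree, apply the script, return the action log and the live file's bytes."""
    root, s = tempfile.mkdtemp(prefix="cfscript-demo-"), parse_cfscript(CFSCRIPT)
    try:
        for p in s["folder"]:
            os.makedirs(to_host_path(p, root), exist_ok=True)
        contents = {p: b"dropped" for p in s["file"]}
        contents.update({CACHE: BAD if tamper_cache else GOOD, LIVE: BAD})  # live copy is patched
        for p, data in contents.items():
            hp = to_host_path(p, root)
            os.makedirs(os.path.dirname(hp), exist_ok=True)
            with open(hp, "wb") as f:
                f.write(data)
        # Stand-in for ED0EF0A136DEC83DF69F04118870003E, the hash both backup copies carry in
        # the Sigcheck block; here it is simply the hash of the constructed GOOD image.
        log = apply_cfscript(CFSCRIPT, root, {LIVE: hashlib.md5(GOOD).hexdigest().upper()})
        with open(to_host_path(LIVE, root), "rb") as f:
            return log, f.read()
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for record in run_demo()[0]:
        print(*record)
```

Running it prints one record per action; run_demo(tamper_cache=True) exercises the refusal path, where the cache copy itself has been altered and the live file is left alone rather than overwritten with a second bad image. On a real host the paths would map straight onto the filesystem instead of a temporary root, and the reference hash would come from a trusted source such as the Sigcheck block or a known-good install, not from the file being restored.
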

#7 unit_g83

  • Topic Starter
  • Members
  • 13 posts
  • Local time:03:10 AM

Posted 07 September 2010 - 11:46 AM

Hi Myrti,

As requested, please find the ComboFix log below, using the additional CFScript.txt.

Just to bring to your attention: after this scan, Norton is now finding a Hacktool.Rootkit virus at C:\WINDOWS\SYSTEM32\DRIVERS\PZAKNHUI.SYS

Norton was not able to clean it, but has been able to quarantine it. Should I force a fix, delete it, or neither?

Also, after the ComboFix scans, my default browser always resets to IE, rather than Opera. Is ComboFix resetting the system back to defaults as a precaution?

Thanks,

Unit_g83



ComboFix 10-09-06.04 - Robert Chohan 07/09/2010 17:10:01.6.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1349 [GMT 1:00]
Running from: c:\documents and settings\Robert Chohan\My Documents\prevent\ComboFix.exe
Command switches used :: c:\documents and settings\Robert Chohan\My Documents\prevent\CFScript.txt

FILE ::
"c:\windows\Ftaci.bin"
"c:\windows\Xnitobuzitowaye.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robert Chohan\Local Settings\Application Data\bbryfklhy
c:\documents and settings\Robert Chohan\Local Settings\Application Data\dnwafsxql
c:\documents and settings\Robert Chohan\Local Settings\Application Data\yonyfcxym
c:\windows\Ftaci.bin
c:\windows\Xnitobuzitowaye.dat

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KGDYAAOW
-------\Legacy_PZAKNHUI
-------\Service_kgdyaaow
-------\Service_pzaknhui


((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-02 12:55 . 2010-09-02 12:55 -------- d-----w- C:\logs
2010-08-18 16:31 . 2010-08-18 16:31 -------- d-----w- c:\documents and settings\Robert Chohan\Application Data\Jasc
2010-08-18 15:47 . 2010-08-18 15:47 -------- d-----w- c:\documents and settings\Robert Chohan\Local Settings\Application Data\Opera
2010-08-18 15:45 . 2010-08-18 15:45 -------- d-sh--w- c:\documents and settings\Robert Chohan\IECompatCache
2010-08-17 17:04 . 2008-04-13 18:40 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-08-16 16:53 . 2010-09-07 16:19 785408 ----a-w- c:\windows\system32\drivers\pzaknhui.sys
2010-08-16 15:18 . 2008-04-13 18:39 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2010-08-13 14:29 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-13 14:29 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 16:19 . 2005-11-04 11:23 12 ----a-w- c:\windows\bthservsdp.dat
2010-07-16 11:43 . 2010-07-16 11:43 388096 ----a-r- c:\documents and settings\Robert Chohan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-07 22:10 . 2010-07-07 22:10 6123008 ----a-w- c:\documents and settings\Robert Chohan\Application Data\Azureus\plugins\azemp\vuzeplayer.exe
2010-06-30 12:31 . 2004-08-19 09:07 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2004-08-19 09:07 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 09:59 . 2010-06-23 09:59 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb3A.tmp.exe
2010-06-21 15:27 . 2004-08-19 09:07 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 13:12 . 2010-06-18 13:00 110562 ----a-w- c:\windows\hpoins11.dat
2010-06-17 14:03 . 2004-08-19 09:06 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2005-03-28 08:43 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-14 07:41 . 2004-08-19 09:07 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-17_17.27.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-19 09:07 . 2008-04-14 00:12 75776 c:\windows\system32\strmfilt.dll
+ 2004-08-19 09:07 . 2009-10-21 05:38 75776 c:\windows\system32\strmfilt.dll
- 2004-08-19 09:07 . 2010-07-28 10:06 71462 c:\windows\system32\perfc009.dat
+ 2004-08-19 09:07 . 2010-08-18 15:40 71462 c:\windows\system32\perfc009.dat
+ 2004-08-19 09:06 . 2009-10-21 05:38 25088 c:\windows\system32\httpapi.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 75776 c:\windows\system32\dllcache\strmfilt.dll
+ 2009-10-21 05:38 . 2009-10-21 05:38 25088 c:\windows\system32\dllcache\httpapi.dll
+ 2010-04-01 10:42 . 2010-04-01 10:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2010-03-31 13:51 . 2010-03-31 13:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2008-05-27 23:49 . 2008-05-27 23:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2008-05-27 23:49 . 2008-05-27 23:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2010-03-31 13:51 . 2010-03-31 13:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2008-05-27 23:49 . 2008-05-27 23:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-03-31 13:51 . 2010-03-31 13:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-03-31 14:32 . 2010-03-31 14:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2008-05-28 00:30 . 2008-05-28 00:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2003-02-20 18:19 . 2003-02-20 18:19 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-03-31 14:32 . 2010-03-31 14:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-08-18 11:21 . 2010-08-18 11:21 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2010-08-18 11:22 . 2010-08-18 11:22 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-12-11 09:45 . 2008-12-11 09:45 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2006-10-26 20:13 . 2006-10-26 20:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNVP.DLL
+ 2010-08-18 14:56 . 2010-08-18 14:56 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_cb525c47\System.Drawing.Design.dll
+ 2010-08-18 14:56 . 2010-08-18 14:56 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_a7dc54ca\CustomMarshalers.dll
+ 2010-08-18 14:56 . 2010-08-18 14:56 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-08-18 11:27 . 2010-08-18 11:27 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2004-08-19 09:07 . 2009-08-25 09:17 354816 c:\windows\system32\winhttp.dll
+ 2004-08-19 09:07 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
- 2004-08-19 09:07 . 2009-03-08 03:33 420352 c:\windows\system32\vbscript.dll
- 2004-08-19 09:07 . 2010-07-28 10:06 441692 c:\windows\system32\perfh009.dat
+ 2004-08-19 09:07 . 2010-08-18 15:40 441692 c:\windows\system32\perfh009.dat
+ 2004-08-19 09:07 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2004-08-19 09:07 . 2009-03-08 03:33 726528 c:\windows\system32\jscript.dll
- 2005-03-28 08:34 . 2010-07-16 12:30 222432 c:\windows\system32\FNTCACHE.DAT
+ 2005-03-28 08:34 . 2010-08-18 15:08 222432 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-03 22:00 . 2009-10-20 16:20 265728 c:\windows\system32\drivers\http.sys
+ 2008-12-16 12:30 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
- 2008-05-09 10:53 . 2009-03-08 03:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-10-15 09:28 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2004-08-19 09:07 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-03-08 03:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\system32\dllcache\http.sys
+ 2010-07-16 11:45 . 2010-02-12 10:03 293376 c:\windows\system32\browserchoice.exe
+ 2010-03-31 13:51 . 2010-03-31 13:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2008-05-27 23:49 . 2008-05-27 23:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2010-03-31 13:49 . 2010-03-31 13:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2008-05-27 23:48 . 2008-05-27 23:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2008-05-28 00:30 . 2008-05-28 00:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-03-31 14:32 . 2010-03-31 14:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-08-25 11:31 . 2010-08-25 11:31 802304 c:\windows\Installer\b53011.msi
+ 2010-08-18 11:21 . 2010-08-18 11:21 429568 c:\windows\Installer\7314d.msi
+ 2010-08-18 11:09 . 2010-08-18 11:09 248832 c:\windows\Installer\73115.msi
+ 2010-08-25 11:31 . 2010-08-25 11:31 295606 c:\windows\Installer\{AC76BA86-7AD7-5464-3428-900000000004}\ARPPRODUCTICON.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2010-08-18 11:27 . 2010-08-18 11:27 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2005-08-17 06:09 . 2008-12-11 09:44 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2010-08-18 11:27 . 2009-03-08 03:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-08-18 11:27 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-08-18 11:27 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-08-18 15:16 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-08-18 15:16 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-08-18 15:16 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-08-18 11:25 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2010-08-18 11:25 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2010-08-18 11:25 . 2009-03-08 03:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2009-10-20 16:20 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2010-08-18 14:57 . 2010-08-18 14:57 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_35000716\System.Drawing.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_4654097d\System.Drawing.Design.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_f1b76454\CustomMarshalers.dll
+ 2009-07-20 23:03 . 2009-07-20 23:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2004-08-19 09:07 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
- 2004-08-19 09:07 . 2010-02-17 08:10 2189952 c:\windows\system32\ntoskrnl.exe
+ 2004-08-19 09:07 . 2010-04-28 02:25 2189952 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 21:59 . 2010-04-27 13:05 2066816 c:\windows\system32\ntkrnlpa.exe
- 2004-08-03 21:59 . 2010-02-16 13:25 2066816 c:\windows\system32\ntkrnlpa.exe
+ 2009-07-20 23:05 . 2009-07-20 23:05 1348432 c:\windows\system32\msxml4.dll
+ 2009-08-20 14:09 . 2009-08-20 14:09 1193832 c:\windows\system32\FM20.DLL
+ 2004-08-19 09:07 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-19 09:07 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
- 2008-10-15 09:41 . 2010-02-17 08:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-15 09:41 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-15 09:41 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-15 09:41 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 09:41 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-15 09:41 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 09:41 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-15 09:41 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-11-12 09:34 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2008-11-12 09:34 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2010-07-16 11:39 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2010-07-16 11:39 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2008-05-28 00:35 . 2008-05-28 00:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-04-01 10:42 . 2010-04-01 10:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2008-05-28 00:35 . 2008-05-28 00:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2010-04-01 10:42 . 2010-04-01 10:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2008-05-27 23:48 . 2008-05-27 23:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-03-31 13:50 . 2010-03-31 13:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-03-31 13:50 . 2010-03-31 13:50 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2008-05-27 23:43 . 2008-05-27 23:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-04-01 10:42 . 2010-04-01 10:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-08-25 11:31 . 2010-08-25 11:31 3940352 c:\windows\Installer\b5300b.msi
+ 2009-07-27 03:31 . 2009-07-27 03:31 3738624 c:\windows\Installer\731ab.msp
+ 2010-02-26 05:09 . 2010-02-26 05:09 8300544 c:\windows\Installer\73195.msp
+ 2009-08-20 14:27 . 2009-08-20 14:27 3622400 c:\windows\Installer\73181.msp
+ 2010-04-24 16:10 . 2010-04-24 16:10 8486400 c:\windows\Installer\73156.msp
+ 2010-05-24 12:54 . 2010-05-24 12:54 6704640 c:\windows\Installer\7312e.msp
+ 2010-08-18 15:47 . 2010-08-18 15:47 2636288 c:\windows\Installer\1ac99d.msi
- 2008-10-15 09:41 . 2010-02-17 08:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 09:41 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-15 09:41 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 09:41 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 09:41 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 09:41 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 09:41 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-15 09:41 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2010-08-18 14:57 . 2010-08-18 14:57 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_894fba78\System.dll
+ 2010-08-18 14:56 . 2010-08-18 14:56 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_57ed20e2\System.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_8a6b348c\System.Xml.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_4cdf7860\System.Xml.dll
+ 2010-08-18 14:56 . 2010-08-18 14:56 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_c58fbfb9\System.Windows.Forms.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_c473bf75\System.Windows.Forms.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_2ec2fc1c\System.Drawing.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_7d24ad49\System.Design.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_06e4aa1c\System.Design.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_c2042d34\mscorlib.dll
+ 2010-08-18 14:57 . 2010-08-18 14:57 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_a3f12d16\mscorlib.dll
- 2010-07-16 12:17 . 2010-07-16 12:17 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-08-18 14:56 . 2010-08-18 14:56 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-08-18 14:56 . 2010-08-18 14:56 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-07-16 12:16 . 2010-07-16 12:17 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2005-08-22 21:01 . 2010-08-03 18:09 35962312 c:\windows\system32\MRT.exe
+ 2010-04-02 18:29 . 2010-04-02 18:29 11413504 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp
+ 2009-07-20 11:03 . 2009-07-20 11:03 16465408 c:\windows\Installer\7316c.msp
+ 2010-04-15 20:34 . 2010-04-15 20:34 17510912 c:\windows\Installer\73143.msp
+ 2010-04-02 11:30 . 2010-04-02 11:30 17456640 c:\windows\Installer\147dd1.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-08-29 102400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-01 126976]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"Wireless Console"="c:\program files\ASUS\Wireless Console\wcourier.exe" [2005-01-24 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2004-09-21 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"InCD"="d:\ahead\InCD\InCD.exe" [2004-09-13 1450096]
"RemoteControl"="d:\asustek\ASUSDVD\PDVDServ.exe" [2003-10-31 32768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-11 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"vptray"="d:\symant~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Microsoft Office.lnk - d:\microsoft office\Office10\OSA.EXE [2001-2-13 83360]
EZ-RC System Tray.lnk - d:\ez-rc\ez-rc-tray.exe [2009-9-3 125440]
DynDNS Updater Tray Icon.lnk - d:\dyndns updater\DynTray.exe [2010-4-15 91504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 10:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NevoMedia Server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NevoMedia Server.lnk
backup=c:\windows\pss\NevoMedia Server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 16:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-27 20:39 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-29 09:29 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Microsoft ActiveSync\\wcescomm.exe"=
"d:\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Nevo\\NevoStudio\\NevoSL.exe"=
"d:\\Nevo\\NevoStudio\\NevoStudio.exe"=
"c:\\WINDOWS\\System32\\msiexec.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"d:\\Sony Ericsson\\Update Service\\Update Service.exe"=
"d:\microsoft activesync\rapimgr.exe"= d:\microsoft activesync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Sonos\\sonos.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Western Digital\\WD Discovery Software\\WD Discovery.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\hp color LaserJet 2550 Series\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"d:\\Vuze\\Azureus.exe"=
"d:\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 R592;R592;c:\windows\system32\drivers\R592.sys [20/10/2004 05:49 57088]
R0 risdpntk;risdpntk;c:\windows\system32\drivers\risdpntk.sys [20/10/2004 05:49 27264]
R2 DynDNS Updater;DynDNS Updater;d:\dyndns updater\DynUpSvc.exe [16/04/2010 17:19 103800]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 14:00 135664]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/07/2008 17:07 13352]
S3 NevoSLUSB;NevoSLUSB;c:\windows\system32\drivers\NevoSLUSB.sys [28/10/2005 14:32 10752]
S3 Pronto2G;Philips Pronto NG USB Driver;c:\windows\system32\drivers\Pronto2G.sys [02/12/2009 17:10 16384]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\expressburnSevenDaysInit.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-01-25 c:\windows\Tasks\expressburnShakeIcon.job
- c:\program files\NCH Swift Sound\ExpressBurn\expressburn.exe [2010-01-25 09:59]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:00]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.co.uk/
mSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\micros~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - d:\sitecom\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 17:22
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
d:\nokia\Nokia PC Suite 7\PhoneBrowser.dll
d:\nokia\Nokia PC Suite 7\NGSCM.DLL
d:\nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
d:\nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
d:\ahead\InCD\InCDsrv.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\sitecom\Bluetooth Software\bin\btwdins.exe
d:\symantec_client_security\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\symantec_client_security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\ATK0100\ATKOSD.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.EXE
d:\micros~2\wcescomm.exe
d:\micros~2\rapimgr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
.
**************************************************************************
.
Completion time: 2010-09-07 17:27:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-07 16:27
ComboFix2.txt 2010-09-07 10:31
ComboFix3.txt 2010-08-17 22:57
ComboFix4.txt 2010-08-17 17:37
ComboFix5.txt 2010-09-07 16:07

Pre-Run: 377,815,040 bytes free
Post-Run: 431,259,648 bytes free

- - End Of File - - 8E63BFAA88F2EFB3A0D5A1AF180A7032
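The "Reg Loading Points" section of the log above is what a helper reads first when hunting for a persistence entry. The script below is an added example, not part of this thread and not ComboFix's own code: it parses the REGEDIT4-style Run-key lines ComboFix prints and lists the entries worth checking by hand. The sample lines are a subset copied from the log above; the directories it treats as suspicious are my own assumption, and a flag means "look at this", not "this is malware" (SOUNDMAN.EXE, for instance, is a Realtek audio component that registers itself by bare name and lives in c:\windows).

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the original post or of ComboFix itself.
It parses the REGEDIT4-style Run-key lines ComboFix prints and flags
entries a reviewer would want to look at by hand: values that name a
bare executable instead of a full path (resolved through the loader's
search order at logon), and paths under user-writable or temporary
directories. Flagging means "inspect", not "malicious"."""
import re
from typing import Dict, List

# Sample lines taken from the ComboFix output in this thread (a subset).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"HControl"="c:\\windows\\ATK0100\\HControl.exe" [2005-08-29 102400]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe ARM"="c:\\program files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"CTFMON.EXE"="c:\\windows\\system32\\CTFMON.EXE" [2008-04-14 15360]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# Directories where a Run entry deserves a second look (assumed list, not from the page).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")


def parse_run_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per Run value, tagged with the registry key it sits under."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entry = entry_match.groupdict()
            entry["key"] = current_key
            entries.append(entry)
    return entries


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry should be inspected (empty list = nothing odd)."""
    reasons = []
    path = entry["path"].lower()
    # A bare file name is resolved through the search order, so confirm which copy loads.
    if "\\" not in path:
        reasons.append("bare filename, no full path")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("user-writable or temporary directory")
    if not path.endswith((".exe", ".cpl", ".dll")):
        reasons.append("unusual extension")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; unflagged entries are omitted."""
    flagged = {}
    for entry in parse_run_entries(log_text):
        reasons = flag_entry(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(why)}")
```

Run it over the full "Reg Loading Points" block of a ComboFix log (paste the block into SAMPLE_LOG or read it from the saved ComboFix.txt); the three bare-name entries in the sample are the ones that come out, and each should be confirmed against the on-disk file and its publisher before being touched.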


#8 myrti (Malware Study Hall Admin)

Posted 07 September 2010 - 02:56 PM

Hi,

Let Norton quarantine the file; I would have asked you to delete it as a next step anyway. ComboFix resets the PC to default; once we are done and uninstall ComboFix, your settings should be restored.

Please go to: C:\Qoobox\Quarantine\C\WINDOWS\system32 and check for the file winlogon.exe.vir. Once you have found it, please go to this site and follow the instructions for uploading the file.

Let me know how the PC is doing and if you could upload the file.

regards myrti

Edited by myrti, 07 September 2010 - 04:51 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
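Before uploading the quarantined winlogon.exe.vir it is worth confirming that it really differs from a trusted copy, and in what way. The script below is an added example, not from this thread, from ComboFix or from Norton: it hashes both files, reads the PE COFF header so link timestamps and section counts can be compared, and counts differing bytes when the sizes match (a handful of patched bytes in an otherwise identical image is what an infected system file looks like; a wholesale replacement is a different file altogether). The two paths are the quarantine path given above and XP's dllcache copy of winlogon.exe. The dllcache copy is itself writable by anything running with administrative rights on this FAT32 install, so a match with it is weaker evidence than a match against install media or a vendor-published hash. build_minimal_pe produces constructed test data, not a real Windows image.

```python
r"""Compare a quarantined system file with a known-good copy before uploading.

Added example, not from the original post or from ComboFix. ComboFix renames
what it removes to <name>.vir under C:\Qoobox\Quarantine; Windows XP keeps
copies of protected system binaries under system32\dllcache. Same size but a
different hash is the classic signature of a patched system file."""
import hashlib
import struct
from typing import Any, Dict

# Paths as mentioned in the thread; the dllcache copy is the assumed reference.
QUARANTINED = r"C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir"
KNOWN_GOOD = r"C:\WINDOWS\system32\dllcache\winlogon.exe"


def coff_header(data: bytes) -> Dict[str, int]:
    """Return the COFF fields of a PE image (raises ValueError if it is not one)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24:
        raise ValueError("truncated PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "optional_header_size": opt_size, "characteristics": chars}


def compare_images(suspect: bytes, reference: bytes) -> Dict[str, Any]:
    """Summarise how the suspect file differs from the reference copy."""
    s_hash = hashlib.sha256(suspect).hexdigest()
    r_hash = hashlib.sha256(reference).hexdigest()
    report: Dict[str, Any] = {
        "identical": s_hash == r_hash,
        "same_size": len(suspect) == len(reference),
        "suspect_sha256": s_hash,
        "reference_sha256": r_hash,
    }
    try:
        s_hdr, r_hdr = coff_header(suspect), coff_header(reference)
        report["same_link_timestamp"] = s_hdr["timestamp"] == r_hdr["timestamp"]
        report["same_section_count"] = s_hdr["sections"] == r_hdr["sections"]
    except ValueError as exc:
        report["pe_error"] = str(exc)
    # When sizes match, count differing bytes: a small patch stands out from a replacement.
    if report["same_size"]:
        report["differing_bytes"] = sum(a != b for a, b in zip(suspect, reference))
    return report


def build_minimal_pe(timestamp: int, sections: int = 3, body: bytes = b"\0" * 64) -> bytes:
    """Constructed stand-in for a PE image (test data only, not a runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, sections, timestamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff + body


if __name__ == "__main__":
    with open(QUARANTINED, "rb") as f, open(KNOWN_GOOD, "rb") as g:
        for key, value in compare_images(f.read(), g.read()).items():
            print(f"{key}: {value}")
```

If the report shows the same size, the same link timestamp and only a few differing bytes, the quarantined file is a patched original and the SHA-256 values are what to include with the upload; if the sizes or timestamps differ, it was replaced outright.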


#9 unit_g83 (Topic Starter)

Posted 08 September 2010 - 04:48 AM

Hi Myrti,

I've done as requested and uploaded the specified file. Norton is still holding the other file in quarantine, and I'll wait on your instruction to delete. Thank you once again.

unit_g83

#10 myrti (Malware Study Hall Admin)

Posted 10 September 2010 - 04:42 AM

Hi,

How is the PC doing? The file in quarantine can be deleted; it is not needed by the operating system.

regards myrti



#11 unit_g83 (Topic Starter)

Posted 10 September 2010 - 05:52 AM

Hi Myrti,

Thank you for your reply. I've deleted the file as requested. The laptop has been behaving for a little while now, though I am concerned that there is a program installed sending out spam email. I recently emailed a company and the email was refused, reason stated as spam from my specific IP.

I'll update Malwarebytes and Norton and run new scans.

Besides this, would you say everything regarding the initial problems is resolved? Thank you once again.

unit_g83

#12 myrti (Malware Study Hall Admin)

Posted 10 September 2010 - 12:00 PM

Hi,

I would like you to run a scan with Eset to check for leftovers:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


Do you know if you have a static IP? Many ISPs will dynamically distribute IPs when you log onto the web. Some will do an automatic reconnect and give you a new IP every 24 hours. So it might not have been you that sent the spam.

regards myrti

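On the spam rejection: the usual way a receiving mail server decides to refuse "spam from your IP" is to look the connecting address up in a DNS blocklist, and the same lookup can be done by hand. The script below is an added example, not part of this thread: it builds the reversed-octet query name, runs it against the Spamhaus ZEN zone, and translates the 127.0.0.x answer. The zone name and the meaning of each answer code are Spamhaus' published ones as I know them; treat the table as an assumption and check it against spamhaus.org before acting on a result. A PBL answer means the address sits in a range the ISP has declared dynamic or end-user, which fits myrti's point about changing addresses; an XBL answer means the address itself was recently observed behaving like an infected host, which would point back at this laptop or at another machine behind the same router. The address in the test is a constructed placeholder; run it with the public address the router or ISP shows, since that is the address the mail server saw.

```python
"""Check whether a public IP is listed on a DNS blocklist (DNSBL).

Added example, not part of the original thread. The lookup is an ordinary
A-record query for the reversed octets of the IP under the list's zone; the
answer, if any, is a 127.0.0.x code whose meaning the list operator documents."""
import ipaddress
import socket
from typing import Dict, List, Optional

ZEN = "zen.spamhaus.org"

# Assumed return-code table for ZEN; verify against Spamhaus' own documentation.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: listed spam source",
    "127.0.0.3": "SBL CSS: snowshoe/compromised spam source",
    "127.0.0.4": "XBL/CBL: exploited or infected host",
    "127.0.0.5": "XBL: exploited or infected host",
    "127.0.0.6": "XBL: exploited or infected host",
    "127.0.0.7": "XBL: exploited or infected host",
    "127.0.0.9": "SBL DROP: hijacked or bogus netblock",
    "127.0.0.10": "PBL: ISP-maintained dynamic/end-user range",
    "127.0.0.11": "PBL: Spamhaus-maintained dynamic/end-user range",
}


def dnsbl_query_name(ip: str, zone: str = ZEN) -> str:
    """Build the reversed-octet name queried for an IPv4 address, e.g. 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    # The mail server saw the router's public address, so LAN/loopback addresses are refused.
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        raise ValueError(f"{ip} is not a public address; look up the ISP-facing address instead")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify(answers: List[str], codes: Dict[str, str] = ZEN_CODES) -> List[str]:
    """Translate the A records returned by the list into human-readable reasons."""
    return [codes.get(a, f"unknown code {a}") for a in answers]


def lookup(ip: str, zone: str = ZEN) -> Optional[List[str]]:
    """Query the list over DNS. Returns None when not listed (NXDOMAIN); needs network access."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    return classify(addrs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: dnsbl_check.py <public-ipv4-address>")
    print(dnsbl_query_name(sys.argv[1]))
    print(lookup(sys.argv[1]) or "not listed")
```

A "not listed" result only says the address is clean on that list right now; a dynamic address that was listed yesterday may already have been handed to someone else, which is the point myrti makes above.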


#13 unit_g83 (Topic Starter)

Posted 10 September 2010 - 05:33 PM

Hi Myrti,

Scan has been completed as requested, and the following found:

D:\Mozilla Firefox\components\gpff.dll probably a variant of Win32/Adware.GabPath.A application


Mozilla was uninstalled about two weeks ago, but the basic system folder remains. I scanned the folder with Norton after seeing the above, and Norton failed to identify any viruses there.

Also, Norton has since quarantined two further files, both from Qoobox/ComboFix. They are 'radget.dll.vir' and 'obubamomigobaba.dll.vir', found in the usual location on C:\, and both identified as Trojan.Zefarch!gen virus types. Should I manually delete them?

I've noticed that since the previous ComboFix scan (the one where you requested I drag a .txt file into ComboFix) my sound card no longer works; it seems all the software is missing. Any ideas what could have happened?

Thank you in advance!

Unit_g83

#14 myrti (Malware Study Hall Admin)

Posted 11 September 2010 - 06:43 AM

Hi,

Are you sure that it disappeared with ComboFix, or was it just about the same time? Do you have a CD or anything from which you could reinstall the sound drivers?

Firefox, when uninstalled, removes only the program but not your personalised settings, so that you can recover those when you reinstall it. If you do not wish this, you can just delete the folders relating to Firefox.
The files in C:\qoobox are backups made of files deleted by ComboFix. They pose no danger, even if they are malicious. We will delete the backup folder, once we have made sure everything is running nicely.

regards myrti



#15 unit_g83 (Topic Starter)

Posted 11 September 2010 - 12:54 PM

Hi myrti,

Yes, definitely after ComboFix. As soon as ComboFix rebooted my laptop, sound was gone. Now I only get the odd beep, such as when closing an unsaved Word document.

I am sure I have a cd somewhere, but will look to download some drivers. Is it ok to re-enable cd emulation?

Thank you,

Unit_g83



