Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google/Firefox Redirecting


  • This topic is locked This topic is locked
25 replies to this topic

#1 Nekulturny

Nekulturny

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 24 August 2010 - 10:33 PM

When I click on results from a google/yahoo etc search, I get redirected first to a pleasewaitsearch.com domain, then to a random site. Sometimes the sites are benign sites (like Sears.com) and others are malicious. My computer has also been repeatedly infected with less invasive trojans/backdoors which I have been keeping at bay with regular searches by multiple anti-malware programs.

I have already disabled my CD emulators via Defogger, and my logs are attached. Thanks in advance for any help you can offer me.







DDS (Ver_10-03-17.01) - NTFSx86
Run by Stu at 18:54:57.26 on Tue 08/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1177 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Stu\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
uPolicies-explorer: NoSecurityTab = 1 (0x1)
mPolicies-explorer: NoSecurityTab = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262508897671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stu\applic~1\mozilla\firefox\profiles\8ja3bah2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]

=============== Created Last 30 ================

2010-08-25 01:53:32 0 ----a-w- c:\documents and settings\stu\defogger_reenable
2010-08-25 00:58:16 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-25 00:56:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-25 00:56:35 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-23 04:20:26 44544 ----a-w- c:\windows\system32\agremove.exe
2010-08-22 06:26:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-22 06:26:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-22 06:26:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 19:22:27 32256 ----a-w- c:\windows\system32\instd32.exe
2010-08-15 05:15:33 32768 ------w- c:\windows\SKUNINST.EXE
2010-08-15 05:15:33 31744 ------w- c:\windows\SonicKUS.DLL
2010-08-15 05:15:33 22528 ------w- c:\windows\MsgV2US.DLL
2010-08-15 05:15:15 0 d-----w- C:\SEGA
2010-08-15 05:14:25 536048 ------r- c:\windows\system32\OC25.DLL
2010-08-15 05:13:53 0 d-----w- c:\documents and settings\stu\WINDOWS
2010-07-29 07:23:18 0 d-----w- c:\program files\StarCraft II

==================== Find3M ====================

2010-08-24 23:26:34 52301 ----a-w- c:\windows\system32\nvModes.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-31 04:29:34 17064 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 18:55:34.46 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:31 AM

Posted 30 August 2010 - 10:25 AM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Nekulturny

Nekulturny
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 30 August 2010 - 01:34 PM

Hi Elise, and thanks for helping. Here are the logs.

OTL:

OTL logfile created on: 8/30/2010 8:50:06 AM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Stu\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 3069 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.73 Gb Total Space | 15.60 Gb Free Space | 14.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 375.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STUART
Current User Name: Stu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/30 08:49:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stu\desktop\OTL.exe
PRC - [2010/07/24 16:47:43 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/24 16:47:41 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/08/30 08:49:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stu\desktop\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2007/10/19 13:21:16 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)


========== Driver Services (SafeList) ==========

DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/10/26 06:47:30 | 004,221,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/04/13 10:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/22 06:46:00 | 006,658,592 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/10/11 19:00:42 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/10/11 18:59:02 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/10/11 18:55:58 | 001,279,000 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2007/10/11 18:55:58 | 000,013,848 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2007/09/26 07:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/05/10 11:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/23 16:47:34 | 000,056,576 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/09/24 06:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/03/08 13:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/10/26 11:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/07/22 12:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 12:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 12:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [1996/04/03 12:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-73586283-1409082233-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {1CE11043-9A15-4207-A565-0C94C42D590D}:11.3.7.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/24 16:47:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/24 14:23:53 | 000,000,000 | ---D | M]

[2010/01/03 01:07:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\Mozilla\Extensions
[2010/08/30 08:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\8ja3bah2.default\extensions
[2010/04/26 19:00:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\8ja3bah2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/18 20:31:27 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\8ja3bah2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/08/30 08:07:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/26 14:10:23 | 000,000,000 | ---D | M] (Adobe Flash Plugin) -- C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}

O1 HOSTS File: ([2010/08/21 22:47:20 | 000,416,928 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14392 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-21-73586283-1409082233-682003330-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSecurityTab = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-73586283-1409082233-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-73586283-1409082233-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSecurityTab = 1
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1262508897671 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.197.253.188 128.197.253.126
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Stu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Stu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/03 00:20:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1999/02/09 08:32:32 | 000,000,200 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{22f22533-7795-11df-bb4c-001c232ba260}\Shell\AutoRun\command - "" = D:\Setup_FlipShare.exe -- File not found
O33 - MountPoints2\{22f22533-7795-11df-bb4c-001c232ba260}\Shell\Setup FlipShare\command - "" = D:\Setup_FlipShare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/08/30 08:49:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Stu\Desktop\OTL.exe
[2010/08/27 19:12:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\My Documents\Rockstar Games
[2010/08/27 10:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/08/27 10:08:55 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SecuROM
[2010/08/27 10:07:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\Local Settings\Application Data\Rockstar Games
[2010/08/27 10:07:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Stu\Application Data\SecuROM
[2010/08/27 10:07:07 | 000,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/08/27 10:04:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xlive
[2010/08/27 10:04:52 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games for Windows - LIVE
[2010/08/24 17:56:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/08/24 17:56:35 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/08/22 21:20:26 | 000,044,544 | ---- | C] (Absolute Software Corp.) -- C:\WINDOWS\System32\agremove.exe
[2010/08/21 23:26:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/21 23:26:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/21 23:26:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/20 12:22:27 | 000,032,256 | ---- | C] (Absolute Software Corp.) -- C:\WINDOWS\System32\instd32.exe
[2010/08/14 22:15:33 | 000,032,768 | ---- | C] (SEGA ENTERPRISES.) -- C:\WINDOWS\SKUNINST.EXE
[2010/08/14 22:15:33 | 000,031,744 | ---- | C] (SEGA ENTERPRISES.) -- C:\WINDOWS\SonicKUS.DLL
[2010/08/14 22:15:33 | 000,022,528 | ---- | C] (SEGA ENTERPRISES.) -- C:\WINDOWS\MsgV2US.DLL
[2010/08/14 22:15:15 | 000,000,000 | ---D | C] -- C:\SEGA
[2010/08/14 22:13:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\WINDOWS
[2010/07/29 00:23:18 | 000,000,000 | ---D | C] -- C:\Program Files\StarCraft II
[2010/07/29 00:23:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\My Documents\StarCraft II
[2010/07/21 00:50:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LogiShrd
[2010/07/08 23:34:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/05 13:11:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2010/07/05 13:10:29 | 000,000,000 | ---D | C] -- C:\Program Files\AGEIA Technologies
[2010/07/05 13:10:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\AGEIA
[2010/06/26 15:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/06/17 23:32:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\My Documents\My Videos
[2010/06/17 23:32:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/06/16 23:49:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\Local Settings\Application Data\PCHealth
[2010/06/16 23:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2010/06/14 02:13:46 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/06/06 12:05:46 | 000,000,000 | ---D | C] -- C:\Program Files\Creative Labs
[2010/06/06 12:02:08 | 000,000,000 | ---D | C] -- C:\Program Files\Square Soft, Inc
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/30 08:49:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stu\Desktop\OTL.exe
[2010/08/30 08:38:02 | 000,052,301 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/08/29 07:23:15 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/29 07:18:48 | 000,169,466 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/08/29 07:18:46 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/08/29 07:18:02 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Stu\NTUSER.DAT
[2010/08/29 07:17:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/29 07:17:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/28 15:56:51 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Stu\ntuser.ini
[2010/08/28 15:56:46 | 005,332,274 | -H-- | M] () -- C:\Documents and Settings\Stu\Local Settings\Application Data\IconCache.db
[2010/08/28 14:08:31 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/27 22:22:35 | 000,052,301 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/08/27 10:07:08 | 000,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/08/24 18:53:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Stu\defogger_reenable
[2010/08/24 18:53:13 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Stu\Desktop\Defogger.exe
[2010/08/24 17:57:58 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/22 21:20:35 | 000,044,544 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\agremove.exe
[2010/08/21 23:26:23 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/21 22:47:20 | 000,416,928 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/14 22:13:55 | 000,000,724 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/13 03:52:21 | 000,112,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/13 03:12:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/13 03:11:01 | 000,502,240 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/13 03:11:01 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/13 03:11:01 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/11 18:00:13 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/08/10 17:36:14 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\Stu\Application Data\Microsoft\Internet Explorer\Quick Launch\DK Optimize.lnk
[2010/07/29 00:48:38 | 000,000,768 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II.lnk
[2010/07/25 17:28:22 | 003,031,397 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\TheChoirBoats.pdf
[2010/07/21 01:07:18 | 000,009,270 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\School Schedule BU.gif
[2010/07/21 00:42:58 | 000,000,910 | -H-- | M] () -- C:\IPH.PH
[2010/07/21 00:41:05 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\Stu\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
[2010/07/21 00:41:05 | 000,001,574 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/07/11 01:20:46 | 000,003,905 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\Drain.dko
[2010/07/09 16:35:21 | 006,291,456 | ---- | M] () -- C:\Documents and Settings\Stu\NTUSER.DAT.gbck
[2010/07/08 23:47:27 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/08 23:47:27 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/07/05 13:11:36 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/06/30 15:08:29 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/20 01:18:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/17 23:37:03 | 000,005,632 | ---- | M] () -- C:\Documents and Settings\Stu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/17 23:32:54 | 000,001,015 | R--- | M] () -- C:\logFile.xsl
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/24 18:58:33 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Stu\Desktop\gmer.exe
[2010/08/24 18:53:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Stu\defogger_reenable
[2010/08/24 18:53:12 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Stu\Desktop\Defogger.exe
[2010/08/24 17:58:16 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/24 17:56:38 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/21 23:26:23 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/29 00:23:18 | 000,000,768 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II.lnk
[2010/07/25 17:28:08 | 003,031,397 | ---- | C] () -- C:\Documents and Settings\Stu\My Documents\TheChoirBoats.pdf
[2010/07/21 01:07:16 | 000,009,270 | ---- | C] () -- C:\Documents and Settings\Stu\My Documents\School Schedule BU.gif
[2010/07/21 00:51:57 | 000,059,500 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/07/21 00:51:57 | 000,021,138 | ---- | C] () -- C:\WINDOWS\System32\Repository.reg
[2010/07/05 13:11:36 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/06/30 15:14:26 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/24 17:18:42 | 000,067,128 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/17 23:32:54 | 000,001,015 | R--- | C] () -- C:\logFile.xsl
[2010/06/14 02:13:47 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/12 17:08:31 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Stu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2010/02/20 15:04:57 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\Stu\Application Data\PnkBstrK.sys
[2010/02/16 03:01:06 | 000,008,533 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/01/03 18:17:42 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/01/03 01:18:45 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/01/03 01:18:45 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/01/03 01:18:45 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/01/03 01:18:44 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/01/03 01:17:07 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[1996/04/03 12:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010/05/20 21:53:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/01/03 21:45:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DKOptimize
[2010/06/17 23:32:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/08/24 18:03:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/01/03 05:22:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/20 21:53:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\acccore
[2010/01/03 16:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\GlarySoft
[2010/01/03 15:31:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\OpenOffice.org
[2010/03/26 16:51:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\runic games
[2010/08/29 07:18:46 | 000,000,308 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job
[2010/08/29 07:23:15 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========


< End of report >

Extras:


OTL Extras logfile created on: 8/30/2010 8:50:06 AM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Stu\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 3069 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.73 Gb Total Space | 15.60 Gb Free Space | 14.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 375.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STUART
Current User Name: Stu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-73586283-1409082233-682003330-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP
"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"6112:TCP" = 6112:TCP:*:Enabled:Blizzard Downloader: 6112
"6119:TCP" = 6119:TCP:*:Enabled:Warcraft
"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP
"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"E:\setup\hpznui01.exe" = E:\setup\hpznui01.exe:*:Enabled:hpznui01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe:*:Enabled:hpqgpc01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- File not found
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- File not found
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Documents and Settings\Stu\desktop\WoW_FotLK_ESRB_EN_XVID_F-avi-downloader.exe" = C:\Documents and Settings\Stu\desktop\WoW_FotLK_ESRB_EN_XVID_F-avi-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- File not found
"C:\Program Files\Warcraft III\Frozen Throne.exe" = C:\Program Files\Warcraft III\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne -- (Blizzard Entertainment)
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Steam\steamapps\nekulturny\counter-strike\hl.exe" = C:\Program Files\Steam\steamapps\nekulturny\counter-strike\hl.exe:*:Enabled:Counter-Strike -- (Valve)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Steam\steamapps\common\prince of persia the sands of time\PrinceOfPersia.EXE" = C:\Program Files\Steam\steamapps\common\prince of persia the sands of time\PrinceOfPersia.EXE:*:Enabled:Prince of Persia: The Sands of Time -- (UBISOFT)
"C:\Program Files\Steam\steamapps\nekulturny\team fortress 2\hl2.exe" = C:\Program Files\Steam\steamapps\nekulturny\team fortress 2\hl2.exe:*:Enabled:hl2 -- File not found
"C:\Program Files\Steam\steamapps\common\trine\trine_launcher.exe" = C:\Program Files\Steam\steamapps\common\trine\trine_launcher.exe:*:Enabled:Trine -- ()
"C:\Documents and Settings\Stu\Local Settings\Apps\2.0\EEBOOJJQ.GWH\9XC2LZTT.VX3\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\CurseClient.exe" = C:\Documents and Settings\Stu\Local Settings\Apps\2.0\EEBOOJJQ.GWH\9XC2LZTT.VX3\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\CurseClient.exe:*:Enabled:Curse Client 4.0 -- (Curse)
"C:\Program Files\StarCraft II\StarCraft II.exe" = C:\Program Files\StarCraft II\StarCraft II.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft Beta\Launcher.exe" = C:\Program Files\World of Warcraft Beta\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"C:\Program Files\StarCraft II\Versions\Base15405\SC2.exe" = C:\Program Files\StarCraft II\Versions\Base15405\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"C:\Program Files\Steam\steamapps\common\grand theft auto iv\GTAIV\LaunchGTAIV.exe" = C:\Program Files\Steam\steamapps\common\grand theft auto iv\GTAIV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV -- (Sony DADC Austria AG)
"C:\Program Files\Steam\steamapps\common\grand theft auto iv\GTAIV\GTAIV.exe" = C:\Program Files\Steam\steamapps\common\grand theft auto iv\GTAIV\GTAIV.exe:*:Enabled:Grand Theft Auto IV -- (Take-Two Interactive Software, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{0A042C19-1F48-4952-B3B6-828E8028A187}" = B209a-m
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java™ 6 Update 16
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{5FE1E412-D114-46E8-A891-5BE087B256A5}" = MVision
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8CBC86E2-6C62-4BCA-A94F-72C0A229A496}" = DK Optimize
"{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9FEF1A18-8F26-4F49-A5A4-956C12210624}" = HP Photosmart Plus B209a-m All-In-One Driver Software 13.0 Rel .6
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AF21F061-F04B-42B4-B6C3-784A080F782A}" = dirLock
"{B2455727-ED8F-4643-8A6E-F4AB8DE3633D}" = Network
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65759DD-26C6-4EA6-9014-CA798907EBFD}" = PS_AIO_06_B209a-m_SW_Min
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_7" = AIM 7
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"EAX™ Unified (SHELL)" = EAX™ Unified (SHELL)
"Glary Utilities_is1" = Glary Utilities 2.18.0.786
"HitmanPro35" = Hitman Pro 3.5
"ie8" = Windows Internet Explorer 8
"InstallShield_{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel® PROSet/Wireless Software
"SpeedFan" = SpeedFan (remove only)
"Starcraft" = Starcraft
"StarCraft II" = StarCraft II
"Steam App 10" = Counter-Strike
"Steam App 12210" = Grand Theft Auto IV
"Steam App 13600" = Prince of Persia: The Sands of Time
"Steam App 220" = Half-Life 2
"Steam App 340" = Half-Life 2: Lost Coast
"Steam App 35700" = Trine
"Steam App 380" = Half-Life 2: Episode One
"Steam App 400" = Portal
"Steam App 41500" = Torchlight
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-73586283-1409082233-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"538e2a4af313161a" = FasterPing
"Warcraft III" = Warcraft III: All Products
"World of Logs Client" = World of Logs Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/26/2010 6:59:07 PM | Computer Name = STUART | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 6/30/2010 6:08:20 PM | Computer Name = STUART | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 6/30/2010 6:08:58 PM | Computer Name = STUART | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 2147550906, P2 unspecified, P3 scanfile,
P4 2.1.6519.0, P5 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 7/10/2010 1:09:04 AM | Computer Name = STUART | Source = Application Hang | ID = 1002
Description = Hanging application Wow.exe, version 3.3.5.12340, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/10/2010 2:50:15 AM | Computer Name = STUART | Source = Application Hang | ID = 1002
Description = Hanging application Wow.exe, version 3.3.5.12340, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/10/2010 2:50:24 AM | Computer Name = STUART | Source = Application Hang | ID = 1001
Description = Fault bucket 1937668869.

Error - 7/11/2010 5:35:07 AM | Computer Name = STUART | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/11/2010 5:35:07 AM | Computer Name = STUART | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/17/2010 10:01:59 PM | Computer Name = STUART | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/29/2010 3:12:16 AM | Computer Name = STUART | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3855, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 8/27/2010 9:41:46 PM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 10.61.254.1 on
the Network Card with network address 001CBF3658EE.

Error - 8/28/2010 2:27:01 AM | Computer Name = STUART | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
ID15109 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{A8AE100A-803E-42B0-A. The master browser is stopping or an election
is being forced.

Error - 8/28/2010 2:56:18 AM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 10.61.254.1 on
the Network Card with network address 001CBF3658EE.

Error - 8/28/2010 5:17:15 PM | Computer Name = STUART | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.89.438.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6103.0 Error
code: 0x80072f76 Error description: The requested header was not found

Error - 8/28/2010 6:50:11 PM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 10.66.232.73 on
the Network Card with network address 001C232BA260.

Error - 8/29/2010 11:47:22 AM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 168.122.232.76
on the Network Card with network address 001C232BA260.

Error - 8/29/2010 3:43:40 PM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 168.122.232.76
on the Network Card with network address 001C232BA260.

Error - 8/30/2010 12:53:44 AM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 168.122.232.76
on the Network Card with network address 001C232BA260.

Error - 8/30/2010 10:56:34 AM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 168.122.232.76
on the Network Card with network address 001C232BA260.

Error - 8/30/2010 11:30:58 AM | Computer Name = STUART | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 168.122.232.76
on the Network Card with network address 001C232BA260.


< End of report >

RKU:


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB9109000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 6660096 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 174.31 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 5971968 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 174.31 )
0xB8CC6000 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys 4222976 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB61FA000 C:\WINDOWS\system32\DRIVERS\LV302V32.SYS 1273856 bytes (Logitech Inc., Logitech QuickCam Driver)
0xB69E8000 C:\WINDOWS\system32\drivers\sthda.sys 1171456 bytes (SigmaTel, Inc., NDRC)
0xB6895000 C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB67E5000 C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys 720896 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9E5B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB6603000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8B2E000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB670E000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB58E9000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB8C06000 C:\WINDOWS\System32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB5275000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB6992000 C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys 204800 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB8BD7000 C:\WINDOWS\System32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB5A08000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E2E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB6673000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB90CD000 C:\WINDOWS\System32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB66E6000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB66C0000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB69C4000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8C7F000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8CA3000 C:\WINDOWS\System32\DRIVERS\b57xp32.sys 143360 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB8BB4000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB679A000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xB669E000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9E14000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB61E2000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8B9D000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB558C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8C57000 C:\WINDOWS\System32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0xB8C6B000 C:\WINDOWS\System32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB90F5000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB6767000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8B8C000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA1D8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA2C8000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB9783000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA2D8000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB9793000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA218000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xB9763000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA1E8000 C:\WINDOWS\System32\Drivers\oz776.sys 57344 bytes (O2Micro, O2Micro USB CCID SmartCard Reader)
0xBA298000 C:\WINDOWS\System32\DRIVERS\rimmptsk.sys 57344 bytes (REDC, RICOH MMC Driver)
0xB5A85000 C:\WINDOWS\System32\Drivers\usbaapl.sys 57344 bytes (Apple, Inc., Apple Mobile Device USB Driver)
0xBA108000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA2A8000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB97F3000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB97D3000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA188000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA2B8000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB97E3000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB97A3000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB97B3000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA1C8000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA288000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA208000 C:\WINDOWS\system32\drivers\LVUSBSta.sys 36864 bytes (Logitech Inc., USB Statistic Driver)
0xB97C3000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA148000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB5529000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA158000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA420000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA468000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA498000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3E0000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA470000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA3F0000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3E8000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA3D8000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA458000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA460000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA410000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA418000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA400000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA4A8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA598000 C:\WINDOWS\System32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB9DDC000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB5CE5000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB8B22000 C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)
0xB67CD000 C:\WINDOWS\System32\Drivers\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xB5609000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xBA568000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB67DD000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB5C21000 C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xB67D9000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9DEC000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA588000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA594000 C:\WINDOWS\System32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA61E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA642000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA61C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA62C000 C:\WINDOWS\system32\DRIVERS\lv302af.sys 8192 bytes (Logitech Inc., Audio filter for Express Plus)
0xBA620000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA622000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5AC000 speedfan.sys 8192 bytes
0xBA5DE000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5DA000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7E6000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7D5000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA671000 giveio.sys 4096 bytes
0xBA78E000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

End of logs.



Thanks again Elise. I hope to hear back soon


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:31 AM

Posted 30 August 2010 - 01:43 PM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Nekulturny

Nekulturny
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 30 August 2010 - 05:49 PM

Here's the ComboFix log:

ComboFix

ComboFix 10-08-29.04 - Stu 08/30/2010 15:41:12.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1611 [GMT -7:00]
Running from: c:\documents and settings\Stu\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\windows\system32\drivers\1028_DELL_XPS_MXG061 .MRK
c:\windows\system32\drivers\DELL_XPS_MXG061 .MRK

.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
.

2010-08-27 17:08 . 2010-08-27 17:08 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
2010-08-27 17:07 . 2010-08-27 17:07 -------- d-----w- c:\documents and settings\Stu\Local Settings\Application Data\Rockstar Games
2010-08-27 17:07 . 2010-08-27 17:07 -------- d--h--r- c:\documents and settings\Stu\Application Data\SecuROM
2010-08-27 17:07 . 2010-08-27 17:07 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-08-27 17:04 . 2010-08-27 17:04 -------- d-----w- c:\windows\system32\xlive
2010-08-27 17:04 . 2010-08-27 17:05 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-08-25 00:58 . 2010-08-30 22:36 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-25 00:56 . 2010-08-25 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-25 00:56 . 2010-08-25 00:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-23 04:20 . 2010-08-23 04:20 44544 ----a-w- c:\windows\system32\agremove.exe
2010-08-22 06:26 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-22 06:26 . 2010-08-22 06:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-22 06:26 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-20 19:22 . 2007-03-15 00:30 32256 ----a-w- c:\windows\system32\instd32.exe
2010-08-15 05:15 . 1996-12-26 02:00 31744 ------w- c:\windows\SonicKUS.DLL
2010-08-15 05:15 . 1996-12-11 02:00 32768 ------w- c:\windows\SKUNINST.EXE
2010-08-15 05:15 . 1996-12-11 02:00 22528 ------w- c:\windows\MsgV2US.DLL
2010-08-15 05:15 . 2010-08-15 06:05 -------- d-----w- C:\SEGA
2010-08-15 05:14 . 1995-08-15 07:00 536048 ------r- c:\windows\system32\OC25.DLL
2010-08-15 05:13 . 2010-08-15 05:13 -------- d-----w- c:\documents and settings\Stu\WINDOWS
2010-08-05 23:10 . 2010-08-05 23:10 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-28 05:22 . 2010-02-14 06:46 -------- d-----w- c:\program files\Steam
2010-08-28 05:22 . 2010-01-03 08:20 52301 ----a-w- c:\windows\system32\nvModes.dat
2010-08-27 06:34 . 2010-02-13 01:25 -------- d-----w- c:\program files\Warcraft III
2010-08-25 19:32 . 2010-01-03 10:50 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-24 21:27 . 2010-02-16 10:02 -------- d-----w- c:\program files\HP
2010-08-24 21:23 . 2010-01-03 07:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-18 00:20 . 2010-07-29 07:23 -------- d-----w- c:\program files\StarCraft II
2010-08-12 00:14 . 2010-01-03 10:58 -------- d-----w- c:\documents and settings\Stu\Application Data\Ventrilo
2010-08-11 00:42 . 2010-01-03 10:57 -------- d-----w- c:\program files\World of Warcraft
2010-07-30 06:51 . 2010-06-25 00:18 67128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-29 07:48 . 2010-01-03 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-07-21 07:53 . 2010-07-21 07:50 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-07-21 07:51 . 2010-07-21 07:51 10134 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{5FE1E412-D114-46E8-A891-5BE087B256A5}\ARPPRODUCTICON.exe
2010-07-21 07:41 . 2010-05-21 04:53 -------- d-----w- c:\program files\AIM
2010-07-05 20:10 . 2010-07-05 20:10 -------- d-----w- c:\program files\AGEIA Technologies
2010-07-05 20:09 . 2010-01-04 01:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-30 22:09 . 2010-06-30 22:09 17280 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2003-07-16 20:43 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2003-07-16 20:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2003-07-16 20:46 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2003-07-16 20:29 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-01-03 07:18 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2003-07-16 20:37 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-22 13508608]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-30 6293312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSecurityTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-05-21 15:36 3824472 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-02-22 13:46 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\nekulturny\\counter-strike\\hl.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\prince of persia the sands of time\\PrinceOfPersia.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\trine\\trine_launcher.exe"=
"c:\\Documents and Settings\\Stu\\Local Settings\\Apps\\2.0\\EEBOOJJQ.GWH\\9XC2LZTT.VX3\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\GTAIV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\GTAIV\\GTAIV.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"6119:TCP"= 6119:TCP:Warcraft


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-01-03 20:09]

2010-08-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Stu\Application Data\Mozilla\Firefox\Profiles\8ja3bah2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-30 15:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1409082233-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:7f,80,d0,61,63,c4,91,86,42,dc,a1,48,15,46,88,94,cf,de,4c,87,8d,
60,33,ae,91,6c,84,8b,a1,42,ba,88,bf,6a,07,c6,47,dd,5f,73,eb,56,82,85,89,de,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
Completion time: 2010-08-30 15:46:23
ComboFix-quarantined-files.txt 2010-08-30 22:46

Pre-Run: 16,719,691,776 bytes free
Post-Run: 16,760,279,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8CB64429EFEA662DD257C4E00E6B0513

Thanks for your time

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:31 AM

Posted 31 August 2010 - 09:15 AM

Are you still getting redirected at this point? If so, how are you connected to the internet? If you use a router, please reset it and let me know if that fixes the issue.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Nekulturny

Nekulturny
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 31 August 2010 - 12:14 PM

I am still getting redirected. I'm connected to the internet directly through a cable at my university, so there's probably a router down the line somewhere but I don't have access to it. The problem was happening before I moved in though, at my own home as well.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:31 AM

Posted 31 August 2010 - 12:20 PM

Lets do some port testing here to see how well you are protected on the network you connect to.

Please go here and click Proceed. Run both tests for Port checking and post the summary of the results here.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Nekulturny

Nekulturny
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 31 August 2010 - 12:27 PM

Common Ports:

GRC Port Authority Report created on UTC: 2010-08-31 at 17:25:47

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Service Ports

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2010-08-31 at 17:27:44

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:31 AM

Posted 31 August 2010 - 12:45 PM

Please click Start > Run, type cmd in the runbox and press enter.

Type the following two lines and press enter after each one.

ipconfig /flushdns

netsh reset firewall


Then Exit the command window, restart your computer and let me know if you still are having redirects.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Nekulturny

Nekulturny
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 02 September 2010 - 10:11 AM

Still having redirects sadly sad.gif

Also, the command was netsh firewall reset, but I figured it out smile.gif

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:31 AM

Posted 02 September 2010 - 12:55 PM

I'm sorry, I only now saw I had the wrong command there. ohmy.gif

Can you please rerun an OTL quick scan and post me the log?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Nekulturny

Nekulturny
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 04 September 2010 - 10:52 AM

OTL logfile created on: 9/4/2010 8:48:39 AM - Run 2
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Stu\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 3069 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 109.73 Gb Total Space | 15.49 Gb Free Space | 14.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 375.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STUART
Current User Name: Stu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/30 08:49:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stu\desktop\OTL.exe
PRC - [2010/07/24 16:47:43 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/24 16:47:41 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/08/30 08:49:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stu\desktop\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2007/10/19 13:21:16 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Stu\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/10/26 06:47:30 | 004,221,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/04/13 10:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/22 06:46:00 | 006,658,592 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/10/11 19:00:42 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/10/11 18:59:02 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/10/11 18:55:58 | 001,279,000 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2007/10/11 18:55:58 | 000,013,848 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2007/09/26 07:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/05/10 11:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/23 16:47:34 | 000,056,576 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/09/24 06:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/03/08 13:35:10 | 000,191,872 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/10/26 11:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/07/22 12:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 12:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 12:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [1996/04/03 12:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {1CE11043-9A15-4207-A565-0C94C42D590D}:11.3.7.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/24 16:47:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/24 14:23:53 | 000,000,000 | ---D | M]

[2010/01/03 01:07:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\Mozilla\Extensions
[2010/09/03 08:31:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\8ja3bah2.default\extensions
[2010/04/26 19:00:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\8ja3bah2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/18 20:31:27 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\8ja3bah2.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/09/03 08:31:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/26 14:10:23 | 000,000,000 | ---D | M] (Adobe Flash Plugin) -- C:\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}

O1 HOSTS File: ([2010/08/30 15:44:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSecurityTab = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSecurityTab = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1262508897671 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.197.253.188 128.197.253.126
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Stu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Stu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/03 00:20:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1999/02/09 08:32:32 | 000,000,200 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/08/31 10:54:03 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/30 15:39:05 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/30 15:37:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/30 15:37:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/30 15:37:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/30 15:37:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/30 15:37:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/30 15:36:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/30 08:49:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Stu\Desktop\OTL.exe
[2010/08/27 19:12:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\My Documents\Rockstar Games
[2010/08/27 10:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/08/27 10:08:55 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SecuROM
[2010/08/27 10:07:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\Local Settings\Application Data\Rockstar Games
[2010/08/27 10:07:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Stu\Application Data\SecuROM
[2010/08/27 10:07:07 | 000,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/08/27 10:04:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xlive
[2010/08/27 10:04:52 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games for Windows - LIVE
[2010/08/24 17:56:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/08/24 17:56:35 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/08/22 21:20:26 | 000,044,544 | ---- | C] (Absolute Software Corp.) -- C:\WINDOWS\System32\agremove.exe
[2010/08/21 23:26:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/21 23:26:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/21 23:26:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/20 12:22:27 | 000,032,256 | ---- | C] (Absolute Software Corp.) -- C:\WINDOWS\System32\instd32.exe
[2010/08/14 22:15:33 | 000,032,768 | ---- | C] (SEGA ENTERPRISES.) -- C:\WINDOWS\SKUNINST.EXE
[2010/08/14 22:15:33 | 000,031,744 | ---- | C] (SEGA ENTERPRISES.) -- C:\WINDOWS\SonicKUS.DLL
[2010/08/14 22:15:33 | 000,022,528 | ---- | C] (SEGA ENTERPRISES.) -- C:\WINDOWS\MsgV2US.DLL
[2010/08/14 22:15:15 | 000,000,000 | ---D | C] -- C:\SEGA
[2010/08/14 22:13:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\WINDOWS
[2010/07/29 00:23:18 | 000,000,000 | ---D | C] -- C:\Program Files\StarCraft II
[2010/07/29 00:23:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\My Documents\StarCraft II
[2010/07/21 00:50:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LogiShrd
[2010/07/08 23:34:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/05 13:11:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2010/07/05 13:10:29 | 000,000,000 | ---D | C] -- C:\Program Files\AGEIA Technologies
[2010/07/05 13:10:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\AGEIA
[2010/06/26 15:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/06/17 23:32:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\My Documents\My Videos
[2010/06/17 23:32:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/06/16 23:49:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Stu\Local Settings\Application Data\PCHealth
[2010/06/16 23:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2010/06/14 02:13:46 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/06/06 12:05:46 | 000,000,000 | ---D | C] -- C:\Program Files\Creative Labs
[2010/06/06 12:02:08 | 000,000,000 | ---D | C] -- C:\Program Files\Square Soft, Inc
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/04 08:47:57 | 000,239,359 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\mr5Bv.jpg
[2010/09/04 08:43:00 | 000,052,301 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/09/02 08:13:53 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/09/02 08:10:48 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/09/02 08:08:41 | 000,169,466 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/09/02 08:08:37 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/09/02 08:08:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/02 08:08:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/02 08:07:15 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Stu\NTUSER.DAT
[2010/09/02 08:07:15 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Stu\ntuser.ini
[2010/09/02 08:07:08 | 005,322,906 | -H-- | M] () -- C:\Documents and Settings\Stu\Local Settings\Application Data\IconCache.db
[2010/08/30 15:44:18 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/30 15:44:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/30 15:39:15 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/30 15:19:30 | 003,831,151 | R--- | M] () -- C:\Documents and Settings\Stu\Desktop\ComboFix.exe
[2010/08/30 11:45:53 | 000,040,235 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\link_ikea_beads_pattern.jpg
[2010/08/30 11:23:24 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Stu\Desktop\RKUnhookerLE.EXE
[2010/08/30 08:49:34 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stu\Desktop\OTL.exe
[2010/08/27 22:22:35 | 000,052,301 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/08/27 10:07:08 | 000,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/08/24 18:53:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Stu\defogger_reenable
[2010/08/24 18:53:13 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Stu\Desktop\Defogger.exe
[2010/08/24 17:57:58 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/22 21:20:35 | 000,044,544 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\agremove.exe
[2010/08/21 23:26:23 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/14 22:13:55 | 000,000,724 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/13 03:52:21 | 000,112,584 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/13 03:12:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/13 03:11:01 | 000,502,240 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/13 03:11:01 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/13 03:11:01 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/11 18:00:13 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/08/10 17:36:14 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\Stu\Application Data\Microsoft\Internet Explorer\Quick Launch\DK Optimize.lnk
[2010/07/29 00:48:38 | 000,000,768 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II.lnk
[2010/07/25 17:28:22 | 003,031,397 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\TheChoirBoats.pdf
[2010/07/21 01:07:18 | 000,009,270 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\School Schedule BU.gif
[2010/07/21 00:42:58 | 000,000,910 | -H-- | M] () -- C:\IPH.PH
[2010/07/21 00:41:05 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\Stu\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
[2010/07/21 00:41:05 | 000,001,574 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk
[2010/07/11 01:20:46 | 000,003,905 | ---- | M] () -- C:\Documents and Settings\Stu\My Documents\Drain.dko
[2010/07/09 16:35:21 | 006,291,456 | ---- | M] () -- C:\Documents and Settings\Stu\NTUSER.DAT.gbck
[2010/07/08 23:47:27 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/07/05 13:11:36 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/06/30 15:08:29 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/20 01:18:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/17 23:37:03 | 000,005,632 | ---- | M] () -- C:\Documents and Settings\Stu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/17 23:32:54 | 000,001,015 | R--- | M] () -- C:\logFile.xsl
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/04 08:47:56 | 000,239,359 | ---- | C] () -- C:\Documents and Settings\Stu\My Documents\mr5Bv.jpg
[2010/08/30 15:39:15 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/30 15:39:10 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/30 15:37:10 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/30 15:37:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/30 15:37:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/30 15:37:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/30 15:37:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/30 15:19:22 | 003,831,151 | R--- | C] () -- C:\Documents and Settings\Stu\Desktop\ComboFix.exe
[2010/08/30 11:45:52 | 000,040,235 | ---- | C] () -- C:\Documents and Settings\Stu\My Documents\link_ikea_beads_pattern.jpg
[2010/08/30 11:23:23 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Stu\Desktop\RKUnhookerLE.EXE
[2010/08/24 18:58:33 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Stu\Desktop\gmer.exe
[2010/08/24 18:53:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Stu\defogger_reenable
[2010/08/24 18:53:12 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Stu\Desktop\Defogger.exe
[2010/08/24 17:58:16 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/24 17:56:38 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/08/21 23:26:23 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/29 00:23:18 | 000,000,768 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II.lnk
[2010/07/25 17:28:08 | 003,031,397 | ---- | C] () -- C:\Documents and Settings\Stu\My Documents\TheChoirBoats.pdf
[2010/07/21 01:07:16 | 000,009,270 | ---- | C] () -- C:\Documents and Settings\Stu\My Documents\School Schedule BU.gif
[2010/07/21 00:51:57 | 000,059,500 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/07/21 00:51:57 | 000,021,138 | ---- | C] () -- C:\WINDOWS\System32\Repository.reg
[2010/07/05 13:11:36 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010/06/30 15:14:26 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/24 17:18:42 | 000,067,128 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/17 23:32:54 | 000,001,015 | R--- | C] () -- C:\logFile.xsl
[2010/06/14 02:13:47 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/12 17:08:31 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Stu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2010/02/20 15:04:57 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\Stu\Application Data\PnkBstrK.sys
[2010/02/16 03:01:06 | 000,008,533 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/01/03 18:17:42 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/01/03 01:18:45 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/01/03 01:18:45 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/01/03 01:18:45 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/01/03 01:18:44 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/01/03 01:17:07 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[1996/04/03 12:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010/05/20 21:53:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/01/03 21:45:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DKOptimize
[2010/06/17 23:32:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/08/24 18:03:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/01/03 05:22:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/20 21:53:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\acccore
[2010/01/03 16:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\GlarySoft
[2010/01/03 15:31:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\OpenOffice.org
[2010/03/26 16:51:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stu\Application Data\runic games
[2010/09/02 08:08:37 | 000,000,308 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job
[2010/09/02 08:13:53 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========


< End of report >


Thanks for sticking with me smile.gif

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:31 AM

Posted 04 September 2010 - 11:29 AM

Hi, lets see if this will make a difference:

INSTALL FIREWALL
--------------------------
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Outpost Firewall Free, Sygate Personal Firewall Free or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note - If you connect to the internet using a router, you are already behind a hardware firewall.

Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Nekulturny

Nekulturny
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 07 September 2010 - 03:16 PM

I got ZoneAlarm up and running.

I also detected some super malicious viruses and a hat-full of trojans downloaded right as I logged on (unsure how). They were shutting down my ability to run anything, saying the processes were corrupt and running a fake virus scanner program. It also deactivated all my malware protection and prevented them from opening. However, I managed to get rid of it with a quick-start of Hitman Pro, and all 5 of the anti-malware programs say I'm clean again. I suspect that it was the work of the rootkit or w/e, and hopefully the firewall can help.


EDIT: And it's still redirecting sad.gif

Edited by Nekulturny, 07 September 2010 - 03:26 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users