
Having trouble with the Preparation Guide


50 replies to this topic

#1 WaylonJ

  • Members
  • 30 posts

Posted 22 October 2010 - 01:05 PM

Hello to the board,

As I'm experiencing a nasty version of the Google Redirect problem, I'm attempting to get through the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" link, which I found under the Forum Guidelines heading of the forum.

I was able to get to Step 7, but now I'm finding that the D.D.S. diagnostic tool is halting before I get the .txt files described therein. I have turned off the antivirus programs on my machine -- StopZilla and Norton Security Suite -- so I'm only getting the initial security warning from windows asking me if I wish to run dds.scr, to which I respond by pressing the Run control (button).

Specifically, I'm getting the black DOS screen entitled D.D.S., seven separate sentences and a series of colons (resembling a progress bar). After that, unfortunately, I'm getting the old blinking cursor: and nothing more. One of the sentences in the DOS screen states that "This scan should take no longer than three minutes to complete," so I'm pretty sure that something is blocking the progress of the D.D.S. tool...I've waited significantly longer than three minutes.

I'm rather anxious to get the diagnosis process under way, so any words of advice would be greatly appreciated.

Thanks for your time,
WaylonJ

Please see a screen shot (below) of what I referred to in the original thread post. Can anyone help me with this?

As I previously mentioned, I turned both StopZilla and Norton Security Suite off before I ran the D.D.S. file. Are there other "script blocking tools" that I may not be aware of? Does Win XP have a script blocking feature somewhere?

Obviously, something on my system is halting the D.D.S. program before I get the text files described in the Forum Guidelines section of the Virus, Trojan, Spyware, and Malware Removal Logs forum board...

[screenshot]

EDIT: Posts merged ~BP

Edited by Budapest, 25 October 2010 - 04:12 PM.



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 31 October 2010 - 04:38 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 WaylonJ

  • Topic Starter
  • Members
  • 30 posts

Posted 31 October 2010 - 09:16 PM

Thank you for responding, Elise. When I started up my PC this evening, I was guided through a series of steps by Symantec's Norton Security Suite. Apparently, my home page (Google) was changed by said Norton program for some reason—the prompts were not explicit—so I changed it back to Google. Immediately after doing so, I typed a random search into the Google search field and, much to my surprise, it went right to the desired link. As I haven't been able to perform this very simple task for quite some time now, I tried a second search and, again, it went right to the desired link.

This is not to say that Norton finally found a solution to the issue that's been plaguing us for quite some time now. To the contrary, the machine still freezes up randomly and runs erratically: I simply wanted you to know what the latest news is with our particular PC.

I will still comply with all of your instructions as soon as I get a chance, which will be sometime in the upcoming work week.

Thanks again,
WaylonJ
:)

Edited by WaylonJ, 31 October 2010 - 09:20 PM.


#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 01 November 2010 - 04:26 AM

Okay, I'll wait for your logs.

regards, Elise




#5 WaylonJ

  • Topic Starter
  • Members
  • 30 posts

Posted 02 November 2010 - 10:58 AM

Thanks once again, Elise. I'll go through your instructions as soon as I get some (real) time to spend on the PC.

Have a good one,
WaylonJ
:)

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 02 November 2010 - 12:17 PM

Thank you for letting me know. :)

regards, Elise




#7 WaylonJ

  • Topic Starter
  • Members
  • 30 posts

Posted 02 November 2010 - 09:26 PM

Okay, Elise, I read your instructions thoroughly and it would seem that I'm supposed to start this thing by describing the problem.

The first clear indication that we had a serious problem was the "redirect" and "jump" pages we get when we run normal searches using the Google search engine. At this point, the only use Google serves is to provide us with a URL at the end of the relevant "search hit" summaries. Once Google returns said URLs, the user is forced to copy/paste them into the Internet Explorer URL bar. In fact, this doesn't usually work the first time around, so the user is forced to paste the URL a second time to actually access the desired web page.

Our PC is also running intermittently. I realize that this isn't unusual when one uses a Windows-based PC and Internet Explorer, but this particular machine was recently rebuilt. In our case, the term "rebuilt" means that both HDDs were thoroughly scrubbed, the Windows XP O.S. was loaded from scratch, Norton Security Suite was installed and then the O.S. was updated using the Microsoft Update service. In other words, my experience is that it takes a while for a rebuilt Windows PC—with a security application installed—to run this poorly. Since the last time the HDDs were cleaned and rebuilt, we've been very careful about updating the Norton application and running full scans at the end of every day. Despite our best efforts, this PC is obviously infected with some sort of malicious algorithm of one kind or another.

As for efforts to correct the problems described herein...I've run the file TDSSKiller.exe, which reports that the target infection was "not found." Other than that, we've continued updating our Norton Security Suite application every day and, subsequently, running full scans.


********** OTL.txt Report **********

OTL logfile created on: 11/2/2010 9:12:52 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = E:\Documents and Settings\JOBIT\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 194.00 Mb Available Physical Memory | 19.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): E:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 23.29 Gb Total Space | 21.73 Gb Free Space | 93.31% Space Free | Partition Type: NTFS
Drive D: | 34.92 Gb Total Space | 34.62 Gb Free Space | 99.13% Space Free | Partition Type: NTFS
Drive E: | 24.22 Gb Total Space | 14.43 Gb Free Space | 59.57% Space Free | Partition Type: NTFS
Drive F: | 27.02 Gb Total Space | 27.01 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
Drive G: | 35.11 Gb Total Space | 35.10 Gb Free Space | 99.99% Space Free | Partition Type: NTFS
Drive H: | 35.30 Gb Total Space | 35.29 Gb Free Space | 99.99% Space Free | Partition Type: NTFS
Drive I: | 37.66 Gb Total Space | 37.30 Gb Free Space | 99.04% Space Free | Partition Type: NTFS
Drive J: | 43.32 Gb Total Space | 42.42 Gb Free Space | 97.91% Space Free | Partition Type: NTFS
Drive M: | 37.25 Gb Total Space | 3.97 Gb Free Space | 10.65% Space Free | Partition Type: NTFS

Computer Name: JOBIT-1 | User Name: JOBIT | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/02 21:07:41 | 000,576,000 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\JOBIT\Desktop\OTL.exe
PRC - [2010/11/02 21:01:23 | 000,507,392 | -HS- | M] () -- E:\WINDOWS\kbddvwow.exe
PRC - [2010/10/14 14:00:02 | 000,177,616 | R--- | M] (iS3, Inc.) -- E:\Program Files\STOPzilla!\STOPzilla.exe
PRC - [2010/10/14 13:59:58 | 000,062,928 | R--- | M] (iS3, Inc.) -- E:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
PRC - [2010/10/13 01:16:06 | 001,313,280 | ---- | M] () -- E:\WINDOWS\system32\csrsrv32.exe
PRC - [2010/10/13 01:16:06 | 001,313,280 | ---- | M] () -- E:\WINDOWS\system32\cryptnet32.exe
PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- E:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
PRC - [2010/02/12 11:02:08 | 000,240,992 | ---- | M] (Microsoft Corp.) -- E:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
PRC - [2010/01/21 16:24:08 | 000,110,592 | ---- | M] (WDC) -- E:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2009/08/07 17:15:06 | 000,311,152 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
PRC - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) -- E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/06/24 20:56:52 | 000,136,472 | ---- | M] (Seagate) -- E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
PRC - [2008/06/24 20:56:38 | 000,431,384 | ---- | M] (Seagate) -- E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\explorer.exe
PRC - [2004/06/18 17:31:02 | 000,067,584 | ---- | M] (Realtek Semiconductor Corp.) -- E:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/05/28 05:50:20 | 000,081,920 | ---- | M] (Ulead Systems) -- E:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
PRC - [2004/03/13 04:04:16 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2010/11/02 21:07:41 | 000,576,000 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\JOBIT\Desktop\OTL.exe
MOD - [2010/09/20 15:26:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- E:\Program Files\Norton Security Suite\Engine\4.3.0.5\asoehook.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/07/12 04:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- E:\Program Files\Norton Security Suite\Engine\4.3.0.5\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 04:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- E:\Program Files\Norton Security Suite\Engine\4.3.0.5\microsoft.vc90.crt\msvcp90.dll
MOD - [2008/04/13 20:11:52 | 000,367,616 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\dsound.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/10/14 13:59:58 | 000,062,928 | R--- | M] (iS3, Inc.) [Auto | Running] -- E:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe -- (szserver)
SRV - [2010/10/13 01:16:06 | 001,313,280 | ---- | M] () [Auto | Running] -- E:\WINDOWS\system32\cryptnet32.exe -- (aspnet_state32)
SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- E:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- E:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- E:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- E:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- E:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe -- (N360)
SRV - [2010/01/21 16:24:08 | 000,110,592 | ---- | M] (WDC) [Auto | Running] -- E:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Stopped] -- E:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
SRV - [2008/06/24 20:56:38 | 000,431,384 | ---- | M] (Seagate) [Auto | Running] -- E:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (SgtSch2Svc)
SRV - [2004/03/13 04:04:16 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2003/10/22 10:19:22 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- E:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- L:\NTGLM7X.sys -- (SetupNTGLM7X)
DRV - File not found [Kernel | On_Demand | Stopped] -- L:\NTACCESS.sys -- (NTACCESS)
DRV - File not found [Kernel | On_Demand | Stopped] -- L:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - [2010/10/19 16:36:22 | 000,341,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101029.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/09/28 22:18:34 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20101101.054\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/09/28 22:18:33 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20101101.054\NAVENG.SYS -- (NAVENG)
DRV - [2010/08/31 18:57:04 | 000,692,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101029.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/08/12 16:09:38 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/08/12 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- E:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/08/12 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- E:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/12 18:01:06 | 000,059,280 | R--- | M] (iS3, Inc.) [Kernel | Boot | Running] -- E:\WINDOWS\system32\drivers\szkgfs.sys -- (szkgfs)
DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- E:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- E:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- E:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys -- (ccHP)
DRV - [2009/12/07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Running] -- E:\WINDOWS\system32\DRIVERS\szkg.sys -- (szkg5)
DRV - [2009/12/07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Stopped] -- E:\WINDOWS\system32\drivers\is3srv.sys -- (is3srv)
DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- E:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS -- (SymDS)
DRV - [2009/02/13 11:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- E:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/02/21 20:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/02/01 14:46:00 | 000,056,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\atineuxx.sys -- (ATITUNEP)
DRV - [2005/02/01 14:45:12 | 000,074,240 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\atinesxx.sys -- (ATIXSAudio)
DRV - [2005/02/01 14:42:58 | 000,165,888 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\atinevxx.sys -- (atinevxx)
DRV - [2005/02/01 14:41:58 | 000,014,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\atinpdxx.sys -- (PCDCODEC)
DRV - [2005/02/01 14:41:40 | 000,015,360 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC)
DRV - [2005/02/01 14:37:46 | 000,055,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx)
DRV - [2004/12/19 04:27:01 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- E:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2004/12/19 04:27:01 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- E:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2004/12/19 04:26:58 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- E:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2004/12/19 04:26:56 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- E:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2004/08/03 22:08:30 | 000,105,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx)
DRV - [2004/06/21 17:53:20 | 000,626,204 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/06/04 10:02:42 | 000,027,232 | ---- | M] (Ulead Systems, Inc.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\ULCDRHlp.sys -- (ULCDRHlp)
DRV - [2004/06/03 11:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- E:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2004/05/29 08:30:46 | 000,292,288 | ---- | M] (Ulead Systems, Inc.) [File_System | System | Running] -- E:\WINDOWS\system32\drivers\USIUDF.sys -- (USIUDF)
DRV - [2004/05/17 15:00:54 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2004/05/17 15:00:52 | 000,033,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2004/04/13 08:14:12 | 000,070,144 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/02/24 12:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/10/29 14:02:00 | 000,021,120 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- E:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 9F 5E 16 01 73 B3 4E BB DD 85 0A 59 83 1A 7F [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 9F 5E 16 01 73 B3 4E BB DD 85 0A 59 83 1A 7F [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 9F 5E 16 01 73 B3 4E BB DD 85 0A 59 83 1A 7F [binary data]
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 9F 5E 16 01 73 B3 4E BB DD 85 0A 59 83 1A 7F [binary data]
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1409082233-813497703-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1409082233-813497703-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 9F 5E 16 01 73 B3 4E BB DD 85 0A 59 83 1A 7F [binary data]
IE - HKU\S-1-5-21-1409082233-813497703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-813497703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/08/12 16:21:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/08/12 16:10:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: E:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/09/13 11:31:14 | 000,000,000 | ---D | M]

[2010/10/13 01:00:49 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\Mozilla\Extensions
[2010/10/13 01:00:49 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - E:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {165E9F9E-7301-4EB3-BBDD-850A59831A7f} - E:\WINDOWS\system32\atioglx132.dll (Inprise Corporation)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - E:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - E:\Program Files\Norton Security Suite\Engine\4.3.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - E:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (MSN Toolbar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - E:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - E:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O2 - BHO: (46d002f5) - {FC608F9F-FC2D-1E18-2D0C-F8861725655B} - E:\WINDOWS\system32\cscdll32.dll (Inprise Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - E:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - E:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1409082233-813497703-839522115-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - E:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [kbddvwow.exe] E:\WINDOWS\kbddvwow.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Seagate Scheduler2 Service] E:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe (Seagate)
O4 - HKLM..\Run: [SoundMan] E:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [USIUDF_Eject_Monitor] E:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe (Ulead Systems)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-813497703-839522115-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1409082233-813497703-839522115-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1409082233-813497703-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB (Hewlett-Packard Printer Diagnostics)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135556958781 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (HPSDDX Class)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O20 - AppInit_DLLs: (E:\WINDOWS\system32\cscdll32.dll) - E:\WINDOWS\system32\cscdll32.dll (Inprise Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - E:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - E:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\TPSvc: DllName - TPSvc.dll - File not found
O24 - Desktop WallPaper: E:\Documents and Settings\JOBIT\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: E:\Documents and Settings\JOBIT\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - E:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - E:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/12/09 10:24:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{e23e9610-c58c-11df-b016-0011098b35eb}\Shell - "" = AutoRun
O33 - MountPoints2\{e23e9610-c58c-11df-b016-0011098b35eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e23e9610-c58c-11df-b016-0011098b35eb}\Shell\AutoRun\command - "" = N:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1409082233-813497703-839522115-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/11/02 21:07:38 | 000,576,000 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\JOBIT\Desktop\OTL.exe
[2010/11/02 11:48:21 | 000,000,000 | -HSD | C] -- E:\WINDOWS\System32\977B6387C1D33DF47C6F6FCC16953410
[2010/11/01 12:52:26 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\My Documents\Construction Drawings
[2010/10/28 12:09:51 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\My Documents\Music I Want 2010
[2010/10/22 13:21:29 | 001,325,656 | ---- | C] (Kaspersky Lab ZAO) -- E:\Documents and Settings\JOBIT\Desktop\TDSSKiller.exe
[2010/10/22 12:49:11 | 000,000,000 | ---D | C] -- E:\WINDOWS\Minidump
[2010/10/22 12:32:41 | 000,000,000 | ---D | C] -- E:\WINDOWS\System32\windows media
[2010/10/22 12:32:25 | 000,000,000 | ---D | C] -- E:\WINDOWS\RegisteredPackages
[2010/10/22 12:32:13 | 000,000,000 | ---D | C] -- E:\Program Files\Windows Media Components
[2010/10/22 12:31:34 | 000,027,232 | ---- | C] (Ulead Systems, Inc.) -- E:\WINDOWS\System32\drivers\ULCDRHlp.sys
[2010/10/22 12:31:32 | 000,292,288 | ---- | C] (Ulead Systems, Inc.) -- E:\WINDOWS\System32\drivers\USIUDF.sys
[2010/10/22 12:26:06 | 000,000,000 | ---D | C] -- E:\Program Files\Ulead Systems
[2010/10/22 12:26:05 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Ulead Systems
[2010/10/22 12:26:02 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Ulead Systems
[2010/10/18 12:06:58 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\My Documents\Virus Notes
[2010/10/15 16:14:54 | 000,000,000 | ---D | C] -- E:\Program Files\STOPzilla!
[2010/10/15 16:14:51 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\iS3
[2010/10/15 16:14:49 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/10/14 13:59:54 | 000,132,560 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3HTUI5.dll
[2010/10/14 13:59:52 | 000,546,256 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\SZComp5.dll
[2010/10/14 13:59:52 | 000,452,048 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\SZBase5.dll
[2010/10/14 13:59:52 | 000,398,800 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3DBA5.dll
[2010/10/14 13:59:52 | 000,099,792 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Svc5.dll
[2010/10/14 13:59:52 | 000,067,024 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Hks5.dll
[2010/10/14 13:59:52 | 000,028,624 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3XDat5.dll
[2010/10/14 13:59:52 | 000,022,992 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\SZIO5.dll
[2010/10/14 13:59:50 | 000,738,768 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Base5.dll
[2010/10/14 13:59:50 | 000,390,608 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3UI5.dll
[2010/10/14 13:59:50 | 000,230,864 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Win325.dll
[2010/10/14 13:59:50 | 000,099,792 | R--- | C] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Inet5.dll
[2010/10/14 11:55:54 | 000,000,000 | RH-D | C] -- E:\Documents and Settings\JOBIT\Recent
[2010/10/13 11:56:38 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\My Documents\Sullivan Metals Folder
[2010/10/13 01:17:19 | 000,000,000 | ---D | C] -- E:\Documents and Settings\LocalService\Application Data\WinRAR
[2010/10/13 01:16:59 | 000,000,000 | -HSD | C] -- E:\WINDOWS\System32\SysWoW32
[2010/10/13 01:16:39 | 000,000,000 | ---D | C] -- E:\WINDOWS\System32\76625351
[2010/10/13 01:14:48 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\Application Data\Apple Computer
[2010/10/13 01:13:47 | 000,000,000 | ---D | C] -- E:\Program Files\iPod
[2010/10/13 01:13:39 | 000,000,000 | ---D | C] -- E:\Program Files\iTunes
[2010/10/13 01:13:39 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/10/13 01:12:31 | 000,000,000 | ---D | C] -- E:\Program Files\QuickTime
[2010/10/13 01:12:30 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/10/13 01:12:19 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\Local Settings\Application Data\Apple
[2010/10/13 01:12:14 | 000,000,000 | ---D | C] -- E:\Program Files\Apple Software Update
[2010/10/13 01:11:42 | 000,000,000 | ---D | C] -- E:\Program Files\Bonjour
[2010/10/13 01:11:31 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Apple
[2010/10/13 01:11:31 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Apple
[2010/10/13 01:11:01 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\Local Settings\Application Data\Apple Computer
[2010/10/13 01:01:02 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\My Documents\LimeWire
[2010/10/13 01:00:49 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\Application Data\Mozilla
[2010/10/13 01:00:25 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\Application Data\LimeWire
[2010/10/13 00:59:39 | 000,000,000 | ---D | C] -- E:\Program Files\LimeWire
[2010/10/08 11:50:45 | 000,000,000 | ---D | C] -- E:\Documents and Settings\JOBIT\My Documents\Words in Word
[2010/10/08 10:22:38 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Adobe
[9 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]
[4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[2 E:\WINDOWS\System32\dllcache\*.tmp files -> E:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 E:\Documents and Settings\JOBIT\Desktop\*.tmp files -> E:\Documents and Settings\JOBIT\Desktop\*.tmp -> ]
[1 E:\Documents and Settings\JOBIT\*.tmp files -> E:\Documents and Settings\JOBIT\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/02 21:16:03 | 000,001,185 | ---- | M] () -- E:\WINDOWS\System32\1188637148
[2010/11/02 21:10:51 | 000,133,632 | ---- | M] () -- E:\Documents and Settings\JOBIT\Desktop\RKUnhookerLE.EXE
[2010/11/02 21:09:32 | 000,002,533 | ---- | M] () -- E:\Documents and Settings\JOBIT\Application Data\Microsoft\Internet Explorer\Quick Launch\Word 2007 Pro.lnk
[2010/11/02 21:07:41 | 000,576,000 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\JOBIT\Desktop\OTL.exe
[2010/11/02 21:03:07 | 000,001,024 | ---- | M] () -- E:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/11/02 21:01:23 | 000,507,392 | -HS- | M] () -- E:\WINDOWS\kbddvwow.exe
[2010/11/02 21:01:18 | 000,000,208 | -HS- | M] () -- E:\WINDOWS\System32\1727202032
[2010/11/02 21:01:16 | 000,002,206 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2010/11/02 20:59:29 | 000,000,880 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/02 20:59:16 | 000,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2010/11/02 14:44:03 | 000,000,884 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/02 13:52:56 | 000,000,154 | ---- | M] () -- E:\WINDOWS\System32\662355a7
[2010/11/02 11:56:05 | 000,005,738 | ---- | M] () -- E:\WINDOWS\System32\GnuHashes.ini
[2010/11/02 11:48:38 | 000,000,208 | ---- | M] () -- E:\WINDOWS\System32\sl118657122
[2010/10/31 21:28:26 | 000,000,234 | ---- | M] () -- E:\WINDOWS\System32\d148139
[2010/10/29 11:22:30 | 000,002,028 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
[2010/10/29 11:21:37 | 000,638,162 | ---- | M] () -- E:\WINDOWS\System32\drivers\N360\0403000.005\Cat.DB
[2010/10/27 14:40:45 | 000,154,624 | ---- | M] () -- E:\WINDOWS\System32\419626247c4
[2010/10/27 14:40:41 | 000,145,408 | ---- | M] () -- E:\WINDOWS\System32\419626247c2
[2010/10/27 14:40:39 | 000,153,088 | ---- | M] () -- E:\WINDOWS\System32\419626247c1
[2010/10/25 12:20:10 | 000,001,393 | ---- | M] () -- E:\WINDOWS\imsins.BAK
[2010/10/23 13:52:38 | 000,050,773 | ---- | M] () -- E:\Documents and Settings\JOBIT\Desktop\5108103112_49f924fd1a_z.jpg
[2010/10/23 13:36:02 | 000,051,289 | ---- | M] () -- E:\Documents and Settings\JOBIT\Desktop\DDS Screen Shot 102310.JPG
[2010/10/23 08:47:02 | 000,000,284 | ---- | M] () -- E:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/23 03:01:29 | 000,527,112 | ---- | M] () -- E:\WINDOWS\System32\perfh009.dat
[2010/10/23 03:01:29 | 000,095,916 | ---- | M] () -- E:\WINDOWS\System32\perfc009.dat
[2010/10/22 13:22:29 | 000,000,000 | ---- | M] () -- E:\Documents and Settings\JOBIT\defogger_reenable
[2010/10/22 12:35:09 | 000,351,384 | ---- | M] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/22 12:28:09 | 000,001,958 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Ulead DVD MovieFactory 3.5 Suite.lnk
[2010/10/21 17:26:14 | 000,000,664 | ---- | M] () -- E:\WINDOWS\System32\d3d9caps.dat
[2010/10/18 12:23:27 | 001,325,656 | ---- | M] (Kaspersky Lab ZAO) -- E:\Documents and Settings\JOBIT\Desktop\TDSSKiller.exe
[2010/10/17 13:49:37 | 000,167,424 | ---- | M] () -- E:\WINDOWS\System32\cryptnet32.dll.exe
[2010/10/14 13:59:54 | 000,132,560 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3HTUI5.dll
[2010/10/14 13:59:52 | 000,546,256 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\SZComp5.dll
[2010/10/14 13:59:52 | 000,452,048 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\SZBase5.dll
[2010/10/14 13:59:52 | 000,398,800 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3DBA5.dll
[2010/10/14 13:59:52 | 000,099,792 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Svc5.dll
[2010/10/14 13:59:52 | 000,067,024 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Hks5.dll
[2010/10/14 13:59:52 | 000,028,624 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3XDat5.dll
[2010/10/14 13:59:52 | 000,022,992 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\SZIO5.dll
[2010/10/14 13:59:50 | 000,738,768 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Base5.dll
[2010/10/14 13:59:50 | 000,390,608 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3UI5.dll
[2010/10/14 13:59:50 | 000,230,864 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Win325.dll
[2010/10/14 13:59:50 | 000,099,792 | R--- | M] (iS3, Inc.) -- E:\WINDOWS\System32\IS3Inet5.dll
[2010/10/14 12:00:26 | 000,001,747 | ---- | M] () -- E:\Documents and Settings\JOBIT\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Reader 9.4.0.lnk
[2010/10/14 12:00:02 | 000,001,933 | ---- | M] () -- E:\Documents and Settings\JOBIT\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2010/10/14 02:27:30 | 000,011,776 | ---- | M] () -- E:\Documents and Settings\JOBIT\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/13 15:16:39 | 000,167,424 | ---- | M] () -- E:\WINDOWS\System32\dmocx32.dll.exe
[2010/10/13 01:16:39 | 000,203,776 | -HS- | M] () -- E:\WINDOWS\System32\unrar.exe
[2010/10/13 01:16:29 | 000,168,960 | -HS- | M] () -- E:\WINDOWS\lsass.exe
[2010/10/13 01:16:19 | 000,000,094 | ---- | M] () -- E:\WINDOWS\System32\1275938263
[2010/10/13 01:16:06 | 001,313,280 | ---- | M] () -- E:\WINDOWS\System32\csrsrv32.exe
[2010/10/13 01:16:06 | 001,313,280 | ---- | M] () -- E:\WINDOWS\System32\cryptnet32.exe
[2010/10/13 01:14:29 | 000,001,804 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/10/13 01:12:47 | 000,001,622 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/10/13 01:00:00 | 000,001,598 | ---- | M] () -- E:\Documents and Settings\JOBIT\Desktop\LimeWire 5.5.16.lnk
[2010/10/08 10:23:20 | 000,001,747 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Adobe Reader 9.4.0.lnk
[9 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]
[4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[2 E:\WINDOWS\System32\dllcache\*.tmp files -> E:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 E:\Documents and Settings\JOBIT\Desktop\*.tmp files -> E:\Documents and Settings\JOBIT\Desktop\*.tmp -> ]
[1 E:\Documents and Settings\JOBIT\*.tmp files -> E:\Documents and Settings\JOBIT\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/02 21:10:50 | 000,133,632 | ---- | C] () -- E:\Documents and Settings\JOBIT\Desktop\RKUnhookerLE.EXE
[2010/11/02 21:02:10 | 000,001,024 | ---- | C] () -- E:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/11/02 21:01:32 | 000,507,392 | -HS- | C] () -- E:\WINDOWS\kbddvwow.exe
[2010/10/31 21:26:51 | 000,154,624 | ---- | C] () -- E:\WINDOWS\System32\419626247c4
[2010/10/31 21:26:51 | 000,153,088 | ---- | C] () -- E:\WINDOWS\System32\419626247c1
[2010/10/31 21:26:51 | 000,145,408 | ---- | C] () -- E:\WINDOWS\System32\419626247c2
[2010/10/31 21:25:26 | 000,000,234 | ---- | C] () -- E:\WINDOWS\System32\d148139
[2010/10/29 11:22:29 | 000,002,028 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
[2010/10/23 13:52:34 | 000,050,773 | ---- | C] () -- E:\Documents and Settings\JOBIT\Desktop\5108103112_49f924fd1a_z.jpg
[2010/10/23 13:06:39 | 000,051,289 | ---- | C] () -- E:\Documents and Settings\JOBIT\Desktop\DDS Screen Shot 102310.JPG
[2010/10/22 13:22:29 | 000,000,000 | ---- | C] () -- E:\Documents and Settings\JOBIT\defogger_reenable
[2010/10/22 12:28:09 | 000,001,958 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Ulead DVD MovieFactory 3.5 Suite.lnk
[2010/10/17 13:49:37 | 000,167,424 | ---- | C] () -- E:\WINDOWS\System32\cryptnet32.dll.exe
[2010/10/14 12:00:26 | 000,001,747 | ---- | C] () -- E:\Documents and Settings\JOBIT\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Reader 9.4.0.lnk
[2010/10/14 12:00:02 | 000,001,933 | ---- | C] () -- E:\Documents and Settings\JOBIT\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2010/10/14 11:49:28 | 000,000,208 | ---- | C] () -- E:\WINDOWS\System32\sl118657122
[2010/10/13 15:16:39 | 000,167,424 | ---- | C] () -- E:\WINDOWS\System32\dmocx32.dll.exe
[2010/10/13 11:19:33 | 000,000,154 | ---- | C] () -- E:\WINDOWS\System32\662355a7
[2010/10/13 01:23:13 | 000,005,738 | ---- | C] () -- E:\WINDOWS\System32\GnuHashes.ini
[2010/10/13 01:18:10 | 000,001,185 | ---- | C] () -- E:\WINDOWS\System32\1188637148
[2010/10/13 01:18:10 | 000,000,208 | -HS- | C] () -- E:\WINDOWS\System32\1727202032
[2010/10/13 01:17:18 | 000,168,960 | -HS- | C] () -- E:\WINDOWS\lsass.exe
[2010/10/13 01:16:39 | 000,203,776 | -HS- | C] () -- E:\WINDOWS\System32\unrar.exe
[2010/10/13 01:16:19 | 001,313,280 | ---- | C] () -- E:\WINDOWS\System32\csrsrv32.exe
[2010/10/13 01:16:17 | 001,313,280 | ---- | C] () -- E:\WINDOWS\System32\cryptnet32.exe
[2010/10/13 01:16:17 | 000,000,094 | ---- | C] () -- E:\WINDOWS\System32\1275938263
[2010/10/13 01:14:29 | 000,001,804 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/10/13 01:12:47 | 000,001,622 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/10/13 01:12:19 | 000,000,284 | ---- | C] () -- E:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/13 00:59:59 | 000,001,598 | ---- | C] () -- E:\Documents and Settings\JOBIT\Desktop\LimeWire 5.5.16.lnk
[2010/10/08 10:23:19 | 000,001,747 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Adobe Reader 9.4.0.lnk
[2010/08/29 20:30:42 | 000,000,048 | ---- | C] () -- E:\WINDOWS\TaxACT09.ini
[2010/08/17 13:42:16 | 000,074,752 | ---- | C] () -- E:\WINDOWS\System32\jst.dll
[2010/08/17 13:42:16 | 000,061,440 | ---- | C] () -- E:\WINDOWS\System32\PMLJNI.dll
[2010/08/12 20:59:12 | 000,013,192 | ---- | C] () -- E:\WINDOWS\hplj3380.ini
[2010/08/12 18:07:43 | 000,000,477 | ---- | C] () -- E:\WINDOWS\hpbvspst.ini
[2010/08/12 18:07:22 | 000,001,896 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/08/12 18:07:21 | 000,001,209 | ---- | C] () -- E:\WINDOWS\hpbvnstp.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- E:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- E:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- E:\WINDOWS\System32\gthrctr.ini
[2005/02/22 17:46:07 | 000,001,793 | ---- | C] () -- E:\WINDOWS\System32\fxsperf.ini
[2004/12/21 09:35:36 | 000,011,776 | ---- | C] () -- E:\Documents and Settings\JOBIT\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/09 19:40:18 | 000,155,648 | ---- | C] () -- E:\WINDOWS\System32\RTLCPAPI.dll
[2004/12/09 05:19:34 | 000,004,161 | ---- | C] () -- E:\WINDOWS\ODBCINST.INI
[2004/03/03 05:06:00 | 000,221,184 | ---- | C] () -- E:\WINDOWS\System32\HP3AIOZ6.dll
[2003/09/26 06:42:46 | 000,002,421 | ---- | C] () -- E:\WINDOWS\System32\scrubber.ini
[2002/05/03 15:40:32 | 000,094,274 | ---- | C] () -- E:\WINDOWS\System32\HPBHEALR.DLL
[2001/03/28 12:37:14 | 000,000,033 | ---- | C] () -- E:\WINDOWS\System32\hppcap.ini
[2001/03/28 12:37:14 | 000,000,033 | ---- | C] () -- E:\WINDOWS\hppcap.ini

========== LOP Check ==========

[2004/12/19 04:27:02 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\Seagate
[2010/11/02 21:14:49 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/10/22 12:36:30 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\Ulead Systems
[2010/09/21 10:33:12 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\Western Digital
[2010/10/13 01:14:25 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/09/13 11:42:56 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\ISIS Drivers
[2010/09/10 10:15:17 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\Leadertech
[2010/10/14 11:47:44 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\LimeWire
[2010/09/08 13:16:47 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\QMC
[2010/09/21 10:33:18 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\Western Digital
[2010/08/12 15:09:12 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\Windows Desktop Search
[2010/08/12 20:24:18 | 000,000,000 | ---D | M] -- E:\Documents and Settings\JOBIT\Application Data\Windows Search

========== Purity Check ==========

< End of report >

********** Extras.txt Report **********

OTL Extras logfile created on: 11/2/2010 9:12:52 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = E:\Documents and Settings\JOBIT\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 194.00 Mb Available Physical Memory | 19.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): E:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 23.29 Gb Total Space | 21.73 Gb Free Space | 93.31% Space Free | Partition Type: NTFS
Drive D: | 34.92 Gb Total Space | 34.62 Gb Free Space | 99.13% Space Free | Partition Type: NTFS
Drive E: | 24.22 Gb Total Space | 14.43 Gb Free Space | 59.57% Space Free | Partition Type: NTFS
Drive F: | 27.02 Gb Total Space | 27.01 Gb Free Space | 99.98% Space Free | Partition Type: NTFS
Drive G: | 35.11 Gb Total Space | 35.10 Gb Free Space | 99.99% Space Free | Partition Type: NTFS
Drive H: | 35.30 Gb Total Space | 35.29 Gb Free Space | 99.99% Space Free | Partition Type: NTFS
Drive I: | 37.66 Gb Total Space | 37.30 Gb Free Space | 99.04% Space Free | Partition Type: NTFS
Drive J: | 43.32 Gb Total Space | 42.42 Gb Free Space | 97.91% Space Free | Partition Type: NTFS
Drive M: | 37.25 Gb Total Space | 3.97 Gb Free Space | 10.65% Space Free | Partition Type: NTFS

Computer Name: JOBIT-1 | User Name: JOBIT | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1409082233-813497703-839522115-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"E:\WINDOWS\system32\cryptnet32.exe" = E:\WINDOWS\system32\cryptnet32.exe:*:Enabled:Windows Update Service -- ()
"E:\WINDOWS\explorer.exe" = E:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)
"E:\WINDOWS\wevtfwdwow.exe" = E:\WINDOWS\wevtfwdwow.exe:*:Enabled:Windows Update Service -- File not found
"E:\WINDOWS\kbddvwow.exe" = E:\WINDOWS\kbddvwow.exe:*:Enabled:Windows Update Service -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\Program Files\iTunes\iTunes.exe" = E:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"E:\WINDOWS\system32\cryptnet32.exe" = E:\WINDOWS\system32\cryptnet32.exe:*:Enabled:Windows Update Service -- ()
"E:\WINDOWS\explorer.exe" = E:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)
"E:\WINDOWS\wevtfwdwow.exe" = E:\WINDOWS\wevtfwdwow.exe:*:Enabled:Windows Update Service -- File not found
"E:\WINDOWS\kbddvwow.exe" = E:\WINDOWS\kbddvwow.exe:*:Enabled:Windows Update Service -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{232DB76D-4751-41A9-9EC2-CDC0DAC1FAB6}" = WD SmartWare
"{257EC58E-03FD-472B-A9B6-93F23A3C4CB0}" = Scan
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{304B576D-A16E-4983-A5E5-53E40806DFB5}" = STOPzilla
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{66468F4D-BC4E-470C-9093-B3B6A1BB378C}" = MSN Toolbar Platform
"{67B9AF41-C0B9-4960-84D9-A61D23DE85D8}" = Garmin Trip and Waypoint Manager v4
"{68658FCB-01BB-4980-A7C3-6ADB1E4E0C66}" = Browntech Image Plugin 2.02
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{AD8E6D29-95EC-494E-8AF5-566E784819A6}" = Ulead Data-Add 2.0
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C43E4B9C-14C8-4EB0-998B-85211B6EDD61}" = Seagate DiscWizard
"{C7D89BBE-D4B3-49E8-B185-7966B5345866}" = Ulead DVD MovieFactory 3.5 Suite
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DD23CAA4-8872-4B95-B263-EA46FD82CF19}" = LaserAIO
"{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}" = HP Software Update
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{F8A3C1B6-D2E0-4CE1-80A2-555D6F71C639}" = Microsoft Search Enhancement Pack
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"hp LaserJet-all-in-one" = hp LaserJet-all-in-one
"ie8" = Windows Internet Explorer 8
"LimeWire" = LimeWire 5.5.16
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"N360" = Norton Security Suite
"NVIDIA Drivers" = NVIDIA Drivers
"PROR" = Microsoft Office Professional 2007
"QuickMonth Calendar_is1" = QuickMonth Calendar 2.1
"TaxACT 2009" = TaxACT 2009
"TaxACT 2009 Massachusetts" = TaxACT 2009 Massachusetts
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/31/2010 9:54:12 PM | Computer Name = JOBIT-1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/1/2010 12:36:45 AM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application WDSmartWareBackgroundService.exe, version 2.0.0.1,
faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 11/1/2010 10:28:25 AM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application WDSmartWareBackgroundService.exe, version 2.0.0.1,
faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 11/1/2010 12:44:16 PM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application asoelnch.exe, version 17.8.0.5, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 11/1/2010 1:30:20 PM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application 1B.tmp, version 1.2.1.0, faulting module 1B.tmp,
version 1.2.1.0, fault address 0x000030ff.

Error - 11/2/2010 11:47:21 AM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application WDSmartWareBackgroundService.exe, version 2.0.0.1,
faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 11/2/2010 11:59:28 AM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18975, fault address 0x00029e0f.

Error - 11/2/2010 12:00:27 PM | Computer Name = JOBIT-1 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/2/2010 1:04:36 PM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application asoelnch.exe, version 17.8.0.5, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 11/2/2010 9:00:29 PM | Computer Name = JOBIT-1 | Source = Application Error | ID = 1000
Description = Faulting application WDSmartWareBackgroundService.exe, version 2.0.0.1,
faulting module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

[ System Events ]
Error - 10/27/2010 1:02:51 PM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 10/28/2010 11:57:36 AM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 10/28/2010 11:58:17 PM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 10/29/2010 11:23:10 AM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 10/31/2010 9:24:55 PM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 10/31/2010 9:42:18 PM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 11/1/2010 12:36:50 AM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 11/1/2010 10:28:42 AM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 11/2/2010 11:47:40 AM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

Error - 11/2/2010 9:00:47 PM | Computer Name = JOBIT-1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WD SmartWare Background
Service service to connect.

< End of report >

********** Rootkit Unhooker Report **********

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF0C9000 E:\WINDOWS\System32\ati3duag.dll 2637824 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 E:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 E:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF5D3E000 E:\WINDOWS\System32\DRIVERS\ati2mtag.sys 1564672 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xAFCF2000 E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20101102.038\NAVEX15.SYS 1368064 bytes (Symantec Corporation, AV Engine)
0xBF34D000 E:\WINDOWS\System32\ativvaxx.dll 864256 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xB3F80000 E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101029.001\BHDrvx86.sys 704512 bytes (Symantec Corporation, BASH Driver)
0xF5F65000 E:\WINDOWS\system32\drivers\ALCXWDM.SYS 618496 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xF72AA000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB402C000 E:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0xB4126000 E:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7212000 timntr.sys 438272 bytes (Acronis, Acronis True Image Backup Archive Explorer)
0xF5EBC000 E:\WINDOWS\system32\drivers\ALCXSENS.SYS 401408 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xB40C8000 E:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF5C4E000 E:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB42E0000 E:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF71B9000 tdrpman.sys 364544 bytes (Acronis, Acronis Try&Decide and Restore Points Volume Filter Driver)
0xAFC86000 E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101102.001\IDSxpx86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0xB17E3000 E:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBA3A7000 E:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0xB4289000 E:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS 356352 bytes (Symantec Corporation, Network Dispatch Driver)
0xF738D000 SYMDS.SYS 352256 bytes
0xB434C000 E:\WINDOWS\System32\Drivers\USIUDF.sys 294912 bytes (Ulead Systems, Inc., Ulead UDF Driver for Windows XP)
0xBFFA0000 E:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF012000 E:\WINDOWS\System32\ati2dvag.dll 270336 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xB0689000 E:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF054000 E:\WINDOWS\System32\ati2cqag.dll 258048 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF093000 E:\WINDOWS\System32\atikvmag.dll 221184 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB8D4D000 E:\WINDOWS\system32\DRIVERS\Dot4.sys 208896 bytes (Microsoft Corporation, One Cool Transport)
0xF5CAC000 E:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF5FFC000 E:\WINDOWS\System32\DRIVERS\NVSNPU.SYS 192512 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xF746D000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB1B38000 E:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF727D000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF734E000 SYMEFA.SYS 184320 bytes
0xAFC5B000 E:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB4196000 E:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB41E3000 E:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7417000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB4263000 E:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB8DE4000 E:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xF5F41000 E:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF602B000 E:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF5F1E000 E:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB41C1000 E:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 E:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73E3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF743D000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBA388000 E:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0xF719A000 snapman.sys 126976 bytes (Acronis, Acronis Snapshot API)
0xB40AB000 E:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF7180000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7337000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5CED000 E:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB1DEF000 E:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB3F6C000 E:\WINDOWS\System32\Drivers\dump_nvatabus.sys 81920 bytes
0xAFCDE000 E:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20101102.038\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xF7403000 nvatabus.sys 81920 bytes (NVIDIA Corporation, NVIDIA® nForce™ IDE Performance Driver)
0xF5D04000 E:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF5D2A000 E:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB4339000 E:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 E:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF5D18000 E:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys 73728 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xF737B000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF745C000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5CDC000 E:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB4394000 E:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xB8185000 E:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF6C5D000 E:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF6C2D000 E:\WINDOWS\System32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF75DC000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF6251000 E:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB4DC8000 E:\WINDOWS\System32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF6C6D000 E:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF6C4D000 E:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB8778000 E:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF61F1000 E:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF75EC000 E:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF6C7D000 E:\WINDOWS\System32\DRIVERS\NVNRM.SYS 57344 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xF759C000 szkg.sys 57344 bytes (iS3 Inc., szkg Device Driver)
0xF6C8D000 E:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF762C000 E:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF6241000 E:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75AC000 szkgfs.sys 53248 bytes (iS3, Inc., STOPzilla Kernel Guard File System, x86-32 )
0xF760C000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF6221000 E:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB898B000 E:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF6C3D000 E:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF75FC000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF6231000 E:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF763C000 sbp2port.sys 45056 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0xF75CC000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF771C000 E:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF767C000 E:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xF6201000 E:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB8758000 E:\WINDOWS\system32\DRIVERS\tifsfilt.sys 40960 bytes (Acronis, Acronis True Image File System Filter)
0xF761C000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF772C000 E:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF6211000 E:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB89AB000 E:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB0341000 E:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF778C000 E:\WINDOWS\System32\DRIVERS\NVENETFD.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xB4DD8000 E:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB4478000 E:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7864000 E:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF790C000 E:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF791C000 E:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF78F4000 E:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF793C000 E:\WINDOWS\System32\Drivers\ULCDRHlp.sys 28672 bytes (Ulead Systems, Inc., ULCDRHlp driver)
0xF786C000 E:\WINDOWS\system32\DRIVERS\dot4usb.sys 24576 bytes (Microsoft Corporation, DOT4USB filter driver)
0xF7914000 E:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7944000 E:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF794C000 E:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7824000 nv_agp.sys 24576 bytes (NVIDIA Corporation, NVIDIA nForce AGP Filter)
0xB4488000 E:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF79A4000 E:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xB4480000 E:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF781C000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF792C000 E:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7934000 E:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7924000 E:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7904000 E:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF784C000 E:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB151F000 E:\WINDOWS\System32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF6FF8000 E:\WINDOWS\system32\DRIVERS\Dot4Prt.sys 16384 bytes (Microsoft Corporation, Dot4 Printer Driver)
0xF7094000 E:\WINDOWS\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF703C000 E:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB1ED4000 E:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7078000 E:\WINDOWS\System32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF7074000 E:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF79AC000 E:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB50F9000 E:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7004000 E:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF6FFC000 E:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7070000 E:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF5BBC000 E:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7B24000 E:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7AA0000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB5422000 E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B02000 E:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A9C000 E:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B26000 E:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7AF2000 E:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7B28000 E:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B4C000 E:\WINDOWS\system32\DRIVERS\serscan.sys 8192 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0xF7B20000 E:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B22000 E:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A9E000 E:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7B65000 E:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB4405000 E:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7CF0000 E:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [ndistapi.sys]
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [hidusb.sys]
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [dxapi.sys]
WARNING: Virus alike driver modification [mup.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
0x03DF0000 Hidden Image-->System.Windows.dll [ EPROCESS 0x84948830 ] PID: 1056, 1069056 bytes
WARNING: Virus alike driver modification [ndisip.sys]
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [slip.sys]
WARNING: Virus alike driver modification [irenum.sys]
WARNING: Virus alike driver modification [wadv08nt.sys]
WARNING: Virus alike driver modification [sfloppy.sys]
WARNING: Virus alike driver modification [wdcsam.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [grmn1200.sys]
WARNING: Virus alike driver modification [wadv07nt.sys]
WARNING: Virus alike driver modification [mdmxsdk.sys]
WARNING: Virus alike driver modification [wadv09nt.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [mouhid.sys]
WARNING: Virus alike driver modification [usbvideo.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: Virus alike driver modification [SYMEVENT.SYS]
WARNING: Virus alike driver modification [ftdisk.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [mutohpen.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [usb8023x.sys]
WARNING: Virus alike driver modification [Dot4Prt.sys]
WARNING: Virus alike driver modification [nvnetbus.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [fltmgr.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [snapman.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
WARNING: Virus alike driver modification [afd.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [rdpwd.sys]
WARNING: Virus alike driver modification [ks.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [wacompen.sys]
WARNING: Virus alike driver modification [asyncmac.sys]
0x03DC0000 Hidden Image-->System.Windows.Browser.dll [ EPROCESS 0x84948830 ] PID: 1056, 143360 bytes
WARNING: Virus alike driver modification [fastfat.sys]
WARNING: Virus alike driver modification [usbport.sys]
WARNING: Virus alike driver modification [hdaudbus.sys]
WARNING: Virus alike driver modification [kbdhid.sys]
WARNING: Virus alike driver modification [ndisuio.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [portcls.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [ati2mtag.sys]
WARNING: Virus alike driver modification [streamip.sys]
WARNING: Virus alike driver modification [ipnat.sys]
WARNING: Virus alike driver modification [dmio.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [mssmbios.sys]
WARNING: Virus alike driver modification [serenum.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [netbt.sys]
WARNING: Virus alike driver modification [nwrdr.sys]
WARNING: Virus alike driver modification [grmn0400.sys]
WARNING: Virus alike driver modification [raspti.sys]
WARNING: Virus alike driver modification [atinevxx.sys]
WARNING: Virus alike driver modification [s3gnbm.sys]
WARNING: Virus alike driver modification [bthenum.sys]
WARNING: Virus alike driver modification [ccdecode.sys]
WARNING: Virus alike driver modification [usbohci.sys]
WARNING: Virus alike driver modification [kmixer.sys]
WARNING: Virus alike driver modification [grmn0200.sys]
WARNING: Virus alike driver modification [rdbss.sys]
WARNING: Virus alike driver modification [ptilink.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [mrxdav.sys]
WARNING: Virus alike driver modification [ndis.sys]
WARNING: Virus alike driver modification [grmngen.sys]
WARNING: Virus alike driver modification [cdaudio.sys]
WARNING: Virus alike driver modification [acpi.sys]
WARNING: Virus alike driver modification [bthusb.sys]
WARNING: Virus alike driver modification [nv4_mini.sys]
WARNING: Virus alike driver modification [msfs.sys]
WARNING: Virus alike driver modification [tdi.sys]
WARNING: Virus alike driver modification [nvsnpu.sys]
WARNING: Virus alike driver modification [hidir.sys]
WARNING: Virus alike driver modification [wstcodec.sys]
WARNING: Virus alike driver modification [rdpdr.sys]
WARNING: Virus alike driver modification [partmgr.sys]
0x7BF20000 Hidden Image-->System.Net.dll [ EPROCESS 0x84948830 ] PID: 1056, 200704 bytes
WARNING: Virus alike driver modification [rmcast.sys]
WARNING: Virus alike driver modification [flpydisk.sys]
WARNING: Virus alike driver modification [secdrv.sys]
WARNING: Virus alike driver modification [Dot4.sys]
WARNING: Virus alike driver modification [ipinip.sys]
WARNING: Virus alike driver modification [vga.sys]
WARNING: Virus alike driver modification [nv_agp.SYS]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [tdtcp.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [watv06nt.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [mouclass.sys]
WARNING: Virus alike driver modification [Dot4usb.sys]
0x79000000 Hidden Image-->system.dll [ EPROCESS 0x84948830 ] PID: 1056, 241664 bytes
WARNING: Virus alike driver modification [kbdclass.sys]
WARNING: Virus alike driver modification [hidparse.sys]
WARNING: Virus alike driver modification [pciidex.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [watv10nt.sys]
WARNING: Virus alike driver modification [hidbth.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
WARNING: Virus alike driver modification [usbstor.sys]
WARNING: Virus alike driver modification [http.sys]
WARNING: Virus alike driver modification [GEARAspiWDM.sys]
WARNING: Virus alike driver modification [bthport.sys]
WARNING: Virus alike driver modification [ULCDRHlp.sys]
WARNING: Virus alike driver modification [fdc.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
0x6C3A0000 Hidden Image-->System.Core.dll [ EPROCESS 0x84948830 ] PID: 1056, 290816 bytes
WARNING: Virus alike driver modification [USIUDF.sys]
WARNING: Virus alike driver modification [ati1xbxx.sys]
WARNING: Virus alike driver modification [modem.sys]
WARNING: Virus alike driver modification [usbehci.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [rndismpx.sys]
WARNING: Virus alike driver modification [ati1raxx.sys]
WARNING: Virus alike driver modification [npfs.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [atinxbxx.sys]
WARNING: Virus alike driver modification [usbccgp.sys]
WARNING: Virus alike driver modification [nwlnkfwd.sys]
WARNING: Virus alike driver modification [ati2mtaa.sys]
WARNING: Virus alike driver modification [ipfltdrv.sys]
0x6C6D0000 Hidden Image-->System.Xml.dll [ EPROCESS 0x84948830 ] PID: 1056, 331776 bytes
WARNING: Virus alike driver modification [NVENETFD.sys]
WARNING: Virus alike driver modification [AmdPPM.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [wanarp.sys]
WARNING: Virus alike driver modification [netbios.sys]
WARNING: Virus alike driver modification [ati1xsxx.sys]
WARNING: Virus alike driver modification [msgpc.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [srv.sys]
WARNING: Virus alike driver modification [processr.sys]
WARNING: Virus alike driver modification [tcpip.sys]
WARNING: Virus alike driver modification [disk.sys]
WARNING: Virus alike driver modification [intelppm.sys]
WARNING: Virus alike driver modification [ati1tuxx.sys]
WARNING: Virus alike driver modification [bthprint.sys]
WARNING: Virus alike driver modification [ip6fw.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [tdrpman.sys]
WARNING: Virus alike driver modification [hidclass.sys]
WARNING: Virus alike driver modification [isapnp.sys]
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [bthmodem.sys]
WARNING: Virus alike driver modification [update.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [ALCXSENS.SYS]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [slntamr.sys]
WARNING: Virus alike driver modification [ndproxy.sys]
WARNING: Virus alike driver modification [termdd.sys]
WARNING: Virus alike driver modification [sisagp.sys]
WARNING: Virus alike driver modification [raspppoe.sys]
WARNING: Virus alike driver modification [imapi.sys]
0x03F00000 Hidden Image-->System.Runtime.Serialization.dll [ EPROCESS 0x84948830 ] PID: 1056, 421888 bytes
WARNING: Virus alike driver modification [beep.sys]
WARNING: Virus alike driver modification [mnmdd.sys]
WARNING: Virus alike driver modification [rdpcdd.sys]
WARNING: Virus alike driver modification [viaagp.sys]
WARNING: Virus alike driver modification [agp440.sys]
WARNING: Virus alike driver modification [mountmgr.sys]
WARNING: Virus alike driver modification [alim1541.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [amdagp.sys]
WARNING: Virus alike driver modification [swenum.sys]
WARNING: Virus alike driver modification [wmilib.sys]
WARNING: Virus alike driver modification [sbp2port.sys]
WARNING: Virus alike driver modification [timntr.sys]
WARNING: Virus alike driver modification [tifsfilt.sys]
WARNING: Virus alike driver modification [fips.sys]
WARNING: Virus alike driver modification [uagp35.sys]
WARNING: Virus alike driver modification [agpcpq.sys]
WARNING: Virus alike driver modification [mtxparhm.sys]
WARNING: Virus alike driver modification [mrxsmb.sys]
WARNING: Virus alike driver modification [gagp30kx.sys]
WARNING: Virus alike driver modification [irbus.sys]
WARNING: Virus alike driver modification [usbd.sys]
WARNING: Virus alike driver modification [raspptp.sys]
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [classpnp.sys]
WARNING: Virus alike driver modification [mspqm.sys]
WARNING: Virus alike driver modification [rasl2tp.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [volsnap.sys]
WARNING: Virus alike driver modification [i8042prt.sys]
WARNING: Virus alike driver modification [dmusic.sys]
WARNING: Virus alike driver modification [1394bus.sys]
WARNING: Virus alike driver modification [mspclock.sys]
WARNING: Virus alike driver modification [mstee.sys]
WARNING: Virus alike driver modification [atinraxx.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [nwlnkspx.sys]
WARNING: Virus alike driver modification [atineuxx.sys]
WARNING: Virus alike driver modification [swmidi.sys]
WARNING: Virus alike driver modification [ati1btxx.sys]
WARNING: Virus alike driver modification [nvnrm.sys]
WARNING: Virus alike driver modification [ntfs.sys]
WARNING: Virus alike driver modification [redbook.sys]
WARNING: Virus alike driver modification [atinbtxx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [dmload.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [smbali.sys]
WARNING: Virus alike driver modification [rfcomm.sys]
WARNING: Virus alike driver modification [SZKGFS.sys]
WARNING: Virus alike driver modification [usbhub.sys]
WARNING: Virus alike driver modification [atmarpc.sys]
WARNING: Virus alike driver modification [drmk.sys]
WARNING: Virus alike driver modification [arp1394.sys]
WARNING: Virus alike driver modification [sysaudio.sys]
WARNING: Virus alike driver modification [is3srv.sys]
WARNING: Virus alike driver modification [SZKG.sys]
WARNING: Virus alike driver modification [ohci1394.sys]
WARNING: Virus alike driver modification [nic1394.sys]
WARNING: Virus alike driver modification [ALCXWDM.SYS]
WARNING: Virus alike driver modification [splitter.sys]
WARNING: Virus alike driver modification [cdrom.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [ati1rvxx.sys]
WARNING: Virus alike driver modification [cdfs.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [enum1394.sys]
WARNING: Virus alike driver modification [atinxsxx.sys]
WARNING: Virus alike driver modification [serial.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [parvdm.sys]
WARNING: Virus alike driver modification [serscan.sys]
WARNING: Virus alike driver modification [pci.sys]
WARNING: Virus alike driver modification [hsfcxts2.sys]
WARNING: Virus alike driver modification [psched.sys]
WARNING: Virus alike driver modification [Rtlnicxp.sys]
WARNING: Virus alike driver modification [dxg.sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [sr.sys]
WARNING: Virus alike driver modification [atinesxx.sys]
WARNING: Virus alike driver modification [ipsec.sys]
WARNING: Virus alike driver modification [mskssrv.sys]
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [WudfPf.sys]
0x6C680000 Hidden Image-->System.ServiceModel.Web.dll [ EPROCESS 0x84948830 ] PID: 1056, 77824 bytes
WARNING: Virus alike driver modification [atintuxx.sys]
WARNING: Virus alike driver modification [sdbus.sys]
WARNING: Virus alike driver modification [fs_rec.sys]
WARNING: Virus alike driver modification [nvatabus.sys]
WARNING: Virus alike driver modification [dmboot.sys]
WARNING: Virus alike driver modification [parport.sys]
WARNING: Virus alike driver modification [videoprt.sys]
WARNING: Virus alike driver modification [WudfRd.sys]
WARNING: Virus alike driver modification [wdmaud.sys]
WARNING: Virus alike driver modification [nabtsfec.sys]
WARNING: Virus alike driver modification [rasacd.sys]
WARNING: Virus alike driver modification [nwlnkipx.sys]
WARNING: Virus alike driver modification [ndiswan.sys]
WARNING: Virus alike driver modification [mqac.sys]
WARNING: Virus alike driver modification [ksecdd.sys]
WARNING: Virus alike driver modification [grmnusb.sys]
WARNING: Virus alike driver modification [slnthal.sys]
WARNING: Virus alike driver modification [scsiport.sys]
WARNING: Virus alike driver modification [atapi.sys]

********** END OF 11/02/10 POST **********

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:04 AM

Posted 03 November 2010 - 08:04 AM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 WaylonJ

WaylonJ
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 03 November 2010 - 10:56 AM

************ ComboFix log.txt Report Follows ************

ComboFix 10-11-02.06 - JOBIT 11/03/2010 11:35:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.209 [GMT -4:00]
Running from: e:\documents and settings\JOBIT\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\LocalService\Application Data\0200000064ba99b71041C.manifest
e:\documents and settings\LocalService\Application Data\0200000064ba99b71041O.manifest
e:\documents and settings\LocalService\Application Data\0200000064ba99b71041P.manifest
e:\documents and settings\LocalService\Application Data\0200000064ba99b71041S.manifest
e:\windows\lsass.exe
e:\windows\system32\76625351
e:\windows\system32\ddraw32.dll
e:\windows\system32\DINPUT832.DLL
e:\windows\system32\DSKQUOTA32.DLL
e:\windows\system32\dskquota3232.dll
e:\windows\system32\dsquery32.dll
e:\windows\system32\SysWoW32
e:\windows\system32\SysWoW32\@u1828260090v0
e:\windows\system32\SysWoW32\@u1828260090v1
e:\windows\system32\SysWoW32\@u1828260090v2
e:\windows\system32\SysWoW32\@u1828260090v3
e:\windows\system32\SysWoW32\@u1828260090v4
e:\windows\system32\SysWoW32\@u1828260090v5
e:\windows\system32\SysWoW32\@u1828260090v6
e:\windows\system32\SysWoW32\@u1828260090v7
e:\windows\system32\SysWoW32\_u1828260090v0
e:\windows\system32\SysWoW32\_u1828260090v1
e:\windows\system32\SysWoW32\_u1828260090v2
e:\windows\system32\SysWoW32\_u1828260090v3
e:\windows\system32\SysWoW32\_u1828260090v4
e:\windows\system32\SysWoW32\_u1828260090v5
e:\windows\system32\SysWoW32\_u1828260090v6
e:\windows\system32\SysWoW32\_u1828260090v7
e:\windows\system32\SysWoW32\mu1828260090v0
e:\windows\system32\SysWoW32\mu1828260090v0.kwd
e:\windows\system32\SysWoW32\mu1828260090v1
e:\windows\system32\SysWoW32\mu1828260090v1.kwd
e:\windows\system32\SysWoW32\mu1828260090v2
e:\windows\system32\SysWoW32\mu1828260090v2.kwd
e:\windows\system32\SysWoW32\mu1828260090v3
e:\windows\system32\SysWoW32\mu1828260090v3.kwd
e:\windows\system32\SysWoW32\mu1828260090v4
e:\windows\system32\SysWoW32\mu1828260090v4.kwd
e:\windows\system32\SysWoW32\mu1828260090v5
e:\windows\system32\SysWoW32\mu1828260090v5.kwd
e:\windows\system32\SysWoW32\mu1828260090v6
e:\windows\system32\SysWoW32\mu1828260090v6.kwd
e:\windows\system32\SysWoW32\mu1828260090v7
e:\windows\system32\SysWoW32\mu1828260090v7.kwd

.
((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
.

2010-11-03 06:01 . 2010-11-03 06:01 507392 -csh--w- e:\windows\mtxexwow.exe
2010-11-02 15:48 . 2010-11-03 06:01 -------- dcsh--w- e:\windows\system32\977B6387C1D33DF47C6F6FCC16953410
2010-11-01 01:26 . 2010-10-27 18:40 154624 -c--a-w- e:\windows\system32\419626247c4
2010-11-01 01:26 . 2010-10-27 18:40 145408 -c--a-w- e:\windows\system32\419626247c2
2010-11-01 01:26 . 2010-10-27 18:40 153088 -c--a-w- e:\windows\system32\419626247c1
2010-11-01 01:25 . 2010-11-01 01:25 1121280 -csha-w- e:\windows\system32\3.tmp
2010-10-29 15:23 . 2010-10-29 15:23 2178048 -csha-w- e:\windows\system32\A.tmp
2010-10-29 04:08 . 2010-10-29 15:21 -------- dc----w- e:\windows\system32\drivers\N360\0403000.005
2010-10-23 12:49 . 2010-10-23 12:49 1137152 -csha-w- e:\windows\system32\24C.tmp
2010-10-22 16:32 . 2010-10-22 16:32 -------- dc----w- e:\windows\system32\windows media
2010-10-22 16:32 . 2010-10-22 16:32 -------- dc----w- e:\program files\Windows Media Components
2010-10-22 16:31 . 2004-06-04 14:02 27232 -c--a-w- e:\windows\system32\drivers\ULCDRHlp.sys
2010-10-22 16:31 . 2004-05-29 12:30 292288 -c--a-w- e:\windows\system32\drivers\USIUDF.sys
2010-10-22 16:26 . 2010-10-22 16:31 -------- dc----w- e:\program files\Ulead Systems
2010-10-22 16:26 . 2010-10-22 16:26 -------- dc----w- e:\program files\Common Files\Ulead Systems
2010-10-22 16:26 . 2010-10-22 16:36 -------- dc----w- e:\documents and settings\All Users\Application Data\Ulead Systems
2010-10-22 16:24 . 2002-12-05 18:10 155648 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2010-10-22 16:24 . 2002-12-02 19:22 5632 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2010-10-22 16:24 . 2002-12-02 17:33 57344 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2010-10-22 16:24 . 2002-12-02 17:33 237568 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2010-10-22 16:24 . 2003-02-27 20:12 696320 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2010-10-22 16:24 . 2010-10-22 16:24 282756 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2010-10-22 16:24 . 2010-10-22 16:24 163972 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2010-10-22 15:12 . 2010-10-22 15:12 372736 -c--a-w- e:\windows\system32\atioglx132.dll
2010-10-21 17:03 . 2010-10-21 17:03 372736 -c--a-w- e:\windows\system32\atioglxx32.dll
2010-10-18 01:33 . 2010-10-18 01:33 1144832 -csha-w- e:\windows\system32\B3.tmp
2010-10-17 17:49 . 2010-10-17 17:49 167424 -c--a-w- e:\windows\system32\cryptnet32.dll.exe
2010-10-15 20:14 . 2010-10-15 20:15 -------- dc----w- e:\program files\STOPzilla!
2010-10-15 20:14 . 2010-10-15 20:14 -------- dc----w- e:\program files\Common Files\iS3
2010-10-15 20:14 . 2010-11-03 15:43 -------- dc----w- e:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-15 07:05 . 2008-04-14 00:12 221184 -c--a-w- e:\windows\system32\wmpns.dll
2010-10-15 06:57 . 2010-10-15 06:57 -------- dcsh--w- e:\documents and settings\LocalService\IETldCache
2010-10-15 06:57 . 2010-10-15 06:57 359936 -c--a-w- e:\windows\system32\dnssdX32.dll
2010-10-15 06:49 . 2010-10-15 06:49 359936 -c--a-w- e:\windows\system32\fxsevent32.dll
2010-10-15 01:15 . 2010-09-18 06:53 974848 -c----w- e:\windows\system32\dllcache\mfc42.dll
2010-10-15 01:15 . 2010-09-18 06:53 953856 -c----w- e:\windows\system32\dllcache\mfc40u.dll
2010-10-15 01:14 . 2010-08-23 16:12 617472 -c----w- e:\windows\system32\dllcache\comctl32.dll
2010-10-14 17:59 . 2010-10-14 17:59 132560 -c--a-r- e:\windows\system32\IS3HTUI5.dll
2010-10-14 17:59 . 2010-10-14 17:59 99792 -c--a-r- e:\windows\system32\IS3Svc5.dll
2010-10-14 17:59 . 2010-10-14 17:59 67024 -c--a-r- e:\windows\system32\IS3Hks5.dll
2010-10-14 17:59 . 2010-10-14 17:59 546256 -c--a-r- e:\windows\system32\SZComp5.dll
2010-10-14 17:59 . 2010-10-14 17:59 452048 -c--a-r- e:\windows\system32\SZBase5.dll
2010-10-14 17:59 . 2010-10-14 17:59 398800 -c--a-r- e:\windows\system32\IS3DBA5.dll
2010-10-14 17:59 . 2010-10-14 17:59 28624 -c--a-r- e:\windows\system32\IS3XDat5.dll
2010-10-14 17:59 . 2010-10-14 17:59 22992 -c--a-r- e:\windows\system32\SZIO5.dll
2010-10-14 17:59 . 2010-10-14 17:59 99792 -c--a-r- e:\windows\system32\IS3Inet5.dll
2010-10-14 17:59 . 2010-10-14 17:59 738768 -c--a-r- e:\windows\system32\IS3Base5.dll
2010-10-14 17:59 . 2010-10-14 17:59 390608 -c--a-r- e:\windows\system32\IS3UI5.dll
2010-10-14 17:59 . 2010-10-14 17:59 230864 -c--a-r- e:\windows\system32\IS3Win325.dll
2010-10-13 19:16 . 2010-10-13 19:16 167424 -c--a-w- e:\windows\system32\dmocx32.dll.exe
2010-10-13 05:19 . 2010-10-13 05:19 0 -c-ha-w- e:\documents and settings\JOBIT\ifryqnsweh.tmp
2010-10-13 05:16 . 2010-10-13 05:16 203776 -csh--w- e:\windows\system32\unrar.exe
2010-10-13 05:16 . 2010-10-13 05:16 1141760 -csha-w- e:\windows\system32\AF.tmp
2010-10-13 05:16 . 2010-10-13 05:16 1313280 -c--a-w- e:\windows\system32\csrsrv32.exe
2010-10-13 05:16 . 2010-10-13 05:16 242688 -c--a-w- e:\windows\system32\cscdll32.dll
2010-10-13 05:16 . 2010-10-13 05:16 1313280 -c--a-w- e:\windows\system32\cryptnet32.exe
2010-10-13 05:16 . 2010-10-13 05:16 363008 -c--a-w- e:\windows\system32\cryptdll32.dll
2010-10-13 05:14 . 2010-10-13 05:16 -------- dc----w- e:\documents and settings\JOBIT\Application Data\Apple Computer
2010-10-13 05:13 . 2010-10-13 05:13 -------- dc----w- e:\program files\iPod
2010-10-13 05:13 . 2010-10-13 05:14 -------- dc----w- e:\program files\iTunes
2010-10-13 05:13 . 2010-10-13 05:14 -------- dc----w- e:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-13 05:11 . 2010-10-13 05:11 -------- dc----w- e:\documents and settings\All Users\Application Data\Apple
2010-10-13 05:11 . 2010-10-13 05:14 -------- dc----w- e:\documents and settings\JOBIT\Local Settings\Application Data\Apple Computer
2010-10-13 05:00 . 2010-10-14 15:47 -------- dc----w- e:\documents and settings\JOBIT\Application Data\LimeWire
2010-10-13 04:59 . 2010-10-13 05:00 -------- dc----w- e:\program files\LimeWire
2010-10-08 14:22 . 2010-10-08 14:23 -------- dc----w- e:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2001-08-23 12:00 974848 -c--a-w- e:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00 974848 -c--a-w- e:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 -c--a-w- e:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00 953856 -c--a-w- e:\windows\system32\mfc40u.dll
2010-09-13 15:29 . 2010-09-13 15:30 73728 -c--a-w- e:\windows\system32\javacpl.cpl
2010-09-13 15:29 . 2010-09-13 15:30 423656 -c--a-w- e:\windows\system32\deployJava1.dll
2010-09-10 14:14 . 2010-09-10 14:14 1409 -c--a-w- e:\windows\system32\tmp997D2.FOT
2010-09-10 14:14 . 2010-09-10 14:14 1409 -c--a-w- e:\windows\system32\tmp538D2.FOT
2010-09-10 05:58 . 2001-08-23 12:00 916480 -c--a-w- e:\windows\system32\wininet.dll
2010-09-10 05:58 . 2001-08-23 12:00 43520 -c--a-w- e:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2001-08-23 12:00 1469440 -c----w- e:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 -c--a-w- e:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 -c--a-w- e:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2001-08-23 12:00 285824 -c--a-w- e:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-23 12:00 1852800 -c--a-w- e:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-23 12:00 119808 -c--a-w- e:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-23 12:00 99840 -c--a-w- e:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-23 12:00 357248 -c--a-w- e:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-08-12 18:41 5120 -c--a-w- e:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-23 12:00 617472 -c--a-w- e:\windows\system32\comctl32.dll
2010-08-17 17:44 . 2010-08-17 17:44 45056 -c--a-r- e:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-08-17 13:17 . 2001-08-23 12:00 58880 -c--a-w- e:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2001-08-23 12:00 590848 -c--a-w- e:\windows\system32\rpcrt4.dll
2010-08-12 20:09 . 2010-08-12 20:09 60808 -c--a-w- e:\windows\system32\S32EVNT1.DLL
2010-08-12 20:09 . 2010-08-12 20:09 124976 -c--a-w- e:\windows\system32\drivers\SYMEVENT.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165E9F9E-7301-4EB3-BBDD-850A59831A7f}]
2010-10-22 15:12 372736 -c--a-w- e:\windows\system32\atioglx132.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC608F9F-FC2D-1E18-2D0C-F8861725655B}]
2010-10-13 05:16 242688 -c--a-w- e:\windows\system32\cscdll32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"ATIPTA"="e:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"Seagate Scheduler2 Service"="e:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"USIUDF_Eject_Monitor"="e:\program files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-05-28 81920]
"mtxexwow.exe"="e:\windows\mtxexwow.exe" [2010-11-03 507392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "e:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\windows\system32\cscdll32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\WINDOWS\\system32\\cryptnet32.exe"=
"e:\\WINDOWS\\mtxexwow.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 SymDS;Symantec Data Store;e:\windows\system32\drivers\N360\0403000.005\symds.sys [10/29/2010 12:11 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;e:\windows\system32\drivers\N360\0403000.005\symefa.sys [10/29/2010 12:11 AM 173104]
R0 szkg5;szkg5;e:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;e:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
R1 BHDrvx86;BHDrvx86;e:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101029.001\BHDrvx86.sys [11/2/2010 11:58 AM 692272]
R1 ccHP;Symantec Hash Provider;e:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [10/29/2010 12:11 AM 501888]
R1 SymIRON;Symantec Iron Driver;e:\windows\system32\drivers\N360\0403000.005\ironx86.sys [10/29/2010 12:11 AM 116784]
R2 aspnet_state32;ASP.NET State Service ;e:\windows\system32\cryptnet32.exe [10/13/2010 1:16 AM 1313280]
R2 N360;Norton Security Suite;e:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [10/29/2010 12:09 AM 126392]
R2 SgtSch2Svc;Seagate Scheduler2 Service;e:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 8:56 PM 431384]
R2 WDDMService;WD SmartWare Drive Manager;e:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/16/2010 11:48 AM 102448]
R3 IDSxpx86;IDSxpx86;e:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101102.001\IDSXpx86.sys [11/2/2010 9:43 PM 341880]
S0 is3srv;is3srv;e:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [8/19/2010 12:34 PM 136176]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;e:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\l:\ntglm7x.sys --> l:\NTGLM7X.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;e:\windows\system32\drivers\wdcsam.sys [9/21/2010 10:32 AM 11520]
S3 WinRM;Windows Remote Management (WS-Management);e:\windows\system32\svchost.exe -k WINRM [8/23/2001 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY
*Deregistered* - klmd25
*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-03 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-08-19 16:34]

2010-11-03 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-08-19 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Notify-TPSvc - TPSvc.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-03 11:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"e:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"e:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
e:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1400)
e:\windows\system32\relog_ap.dll
.
Completion time: 2010-11-03 11:47:09
ComboFix-quarantined-files.txt 2010-11-03 15:47

Pre-Run: 15,435,767,808 bytes free
Post-Run: 15,423,279,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 8AEB6C28788EB50C43A173B62820195E

************ ComboFix log.txt End of Report ************
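The log above is what a helper reads to pick targets for the CFScript in the following post: the two Browser Helper Object DLLs, the AppInit_DLLs entry, and the hidden/system files that appeared in system32 over the previous few weeks. As an added example (not code from this thread, from ComboFix or from BleepingComputer), here is a small Python triage that parses the "Files Created" and "Reg Loading Points" formats and flags the same kinds of entries. The sample lines are copied from the posted log; the flagging heuristics (hidden+system attributes on a file, a double extension ending in .exe, a new file referenced from an autostart key) are my own assumptions about what a helper looks for, not ComboFix's logic.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines in the format of ComboFix's "Files Created"
# section, copied from the log posted above.
SAMPLE_FILES = r"""
2010-11-03 06:01 . 2010-11-03 06:01 507392 -csh--w- e:\windows\mtxexwow.exe
2010-11-01 01:25 . 2010-11-01 01:25 1121280 -csha-w- e:\windows\system32\3.tmp
2010-10-22 15:12 . 2010-10-22 15:12 372736 -c--a-w- e:\windows\system32\atioglx132.dll
2010-10-17 17:49 . 2010-10-17 17:49 167424 -c--a-w- e:\windows\system32\cryptnet32.dll.exe
2010-10-13 05:16 . 2010-10-13 05:16 242688 -c--a-w- e:\windows\system32\cscdll32.dll
2010-10-15 01:15 . 2010-09-18 06:53 974848 -c----w- e:\windows\system32\dllcache\mfc42.dll
2010-10-13 04:59 . 2010-10-13 05:00 -------- dc----w- e:\program files\LimeWire
"""

# Constructed sample in the format of the "Reg Loading Points" section.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165E9F9E-7301-4EB3-BBDD-850A59831A7f}]
2010-10-22 15:12 372736 -c--a-w- e:\windows\system32\atioglx132.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"mtxexwow.exe"="e:\windows\mtxexwow.exe" [2010-11-03 507392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\windows\system32\cscdll32.dll
"""

# created . modified size attrs path  (size is "--------" for directories)
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# Any drive-letter path inside a registry value line, up to a quote or bracket.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+', re.I)
# Something like "name.dll.exe": a non-executable extension hidden in front of .exe.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.exe$", re.I)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]
    attrs: str
    path: str
    reasons: list = field(default_factory=list)


def parse_files_created(text: str) -> list:
    """Parse the 'Files Created' section into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def loading_points(text: str) -> dict:
    """Map each file path referenced from a registry loading point to its key."""
    refs, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
            continue
        for m in PATH_RE.finditer(line):
            refs[m.group(0).strip().lower()] = key
    return refs


def triage(entries: list, refs: dict) -> list:
    """Attach a reason to every entry a helper would want to look at."""
    flagged = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1].lower()
        is_dir = e.attrs[0] == "d"
        # ComboFix attribute string: 'd' directory, 's' system, 'h' hidden
        if not is_dir and "s" in e.attrs and "h" in e.attrs:
            e.reasons.append("hidden+system attributes on a file")
        if DOUBLE_EXT.search(name):
            e.reasons.append("double extension ending in .exe")
        key = refs.get(e.path.lower())
        if key:
            e.reasons.append(f"referenced from loading point {key}")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_files_created(SAMPLE_FILES), loading_points(SAMPLE_REG)):
        print(e.created, e.path)
        for r in e.reasons:
            print("   -", r)
```

Run as-is it prints the five entries from the sample that the thread's helper also acted on, each with the reason it was picked; the legitimate mfc42.dll and the LimeWire directory pass through unflagged. A path is only ever a lead for further inspection (a hash lookup, a VirusTotal submission, or in this thread the `Collect::` directive), never proof on its own.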

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:04 AM

Posted 03 November 2010 - 11:22 AM

Hi again,

CF-SCRIPT
-------------
Open notepad and copy/paste the text in the quotebox below into it:

<http://www.bleepingcomputer.com/forums/topic355557.html/page__view__findpost__p__2001852>

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{165E9F9E-7301-4EB3-BBDD-850A59831A7f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC608F9F-FC2D-1E18-2D0C-F8861725655B}]

Collect::
e:\windows\system32\atioglx132.dll
e:\windows\system32\cscdll32.dll

Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

regards, Elise




#11 WaylonJ

WaylonJ
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 04 November 2010 - 01:02 PM

Okay, Elise. I followed the instructions in the last post you made, but I may have messed up one thing: I did not copy/drag the URL that you included in the "quote box" into ComboFix before the following report was generated. At first, I thought the URL was included by accident and that the Registry and Collect keys were the only text elements that you wanted me to drag into the ComboFix.exe icon...but now I'm scratching my head about this decision. If the results you received today are less than expected, it's probably because I didn't include the URL that appears in the quote box (which appears in your last post).

By the way, our PC is running significantly slower now...

Have a good one wherever you are -- WaylonJ
:)

************** ComboFix Report (CFScript.txt included) 110410 **************

ComboFix 10-11-02.06 - JOBIT 11/04/2010 12:43:26.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.281 [GMT -4:00]
Running from: e:\documents and settings\JOBIT\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\JOBIT\Desktop\CFScript.txt
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point

file zipped: e:\windows\system32\atioglx132.dll
file zipped: e:\windows\system32\cscdll32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\LocalService\Application Data\0200000064ba99b71041C.manifest
e:\documents and settings\LocalService\Application Data\0200000064ba99b71041O.manifest
e:\documents and settings\LocalService\Application Data\0200000064ba99b71041P.manifest
e:\documents and settings\LocalService\Application Data\0200000064ba99b71041S.manifest
e:\windows\lsass.exe
e:\windows\system32\76625351
e:\windows\system32\76625351\new.i0

.
((((((((((((((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))
.

2010-11-04 16:23 . 2010-11-04 16:23 498688 -csh--w- e:\windows\PresentationCFFRasterizerNative_v0300wow.exe
2010-11-02 15:48 . 2010-11-04 16:23 -------- dcsh--w- e:\windows\system32\977B6387C1D33DF47C6F6FCC16953410
2010-11-01 01:26 . 2010-10-27 18:40 154624 -c--a-w- e:\windows\system32\419626247c4
2010-11-01 01:26 . 2010-10-27 18:40 145408 -c--a-w- e:\windows\system32\419626247c2
2010-11-01 01:26 . 2010-10-27 18:40 153088 -c--a-w- e:\windows\system32\419626247c1
2010-11-01 01:25 . 2010-11-01 01:25 1121280 -csha-w- e:\windows\system32\3.tmp
2010-10-29 15:23 . 2010-10-29 15:23 2178048 -csha-w- e:\windows\system32\A.tmp
2010-10-29 04:08 . 2010-10-29 15:21 -------- dc----w- e:\windows\system32\drivers\N360\0403000.005
2010-10-23 12:49 . 2010-10-23 12:49 1137152 -csha-w- e:\windows\system32\24C.tmp
2010-10-22 16:32 . 2010-10-22 16:32 -------- dc----w- e:\windows\system32\windows media
2010-10-22 16:32 . 2010-10-22 16:32 -------- dc----w- e:\program files\Windows Media Components
2010-10-22 16:31 . 2004-06-04 14:02 27232 -c--a-w- e:\windows\system32\drivers\ULCDRHlp.sys
2010-10-22 16:31 . 2004-05-29 12:30 292288 -c--a-w- e:\windows\system32\drivers\USIUDF.sys
2010-10-22 16:26 . 2010-10-22 16:31 -------- dc----w- e:\program files\Ulead Systems
2010-10-22 16:26 . 2010-10-22 16:26 -------- dc----w- e:\program files\Common Files\Ulead Systems
2010-10-22 16:26 . 2010-10-22 16:36 -------- dc----w- e:\documents and settings\All Users\Application Data\Ulead Systems
2010-10-22 16:24 . 2002-12-05 18:10 155648 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2010-10-22 16:24 . 2002-12-02 19:22 5632 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2010-10-22 16:24 . 2002-12-02 17:33 57344 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2010-10-22 16:24 . 2002-12-02 17:33 237568 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2010-10-22 16:24 . 2003-02-27 20:12 696320 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2010-10-22 16:24 . 2010-10-22 16:24 282756 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2010-10-22 16:24 . 2010-10-22 16:24 163972 -c--a-w- e:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2010-10-22 15:12 . 2010-11-04 16:42 372736 -c--a-w- e:\windows\system32\atioglx132.dll
2010-10-21 17:03 . 2010-10-21 17:03 372736 -c--a-w- e:\windows\system32\atioglxx32.dll
2010-10-18 01:33 . 2010-10-18 01:33 1144832 -csha-w- e:\windows\system32\B3.tmp
2010-10-17 17:49 . 2010-10-17 17:49 167424 -c--a-w- e:\windows\system32\cryptnet32.dll.exe
2010-10-15 20:14 . 2010-10-15 20:15 -------- dc----w- e:\program files\STOPzilla!
2010-10-15 20:14 . 2010-10-15 20:14 -------- dc----w- e:\program files\Common Files\iS3
2010-10-15 20:14 . 2010-11-04 17:15 -------- dc----w- e:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-15 07:05 . 2008-04-14 00:12 221184 -c--a-w- e:\windows\system32\wmpns.dll
2010-10-15 06:57 . 2010-10-15 06:57 -------- dcsh--w- e:\documents and settings\LocalService\IETldCache
2010-10-15 06:57 . 2010-10-15 06:57 359936 -c--a-w- e:\windows\system32\dnssdX32.dll
2010-10-15 06:49 . 2010-10-15 06:49 359936 -c--a-w- e:\windows\system32\fxsevent32.dll
2010-10-15 01:15 . 2010-09-18 06:53 974848 -c----w- e:\windows\system32\dllcache\mfc42.dll
2010-10-15 01:15 . 2010-09-18 06:53 953856 -c----w- e:\windows\system32\dllcache\mfc40u.dll
2010-10-15 01:14 . 2010-08-23 16:12 617472 -c----w- e:\windows\system32\dllcache\comctl32.dll
2010-10-14 17:59 . 2010-10-14 17:59 132560 -c--a-r- e:\windows\system32\IS3HTUI5.dll
2010-10-14 17:59 . 2010-10-14 17:59 99792 -c--a-r- e:\windows\system32\IS3Svc5.dll
2010-10-14 17:59 . 2010-10-14 17:59 67024 -c--a-r- e:\windows\system32\IS3Hks5.dll
2010-10-14 17:59 . 2010-10-14 17:59 546256 -c--a-r- e:\windows\system32\SZComp5.dll
2010-10-14 17:59 . 2010-10-14 17:59 452048 -c--a-r- e:\windows\system32\SZBase5.dll
2010-10-14 17:59 . 2010-10-14 17:59 398800 -c--a-r- e:\windows\system32\IS3DBA5.dll
2010-10-14 17:59 . 2010-10-14 17:59 28624 -c--a-r- e:\windows\system32\IS3XDat5.dll
2010-10-14 17:59 . 2010-10-14 17:59 22992 -c--a-r- e:\windows\system32\SZIO5.dll
2010-10-14 17:59 . 2010-10-14 17:59 99792 -c--a-r- e:\windows\system32\IS3Inet5.dll
2010-10-14 17:59 . 2010-10-14 17:59 738768 -c--a-r- e:\windows\system32\IS3Base5.dll
2010-10-14 17:59 . 2010-10-14 17:59 390608 -c--a-r- e:\windows\system32\IS3UI5.dll
2010-10-14 17:59 . 2010-10-14 17:59 230864 -c--a-r- e:\windows\system32\IS3Win325.dll
2010-10-13 19:16 . 2010-10-13 19:16 167424 -c--a-w- e:\windows\system32\dmocx32.dll.exe
2010-10-13 05:19 . 2010-10-13 05:19 0 -c-ha-w- e:\documents and settings\JOBIT\ifryqnsweh.tmp
2010-10-13 05:16 . 2010-10-13 05:16 203776 -csh--w- e:\windows\system32\unrar.exe
2010-10-13 05:16 . 2010-10-13 05:16 1141760 -csha-w- e:\windows\system32\AF.tmp
2010-10-13 05:16 . 2010-10-13 05:16 1313280 -c--a-w- e:\windows\system32\csrsrv32.exe
2010-10-13 05:16 . 2010-11-04 16:42 242688 -c--a-w- e:\windows\system32\cscdll32.dll
2010-10-13 05:16 . 2010-10-13 05:16 1313280 -c--a-w- e:\windows\system32\cryptnet32.exe
2010-10-13 05:16 . 2010-10-13 05:16 363008 -c--a-w- e:\windows\system32\cryptdll32.dll
2010-10-13 05:14 . 2010-10-13 05:16 -------- dc----w- e:\documents and settings\JOBIT\Application Data\Apple Computer
2010-10-13 05:13 . 2010-10-13 05:13 -------- dc----w- e:\program files\iPod
2010-10-13 05:13 . 2010-10-13 05:14 -------- dc----w- e:\program files\iTunes
2010-10-13 05:13 . 2010-10-13 05:14 -------- dc----w- e:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-13 05:11 . 2010-10-13 05:11 -------- dc----w- e:\documents and settings\All Users\Application Data\Apple
2010-10-13 05:11 . 2010-10-13 05:14 -------- dc----w- e:\documents and settings\JOBIT\Local Settings\Application Data\Apple Computer
2010-10-13 05:00 . 2010-10-14 15:47 -------- dc----w- e:\documents and settings\JOBIT\Application Data\LimeWire
2010-10-13 04:59 . 2010-10-13 05:00 -------- dc----w- e:\program files\LimeWire
2010-10-08 14:22 . 2010-10-08 14:23 -------- dc----w- e:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2001-08-23 12:00 974848 -c--a-w- e:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00 974848 -c--a-w- e:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 -c--a-w- e:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00 953856 -c--a-w- e:\windows\system32\mfc40u.dll
2010-09-13 15:29 . 2010-09-13 15:30 73728 -c--a-w- e:\windows\system32\javacpl.cpl
2010-09-13 15:29 . 2010-09-13 15:30 423656 -c--a-w- e:\windows\system32\deployJava1.dll
2010-09-10 14:14 . 2010-09-10 14:14 1409 -c--a-w- e:\windows\system32\tmp997D2.FOT
2010-09-10 14:14 . 2010-09-10 14:14 1409 -c--a-w- e:\windows\system32\tmp538D2.FOT
2010-09-10 05:58 . 2001-08-23 12:00 916480 -c--a-w- e:\windows\system32\wininet.dll
2010-09-10 05:58 . 2001-08-23 12:00 43520 -c--a-w- e:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2001-08-23 12:00 1469440 -c----w- e:\windows\system32\inetcpl.cpl
2010-09-08 15:17 . 2010-09-08 15:17 94208 -c--a-w- e:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 -c--a-w- e:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2001-08-23 12:00 285824 -c--a-w- e:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-23 12:00 1852800 -c--a-w- e:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-23 12:00 119808 -c--a-w- e:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-23 12:00 99840 -c--a-w- e:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-23 12:00 357248 -c--a-w- e:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-08-12 18:41 5120 -c--a-w- e:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-23 12:00 617472 -c--a-w- e:\windows\system32\comctl32.dll
2010-08-17 17:44 . 2010-08-17 17:44 45056 -c--a-r- e:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-08-17 13:17 . 2001-08-23 12:00 58880 -c--a-w- e:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2001-08-23 12:00 590848 -c--a-w- e:\windows\system32\rpcrt4.dll
2010-08-12 20:09 . 2010-08-12 20:09 60808 -c--a-w- e:\windows\system32\S32EVNT1.DLL
2010-08-12 20:09 . 2010-08-12 20:09 124976 -c--a-w- e:\windows\system32\drivers\SYMEVENT.SYS
.

((((((((((((((((((((((((((((( SnapShot@2010-11-03_15.44.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-04 16:22 . 2010-11-04 16:22 16384 e:\windows\Temp\Perflib_Perfdata_89c.dat
+ 2010-11-04 16:21 . 2010-11-04 16:21 16384 e:\windows\Temp\Perflib_Perfdata_824.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"ATIPTA"="e:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"Seagate Scheduler2 Service"="e:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"USIUDF_Eject_Monitor"="e:\program files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-05-28 81920]
"PresentationCFFRasterizerNative_v0300wow.exe"="e:\windows\PresentationCFFRasterizerNative_v0300wow.exe" [2010-11-04 498688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "e:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\windows\system32\cscdll32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\WINDOWS\\system32\\cryptnet32.exe"=
"e:\\WINDOWS\\PresentationCFFRasterizerNative_v0300wow.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 is3srv;is3srv;e:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [2010-08-19 136176]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;e:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
R3 SetupNTGLM7X;SetupNTGLM7X;L:\NTGLM7X.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;e:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WinRM;Windows Remote Management (WS-Management);e:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymDS;Symantec Data Store;e:\windows\system32\drivers\N360\0403000.005\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;e:\windows\system32\drivers\N360\0403000.005\SYMEFA.SYS [2010-04-22 173104]
S0 szkg5;szkg5;e:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;e:\windows\system32\drivers\szkgfs.sys [2010-05-12 59280]
S1 BHDrvx86;BHDrvx86;e:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101029.001\BHDrvx86.sys [2010-08-31 692272]
S1 ccHP;Symantec Hash Provider;e:\windows\system32\drivers\N360\0403000.005\ccHPx86.sys [2010-02-26 501888]
S1 SymIRON;Symantec Iron Driver;e:\windows\system32\drivers\N360\0403000.005\Ironx86.SYS [2010-04-29 116784]
S2 aspnet_state32;ASP.NET State Service ;e:\windows\system32\cryptnet32.exe [2010-10-13 1313280]
S2 N360;Norton Security Suite;e:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe [2010-02-26 126392]
S2 SgtSch2Svc;Seagate Scheduler2 Service;e:\program files\Common Files\Seagate\Schedule2\schedul2.exe [2008-06-25 431384]
S2 WDDMService;WD SmartWare Drive Manager;e:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-01-21 110592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-08-12 102448]
S3 IDSxpx86;IDSxpx86;e:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101103.001\IDSxpx86.sys [2010-10-19 341880]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-04 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-08-19 16:34]

2010-11-03 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-08-19 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 13:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


e:\windows\system32\76625351

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"e:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"e:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
e:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1404)
e:\windows\system32\relog_ap.dll
.
Completion time: 2010-11-04 13:29:30
ComboFix-quarantined-files.txt 2010-11-04 17:29
ComboFix2.txt 2010-11-03 15:47

Pre-Run: 15,132,397,568 bytes free
Post-Run: 15,296,147,456 bytes free

- - End Of File - - 8BB6687D00C958E63B56FF65FA632DF9
Upload was successful


************** End ComboFix Report (CFScript.txt included) 110410 **************

#12 WaylonJ

WaylonJ
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 04 November 2010 - 01:58 PM

!!!!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT UPDATE !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Elise,

After I posted the ComboFix report generated on 11/04/10 -- the report just prior to this entry -- I restarted our PC and the image linked below is popping up repeatedly ... and by "repeatedly," I mean to say that the user is forced to press the "OK" control/button many times before Windows will operate normally. To clarify, the dialog box will (seemingly) appear every time a process is started.

If one is to access the MS program Paint, for example, the title on the dialog box changes to a Paint reference, but the dialog message remains the same. In short, the only thing that changes is the title of the dialog box -- not the message itself; hence, the reason one is forced to press the "OK" button/control over and over again.


Link to dialog box:
Posted Image

Edited by WaylonJ, 04 November 2010 - 02:17 PM.


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:04 AM

Posted 04 November 2010 - 03:06 PM

Hi, I see why that is. I forgot to script out a related entry.

OTL FIX
------------
We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :otl
    O20 - AppInit_DLLs: (E:\WINDOWS\system32\cscdll32.dll) - E:\WINDOWS\system32\cscdll32.dll (Inprise Corporation)
    
    :commands
    [emptytemp]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.

regards, Elise




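The ComboFix log in the reply above and the AppInit_DLLs entry this OTL fix removes are the kind of loading points a helper scans for by eye. As an added example that is not part of this thread and not code from ComboFix or OTL, here is a small Python triage pass over lines copied from that log: it flags a populated AppInit_DLLs value, a switched-off Windows Firewall, firewall exceptions and Run entries that point into the Windows directory, and double-extension or hidden+system .tmp files in system32. The rule names and the small allowlist of stock firewall exceptions are assumptions made for the example.

```python
import re

# Sample lines copied from the ComboFix logs posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
2010-10-17 17:49 . 2010-10-17 17:49 167424 -c--a-w- e:\windows\system32\cryptnet32.dll.exe
2010-10-15 07:05 . 2008-04-14 00:12 221184 -c--a-w- e:\windows\system32\wmpns.dll
2010-10-13 05:16 . 2010-10-13 05:16 1141760 -csha-w- e:\windows\system32\AF.tmp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"PresentationCFFRasterizerNative_v0300wow.exe"="e:\windows\PresentationCFFRasterizerNative_v0300wow.exe" [2010-11-04 498688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\windows\system32\cscdll32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\WINDOWS\\system32\\cryptnet32.exe"=
"e:\\WINDOWS\\PresentationCFFRasterizerNative_v0300wow.exe"=
"""

# Firewall exceptions Windows XP adds itself; anything else under the Windows
# directory gets flagged (assumed allowlist, deliberately small).
KNOWN_WINDIR_EXCEPTIONS = {"sessmgr.exe", "xpnetdiag.exe"}

FILE_LINE = re.compile(r"^\S+ \S+ \. \S+ \S+ (\S+) (\S{8}) (\S.*)$")
RUN_LINE = re.compile(r'^"[^"]+"="([^"]*)"')
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
WINDIR_PATH = re.compile(r"^(?:[a-z]:\\windows|%windir%)\\", re.IGNORECASE)


def triage(log_text):
    """Return (rule, detail) findings for a ComboFix log; key tracks the current [registry key]."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = FILE_LINE.match(line)
        if m:  # "Files Created" / Find3M lines: size, attribute flags, path
            _size, attrs, path = m.groups()
            low = path.lower()
            if low.endswith(".dll.exe"):
                findings.append(("double-extension", path))
            elif low.endswith(".tmp") and "s" in attrs and "h" in attrs and "\\system32\\" in low:
                findings.append(("hidden-system-tmp", path))
        elif key.endswith(r"currentversion\windows") and line.lower().startswith('"appinit_dlls"='):
            # AppInit_DLLs: every process that loads user32.dll also loads this DLL,
            # which is why the fix removes the registry value and not only the file
            value = line.split("=", 1)[1].strip()
            if value:
                findings.append(("appinit-dlls", value))
        elif key.endswith(r"firewallpolicy\standardprofile") and line.lower().startswith('"enablefirewall"='):
            if line.split("=", 1)[1].strip().startswith("0"):
                findings.append(("firewall-disabled", key))
        elif key.endswith(r"authorizedapplications\list"):
            # exception paths are written with doubled backslashes in the log
            path = line.split("=", 1)[0].strip('"').replace("\\\\", "\\")
            if WINDIR_PATH.match(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_WINDIR_EXCEPTIONS:
                findings.append(("firewall-exception-in-windir", path))
        elif key.endswith(r"currentversion\run"):
            m = RUN_LINE.match(line)
            if m and WINDIR_ROOT_EXE.match(m.group(1)):
                findings.append(("run-entry-in-windir-root", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```

Run against a full log the pass only narrows the reading list; each hit still needs the helper's judgement, as the thread itself shows.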
#14 WaylonJ

WaylonJ
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 04 November 2010 - 06:00 PM

Okay, Elise, I copied/pasted the code you posted (above). I didn't see the word "code," however, so that had me wondering a bit...

So here's the report returned by OTL.exe:


******************** OTL.exe Report 110410 1850ET ********************

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:E:\WINDOWS\system32\cscdll32.dll deleted successfully.
E:\WINDOWS\system32\cscdll32.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: JOBIT
->Temp folder emptied: 115333 bytes
->Temporary Internet Files folder emptied: 7501129 bytes
->Java cache emptied: 2027 bytes
->Flash cache emptied: 2836784 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes
->Flash cache emptied: 343 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138618 bytes
%systemroot%\System32 .tmp files removed: 7577617 bytes
%systemroot%\System32\dllcache .tmp files removed: 240640 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 19.00 mb


OTL by OldTimer - Version 3.2.17.2 log created on 11042010_184613

Files\Folders moved on Reboot...
File\Folder E:\Documents and Settings\JOBIT\Local Settings\Temp\~DF88E1.tmp not found!
File\Folder E:\Documents and Settings\JOBIT\Local Settings\Temp\~DF88FB.tmp not found!
File\Folder E:\Documents and Settings\JOBIT\Local Settings\Temp\~DF8962.tmp not found!
File\Folder E:\Documents and Settings\JOBIT\Local Settings\Temp\~DF897C.tmp not found!
File\Folder E:\Documents and Settings\JOBIT\Local Settings\Temp\~DF89BB.tmp not found!
File\Folder E:\Documents and Settings\JOBIT\Local Settings\Temp\~DF89D5.tmp not found!
E:\Documents and Settings\JOBIT\Local Settings\Temporary Internet Files\Content.IE5\RGR5ONQJ\page__p__2000457__hl__waylonj__fromsearch__1[1].htm moved successfully.
E:\Documents and Settings\JOBIT\Local Settings\Temporary Internet Files\Content.IE5\NRN16V0O\c[1].htm moved successfully.
E:\Documents and Settings\JOBIT\Local Settings\Temporary Internet Files\Content.IE5\3FCQVAZ4\zz-V2-popup[1].htm moved successfully.
File\Folder E:\WINDOWS\temp\Perflib_Perfdata_5a8.dat not found!

Registry entries deleted on Reboot...

******************** END REPORT OTL.exe 110410 1850ET ********************

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:04 AM

Posted 05 November 2010 - 04:28 AM

Hi, how are things running now?

regards, Elise


