Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Removing Trojan Causing BSOD Immediately on Vista Start Up


  • This topic is locked This topic is locked
15 replies to this topic

#1 nate m

nate m

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 27 October 2010 - 04:24 PM

The other night I was browsing and received a McAfee pop up saying a trojan had been removed. Immediately I received a windows notification asking if I had attempted to open the cmd prompt. I clicked no and the window closed. It reappeared a few times before I received another McAfee pop up which recommended I restart the computer due to the threat. On restart I received a Microsoft Security Essentials Alert stating I have an unknown Win32/trojan with a severe alert level. This window lasts 0.5 seconds and then I am redirected to a BSOD. The BSOD lasts 0.5 seconds before windows shuts down and restarts. The same sequence occurs in normal, safe, and safe with networking modes. Windows appears to start normally in safe with command prompt mode. I have included a few photos to give you an idea of what I am seeing before restart. I appear to be getting varying BSOD errors depending on which mode I attempt to open Windows. I am using the Vista OS. I am assuming I am going to have to perform an external scan off of a cd but don't really know how to go about this. I would really appreciate any assistance you can provide. Please let me know if you require any additional information.

Attached Files



BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 28 October 2010 - 04:04 AM

Hello, if you have a vista DVD, try to perform a startup repair.

If you do not have the DVD, tap f8 on boot up and when the advanced boot options menu comes up, see if there is an option to repair windows/recovery environment.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 nate m

nate m
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 30 October 2010 - 06:30 PM

Thanks for your input Elise. I have the vista DVD and have done the start up repair so I can now get into windows. I updated McAfee and performed a scan which did not find anything eventful. I was following the preparation guide before using malware removal tools and I am running into difficulties. The CD emulation software is enabled. However, when I tried running the DDS script it opens in Notepad. I have AutoCAD 2010 on my computer and am not sure if this is interfering with the script or not because the script has an AutoCAD icon associated with it. Any ideas on how to bypass this?

I have also tried to create a GMER log. I have attempted the scan twice. Part way through the scan I get a Microsoft Windows pop up stating that gmer.exe has stopped working and must be shut down. The program was scanning Device/HarddiskVolumeShadowCopy1 in both attempts. I tried reopenning gmer.exe after the first failed attempt and got another BSOD. On tring to reopen on the second attempt the computer simply froze. I am not sure if this information is helpful but if you have any ideas on how I can resolve these issues I would be very grateful.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 31 October 2010 - 02:23 AM

Hi, please run the following scans instead:

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 nate m

nate m
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 31 October 2010 - 04:19 PM

I downloaded the Rootkit Unhooker and when I double click I get an error message stating that RKUnhookerLE.EXE is not a valid Win 32 application. I tried opening the file on an alternative system and got the same message.

Fortunately I did have success with the OTL. The reports are as follows:

OTL.txt

OTL logfile created on: 1/11/2010 8:00:53 AM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Users\nathan\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,022.00 Mb Total Physical Memory | 465.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 167.87 Gb Free Space | 56.32% Space Free | Partition Type: NTFS
Drive D: | 2.84 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.64 Gb Total Space | 313.85 Gb Free Space | 67.40% Space Free | Partition Type: FAT32

Computer Name: MYHILL | User Name: nathan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/01 07:23:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\nathan\Desktop\OTL.exe
PRC - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/09/30 13:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/08/24 20:38:18 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2010/08/24 15:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/06/10 22:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/05/20 16:27:24 | 000,762,736 | ---- | M] (Microsoft Corporation) -- C:\Windows\vVX1000.exe
PRC - [2010/05/20 16:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/02/05 22:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2009/04/11 17:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/12 09:54:02 | 000,669,520 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2008/11/20 17:00:00 | 000,199,680 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\spool\drivers\w32x86\3\E_FATIFIP.EXE
PRC - [2008/10/07 19:14:14 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2007/05/29 03:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2007/02/20 14:01:12 | 001,125,088 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2006/11/22 15:56:00 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe


========== Modules (SafeList) ==========

MOD - [2010/11/01 07:23:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\nathan\Desktop\OTL.exe
MOD - [2010/09/01 02:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2010/07/14 14:30:14 | 000,018,688 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/08/24 20:38:18 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2010/08/24 15:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/06/10 22:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/05/20 16:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2010/03/21 11:16:43 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/02/05 22:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/01/22 03:03:00 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/09/25 12:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2008/10/07 19:14:14 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/01/19 18:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/29 03:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [2006/10/09 22:01:00 | 000,071,184 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\McPvDrv.sys -- (McPvDrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 22:28:54 | 000,164,840 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 22:28:54 | 000,064,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/05/20 16:27:26 | 001,961,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VX1000.sys -- (VX1000)
DRV - [2010/02/05 22:13:48 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/11/27 19:40:21 | 000,685,816 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/04/11 15:42:54 | 000,073,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/08/14 08:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\adfs.sys -- (adfs)
DRV - [2007/03/21 12:33:54 | 000,534,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2007/03/21 12:33:54 | 000,534,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XV)
DRV - [2007/02/22 06:49:47 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/02/22 06:49:47 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/02/22 06:49:47 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/01/19 01:03:24 | 002,314,752 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2007/01/06 16:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2007/01/06 16:59:34 | 000,086,096 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2006/11/22 15:56:52 | 000,647,680 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2006/11/21 05:25:44 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/02 20:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 20:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 20:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 20:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 20:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 20:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 20:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 20:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 20:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 20:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 20:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 20:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 20:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 20:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 20:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 20:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 20:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 20:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 20:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 20:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 20:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 20:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 20:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 20:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 20:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 20:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 20:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 20:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 20:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 20:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 19:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 19:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 19:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 19:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 19:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 19:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 18:41:49 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 18:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 18:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/10/18 11:09:26 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/10/18 11:08:14 | 000,206,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/10/18 11:08:04 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/08/04 17:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.tinit.org/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8C 3F 89 9B 0A 78 CB 01 [binary data]
IE - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/10/23 11:35:38 | 000,000,000 | ---D | M]

[2009/10/15 21:06:56 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Mozilla\Extensions
[2009/10/15 21:06:56 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
[2009/08/11 17:38:32 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2006/09/19 08:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101030192445.dll (McAfee, Inc.)
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [VX1000] C:\Windows\vVX1000.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000..\Run: [adaushtv] C:\Users\nathan\AppData\Local\aioustyvl\eofixtutssd.exe File not found
O4 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000..\Run: [Epson Stylus TX550W(Network)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIFIP.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000..\Run: [EPSON TX550W Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIFIP.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000..\Run: [pbwbvgeu] C:\Users\nathan\AppData\Local\jjqjfmyar\erpryaetssd.exe File not found
O4 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2411549907-539274945-2019882099-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-ca.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll File not found
O24 - Desktop WallPaper: C:\Users\nathan\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\nathan\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/27 20:36:53 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2006/09/19 08:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/11/03 07:00:00 | 000,000,043 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2009/01/29 11:05:06 | 000,000,000 | ---D | M] - E:\autorun -- [ FAT32 ]
O32 - AutoRun File - [2008/02/25 10:30:42 | 000,000,054 | RHS- | M] () - E:\autorun.in_2.org -- [ FAT32 ]
O32 - AutoRun File - [2010/07/09 11:36:34 | 000,000,055 | RHS- | M] () - E:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{34abf2d1-d7d2-11df-bf0e-0019b974b324}\Shell\AutoRun\command - "" = E:\WDSetup.exe -- [2008/11/25 11:03:44 | 002,325,721 | ---- | M] (Western Digital Corporation )
O33 - MountPoints2\{3c9b4941-9be4-11de-8b08-0019b974b324}\Shell\AutoRun\command - "" = OokMAG\OokMAG.exe
O33 - MountPoints2\{3e714c3f-7b61-11de-8a65-0019b974b324}\Shell\AutoRun\command - "" = x3xh.exe
O33 - MountPoints2\{3e714c3f-7b61-11de-8a65-0019b974b324}\Shell\open\Command - "" = x3xh.exe
O33 - MountPoints2\{8506417d-b833-11de-9c15-0019b974b324}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{a2c6bd64-966e-11de-8683-0019b974b324}\Shell\AutoRun\command - "" = F:\driver\S-1-4-89-654352344-54323413-6452342-4545\service.exe -- File not found
O33 - MountPoints2\{a2c6bd64-966e-11de-8683-0019b974b324}\Shell\open\command - "" = F:\driver\S-1-4-89-654352344-54323413-6452342-4545\service.exe -- File not found
O33 - MountPoints2\E\Shell\AutoRun\command - "" = x3xh.exe
O33 - MountPoints2\E\Shell\open\Command - "" = x3xh.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/01 07:58:43 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\nathan\Desktop\OTL.exe
[2010/10/31 09:24:36 | 000,000,000 | ---D | C] -- C:\Users\nathan\Desktop\Anti Virus
[2010/10/22 08:08:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/10/22 07:35:01 | 000,000,000 | ---D | C] -- C:\Users\nathan\AppData\Local\Windows Live
[2010/10/16 16:13:23 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2010/10/07 20:15:03 | 000,000,000 | ---D | C] -- C:\Users\nathan\Desktop\111_1007
[2010/10/05 16:28:05 | 000,000,000 | ---D | C] -- C:\Users\nathan\Desktop\Sales for Greg
[2010/10/03 12:50:44 | 000,000,000 | ---D | C] -- C:\Program Files\IP Australia
[2009/09/05 11:04:12 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\nathan\AppData\Roaming\pcouffin.sys
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Users\nathan\Documents\*.tmp files -> C:\Users\nathan\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/01 07:54:24 | 000,001,735 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Total Protection.lnk
[2010/11/01 07:54:12 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/01 07:54:12 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/01 07:53:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/11/01 07:53:46 | 1072,107,520 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/01 07:53:41 | 163,003,304 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/11/01 07:23:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\nathan\Desktop\OTL.exe
[2010/11/01 07:22:44 | 000,088,111 | ---- | M] () -- C:\Users\nathan\Desktop\RKUnhookerLE.EXE
[2010/10/31 09:26:36 | 000,000,020 | ---- | M] () -- C:\Users\nathan\defogger_reenable
[2010/10/31 09:15:30 | 000,545,280 | ---- | M] () -- C:\Users\nathan\Desktop\dds.scr
[2010/10/30 19:12:59 | 000,642,924 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/10/30 19:12:59 | 000,123,690 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/10/23 15:56:08 | 000,000,242 | ---- | M] () -- C:\Windows\tasks\Epson Printer Software Downloader.job
[2010/10/23 08:23:29 | 002,391,400 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/10/20 12:10:46 | 000,024,576 | ---- | M] () -- C:\Users\nathan\Documents\Rack Equipment.doc
[2010/10/20 11:22:58 | 000,002,609 | ---- | M] () -- C:\Users\nathan\Desktop\Microsoft Office Word 2003.lnk
[2010/10/19 16:00:08 | 000,294,912 | ---- | M] () -- C:\Users\nathan\Desktop\gmer.exe
[2010/10/16 16:10:40 | 000,036,352 | ---- | M] () -- C:\Users\nathan\Documents\inventory ovt 9 10.xlsx
[2010/10/15 19:43:53 | 000,026,624 | ---- | M] () -- C:\Users\nathan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfehidk.sys
[2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfefirek.sys
[2010/10/13 22:28:54 | 000,164,840 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfewfpk.sys
[2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeapfk.sys
[2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdet.sys
[2010/10/13 22:28:54 | 000,064,304 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfenlfk.sys
[2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\cfwids.sys
[2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2010/10/13 22:28:54 | 000,009,344 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeclnk.sys
[2010/10/09 19:18:29 | 000,094,208 | ---- | M] () -- C:\Users\nathan\Documents\NGM Exotics Sales.doc
[2010/10/09 18:59:18 | 000,030,720 | ---- | M] () -- C:\Users\nathan\Documents\NGM Costs.xls
[2010/10/08 07:45:23 | 000,026,624 | ---- | M] () -- C:\Users\nathan\Documents\GP Letter.doc
[2010/10/06 07:04:46 | 000,000,371 | ---- | M] () -- C:\Users\nathan\Documents\Pictures - Shortcut.lnk
[2010/10/04 20:34:45 | 000,032,256 | ---- | M] () -- C:\Users\nathan\Documents\Speed Limits.doc
[2010/10/04 09:22:46 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Users\nathan\Documents\*.tmp files -> C:\Users\nathan\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/01 07:58:43 | 000,088,111 | ---- | C] () -- C:\Users\nathan\Desktop\RKUnhookerLE.EXE
[2010/10/31 10:06:55 | 1072,107,520 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/31 09:43:09 | 000,294,912 | ---- | C] () -- C:\Users\nathan\Desktop\gmer.exe
[2010/10/31 09:26:10 | 000,000,020 | ---- | C] () -- C:\Users\nathan\defogger_reenable
[2010/10/31 09:24:52 | 000,545,280 | ---- | C] () -- C:\Users\nathan\Desktop\dds.scr
[2010/10/20 11:42:23 | 000,024,576 | ---- | C] () -- C:\Users\nathan\Documents\Rack Equipment.doc
[2010/10/16 16:10:37 | 000,036,352 | ---- | C] () -- C:\Users\nathan\Documents\inventory ovt 9 10.xlsx
[2010/10/08 15:19:20 | 000,030,720 | ---- | C] () -- C:\Users\nathan\Documents\NGM Costs.xls
[2010/10/07 20:46:23 | 000,026,624 | ---- | C] () -- C:\Users\nathan\Documents\GP Letter.doc
[2010/10/06 07:04:46 | 000,000,371 | ---- | C] () -- C:\Users\nathan\Documents\Pictures - Shortcut.lnk
[2010/02/28 13:54:37 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/12/31 16:04:20 | 000,815,104 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/12/31 16:04:20 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/11/23 22:13:48 | 000,004,096 | -H-- | C] () -- C:\Users\nathan\AppData\Local\keyfile3.drm
[2009/10/21 07:46:02 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/14 19:27:41 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/09/05 19:03:40 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009/09/05 11:05:50 | 000,000,033 | ---- | C] () -- C:\Users\nathan\AppData\Roaming\pcouffin.log
[2009/09/05 11:04:12 | 000,087,608 | ---- | C] () -- C:\Users\nathan\AppData\Roaming\inst.exe
[2009/09/05 11:04:12 | 000,007,887 | ---- | C] () -- C:\Users\nathan\AppData\Roaming\pcouffin.cat
[2009/09/05 11:04:12 | 000,001,144 | ---- | C] () -- C:\Users\nathan\AppData\Roaming\pcouffin.inf
[2009/09/05 10:33:07 | 000,323,584 | ---- | C] () -- C:\Windows\System32\FoxImager.dll
[2009/08/09 21:59:57 | 000,000,680 | ---- | C] () -- C:\Users\nathan\AppData\Local\d3d9caps.dat
[2009/08/09 21:34:03 | 000,019,934 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/08/09 00:33:07 | 000,000,094 | ---- | C] () -- C:\Users\nathan\AppData\Local\fusioncache.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/29 14:08:00 | 000,065,536 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2009/07/28 22:22:12 | 000,026,624 | ---- | C] () -- C:\Users\nathan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/10 14:50:24 | 000,015,498 | ---- | C] () -- C:\Windows\VX1000.ini
[2006/11/02 23:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 21:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 18:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005/05/06 20:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[2002/10/28 17:31:42 | 000,033,280 | ---- | C] () -- C:\Windows\System32\cursor.dll
[2001/05/07 15:57:20 | 000,137,728 | ---- | C] () -- C:\Windows\System32\ssleay32.dll
[2001/05/07 15:56:30 | 000,660,480 | ---- | C] () -- C:\Windows\System32\libeay32.dll

========== LOP Check ==========

[2009/12/08 20:05:00 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Autodesk
[2010/04/24 23:04:02 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\BitTorrent
[2010/02/17 06:20:42 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/03/01 06:38:50 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Epson
[2010/10/25 19:50:01 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Fiun
[2009/07/28 20:17:20 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\GetRightToGo
[2009/12/30 16:57:36 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\HDRsoft
[2009/10/17 10:28:49 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Image Zone Express
[2010/10/12 15:51:47 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\LimeWire
[2010/06/19 17:45:23 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Medical Imaging
[2009/08/09 22:03:34 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Printer Info Cache
[2009/10/15 21:06:47 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\TomTom
[2009/09/12 08:52:34 | 000,000,000 | ---D | M] -- C:\Users\nathan\AppData\Roaming\Vso
[2010/10/23 15:56:08 | 000,000,242 | ---- | M] () -- C:\Windows\Tasks\Epson Printer Software Downloader.job
[2010/10/31 10:20:31 | 000,032,540 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> C:\Windows:51C05002A159D4F7

< End of report >


Extra.txt

OTL Extras logfile created on: 1/11/2010 8:00:53 AM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Users\nathan\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,022.00 Mb Total Physical Memory | 465.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 167.87 Gb Free Space | 56.32% Space Free | Partition Type: NTFS
Drive D: | 2.84 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.64 Gb Total Space | 313.85 Gb Free Space | 67.40% Space Free | Partition Type: FAT32

Computer Name: MYHILL | User Name: nathan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{53DD6BFB-425F-436B-918B-7A99119F66A8}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A904529D-4D10-4593-B928-78450A9AE6F1}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |
"{B220B27F-437F-465F-947B-BB9D062C0EDD}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{DD25567A-F0E8-4D3F-BB2C-7D1F494BC2A8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{ED172314-0860-4C6E-811E-D2FC4F23A41D}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01855C68-8220-4CEA-B856-625EC50CB5C0}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"{07490FFB-E372-474C-88A0-03461BA23025}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung pc share manager\http_ss_win_pro.exe |
"{158E1D6D-DB4F-4A69-85C9-C4A01CED2B32}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung pc share manager\wiselinkpro.exe |
"{2BA0A739-5D99-4BD3-A122-66AFFEAEDFFE}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifetray.exe |
"{38DB89E6-CCBB-412D-9776-29FEE0DD3867}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung pc share manager\http_ss_win_pro.exe |
"{404B2696-26EB-4E8F-80EF-29A70FE03428}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{572F43D1-B264-4E63-B9E8-3F908F6E70DD}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung pc share manager\wiselinkpro.exe |
"{6D8CD960-0A39-46C2-A712-3FE311DC1D89}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{7CAD1916-6AD6-4EDA-8D67-F3CC935492D0}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{854F5B69-532F-4E45-9FCA-C8C4FF670F5B}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifeenc2.exe |
"{8595F619-A803-4D90-9722-3B49814A6141}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8C35CF3A-2A3C-4A6E-9FC8-E169F116B4C8}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{8F9E6C4F-9D64-45AD-8916-C694B4BC4655}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{962C6711-5095-4733-998F-EF3F01564662}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifeenc2.exe |
"{ADC700A1-3D12-4BC3-B899-9DFB05804110}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{B7D8433B-BEFB-417C-A946-806AD372F3A6}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{C37D12FD-E5F8-45B1-815B-BC740F9C99BE}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{CE335458-FB24-4D95-85C7-F6C01FEFB48A}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{D0E1D53C-41A7-45B7-B1EE-3F3B5A9EE92D}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"{DEE095CF-C4D3-473A-9E60-19AE1FB2F935}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{F695E6A3-44C8-427E-84EB-513DB63CE4BB}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{FC07D822-AD03-4A8E-9BC4-14277ADA9997}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{FEDEA801-EF21-4228-B3B7-589201BC22AC}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifetray.exe |
"TCP Query User{D08E3D22-B0CE-4611-B8A1-35115D0DC395}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=6 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |
"UDP Query User{A9BC7C48-E270-4508-BF61-EEBC3A739341}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=17 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{111EBC34-C377-4d78-AD0A-FB04B62E89D3}" = QuickBooks Enterprise Solutions: Retail Edition 8.0
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14AFE241-FC6E-4FDB-BCA0-7AD6F4974171}" = Adobe Setup
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{23DD8A17-65DB-4D49-A2E0-164C6F460E3F}" = Adobe Photoshop Lightroom 3
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{2764CA82-DFB9-4498-AF85-719340BF5305}" = Dell Resource CD
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{2A2E822B-3B0E-46C1-9E3B-ACD7D1E95139}" = SAMSUNG PC Share Manager
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}" = Microsoft SQL Server Native Client
"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{5783F2D7-8001-0409-0002-0060B0CE6BBA}" = AutoCAD 2010 - English
"{5783F2D7-8001-0409-1002-0060B0CE6BBA}" = AutoCAD 2010 Language Pack - English
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}" = Microsoft LifeCam
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72B688ED-88AC-43D5-8A7A-A88D67CBA762}" = Catella4
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B08D306-7266-4647-A926-2F78817ED1E0}" = Microsoft Corporation
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C515D87-2DCD-422B-B993-3FE8A71B3DDB}" = Noiseware Professional Plug-in
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}" = Epson Easy Photo Print 2
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{929C8800-72DF-44B4-B091-1906BC319C86}" = QuickBooks
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B6A98E5F-D6A7-46FB-9E9D-1F7BF4434001}" = Epson Printer Software Downloader
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}" = Microsoft SQL Server VSS Writer
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FBE569CA-BFEB-4E57-A674-F94D938E1AEF}" = e-tax 2010
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FFFAE01B-466F-4C07-9821-A94FD753BDDA}" = EpsonNet Setup
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_acce07fd2c8fe7f9e3f26243e626578" = Adobe Dreamweaver CS4
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"AutoCAD 2010 - English" = AutoCAD 2010 - English
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"BitTorrent" = BitTorrent
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Epson Printer Software Downloader" = Epson Printer Software Downloader
"EPSON Scanner" = EPSON Scan
"Epson Stylus SX510W_TX550W User’s Guide" = Epson Stylus SX510W_TX550W Manual
"EPSON TX550W Series" = EPSON TX550W Series Printer Uninstall
"GoToAssist" = GoToAssist 8.0.0.514
"ImagenomicNoisewareProPlugin" = Imagenomic Noiseware 4.2 Professional Plug-in (build 4205)
"InstallShield_{2A2E822B-3B0E-46C1-9E3B-ACD7D1E95139}" = SAMSUNG PC Share Manager
"IP Confidentiality Agreement Generator" = IP Confidentiality Agreement Generator
"LimeWire" = LimeWire 5.2.13
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MSC" = McAfee Total Protection
"PhotomatixPro3Betax32_is1" = Photomatix Pro version 3.2.4
"TomTom HOME" = TomTom HOME 2.7.6.2056
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2411549907-539274945-2019882099-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/05/2010 7:19:17 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 984506

Error - 12/05/2010 7:19:17 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 984506

Error - 12/05/2010 7:19:18 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/05/2010 7:19:18 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 985505

Error - 12/05/2010 7:19:18 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 985505

Error - 12/05/2010 7:19:19 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/05/2010 7:19:19 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 986503

Error - 12/05/2010 7:19:19 AM | Computer Name = Myhill | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 986503

Error - 12/05/2010 8:40:50 AM | Computer Name = Myhill | Source = EventSystem | ID = 4621
Description =

Error - 12/05/2010 4:10:04 PM | Computer Name = Myhill | Source = VSS | ID = 8194
Description =

[ Broadcom Wireless LAN Events ]
Error - 10/09/2010 5:07:10 PM | Computer Name = Myhill | Source = WLAN-Tray | ID = 0
Description = 07:07:10, Sat, Sep 11, 10 Error - Unable to gain access to user store


Error - 13/09/2010 4:42:48 PM | Computer Name = Myhill | Source = WLAN-Tray | ID = 0
Description = 06:42:48, Tue, Sep 14, 10 Error - Unable to decrypt string

Error - 23/09/2010 4:41:00 PM | Computer Name = Myhill | Source = WLAN-Tray | ID = 0
Description = 06:41:00, Fri, Sep 24, 10 Error - Unable to decrypt string

[ System Events ]
Error - 30/10/2010 6:30:11 PM | Computer Name = Myhill | Source = Service Control Manager | ID = 7026
Description =

Error - 30/10/2010 6:49:45 PM | Computer Name = Myhill | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:44:57 AM on 31/10/2010 was unexpected.

Error - 30/10/2010 6:51:22 PM | Computer Name = Myhill | Source = Service Control Manager | ID = 7026
Description =

Error - 30/10/2010 7:00:06 PM | Computer Name = Myhill | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:58:33 AM on 31/10/2010 was unexpected.

Error - 30/10/2010 7:07:01 PM | Computer Name = Myhill | Source = EventLog | ID = 6008
Description = The previous system shutdown at 10:01:36 AM on 31/10/2010 was unexpected.

Error - 30/10/2010 7:07:42 PM | Computer Name = Myhill | Source = netbt | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the interface
with IP address 10.1.1.5. The computer with the IP address 10.1.1.4 did not allow
the name to be claimed by this computer.

Error - 30/10/2010 7:08:08 PM | Computer Name = Myhill | Source = Service Control Manager | ID = 7026
Description =

Error - 31/10/2010 4:46:57 PM | Computer Name = Myhill | Source = EventLog | ID = 6008
Description = The previous system shutdown at 10:27:50 AM on 31/10/2010 was unexpected.

Error - 31/10/2010 4:53:53 PM | Computer Name = Myhill | Source = EventLog | ID = 6008
Description = The previous system shutdown at 7:46:57 AM on 1/11/2010 was unexpected.

Error - 31/10/2010 4:55:27 PM | Computer Name = Myhill | Source = Service Control Manager | ID = 7026
Description =


< End of report >

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 01 November 2010 - 02:20 AM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 nate m

nate m
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 01 November 2010 - 04:28 AM

Thanks again for your input Elise. Here is the Combofix log:

ComboFix 10-10-31.03 - nathan 01/11/2010 19:59:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.1022.468 [GMT 11:00]
Running from: c:\users\nathan\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\nathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\udRemove.exe
c:\users\nathan\AppData\Roaming\inst.exe
c:\users\nathan\GoToAssistDownloadHelper.exe
E:\autorun.inf

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.

2010-11-01 09:14 . 2010-11-01 09:15 -------- d-----w- c:\users\nathan\AppData\Local\temp
2010-11-01 09:14 . 2010-11-01 09:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-21 21:08 . 2010-10-31 03:05 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-21 20:42 . 2010-10-21 20:42 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\78dde2961cb71602d\InstallManager_WLE_WLE.exe
2010-10-21 20:40 . 2010-10-21 20:40 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\3c3ddd961cb716021\MeshBetaRemover.exe
2010-10-21 20:39 . 2010-10-21 20:39 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\77942761cb71601a\DSETUP.dll
2010-10-21 20:39 . 2010-10-21 20:39 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\77942761cb71601a\DXSETUP.exe
2010-10-21 20:39 . 2010-10-21 20:39 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\77942761cb71601a\dsetup32.dll
2010-10-21 20:39 . 2010-10-21 20:39 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\5be82b61cb716019\DSETUP.dll
2010-10-21 20:39 . 2010-10-21 20:39 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\5be82b61cb716019\DXSETUP.exe
2010-10-21 20:39 . 2010-10-21 20:39 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\5be82b61cb716019\dsetup32.dll
2010-10-21 20:36 . 2010-10-21 20:36 6260088 ----a-w- c:\program files\Common Files\Windows Live\.cache\af6662761cb715f0d\Silverlight.4.0.exe
2010-10-21 20:35 . 2010-10-31 20:58 -------- d-----w- c:\users\nathan\AppData\Local\Windows Live
2010-10-21 20:32 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-16 05:13 . 2010-10-16 05:13 -------- d-----w- c:\program files\MSECache
2010-10-12 21:47 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-12 21:47 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-12 21:45 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-12 21:45 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-12 21:45 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-12 21:45 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-12 21:45 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-12 21:43 . 2010-08-26 16:37 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-12 21:43 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-12 21:43 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2010-10-12 21:43 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-12 21:43 . 2010-08-31 15:46 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-10-12 21:43 . 2010-08-31 15:46 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-10-12 21:42 . 2010-09-08 05:57 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-10-12 21:42 . 2010-09-08 05:04 385024 ----a-w- c:\windows\system32\html.iec
2010-10-12 21:40 . 2010-08-31 13:27 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-10-12 21:40 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-10-12 21:37 . 2010-08-20 16:05 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-10-12 21:37 . 2010-08-31 15:44 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-10-03 01:50 . 2010-10-03 01:50 -------- d-----w- c:\program files\IP Australia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-13 11:28 . 2010-04-20 05:15 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 11:28 . 2010-04-20 05:14 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 11:28 . 2010-04-20 05:14 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 11:28 . 2010-04-20 05:14 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 11:28 . 2010-04-20 05:14 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 11:28 . 2010-04-20 05:14 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 11:28 . 2010-04-20 05:14 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 11:28 . 2010-04-20 05:14 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 11:28 . 2010-01-05 08:04 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 11:28 . 2010-01-05 08:04 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-09-22 13:47 . 2010-09-22 13:47 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-08-17 14:11 . 2010-09-15 11:43 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-09 19:15 . 2010-08-09 19:15 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-09 19:15 . 2010-08-09 19:15 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-05 11:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-05 11:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-05 11:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-22 4240760]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-22 303104]
"VX1000"="c:\windows\vVX1000.exe" [2010-05-20 762736]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-11 669520]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-03-31 611712]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-09 421888]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-7 967960]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2009-7-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-27 685816]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-02-05 54776]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-02-05 229688]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23 04:03]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.tinit.org/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-adaushtv - c:\users\nathan\AppData\Local\aioustyvl\eofixtutssd.exe
HKCU-Run-pbwbvgeu - c:\users\nathan\AppData\Local\jjqjfmyar\erpryaetssd.exe
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 20:15
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\nathan\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-11-01 20:20:00
ComboFix-quarantined-files.txt 2010-11-01 09:19

Pre-Run: 189,271,310,336 bytes free
Post-Run: 194,931,130,368 bytes free

- - End Of File - - 16E6F797273B0884A0251368328E641D

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 01 November 2010 - 04:41 AM

Unfortunately you had a nasty rootkit on board.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please run Rootkit Unhooker and post me the new log. Sometimes this infection is not successfully cleaned.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 nate m

nate m
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 01 November 2010 - 06:19 AM

Jeez... Ok well I have never experienced anything like this before. Is it safe to copy my documents, pictures, etc to an external hard drive or are these compromised as well? I do not have any passwords saved on my computer. Is there still a possibility that they may be compromised? Do you know how long I have had the virus and is there a way I can check to see if my other computer is secure? I would prefer to reinstall the OS. If I do this will it definitely remove the trojan?

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 01 November 2010 - 06:27 AM

The infection is removed, however the backdoor, a security vulnerability, remains. Only a reinstall can make sure the vulnerability is gone.

You can backup data as you suggested without problems, please let me know if you need any more help with this.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 nate m

nate m
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 01 November 2010 - 06:42 AM

I would like to confirm that my alternate computer on Windows 7 platform is safe as well. Should I do a combofix scan again and post the log?

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 01 November 2010 - 06:43 AM

Better run Rootkit Unhooker there and post the log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 nate m

nate m
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 01 November 2010 - 08:11 AM

When I open Rootkit Unhooker on Win 7 (much like Vista) I get an error message stating that it is not a valid win32 application and I cannot open the file.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 01 November 2010 - 08:49 AM

Do you happen to have a 64 bit version of Windows 7?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:03 AM

Posted 06 November 2010 - 05:47 AM

Hi, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users