
Infected with a Rootkit (Redirects - Shutdowns - Blocked Programs)


  • This topic is locked
23 replies to this topic

#1 LadyNakedneSS

  • Members
  • 23 posts
  • Gender:Male
  • Location:CT

Posted 05 November 2010 - 06:43 AM

I have been fighting a nasty virus on this custom built computer for months now. I'm pretty sure at this point that it's one or more Rootkit infections. I have run many programs, and found many infections, but they just keep coming back immediately. The computer will be fine for a part of the day, and then the browsers (both IE and Firefox) won't open, or they open and constantly redirect. Every couple of minutes a new mshta.exe process starts. At times, there will be 50 or more mshta.exe processes running in the task manager. There are also multiple (usually almost 10) svchost.exe processes running. In addition, I'm not sure if it's related, but the DVD drive only works sporadically, even after replacing it. Finally, although I have no idea what it means, I did notice a file named VolSnap.sys in an RKU scan that carried a WARNING. I have the scan if you would like to see it.

I run MBAM and SAS on the system daily, and they almost always find more infections every time they scan, including trojans. The names of the files are different every time, so I cannot pin down exactly what the infection is, but I have definitely removed TDSS files more than once. I also use RKill constantly. This is my employee's computer, so it is imperative that I get it cleaned as soon as possible. I really appreciate your assistance with this.

Thanks so much,

~Lady

P.S. - The ark.txt file was too big to upload, so I had to zip it first.


Following is the DDS log:


DDS (Ver_10-11-03.01) - NTFSx86
Run by ct at 19:07:35.53 on Thu 11/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1889 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\ct\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [vlhwosyr] c:\documents and settings\networkservice\local settings\application data\viavwlwvt\nowhwkftssd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: ketsujin.com\fighterace
Trusted Zone: ketsujin.com\primary
Trusted Zone: ketsujin.com\update
Trusted Zone: ketsujin.com\www
Trusted Zone: stormofaces.com\www
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233425472496
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 212.117.178.25 www.google.com
Hosts: 212.117.163.43 search.yahoo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ct\applic~1\mozilla\firefox\profiles\svhouktl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
FF - plugin: c:\documents and settings\ct\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\ct\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\ct\application data\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {A6E10517-3359-4A36-9A57-E33EA08744C3} - c:\documents and settings\ct\local settings\application data\{A6E10517-3359-4A36-9A57-E33EA08744C3}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S0 fwstt;fwstt; [x]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-9-1 50704]
S3 SASENUM;SASENUM;\??\c:\docume~1\ct\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\ct\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-11-04 02:49:15 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-11-04 01:06:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-11-03 15:58:14 0 ----a-w- c:\windows\Ezizob.bin
2010-11-03 15:58:13 -------- d-----w- c:\docume~1\ct\locals~1\applic~1\{A6E10517-3359-4A36-9A57-E33EA08744C3}
2010-11-03 15:52:10 51712 ---ha-w- c:\windows\system32\rsmonce.dll
2010-11-03 15:01:30 -------- d-----w- c:\program files\common files\Software Update Utility
2010-11-03 15:00:28 -------- d-----w- c:\program files\AOL 9.5b
2010-10-23 00:04:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-16 20:26:41 -------- d-----w- c:\docume~1\ct\locals~1\applic~1\Roblox
2010-10-16 20:26:27 -------- d-----w- c:\docume~1\ct\locals~1\applic~1\RobloxVersions
2010-10-16 20:26:27 -------- d-----w- c:\docume~1\ct\locals~1\applic~1\RobloxDownloads
2010-10-16 18:36:14 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\DSS
2010-10-16 02:30:52 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2010-10-16 01:59:13 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-10-16 01:59:13 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-10-16 01:59:13 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-10-16 01:59:12 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-10-15 00:34:49 -------- d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-11-03 02:28:56 218496 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-03 02:28:56 218496 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-16 02:31:22 138056 ----a-w- c:\docume~1\ct\applic~1\PnkBstrK.sys
2010-10-16 02:30:53 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-10-04 23:37:45 67072 --sha-r- c:\windows\system32\hpboidpsb.dll
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 22:12:03 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-09-01 22:12:03 100880 ----a-w- c:\windows\system32\Packet.dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 19:15:37.50 ===============

Attached Files
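As an added example (my own code, not part of the thread and not from the DDS or OTL tools), here is a small Python checker that flags the kinds of entries that stand out in the DDS log above and in the OTL log posted later in this thread: hosts-file entries for well-known sites that point somewhere other than loopback, a browser proxy aimed at a local port, a Run entry launched from a user profile directory, an AppCertDlls entry, a Firefox keyword.URL preference with a second pref injected into its value, and a script host (mshta.exe) running many times. The sample lines are copied from the logs in this thread; the regexes, the instance threshold and the svchost.exe allow-list are assumptions of this example.

```python
"""Flag hijack indicators in DDS / OTL style log text.

Added example for this thread (not code from the thread, from DDS or from OTL).
The sample lines are copied from the logs posted in the thread; the regexes,
the threshold and the allow-list are assumptions of this example.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines taken from the DDS and OTL logs in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [vlhwosyr] c:\documents and settings\networkservice\local settings\application data\viavwlwvt\nowhwkftssd.exe
Hosts: 212.117.178.25 www.google.com
Hosts: 212.117.163.43 search.yahoo.com
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false
O1 - Hosts: 127.0.0.1 localhost
O36 - AppCertDlls: blastify - (C:\WINDOWS\system32\rsmonce.dll) - C:\WINDOWS\system32\rsmonce.dll ()
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Processes that legitimately run many times (assumed allow-list); everything else is counted.
MANY_INSTANCES_OK = {"svchost.exe"}
# Per-user, writable locations that a Run entry should not normally launch from.
PROFILE_DIRS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")

# One pattern per entry type, each covering both the DDS form and the OTL ("O1 - ...") form.
PROC_RE = re.compile(r"^(?:[A-Za-z]:\\.*\\)?([^\\\s\[\]]+\.exe)$", re.I)
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)", re.I)
PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(\S+)', re.I)
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]+)\]\s+(.+)$", re.I)
APPCERT_RE = re.compile(r"^O36 - AppCertDlls:\s+(\S+)\s+-\s+\((.*?)\)", re.I)
KEYWORD_RE = re.compile(r'keyword\.URL\b[:\s-]*"?(\S+)', re.I)


def process_counts(log_text):
    """Count process image names in 'Running Processes' style lines (path optional, no arguments)."""
    counts = Counter()
    for raw in log_text.splitlines():
        m = PROC_RE.match(raw.strip())
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def find_indicators(log_text, proc_threshold=3):
    """Return (severity, description) findings for the indicator types seen in this thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or PROC_RE.match(line):
            continue  # blank, or a process line that process_counts() handles
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            # A hosts entry sending a well-known name anywhere but loopback is a redirect.
            if name.lower() != "localhost" and ip not in LOOPBACK:
                findings.append(("high", f"hosts file maps {name} to {ip}"))
            continue
        m = PROXY_RE.search(line)
        if m:
            target = m.group(1)
            # A proxy on a local port means something on the box sits in the browser's path.
            if "127.0.0.1" in target or "localhost" in target.lower():
                findings.append(("high", f"browser proxy set to local port {target}"))
            continue
        m = RUN_RE.match(line)
        if m:
            scope, name, cmd = m.groups()
            if any(d in cmd.lower() for d in PROFILE_DIRS):
                findings.append(("high", f"{scope}Run [{name}] launches from a profile directory: {cmd}"))
            continue
        m = APPCERT_RE.match(line)
        if m:
            # AppCertDlls are loaded into newly created processes; rarely legitimate on a workstation.
            findings.append(("high", f"AppCertDlls entry '{m.group(1)}' loads {m.group(2)}"))
            continue
        m = KEYWORD_RE.search(line)
        if m:
            url = m.group(1)
            # A close-paren plus a second user_pref inside the value shows a pref line was injected.
            sev = "high" if ");user_pref(" in url else "medium"
            findings.append((sev, f"Firefox keyword.URL points to {url}"))
    for name, n in process_counts(log_text).items():
        if n >= proc_threshold and name not in MANY_INSTANCES_OK:
            findings.append(("high", f"{n} instances of {name} running"))
    return findings


if __name__ == "__main__":
    for severity, text in find_indicators(SAMPLE_LOG):
        print(f"[{severity}] {text}")
```

Run it on a saved DDS or OTL log by reading the file and passing its text to find_indicators(); the process threshold of 3 and the svchost.exe allow-list are deliberately simple, so treat the output as a list of lines to look at, not a verdict.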





#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 13 November 2010 - 08:58 AM

Hello LadyNakedneSS

Welcome to BleepingComputer :)
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 LadyNakedneSS

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:CT

Posted 13 November 2010 - 03:57 PM

Thank you so much for responding kahdah. I appreciate your help. Sorry it took so long, but the GMER scan took almost 5 hours...lol

Following is the information you requested:

OTL logfile created on: 11/13/2010 10:45:21 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\ct\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 249.81 Gb Free Space | 53.64% Space Free | Partition Type: NTFS
Drive D: | 7.39 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 1.86 Gb Total Space | 1.23 Gb Free Space | 65.86% Space Free | Partition Type: FAT
Drive F: | 931.28 Gb Total Space | 484.98 Gb Free Space | 52.08% Space Free | Partition Type: FAT32

Computer Name: CRAIG | User Name: ct | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/13 10:38:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ct\Desktop\OTL.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/11/13 10:38:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ct\Desktop\OTL.exe
MOD - [2010/11/03 10:52:10 | 000,051,712 | -H-- | M] () -- C:\WINDOWS\system32\rsmonce.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/01/14 16:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Disabled | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ct\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS -- (SASENUM)
DRV - [2010/09/01 17:12:03 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/03/27 23:03:00 | 006,280,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/07/24 05:02:44 | 004,749,824 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 23:11:02 | 000,052,352 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\volsnap.sys -- (VolSnap)
DRV - [2008/04/13 21:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/22 14:55:52 | 000,105,088 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AOL Search"
FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us"
FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..keyword.URL: "http://search.fast-find.net/?sid=10101063100&s="

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.fast-find.net/?sid=10101063100&s=");user_pref("network.protocol-handler.warn-external.dnupdate", false

FF - HKLM\software\mozilla\Firefox\extensions\\{A6E10517-3359-4A36-9A57-E33EA08744C3}: C:\Documents and Settings\ct\Local Settings\Application Data\{A6E10517-3359-4A36-9A57-E33EA08744C3} [2010/11/03 10:58:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/05 13:39:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/05 12:44:38 | 000,000,000 | ---D | M]

[2009/01/31 13:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\Mozilla\Extensions
[2010/11/12 16:28:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\Mozilla\Firefox\Profiles\svhouktl.default\extensions
[2010/06/24 21:51:39 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\ct\Application Data\Mozilla\Firefox\Profiles\svhouktl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/01 11:21:15 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\ct\Application Data\Mozilla\Firefox\Profiles\svhouktl.default\searchplugins\aol-search.xml
[2010/11/12 16:28:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/05 12:44:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/11/05 12:44:26 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/09/12 20:37:04 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2010/10/01 18:51:32 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,800 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 212.117.178.25 www.google.com
O1 - Hosts: 212.117.163.43 search.yahoo.com
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll File not found
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseDragDropBands = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools: = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\DisableRegistryTools\ShowInfoTip: = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: ketsujin.com ([fighterace] https in Trusted sites)
O15 - HKCU\..Trusted Domains: ketsujin.com ([primary] https in Trusted sites)
O15 - HKCU\..Trusted Domains: ketsujin.com ([update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: ketsujin.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: stormofaces.com ([www] https in Trusted sites)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233425472496 (WUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (EXPLORER.EXE) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\ct\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ct\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/27 18:10:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/09/23 14:32:44 | 000,000,133 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2010/01/19 23:14:00 | 000,000,030 | ---- | M] () - F:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: blastify - (C:\WINDOWS\system32\rsmonce.dll) - C:\WINDOWS\system32\rsmonce.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/13 10:40:59 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ct\Desktop\OTL.exe
[2010/11/12 21:49:08 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/11/09 10:23:57 | 002,106,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_43.dll
[2010/11/09 10:23:57 | 000,527,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_7.dll
[2010/11/09 10:23:57 | 000,239,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_7.dll
[2010/11/09 10:23:57 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_5.dll
[2010/11/09 10:23:56 | 001,998,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_43.dll
[2010/11/09 10:23:56 | 001,868,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_43.dll
[2010/11/09 10:23:56 | 000,470,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_43.dll
[2010/11/09 10:23:56 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_43.dll
[2010/11/05 12:45:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/11/05 12:45:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/11/05 12:44:38 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/05 12:44:38 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/05 12:44:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/05 12:44:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/05 12:44:38 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/11/03 20:06:04 | 000,000,000 | ---D | C] -- C:\Program Files\RegCure
[2010/11/03 20:06:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2010/11/03 19:17:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\Desktop\tdsskiller
[2010/11/03 10:58:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\Local Settings\Application Data\{A6E10517-3359-4A36-9A57-E33EA08744C3}
[2010/11/03 10:01:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2010/11/03 10:00:28 | 000,000,000 | ---D | C] -- C:\Program Files\AOL 9.5b
[2010/11/02 17:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\Desktop\halloween 2010
[2010/10/22 19:04:12 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/10/22 16:40:27 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\ct\Desktop\ATF-Cleaner.exe
[2010/10/22 08:49:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\My Documents\New Folder (2)
[2010/10/16 15:26:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\Local Settings\Application Data\Roblox
[2010/10/16 15:26:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\Local Settings\Application Data\RobloxVersions
[2010/10/16 15:26:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\Local Settings\Application Data\RobloxDownloads
[2010/10/16 13:36:14 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\DSS
[2010/10/16 10:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ct\My Documents\EA Games
[2010/10/15 20:59:13 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2010/10/15 20:59:13 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2010/10/15 20:59:13 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2010/10/15 20:59:12 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[2010/10/14 19:34:49 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\ct\Desktop\*.tmp files -> C:\Documents and Settings\ct\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/13 10:38:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ct\Desktop\OTL.exe
[2010/11/13 10:38:18 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\q3zo02ds.exe
[2010/11/13 10:38:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/11/13 10:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2010/11/13 09:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/11/13 09:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2010/11/13 08:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/13 08:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2010/11/13 07:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/13 07:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2010/11/13 06:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/13 06:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2010/11/13 05:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/11/13 05:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2010/11/13 04:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/11/13 04:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2010/11/13 03:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/11/13 03:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2010/11/13 02:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/11/13 02:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2010/11/13 01:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/11/13 01:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2010/11/13 00:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/11/13 00:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/11/13 00:09:50 | 000,218,496 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2010/11/13 00:00:04 | 000,139,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/11/12 23:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/12 23:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2010/11/12 23:33:41 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/12 23:33:16 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/12 23:33:09 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2010/11/12 23:05:16 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\ct\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/11/12 21:56:48 | 000,019,060 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/11/12 21:55:09 | 000,002,149 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\iTunes.lnk
[2010/11/12 21:46:24 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/12 21:46:21 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2010/11/12 21:46:14 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2010/11/12 21:46:12 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/11/12 21:46:08 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/12 21:46:04 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2010/11/12 21:00:50 | 000,033,176 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\15586_normal.jpg
[2010/11/12 20:14:59 | 000,455,743 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\Alien transformer.jpg
[2010/11/12 18:52:50 | 000,207,299 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/11/12 18:52:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/12 18:52:37 | 000,000,300 | -HS- | M] () -- C:\WINDOWS\tasks\SJDRISQBCJ.job
[2010/11/12 18:52:30 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2010/11/12 18:52:30 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2010/11/12 18:52:30 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/12 18:52:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/12 18:49:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/11/12 17:32:06 | 000,092,672 | ---- | M] () -- C:\Documents and Settings\ct\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/12 17:02:59 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/11/12 17:02:54 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2010/11/12 16:46:38 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\ct\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2010/11/12 16:05:48 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/12 15:48:11 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2010/11/12 15:01:59 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/12 14:43:49 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/12 14:43:44 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2010/11/12 14:43:41 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2010/11/12 12:58:08 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/12 12:50:34 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2010/11/12 12:24:23 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/12 11:47:24 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2010/11/12 11:11:13 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/09 23:11:07 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\blackops.doc
[2010/11/09 21:03:20 | 000,094,937 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\BattlefieldBadCompany2-Logo.jpg
[2010/11/08 10:54:42 | 000,441,454 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/08 10:54:42 | 000,071,264 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/05 19:49:59 | 000,000,068 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\YouTube - Cee Lo Green - bleep YOU (Official Video).URL
[2010/11/05 12:44:25 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/05 12:44:25 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/05 12:44:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/05 12:44:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/05 12:44:25 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/11/05 12:36:47 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/11/04 17:27:49 | 000,037,096 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\RKU Report
[2010/11/03 21:58:42 | 000,121,336 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/03 21:49:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/03 21:02:34 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\ct\defogger_reenable
[2010/11/03 19:26:07 | 000,000,120 | ---- | M] () -- C:\WINDOWS\BADIjehevinuyozew.dat
[2010/11/03 19:16:55 | 001,213,675 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\tdsskiller.zip
[2010/11/03 10:58:14 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ezizob.bin
[2010/11/03 10:52:10 | 000,051,712 | -H-- | M] () -- C:\WINDOWS\System32\rsmonce.dll
[2010/11/03 10:02:20 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\ct\Application Data\Microsoft\Internet Explorer\Quick Launch\AOL 9.5.lnk
[2010/11/03 10:02:20 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AOL 9.5.lnk
[2010/11/01 19:43:31 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/25 12:06:41 | 000,398,129 | ---- | M] () -- C:\Documents and Settings\ct\My Documents\Incerto Receipts.pdf
[2010/10/24 18:40:32 | 000,026,701 | ---- | M] () -- C:\Documents and Settings\ct\My Documents\edison.jpg
[2010/10/24 18:38:05 | 000,026,701 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\edison.jpg
[2010/10/23 22:03:46 | 001,629,057 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\fallout3_destroyed_city_bus.png
[2010/10/23 20:10:41 | 000,059,419 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\66991_634946794374_301582_36058221_7745359_n.jpg
[2010/10/23 19:46:56 | 053,021,976 | ---- | M] () -- C:\Documents and Settings\ct\Desktop\boys_goodbadugly.mov
[2010/10/22 16:40:27 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\ct\Desktop\ATF-Cleaner.exe
[2010/10/15 21:31:22 | 000,138,056 | ---- | M] () -- C:\Documents and Settings\ct\Application Data\PnkBstrK.sys
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\ct\Desktop\*.tmp files -> C:\Documents and Settings\ct\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/13 10:40:45 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\q3zo02ds.exe
[2010/11/12 22:09:39 | 000,002,155 | ---- | C] () -- C:\Documents and Settings\ct\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/11/12 21:00:50 | 000,033,176 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\15586_normal.jpg
[2010/11/12 20:14:59 | 000,455,743 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\Alien transformer.jpg
[2010/11/12 17:42:32 | 000,042,710 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\WFC-Uni.jpg
[2010/11/09 22:47:54 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\blackops.doc
[2010/11/09 21:03:19 | 000,094,937 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\BattlefieldBadCompany2-Logo.jpg
[2010/11/05 19:49:59 | 000,000,068 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\YouTube - Cee Lo Green - bleep YOU (Official Video).URL
[2010/11/05 12:36:47 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/11/04 17:27:30 | 000,037,096 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\RKU Report
[2010/11/03 21:02:34 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\ct\defogger_reenable
[2010/11/03 19:16:53 | 001,213,675 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\tdsskiller.zip
[2010/11/03 10:58:14 | 000,000,120 | ---- | C] () -- C:\WINDOWS\BADIjehevinuyozew.dat
[2010/11/03 10:58:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ezizob.bin
[2010/11/03 10:52:10 | 000,051,712 | -H-- | C] () -- C:\WINDOWS\System32\rsmonce.dll
[2010/11/01 19:43:31 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/25 12:04:27 | 000,398,129 | ---- | C] () -- C:\Documents and Settings\ct\My Documents\Incerto Receipts.pdf
[2010/10/24 18:40:32 | 000,026,701 | ---- | C] () -- C:\Documents and Settings\ct\My Documents\edison.jpg
[2010/10/24 18:38:05 | 000,026,701 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\edison.jpg
[2010/10/23 22:03:46 | 001,629,057 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\fallout3_destroyed_city_bus.png
[2010/10/23 20:10:41 | 000,059,419 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\66991_634946794374_301582_36058221_7745359_n.jpg
[2010/10/23 19:40:27 | 053,021,976 | ---- | C] () -- C:\Documents and Settings\ct\Desktop\boys_goodbadugly.mov
[2010/10/15 21:30:52 | 002,601,752 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_moh.exe
[2010/10/04 18:37:45 | 000,067,072 | RHS- | C] () -- C:\WINDOWS\System32\hpboidpsb.dll
[2010/07/09 14:04:40 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/04/02 20:23:34 | 000,001,282 | -HS- | C] () -- C:\Documents and Settings\ct\Local Settings\Application Data\Wv7V1mEL4UH
[2010/04/02 20:23:34 | 000,001,282 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Wv7V1mEL4UH
[2010/02/23 19:16:40 | 000,016,958 | -HS- | C] () -- C:\Documents and Settings\ct\Local Settings\Application Data\Xi7h20PI0
[2009/12/23 21:15:51 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/10/17 10:16:09 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/10/17 09:45:56 | 000,000,347 | ---- | C] () -- C:\WINDOWS\CoDUO.INI
[2009/10/17 09:13:06 | 000,000,745 | ---- | C] () -- C:\WINDOWS\CoD.INI
[2009/03/27 22:16:24 | 000,092,672 | ---- | C] () -- C:\Documents and Settings\ct\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/16 17:28:17 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\psfind.dll
[2009/03/07 17:39:54 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/03/05 16:49:16 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/03/05 12:27:26 | 000,020,886 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2009/03/04 19:34:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2009/03/04 19:26:25 | 000,016,459 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/02/08 12:15:40 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/01/31 11:50:15 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\ct\Local Settings\Application Data\fusioncache.dat
[2009/01/30 19:51:50 | 000,139,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/01/30 19:51:50 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\ct\Application Data\PnkBstrK.sys
[2009/01/27 12:45:40 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/10/07 08:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/07/25 23:48:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/07/25 23:48:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/07/25 23:48:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/07/25 23:48:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/07/25 23:48:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/06/05 08:58:26 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/04/13 23:11:02 | 000,052,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\volsnap.sys
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/04/07 20:33:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\com.comcast.access
[2010/10/16 13:36:14 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\DSS
[2009/12/23 21:25:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iPodtoComputer
[2009/09/12 20:37:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/11/03 20:31:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2009/03/12 20:38:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/10/04 22:24:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
[2009/03/05 10:59:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/10/01 19:06:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
[2010/09/25 17:19:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/10 21:40:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/08 20:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/04/07 20:30:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
[2009/03/05 12:28:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\deskPDF
[2010/07/11 20:53:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\ElevatedDiagnostics
[2010/02/26 21:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\Facebook
[2010/10/04 18:38:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\Genieo
[2010/02/10 20:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\SecondLife
[2009/02/03 13:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ct\Application Data\ViquaSoft
[2010/11/13 01:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/11/12 14:43:49 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/11/12 21:46:08 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/11/12 18:52:30 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/11/12 15:01:59 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/11/12 23:33:16 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/11/12 11:11:13 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/11/12 23:33:41 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/11/12 23:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/11/12 16:05:48 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/11/12 12:58:08 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/11/13 02:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/11/12 21:46:24 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/11/13 07:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/11/13 08:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/11/12 12:24:23 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/11/12 17:02:59 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/11/13 00:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2010/11/13 01:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2010/11/13 02:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2010/11/13 03:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2010/11/13 04:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2010/11/13 00:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/11/13 05:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2010/11/13 06:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2010/11/13 07:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2010/11/13 08:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2010/11/13 09:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2010/11/13 10:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2010/11/12 11:47:24 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2010/11/12 12:50:34 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2010/11/12 14:43:44 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2010/11/12 14:43:41 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2010/11/13 03:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/11/12 15:48:11 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2010/11/12 17:02:54 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2010/11/12 18:52:30 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2010/11/12 18:52:30 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2010/11/12 21:46:21 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2010/11/12 21:46:04 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2010/11/12 21:46:14 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2010/11/12 23:33:09 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2010/11/12 23:34:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2010/11/13 04:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/11/13 05:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/11/13 09:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/11/12 21:46:12 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/11/13 06:58:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010/11/12 18:52:37 | 000,000,300 | -HS- | M] () -- C:\WINDOWS\Tasks\SJDRISQBCJ.job
[2010/11/13 10:38:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A18D1A5B
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DF0BC727

< End of report >


OTL Extras logfile created on: 11/13/2010 10:45:21 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\ct\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 249.81 Gb Free Space | 53.64% Space Free | Partition Type: NTFS
Drive D: | 7.39 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 1.86 Gb Total Space | 1.23 Gb Free Space | 65.86% Space Free | Partition Type: FAT
Drive F: | 931.28 Gb Total Space | 484.98 Gb Free Space | 52.08% Space Free | Partition Type: FAT32

Computer Name: CRAIG | User Name: ct | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"56134:TCP" = 56134:TCP:*:Enabled:Pando Media Booster
"56134:UDP" = 56134:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"56134:TCP" = 56134:TCP:*:Enabled:Pando Media Booster
"56134:UDP" = 56134:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"C:\Program Files\THQ\Company of Heroes\RelicCOH.exe" = C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Disabled:RelicCOH -- (THQ Canada Inc.)
"C:\Program Files\THQ\Company of Heroes\BugReport\BugReport.exe" = C:\Program Files\THQ\Company of Heroes\BugReport\BugReport.exe:*:Disabled:BugReport -- ()
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()
"C:\Program Files\GameSpy\Comrade\Comrade.exe" = C:\Program Files\GameSpy\Comrade\Comrade.exe:*:Enabled:Comrade -- (IGN Entertainment Inc.)
"C:\Program Files\Electronic Arts\Crytek\Crysis Wars\Bin32\crysis.exe" = C:\Program Files\Electronic Arts\Crytek\Crysis Wars\Bin32\crysis.exe:*:Enabled:crysis -- File not found
"C:\Program Files\Common Files\aol\acs\AOLDial.exe" = C:\Program Files\Common Files\aol\acs\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer -- (AOL LLC)
"C:\Program Files\Common Files\aol\acs\AOLacsd.exe" = C:\Program Files\Common Files\aol\acs\AOLacsd.exe:*:Enabled:AOL Connectivity Service -- (AOL LLC)
"C:\Program Files\Common Files\aol\1236268728\ee\aolsoftware.exe" = C:\Program Files\Common Files\aol\1236268728\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (AOL Inc.)
"C:\Program Files\AOL 9.5\waol.exe" = C:\Program Files\AOL 9.5\waol.exe:*:Enabled:AOL -- (AOL, LLC.)
"C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed -- (AOL LLC)
"C:\Program Files\Common Files\aol\Loader\aolload.exe" = C:\Program Files\Common Files\aol\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\aol\System Information\sinf.exe" = C:\Program Files\Common Files\aol\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL LLC)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01 -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ -- ()
"C:\Program Files\Xfire\Xfire.exe" = C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Steam\steam.exe" = C:\Program Files\Steam\steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\CallWave\IAM.exe" = C:\Program Files\CallWave\IAM.exe:*:Enabled:CallWave -- (CallWave, Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Call of Duty\CoDUOMP.exe" = C:\Program Files\Call of Duty\CoDUOMP.exe:*:Enabled:CoDUOMP -- ()
"C:\Program Files\Call of Duty\CoDMP.exe" = C:\Program Files\Call of Duty\CoDMP.exe:*:Enabled:CoDMP -- ()
"C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe" = C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™ -- (Activision Blizzard, Inc.)
"C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe" = C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™ -- (Activision Blizzard, Inc.)
"C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe" = C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe:*:Enabled:Aliens vs Predator Demo -- (Sega Europe Limited)
"C:\Program Files\SecondLife\SLVoice.exe" = C:\Program Files\SecondLife\SLVoice.exe:*:Disabled:SLVoice -- ()
"C:\Program Files\Steam\steamapps\wfcxladynakedness\garrysmod\hl2.exe" = C:\Program Files\Steam\steamapps\wfcxladynakedness\garrysmod\hl2.exe:*:Enabled:Garry's Mod -- File not found
"C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe" = C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2 -- ()
"C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe" = C:\Program Files\Steam\steamapps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer -- ()
"C:\Program Files\Steam\steamapps\wfcxladynakedness\counter-strike source\hl2.exe" = C:\Program Files\Steam\steamapps\wfcxladynakedness\counter-strike source\hl2.exe:*:Enabled:Counter-Strike: Source -- File not found
"C:\Program Files\Steam\steamapps\common\all points bulletin\Launcher\APBLauncher.exe" = C:\Program Files\Steam\steamapps\common\all points bulletin\Launcher\APBLauncher.exe:*:Enabled:All Points Bulletin -- (Realtime Worlds, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Steam\steamapps\wfcxslickwilly\garrysmod\hl2.exe" = C:\Program Files\Steam\steamapps\wfcxslickwilly\garrysmod\hl2.exe:*:Enabled:Garry's Mod -- File not found
"C:\Program Files\AOL 9.5b\waol.exe" = C:\Program Files\AOL 9.5b\waol.exe:*:Enabled:AOL -- (AOL Inc.)
"C:\Program Files\Steam\steamapps\wfcxslickwilly\counter-strike source\hl2.exe" = C:\Program Files\Steam\steamapps\wfcxslickwilly\counter-strike source\hl2.exe:*:Enabled:Counter-Strike: Source -- ()
"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe" = C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- ()
"C:\Program Files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe" = C:\Program Files\Steam\steamapps\common\america's army 3\Binaries\AA3Game.exe:*:Enabled:America's Army 3 -- ()
"C:\Program Files\Steam\steamapps\common\call of duty black ops\BlackOpsMP.exe" = C:\Program Files\Steam\steamapps\common\call of duty black ops\BlackOpsMP.exe:*:Enabled:Call of Duty: Black Ops - Multiplayer -- ()
"C:\Program Files\Steam\steamapps\common\call of duty black ops\BlackOps.exe" = C:\Program Files\Steam\steamapps\common\call of duty black ops\BlackOps.exe:*:Enabled:Call of Duty: Black Ops -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02F6993D-B763-4F40-8F93-2A9CD97586E3}" = Microsoft IntelliType Pro 6.3
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}" = Call of Duty® 4 - Modern Warfare™ 1.3 Patch
"{064DC64E-7A2F-4FDF-B598-E3C0747BBB9C}" = Call of Duty® - World at War™ 1.6 Patch
"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg
"{0A55CDBB-0566-4AA2-A15B-24C7F27C6FF4}" = BPD_Scan
"{102CBC47-7FDE-4E6C-8A3A-67B79833FAC8}" = BPDSoftware_Ini
"{138BD312-3557-40F8-BC5E-6DFF00A6880D}" = BPDSoftware_Ini
"{149464D9-B06F-4505-9968-FD1206F67AD3}" = Call of Duty® - World at War™ 1.3 Patch
"{17E81C48-407E-499f-A105-1B49ACDB9BA4}" = ProductContext
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}" = Safari
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{25724802-CC14-4B90-9F3B-3D6955EE27B1}" = Company of Heroes
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{2BF0AE92-C3BC-4112-9066-1546342B1FAE}" = Call of Duty® - World at War™ 1.2 Patch
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{385B9EE4-D4AC-40f7-AE10-94973A58A57E}" = 8500A909_BasicWeb
"{3AC8457C-0385-4BEA-A959-E095F05D6D67}" = Battlefield: Bad Company™ 2
"{3BD633E0-4BF8-4499-9149-88F0767D449C}" = Call of Duty® 4 - Modern Warfare™ 1.4 Patch
"{40A24C8A-9C6D-4E8A-A41E-ADF995EFD848}" = 8500A909_Help_BasicWeb
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{415030B8-3E8B-462A-8C03-41D95AA3AB3B}" = Medal of Honor ™
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AE80E7B-6633-4046-9C15-D3B281C4F73D}" = BPDSoftware
"{4DBDBBE4-723A-4AA2-9A27-17F5DD716206}" = FRED.Net
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{57F60D52-630B-43C5-BD20-176F5CD4EED6}" = bpd_scan
"{5BFE01FF-189F-4b75-8FA8-9B7CD7F9C529}" = L7500
"{5D7767FA-7FE8-4627-9F09-AEF7A25F1E07}" = Call of Duty® 4 - Modern Warfare™ 1.1 Patch
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F4C776F-8CBD-4C4F-892F-B568ABDD70C8}" = GameSpy Comrade
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6DE9751D-3FFE-400E-8761-26A92DB734DE}" = BPD_HPSU
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7353BAE6-5E49-46C4-A9B5-8A269A313789}" = Crysis WARHEAD®
"{750C87B8-AF19-4C3C-B791-50D9C83AE572}" = Call of Duty® - World at War™ 1.7 Patch
"{7729A02E-D1AD-4830-8FC5-11853500D90D}" = HP Officejet Pro All-In-One Series
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{78B51FD5-DA3F-4B48-8F3F-4E4068F25D89}_is1" = Conquer Online 2.0
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8503C901-85D7-4262-88D2-8D8B2A7B08B8}" = Call of Duty® 4 - Modern Warfare™ 1.5 Patch
"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8C045626-4496-4238-B3B8-394CC6D46427}" = 7500_7600_7700_Help
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{9CCCFD9C-248F-47FE-9496-1680E3E5C163}" = Scan
"{9F01A67B-7D67-482F-9D4F-D5980A440FD4}" = Call of Duty® - World at War™ 1.4 Patch
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AFAE2B15-89A0-4215-A030-F7B5B478886B}" = Call of Duty® - World at War™ 1.1 Patch
"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar
"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3DC2DF5-EFAC-4055-9010-31F7C545DD9E}" = Call of Duty® - World at War™ 1.5 Patch
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = BPDfax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEA4C985-9C4E-440c-8C3A-9208E18CC4F9}" = HP Officejet Pro 8500 A909 Series
"{D48AD533-BAD5-469B-A9AA-272C6D80E70B}" = MPM
"{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{E5141379-B2D9-4BBC-BB2A-5805541571DD}" = Call of Duty® 4 - Modern Warfare™ 1.2 Patch
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F324D324-6531-33DC-F5BA-CD360B156275}" = Comcast Access
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Emergency Connect Utility 1.0" = Uninstall AOL Emergency Connect Utility 1.0
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"BFGC" = Big Fish Games Client
"BFG-Fish Tycoon" = Fish Tycoon
"Bryce 5" = Bryce® 5
"Call of Duty" = Call of Duty
"CallWave" = CallWave
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.comcast.access.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1" = Comcast Access
"Crysis WARHEAD®" = Crysis WARHEAD®
"Cucusoft iPhone/iTouch/iPod to Computer Transfer_is1" = iPhone/iTouch/iPod to Computer Transfer 5.8.2
"deskPDF 2.5 Professional_is1" = deskPDF 2.5 Professional Edition
"Disney Toontown Online" = Disney Toontown Online
"DivX Setup.divx.com" = DivX Setup
"EASEUS Data Recovery Wizard Professional 5.0.1_is1" = EASEUS Data Recovery Wizard Professional 5.0.1
"GPL Ghostscript_is1" = Docudesk GPL Ghostscript 8.15
"Gratuitous Space Battles_is1" = Gratuitous Space Battles (Collectors Edition)
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}" = Call of Duty® 4 - Modern Warfare™ 1.3 Patch
"InstallShield_{064DC64E-7A2F-4FDF-B598-E3C0747BBB9C}" = Call of Duty® - World at War™ 1.6 Patch
"InstallShield_{149464D9-B06F-4505-9968-FD1206F67AD3}" = Call of Duty® - World at War™ 1.3 Patch
"InstallShield_{2BF0AE92-C3BC-4112-9066-1546342B1FAE}" = Call of Duty® - World at War™ 1.2 Patch
"InstallShield_{3BD633E0-4BF8-4499-9149-88F0767D449C}" = Call of Duty® 4 - Modern Warfare™ 1.4 Patch
"InstallShield_{5D7767FA-7FE8-4627-9F09-AEF7A25F1E07}" = Call of Duty® 4 - Modern Warfare™ 1.1 Patch
"InstallShield_{750C87B8-AF19-4C3C-B791-50D9C83AE572}" = Call of Duty® - World at War™ 1.7 Patch
"InstallShield_{8503C901-85D7-4262-88D2-8D8B2A7B08B8}" = Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty® 4 - Modern Warfare™ 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty® 4 - Modern Warfare™ 1.7 Patch
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"InstallShield_{9F01A67B-7D67-482F-9D4F-D5980A440FD4}" = Call of Duty® - World at War™ 1.4 Patch
"InstallShield_{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"InstallShield_{AFAE2B15-89A0-4215-A030-F7B5B478886B}" = Call of Duty® - World at War™ 1.1 Patch
"InstallShield_{C3DC2DF5-EFAC-4055-9010-31F7C545DD9E}" = Call of Duty® - World at War™ 1.5 Patch
"InstallShield_{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"InstallShield_{E5141379-B2D9-4BBC-BB2A-5805541571DD}" = Call of Duty® 4 - Modern Warfare™ 1.2 Patch
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PunkBusterSvc" = PunkBuster Services
"SecondLife" = SecondLife (remove only)
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"Steam App 13140" = America's Army 3
"Steam App 240" = Counter-Strike: Source
"Steam App 34200" = Aliens vs Predator Demo
"Steam App 4000" = Garry's Mod
"Steam App 500" = Left 4 Dead
"Steam App 57500" = All Points Bulletin
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{373B1718-8CC5-4567-8EE2-9033AD08A680}" = Roblox for ct
"Facebook Plug-In" = Facebook Plug-In
"Move Media Player" = Move Media Player
"SCA Bell/Textron 430" = SCA Bell/Textron 430

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/10/2010 10:54:06 AM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application deskutil.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0022fdea.

Error - 11/10/2010 10:56:02 AM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application deskutil.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00e11010.

Error - 11/11/2010 1:27:30 PM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application winword.exe, version 10.0.2627.0, faulting module
unknown, version 0.0.0.0, fault address 0x001402b9.

Error - 11/12/2010 11:56:38 AM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application deskutil.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0022fdea.

Error - 11/12/2010 12:05:10 PM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application deskutil.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00e11010.

Error - 11/12/2010 1:26:23 PM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application deskutil.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x0022fdea.

Error - 11/12/2010 10:09:40 PM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application photoshop.exe, version 8.0.0.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x00010cbd.

Error - 11/12/2010 10:09:44 PM | Computer Name = CRAIG | Source = Application Error | ID = 1001
Description = Fault bucket 1231252179.

Error - 11/13/2010 12:29:14 AM | Computer Name = CRAIG | Source = Application Error | ID = 1000
Description = Faulting application photoshop.exe, version 8.0.0.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x0000120e.

Error - 11/13/2010 12:29:18 AM | Computer Name = CRAIG | Source = Application Error | ID = 1001
Description = Fault bucket 1230313006.

[ System Events ]
Error - 11/11/2010 3:55:16 PM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The PnkBstrB service terminated unexpectedly. It has done this 1
time(s).

Error - 11/12/2010 10:49:00 AM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/12/2010 10:49:04 AM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The PnkBstrB service terminated unexpectedly. It has done this 1
time(s).

Error - 11/12/2010 10:49:07 AM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The PnkBstrA service terminated unexpectedly. It has done this 1
time(s).

Error - 11/12/2010 1:25:08 PM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The PnkBstrB service terminated unexpectedly. It has done this 1
time(s).

Error - 11/12/2010 1:25:11 PM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The PnkBstrA service terminated unexpectedly. It has done this 1
time(s).

Error - 11/12/2010 1:25:15 PM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/12/2010 7:55:20 PM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/12/2010 10:55:14 PM | Computer Name = CRAIG | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 11/13/2010 12:33:45 AM | Computer Name = CRAIG | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).


< End of report >


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-13 15:52:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 WDC_WD5000AAKS-22A7B0 rev.01.03B01
Running: q3zo02ds.exe; Driver: C:\DOCUME~1\ct\LOCALS~1\Temp\fxtdqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB86B4380, 0x34C81F, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1652] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B3874A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Documents and Settings\ct\Desktop\q3zo02ds.exe[1020] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessA] [7C884205] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!CreateProcessAsUserA] [77E45605] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [77E45600] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\Explorer.EXE[1652] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateProcessW] [7C884200] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:21 AM

Posted 13 November 2010 - 04:00 PM

No problem. I really don't see any rootkit activity.

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#5 LadyNakedneSS

LadyNakedneSS
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Location:CT
  • Local time:08:21 AM

Posted 13 November 2010 - 04:12 PM

Running the scan now, and will post as soon as it's done. Just wanted to mention that in between finishing the scan and going back to the computer just now to do the new one, there are 36 instances of mshta.exe running in the task manager under system.

#6 LadyNakedneSS

LadyNakedneSS
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Location:CT
  • Local time:08:21 AM

Posted 13 November 2010 - 05:18 PM

One other thing with regard to my post about the mshta.exe processes...they only come up, one every few minutes, while connected to the internet. Not sure if that makes a difference with the scans seeing what's causing it, since the internet is not running when they scan.

Following is the ComboFix info:

ComboFix 10-11-12.06 - ct 11/13/2010 16:24:43.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2037 [GMT -5:00]
Running from: c:\documents and settings\ct\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\rsmonce.dll
c:\windows\system32\wpcap.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 )))))))))))))))))))))))))))))))
.

2010-11-13 21:13 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-13 21:13 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-13 02:49 . 2010-11-13 02:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-11-09 15:23 . 2010-06-02 09:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-11-09 15:23 . 2010-06-02 09:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-11-09 15:23 . 2010-06-02 09:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-11-09 15:23 . 2010-05-26 16:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-11-05 17:45 . 2010-11-05 17:45 -------- d-----w- c:\program files\Common Files\Java
2010-11-05 17:44 . 2010-11-05 17:44 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-05 17:44 . 2010-11-05 17:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-05 17:44 . 2010-11-05 17:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-04 02:49 . 2008-04-14 09:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-11-04 01:06 . 2010-11-04 02:02 -------- d-----w- c:\program files\RegCure
2010-11-04 01:06 . 2010-11-04 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-11-03 15:58 . 2010-11-03 15:58 0 ----a-w- c:\windows\Ezizob.bin
2010-11-03 15:58 . 2010-11-03 15:58 -------- d-----w- c:\documents and settings\ct\Local Settings\Application Data\{A6E10517-3359-4A36-9A57-E33EA08744C3}
2010-11-03 15:01 . 2010-11-03 15:01 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-11-03 15:00 . 2010-11-03 15:55 -------- d-----w- c:\program files\AOL 9.5b
2010-10-23 00:04 . 2010-10-23 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-16 20:26 . 2010-10-16 20:28 -------- d-----w- c:\documents and settings\ct\Local Settings\Application Data\Roblox
2010-10-16 18:36 . 2010-10-16 18:36 -------- d-sh--w- c:\documents and settings\All Users\Application Data\DSS
2010-10-16 02:30 . 2010-09-16 07:13 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2010-10-16 01:59 . 2010-02-04 15:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-10-16 01:59 . 2010-02-04 15:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-10-16 01:59 . 2010-02-04 15:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-10-16 01:59 . 2010-02-04 15:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-10-15 00:34 . 2010-10-15 00:34 -------- d--h--w- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-13 05:09 . 2009-02-25 21:23 218496 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-13 05:09 . 2009-01-31 00:51 218496 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-13 05:00 . 2009-01-31 00:51 139832 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-11-04 00:21 . 2008-04-14 04:11 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-10-16 02:31 . 2009-01-31 00:51 138056 ----a-w- c:\documents and settings\ct\Application Data\PnkBstrK.sys
2010-10-16 02:30 . 2009-01-31 00:51 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-09-18 16:23 . 2007-04-03 12:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 09:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 09:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-09 13:38 . 2008-04-14 09:42 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-04-14 09:42 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-04-14 09:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-04-14 09:41 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2008-04-14 04:07 389120 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-04-14 09:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-14 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-14 09:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 09:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-14 04:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 08:00 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 09:41 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 09:42 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-14 09:42 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 17202B73EC51AE531D8B123A1309B1DA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . A7E56FB67BBF0A2FA321492634477AD4 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Call of Duty® 4 - Modern Warfare™ Multiplayer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Call of Duty® 4 - Modern Warfare™ Multiplayer.lnk
backup=c:\windows\pss\Call of Duty® 4 - Modern Warfare™ Multiplayer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Call of Duty® 4 - Modern Warfare™ Singleplayer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Call of Duty® 4 - Modern Warfare™ Singleplayer.lnk
backup=c:\windows\pss\Call of Duty® 4 - Modern Warfare™ Singleplayer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=c:\windows\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall Call of Duty® 4 - Modern Warfare™.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall Call of Duty® 4 - Modern Warfare™.lnk
backup=c:\windows\pss\Uninstall Call of Duty® 4 - Modern Warfare™.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ct^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\ct\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ct^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\ct\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 11:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-r- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-r- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2010-03-23 14:54 29520 ----a-w- c:\progra~1\AOL9~1.5B\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 20:03 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-02-10 13:19 41800 ----a-w- c:\program files\Common Files\aol\1236268728\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 17:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-02-03 17:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-28 04:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-03-28 04:03 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-03-28 04:03 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-07-23 08:51 16804864 ----a-r- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 10:01 77824 ----a-r- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-08-24 00:54 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-09-28 14:04 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SeaPort"=2 (0x2)
"SavRoam"=3 (0x3)
"RSVP"=3 (0x3)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1236268728\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator demo\\AvP.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\all points bulletin\\Launcher\\APBLauncher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AOL 9.5b\\waol.exe"=
"c:\\Program Files\\Steam\\steamapps\\wfcxslickwilly\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOpsMP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOps.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56134:TCP"= 56134:TCP:Pando Media Booster
"56134:UDP"= 56134:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S0 fwstt;fwstt; [x]
S3 Normandy;Normandy SR2; [x]
S3 SASENUM;SASENUM;\??\c:\docume~1\ct\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\ct\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ketsujin.com\fighterace
Trusted Zone: ketsujin.com\primary
Trusted Zone: ketsujin.com\update
Trusted Zone: ketsujin.com\www
Trusted Zone: stormofaces.com\www
FF - ProfilePath - c:\documents and settings\ct\Application Data\Mozilla\Firefox\Profiles\svhouktl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
FF - plugin: c:\documents and settings\ct\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\ct\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\ct\Application Data\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {A6E10517-3359-4A36-9A57-E33EA08744C3} - c:\documents and settings\ct\Local Settings\Application Data\{A6E10517-3359-4A36-9A57-E33EA08744C3}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-NavLogon - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-AdVantage - c:\documents and settings\ct\Application Data\advantage\AdVantage.exe
MSConfigStartUp-arcnsewomx - c:\docume~1\ct\LOCALS~1\Temp\arcnsewomx.tmp
MSConfigStartUp-Awonucej - c:\windows\gnv87e40.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-coreappsetup700 - c:\documents and settings\ct\Application Data\030C91E22CB622A375CE7CB17E6362F5\coreappsetup700.exe
MSConfigStartUp-corxanemsw - c:\docume~1\ct\LOCALS~1\Temp\corxanemsw.tmp
MSConfigStartUp-Dfutuladolequf - c:\windows\eyoxutux.dll
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-KOO9RV9K4Z - c:\docume~1\ct\LOCALS~1\Temp\Bv0.exe
MSConfigStartUp-SMH2B46TDP - c:\windows\Bnojea.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe
MSConfigStartUp-wupdate - c:\windows\system32\wupdate.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-13 16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-706699826-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-57989841-706699826-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:ee,0b,92,57,0e,31,aa,4d,60,b5,56,f4,36,12,88,0c,28,dd,7a,14,f0,
ed,48,a0,0e,94,c3,07,47,20,57,05,6a,6c,f8,d0,9c,66,ad,d4,73,c8,f5,10,ca,67,\
"rkeysecu"=hex:1e,d3,75,c1,f5,fc,34,18,77,22,f7,6b,ea,cb,40,03

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3408)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
.
**************************************************************************
.
Completion time: 2010-11-13 16:50:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-13 21:50

Pre-Run: 268,133,203,968 bytes free
Post-Run: 274,701,365,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 33AE7B6696D7E7321F2E86B418E59B50

#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 13 November 2010 - 05:36 PM

That process should no longer be present now.
It is legitimate but it is called upon by those many at.job files Combofix deleted.
==========================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

MIA::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe

SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe


DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = *.local

Driver::
fwstt
Normandy


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
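As an added example (not code from this thread and not ComboFix's own), the following Python script reads a ComboFix-style log and flags the indicators the helper acted on above: the bulk `At*.job` tasks that kept relaunching the process, the `winlogon.exe`/`explorer.exe` "is infected" and Sigcheck `[-]` entries, the `127.0.0.1:5577` proxy, the Security Center and firewall overrides, the `fwstt`/`Normandy` services with no file behind them, and the Firefox `keyword.URL` hijack. The At-job threshold and the embedded sample excerpt are my own constructions, the excerpt being lines copied from the log posted earlier in the thread.

```python
"""Triage a ComboFix log for the indicators seen in this thread.

Added example, not part of the thread and not ComboFix's own code: it parses a
ComboFix-style log and flags what the helper acted on. The threshold and the
sample excerpt are constructed for illustration.
"""
import re

# Constructed excerpt: lines copied from the ComboFix log posted above, trimmed.
SAMPLE_LOG = r"""
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At48.job
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
------- Sigcheck -------
[-] 2008-04-14 . 17202B73EC51AE531D8B123A1309B1DA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . A7E56FB67BBF0A2FA321492634477AD4 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S0 fwstt;fwstt; [x]
S3 Normandy;Normandy SR2; [x]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
"""

AT_JOB_RE = re.compile(r"^c:\\windows\\tasks\\at(\d+)\.job$", re.I)
INFECTED_RE = re.compile(r"^(?P<path>[a-z]:\\\S.*?) \. \. \. is infected!!$", re.I)
SIGCHECK_FAIL_RE = re.compile(r"^\[-\] .*? \. (?P<path>[a-z]:\\\S.*)$", re.I)
PROXY_RE = re.compile(r"ProxyServer = (?:https?=)?(?P<host>[\w.-]+):(?P<port>\d+)")
OVERRIDE_RE = re.compile(r'^"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"= 0 \(0x0\)$')
MISSING_SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*; \[x\]$")  # [x] = no file on disk
KEYWORD_URL_RE = re.compile(r"^FF - (?:prefs|user)\.js: keyword\.URL - (?P<url>\S+)")
LOOPBACK = {"127.0.0.1", "localhost"}
AT_JOB_THRESHOLD = 5  # assumption: a few At jobs is normal admin use, dozens is not


def triage(log_text):
    """Return a dict of findings extracted from one ComboFix log."""
    f = {"at_jobs": [], "infected": [], "sigcheck_failed": [], "loopback_proxy": None,
         "security_overrides": [], "firewall_disabled": False,
         "missing_driver_services": [], "ff_keyword_url": None}
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := AT_JOB_RE.match(line)):
            f["at_jobs"].append(int(m.group(1)))
        elif (m := INFECTED_RE.match(line)):
            f["infected"].append(m.group("path"))
        elif (m := SIGCHECK_FAIL_RE.match(line)):
            f["sigcheck_failed"].append(m.group("path"))
        elif (m := PROXY_RE.search(line)):
            if m.group("host") in LOOPBACK:  # browser traffic forced through a local process
                f["loopback_proxy"] = (m.group("host"), int(m.group("port")))
        elif (m := OVERRIDE_RE.match(line)):
            f["security_overrides"].append(m.group("key"))
        elif FIREWALL_OFF_RE.match(line):
            f["firewall_disabled"] = True
        elif (m := MISSING_SVC_RE.match(line)):
            f["missing_driver_services"].append(m.group("name"))
        elif (m := KEYWORD_URL_RE.match(line)):
            f["ff_keyword_url"] = m.group("url")
    return f


def verdicts(f):
    """Turn findings into one-line triage notes a helper would act on."""
    out = []
    if len(f["at_jobs"]) > AT_JOB_THRESHOLD:
        out.append(f"{len(f['at_jobs'])} At*.job tasks (At{min(f['at_jobs'])}..At{max(f['at_jobs'])}): "
                   "scheduled-task persistence relaunching a payload; delete the jobs")
    for p in f["infected"]:
        out.append(f"{p}: reported infected; restore a clean copy of the system binary")
    for p in f["sigcheck_failed"]:
        if p not in f["infected"]:  # avoid double-reporting the same file
            out.append(f"{p}: fails Sigcheck; compare its hash with a known-good install")
    if f["loopback_proxy"]:
        host, port = f["loopback_proxy"]
        out.append(f"IE proxy set to {host}:{port}: local proxy intercepting browser traffic; clear it")
    if f["security_overrides"]:
        out.append("Security Center overrides set (" + ", ".join(f["security_overrides"])
                   + "): AV/firewall warnings silenced; reset them")
    if f["firewall_disabled"]:
        out.append("Windows Firewall disabled in the standard profile: re-enable it")
    for s in f["missing_driver_services"]:
        out.append(f"service '{s}' registered but its file is gone [x]: orphaned driver entry; remove it")
    if f["ff_keyword_url"]:
        out.append(f"Firefox keyword.URL points at {f['ff_keyword_url']}: address-bar search hijack; reset it")
    return out


if __name__ == "__main__":
    for note in verdicts(triage(SAMPLE_LOG)):
        print("-", note)
```

Running it prints one note per finding in the sample; point it at a full Combofix.txt to get the same triage for a real log.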

#8 LadyNakedneSS

LadyNakedneSS
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Location:CT

Posted 13 November 2010 - 09:48 PM

Yes, I see that they are not there now. Awesome. Thanks again for the help.

Following is the new ComboFix info:

ComboFix 10-11-12.06 - ct 11/13/2010 21:32:23.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2106 [GMT -5:00]
Running from: c:\documents and settings\ct\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ct\Desktop\craig\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FWSTT
-------\Legacy_NORMANDY
-------\Service_fwstt
-------\Service_Normandy


((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-13 21:13 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-13 21:13 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-13 02:49 . 2010-11-13 02:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-11-09 15:23 . 2010-06-02 09:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-11-09 15:23 . 2010-06-02 09:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-11-09 15:23 . 2010-06-02 09:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-11-09 15:23 . 2010-05-26 16:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-11-09 15:23 . 2010-05-26 16:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-11-05 17:45 . 2010-11-05 17:45 -------- d-----w- c:\program files\Common Files\Java
2010-11-05 17:44 . 2010-11-05 17:44 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-05 17:44 . 2010-11-05 17:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-05 17:44 . 2010-11-05 17:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-04 02:49 . 2008-04-14 09:42 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-11-04 01:06 . 2010-11-04 02:02 -------- d-----w- c:\program files\RegCure
2010-11-04 01:06 . 2010-11-04 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-11-03 15:58 . 2010-11-03 15:58 0 ----a-w- c:\windows\Ezizob.bin
2010-11-03 15:58 . 2010-11-03 15:58 -------- d-----w- c:\documents and settings\ct\Local Settings\Application Data\{A6E10517-3359-4A36-9A57-E33EA08744C3}
2010-11-03 15:01 . 2010-11-03 15:01 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-11-03 15:00 . 2010-11-03 15:55 -------- d-----w- c:\program files\AOL 9.5b
2010-10-23 00:04 . 2010-10-23 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-16 20:26 . 2010-10-16 20:28 -------- d-----w- c:\documents and settings\ct\Local Settings\Application Data\Roblox
2010-10-16 18:36 . 2010-10-16 18:36 -------- d-sh--w- c:\documents and settings\All Users\Application Data\DSS
2010-10-16 02:30 . 2010-09-16 07:13 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2010-10-16 01:59 . 2010-02-04 15:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-10-16 01:59 . 2010-02-04 15:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-10-16 01:59 . 2010-02-04 15:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-10-16 01:59 . 2010-02-04 15:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-14 02:21 . 2009-02-25 21:23 218496 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-11-14 02:21 . 2009-01-31 00:51 218496 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-13 22:37 . 2009-01-31 00:51 139832 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-11-04 00:21 . 2008-04-14 04:11 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-10-16 02:31 . 2009-01-31 00:51 138056 ----a-w- c:\documents and settings\ct\Application Data\PnkBstrK.sys
2010-10-16 02:30 . 2009-01-31 00:51 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-09-18 16:23 . 2007-04-03 12:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 09:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 09:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-09 13:38 . 2008-04-14 09:42 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-04-14 09:42 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-04-14 09:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-04-14 09:41 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2008-04-14 04:07 389120 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-04-14 09:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-14 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-14 09:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 09:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-14 04:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 08:00 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 09:41 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 09:42 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-14 09:42 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2008-04-14 . 17202B73EC51AE531D8B123A1309B1DA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . A7E56FB67BBF0A2FA321492634477AD4 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Call of Duty® 4 - Modern Warfare™ Multiplayer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Call of Duty® 4 - Modern Warfare™ Multiplayer.lnk
backup=c:\windows\pss\Call of Duty® 4 - Modern Warfare™ Multiplayer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Call of Duty® 4 - Modern Warfare™ Singleplayer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Call of Duty® 4 - Modern Warfare™ Singleplayer.lnk
backup=c:\windows\pss\Call of Duty® 4 - Modern Warfare™ Singleplayer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CallWave.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CallWave.lnk
backup=c:\windows\pss\CallWave.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Uninstall Call of Duty® 4 - Modern Warfare™.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Uninstall Call of Duty® 4 - Modern Warfare™.lnk
backup=c:\windows\pss\Uninstall Call of Duty® 4 - Modern Warfare™.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ct^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\ct\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ct^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\ct\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 11:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-r- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 08:42 2808832 ----a-r- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2010-03-23 14:54 29520 ----a-w- c:\progra~1\AOL9~1.5B\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Comrade.exe]
2007-06-29 20:03 36864 ----a-w- c:\program files\GameSpy\Comrade\Comrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-02-10 13:19 41800 ----a-w- c:\program files\Common Files\aol\1236268728\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 17:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-02-03 17:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-28 04:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-03-28 04:03 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-03-28 04:03 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-07-23 08:51 16804864 ----a-r- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 10:01 77824 ----a-r- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-08-24 00:54 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-09-28 14:04 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SeaPort"=2 (0x2)
"SavRoam"=3 (0x3)
"RSVP"=3 (0x3)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=2 (0x2)
"RasAuto"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1236268728\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator demo\\AvP.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\all points bulletin\\Launcher\\APBLauncher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AOL 9.5b\\waol.exe"=
"c:\\Program Files\\Steam\\steamapps\\wfcxslickwilly\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOpsMP.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty black ops\\BlackOps.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56134:TCP"= 56134:TCP:Pando Media Booster
"56134:UDP"= 56134:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S3 SASENUM;SASENUM;\??\c:\docume~1\ct\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\ct\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ketsujin.com\fighterace
Trusted Zone: ketsujin.com\primary
Trusted Zone: ketsujin.com\update
Trusted Zone: ketsujin.com\www
Trusted Zone: stormofaces.com\www
FF - ProfilePath - c:\documents and settings\ct\Application Data\Mozilla\Firefox\Profiles\svhouktl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
FF - plugin: c:\documents and settings\ct\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\ct\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\ct\Application Data\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {A6E10517-3359-4A36-9A57-E33EA08744C3} - c:\documents and settings\ct\Local Settings\Application Data\{A6E10517-3359-4A36-9A57-E33EA08744C3}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-13 21:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-706699826-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-57989841-706699826-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:ee,0b,92,57,0e,31,aa,4d,60,b5,56,f4,36,12,88,0c,28,dd,7a,14,f0,
ed,48,a0,0e,94,c3,07,47,20,57,05,6a,6c,f8,d0,9c,66,ad,d4,73,c8,f5,10,ca,67,\
"rkeysecu"=hex:1e,d3,75,c1,f5,fc,34,18,77,22,f7,6b,ea,cb,40,03

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2588)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
.
**************************************************************************
.
Completion time: 2010-11-13 21:45:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 02:45
ComboFix2.txt 2010-11-13 21:50

Pre-Run: 274,599,497,728 bytes free
Post-Run: 274,665,431,040 bytes free

- - End Of File - - 7C7FFB1BF48067389C55998EC3871654
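The report above is what the helper works from. As an added example, not part of the thread and not a ComboFix feature, here is a small Python script that pulls the security-relevant signals out of a report like this one: the two Sigcheck entries marked `[-]` (winlogon.exe and explorer.exe, the files that get replaced from the SP3 package later in the thread), the Security Center AntiVirusOverride/FirewallOverride values set to 1, the standard firewall profile with EnableFirewall=0, and the Firefox keyword.URL sending address-bar searches to search.fast-find.net while the start page is google.com. SAMPLE_LOG is constructed from lines of the report above; the same-site comparison on the last two DNS labels is a simplification of mine.

```python
"""Pull the security-relevant signals out of a ComboFix report.

Added example, not part of the thread and not a ComboFix feature.
SAMPLE_LOG is constructed from lines of the report posted above.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2008-04-14 . 17202B73EC51AE531D8B123A1309B1DA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . A7E56FB67BBF0A2FA321492634477AD4 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

uStart Page = hxxp://www.google.com/
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=);user_pref(network.protocol-handler.warn-external.dnupdate, false
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
FF_PREF_RE = re.compile(r"^FF - (?P<src>prefs\.js|user\.js): (?P<name>\S+) - (?P<value>.*)$")


def failed_sigchecks(log_text):
    """Sigcheck entries marked [-]: files that did not pass the signature check."""
    hits = []
    for raw in log_text.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if m and m.group("flag") == "-":
            hits.append({"path": m.group("path").lower(), "md5": m.group("md5").upper(),
                         "size": int(m.group("size")), "version": m.group("version")})
    return hits


def registry_values(log_text):
    """Map (lower-cased key, lower-cased value name) -> raw value text."""
    values, key = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            values[(key, m.group("name").lower())] = m.group("value").strip()
    return values


def reg_dword(value):
    """ComboFix prints DWORDs as 'dword:00000001' or as '0 (0x0)'; return the int."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", value) or re.match(r"(\d+)", value)
    if m is None:
        return None
    return int(m.group(1), 16) if value.startswith("dword:") else int(m.group(1))


def protection_tampering(log_text):
    """Security Center overrides and a disabled standard firewall profile."""
    vals = registry_values(log_text)
    sc = r"hkey_local_machine\software\microsoft\security center"
    fw = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
    findings = []
    for name in ("antivirusoverride", "firewalloverride"):
        if reg_dword(vals.get((sc, name), "")) == 1:
            findings.append(f"Security Center {name}=1: status monitoring suppressed")
    if reg_dword(vals.get((fw, "enablefirewall"), "")) == 0:
        findings.append("Windows Firewall standard profile: EnableFirewall=0")
    return findings


def refang(url):
    """ComboFix writes hxxp:// so URLs are not clickable; undo that for parsing only."""
    return re.sub(r"^hxxp", "http", url)


def same_site(host_a, host_b):
    """Naive compare on the last two labels (my simplification; wrong for co.uk-style suffixes)."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def search_hijack(log_text):
    """keyword.URL entries whose host is unrelated to the configured start page."""
    start_host, findings = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("uStart Page = "):
            start_host = urlparse(refang(line[len("uStart Page = "):])).hostname
            continue
        m = FF_PREF_RE.match(line)
        if not (m and m.group("name") == "keyword.URL"):
            continue
        host = urlparse(refang(m.group("value"))).hostname
        if host and start_host and not same_site(host, start_host):
            findings.append((m.group("src"), m.group("name"), host))
    return findings


def triage(log_text):
    """All three checks in one dict, keyed by finding type."""
    return {"failed_sigcheck": failed_sigchecks(log_text),
            "protection_tampering": protection_tampering(log_text),
            "search_hijack": search_hijack(log_text)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

To run it on a saved report, call triage(open("ComboFix.txt").read()). The hxxp refanging is only for parsing; keep the log defanged when you post it.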

#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 November 2010 - 08:04 AM

Please download the standalone Windows XP SP3 package from here:
http://www.microsoft.com/downloads/details...;displaylang=en
and save it to your desktop.

Then extract the files from the package by going to Start -> Run and entering:
"%userprofile%\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe" -x:C:\xpsp3

This will place the Service Pack 3 files, including the i386 folder, on your C drive under the folder "xpsp3".
Let me know if that folder is created.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#10 LadyNakedneSS

LadyNakedneSS
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:CT

Posted 14 November 2010 - 10:33 AM

It says the page cannot be found, and brings up a list of a bunch of different downloads. I tried searching for "standalone xpsp3" and got too many hits to decide which one you want me to download. Sorry about that, I just don't want to download the wrong thing. Any chance you can send the link again, please?

#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 November 2010 - 10:39 AM

Try this one please.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5b33b5a8-5e76-401f-be08-1e1555d4f3d4&displaylang=en

#12 LadyNakedneSS

LadyNakedneSS
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:CT

Posted 14 November 2010 - 11:16 AM

OK, downloaded and extracted. The folder xpsp3 has been created on the C drive.

Edited by LadyNakedneSS, 14 November 2010 - 11:25 AM.


#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 November 2010 - 03:11 PM

Ok great please do the following.
Go to Start, then Run, type in cmd and hit OK.
In the black box that opens, type in the following:

expand C:\xpsp3\I386\winlogon.ex_ C:\Winlogon.exe then hit Enter.
expand C:\xpsp3\I386\explorer.ex_ C:\explorer.exe then hit Enter.

Then let me know if these files are present on the C: drive: C:\Winlogon.exe and C:\explorer.exe

Edited by kahdah, 14 November 2010 - 03:11 PM.


#14 LadyNakedneSS

LadyNakedneSS
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:CT

Posted 14 November 2010 - 03:45 PM

Thank you again for all of your help.

Directions have been followed, and the requested files are present on the C:\ drive.

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 November 2010 - 04:15 PM

You are welcome :)
====================
1. Please open Notepad
  • Click Start, then Run
  • type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

FCopy::
C:\Winlogon.exe|C:\Windows\system32\winlogon.exe
C:\explorer.exe|C:\Windows\explorer.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===========
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

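After the expand step in #13 and the FCopy:: step above, a practitioner wants proof that the live winlogon.exe and explorer.exe really are the SP3 copies now. Note from the Sigcheck section of the report that the flagged files carried the SP3 build numbers (5.1.2600.5512 and 6.00.2900.5512, the same build the helper then extracts) and still failed the check, so the version string cannot tell a tampered binary from a clean one; the contents have to be compared. The following Python script is an added example, not part of the thread and not something ComboFix does: it hashes the live file and the expanded copy, compares both against the MD5 ComboFix printed for the flagged file, and reports which one the live file matches. The demo function uses constructed stand-in files, not real system binaries; the paths in DEFAULT_PAIRS are the ones the thread's commands use.

```python
"""Confirm that the live winlogon.exe / explorer.exe became the SP3 copies.

Added example, not part of the thread and not a ComboFix feature. The MD5s
below are the ones ComboFix printed for the flagged files in the report above.
"""
import hashlib
import tempfile
from pathlib import Path

# MD5 ComboFix reported for each flagged file (from the Sigcheck section above).
FLAGGED_MD5 = {
    "winlogon.exe": "17202B73EC51AE531D8B123A1309B1DA",
    "explorer.exe": "A7E56FB67BBF0A2FA321492634477AD4",
}

# (expanded SP3 copy, live file) as used by the thread's expand and FCopy:: steps.
DEFAULT_PAIRS = {
    "winlogon.exe": (r"C:\Winlogon.exe", r"C:\Windows\system32\winlogon.exe"),
    "explorer.exe": (r"C:\explorer.exe", r"C:\Windows\explorer.exe"),
}


def md5_of(path, chunk=1 << 20):
    """Upper-case hex MD5 of a file, read in chunks (identity check, not a security primitive)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def classify(live_path, clean_path, flagged_md5):
    """Which binary is live now?
    'still_flagged' : live file still hashes to the MD5 ComboFix flagged
    'replaced_ok'   : live file is byte-identical to the expanded SP3 copy
    'unexpected'    : a third binary; the copy did not happen cleanly
    """
    live = md5_of(live_path)
    if live == flagged_md5.upper():
        return "still_flagged"
    if live == md5_of(clean_path):
        return "replaced_ok"
    return "unexpected"


def verify(pairs=DEFAULT_PAIRS, flagged=FLAGGED_MD5):
    """Classify every (clean, live) pair; missing files get their own verdicts."""
    results = {}
    for name, (clean, live) in pairs.items():
        if not Path(clean).is_file():
            results[name] = "clean_copy_missing"
        elif not Path(live).is_file():
            results[name] = "live_file_missing"
        else:
            results[name] = classify(live, clean, flagged[name])
    return results


def demo_with_constructed_files():
    """Run classify()/verify() on constructed stand-in files, not real system binaries."""
    with tempfile.TemporaryDirectory() as d:
        clean = Path(d, "winlogon_sp3.exe")
        live = Path(d, "winlogon_live.exe")
        clean.write_bytes(b"clean SP3 bytes (constructed)")
        live.write_bytes(b"patched bytes (constructed)")
        flagged = md5_of(live)                      # stand-in for the MD5 ComboFix printed
        before = classify(live, clean, flagged)     # before FCopy:: -> still_flagged
        live.write_bytes(clean.read_bytes())        # what FCopy:: does on reboot
        after = classify(live, clean, flagged)      # -> replaced_ok
        live.write_bytes(b"some third binary")
        other = classify(live, clean, flagged)      # -> unexpected
        missing = verify({"x.exe": (str(Path(d, "absent.exe")), str(live))},
                         {"x.exe": flagged})["x.exe"]  # -> clean_copy_missing
        return before, after, other, missing


if __name__ == "__main__":
    print(demo_with_constructed_files())
    print(verify())   # on the infected machine itself, with the default paths
```

On the machine itself, the cmd-native equivalent of classify() is a byte compare, fc /b C:\Winlogon.exe C:\Windows\system32\winlogon.exe, which should report differences before the FCopy:: step and "no differences encountered" after the reboot. MD5 is used here only to match the hash ComboFix already printed, not as a tamper-proof signature.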



