
Disk Doctor infection, Invisible Audio Ads, Browser Redirections, the works...


  • This topic is locked
10 replies to this topic

#1 KingMorton


  • Members
  • 6 posts
  • Local time:08:52 AM

Posted 07 December 2010 - 07:14 PM

Greetings Fellow Security Enthusiasts!

A couple of days ago I (quite clumsily) installed a nasty piece of malware deep within my system's core. It was dressed up as a JRE update - and carried a fake "PC Enhancement Suite" called "Disk Doctor" (among other things). In a panic-induced attempt to fix the problem I ran:
- Malwarebytes
- AVG
- Kaspersky
- MS Malicious Software Tool
- Spybot

and probably a couple of other tools that don't come to mind at the moment. I know it's a poor way to handle the situation, but I wasn't thinking straight. The scans removed Disk Doctor and stopped the browser redirections temporarily. They have since returned.

Current symptoms include:
Invisible Audio Ads, Opera & IE Redirect (for now I'm using an alternative freeware portable browser, which is unaffected), Windows Kernel Security Update (KB981852) fails to install - Microsoft claims this is due to a hijackware infection.

GMER crashes about a minute into its scan and therefore its log cannot be provided. I've also tried running it in safe mode, yielding a similar result.
Here's my DDS log:



DDS (Ver_10-12-05.01) - NTFSx86
Run by user at 3:56:43.57 on Tue 12/07/2010
Internet Explorer: 8.0.6001.18975
Microsoft Windows Vista Home Premium 6.0.6002.2.1255.972.1033.18.2045.1119 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\emaudsv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\QtWeb\QtWeb.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\user\Desktop\Spyware Battle\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-12-5 18816]
R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-31 136176]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [2007-11-26 163352]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-3-26 21504]
S3 SaiKF620;SaiKF620;c:\windows\system32\drivers\SaiKF620.sys [2008-10-22 106496]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-07 08:40:35 -------- d-----w- c:\users\user\appdata\local\QtWeb.NET
2010-12-07 08:40:34 -------- d-----w- c:\program files\QtWeb
2010-12-07 00:44:10 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-07 00:44:10 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-07 00:44:10 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-07 00:44:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-07 00:44:10 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-06 00:11:07 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-05 22:15:41 -------- d-----w- c:\program files\Sophos
2010-12-05 20:44:31 -------- d-----w- c:\users\user\DoctorWeb
2010-12-05 12:40:40 -------- d-----w- c:\progra~2\Alwil Software
2010-12-05 11:10:13 -------- d-sh--w- C:\$RECYCLE.BIN
2010-12-05 10:22:24 98816 ----a-w- c:\windows\sed.exe
2010-12-05 10:22:24 89088 ----a-w- c:\windows\MBR.exe
2010-12-05 10:22:24 256512 ----a-w- c:\windows\PEV.exe
2010-12-05 10:22:24 161792 ----a-w- c:\windows\SWREG.exe
2010-12-05 10:20:54 -------- d-----w- C:\ComboFix
2010-12-05 07:31:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-05 07:31:41 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-05 05:32:27 -------- d-----w- c:\users\user\appdata\roaming\Reallusion
2010-12-05 05:32:26 -------- d-----w- c:\users\user\appdata\roaming\tmp
2010-12-04 21:04:38 -------- d-----w- c:\users\user\appdata\roaming\AVG10
2010-12-04 21:02:39 -------- d--h--w- c:\progra~2\Common Files
2010-12-04 21:00:35 -------- d-----w- c:\progra~2\AVG10
2010-12-04 20:23:58 -------- d-----w- c:\program files\AVG
2010-12-04 07:39:10 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2010-12-04 07:38:57 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-04 07:38:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-03 09:53:19 -------- d-----w- c:\progra~2\MFAData
2010-12-03 09:06:46 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ef18cc0a-6b91-47a0-b36c-f23c25ac1831}\mpengine.dll
2010-12-03 09:00:27 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-12-03 09:00:25 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-03 09:00:21 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-03 09:00:03 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-12-03 09:00:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-12-03 09:00:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-12-03 08:59:40 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-12-03 08:59:39 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-03 08:59:13 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-12-03 08:59:12 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-12-03 08:58:32 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-03 08:58:25 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-03 08:58:25 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-03 08:58:24 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-03 08:58:24 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-03 08:58:24 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-03 08:58:08 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-03 08:58:04 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2010-12-03 08:58:03 150016 ----a-w- c:\program files\movie maker\MOVIEMK.exe
2010-12-03 08:58:01 1616384 ----a-w- c:\program files\windows mail\msoe.dll
2010-12-03 08:49:35 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-12-03 08:35:26 -------- d-----w- c:\windows\pss
2010-12-03 06:19:27 -------- d-----w- c:\users\user\appdata\local\AVERT
2010-12-03 05:42:44 229376 ----a-w- c:\windows\system32\drivers\sst2058.sys
2010-12-03 05:42:44 0 ----a-w- c:\windows\system32\drivers\sst2058.tmp
2010-11-30 01:24:09 -------- d-----w- c:\program files\x264vfw

==================== Find3M ====================

2010-12-06 00:12:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 16:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 4:03:46.72 ===============


Any help you may be able to provide will be greatly appreciated!

Thanks,
-Wolf

Following some helpful advice from Daniweb, I ran GMER again, this time with a random file name, and while not connected to the internet. This is the resulting log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-08 19:51:57
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MHZ2160BH_G2 rev.00850009
Running: ff8bx2zc.exe; Driver: C:\Users\user\AppData\Local\Temp\pgriypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdePort0 85E2C1EB
Device \Driver\atapi \Device\Ide\IdePort1 85E2C1EB
Device \Driver\atapi \Device\Ide\IdePort2 85E2C1EB
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 85E2C1EB

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:232] 85E3158D

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26dfc1dc
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26dfc1dc@30694be4ce8f 0x88 0x8C 0xA1 0x3A ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001c26dfc1dc (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001c26dfc1dc@30694be4ce8f 0x88 0x8C 0xA1 0x3A ...

---- Files - GMER 1.0.15 ----

File C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{300B9D87-032A-11E0-921F-001C23A72E57}.dat 4608 bytes
File C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{0489DBE7-032A-11E0-921F-001C23A72E57}.dat 4608 bytes
File C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{300B9D86-032A-11E0-921F-001C23A72E57}.dat 3584 bytes
File C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0489DBE6-032A-11E0-921F-001C23A72E57}.dat 3584 bytes

---- EOF - GMER 1.0.15 ----


Hope this helps shed some light on the subject. I'd be ever so grateful if one of you tech-wizards could find the time to help this poor tortured soul...

EDIT: Posts merged ~BP

Edited by Budapest, 09 December 2010 - 04:01 PM.



#2 pwgib


  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
  • Local time:09:52 AM

Posted 15 December 2010 - 02:57 AM

As you can see the logs we ask for are very extensive and take a lot of time to investigate. If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click any programs we use and choose Run as Administrator.

Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Thank you for your patience!!

---------------------------------------------------

Step 1.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Step 2.

We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized





Thanks!!

Edited by pwgib, 15 December 2010 - 03:03 AM.

PW

#3 KingMorton

  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:52 AM

Posted 15 December 2010 - 05:21 AM

RKU's "Report.txt":


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x8BE0D000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 9547776 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 190.62 )
0x82250000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x82250000 PnpManager 3903488 bytes
0x82250000 RAW 3903488 bytes
0x82250000 WMIxWDM 3903488 bytes
0x93C30000 Win32k 2109440 bytes
0x93C30000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x88202000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x83076000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8D092000 C:\Windows\system32\DRIVERS\VSTDPV3.SYS 1064960 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8320E000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x804D5000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0x9F207000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8D203000 C:\Windows\system32\DRIVERS\VSTCNXT3.SYS 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x9ECCB000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8C72A000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8C806000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x80601000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x8C893000 C:\Windows\system32\DRIVERS\bcmwl6.sys 479232 bytes (Broadcom Corporation, BCM 802.11g Network Adapter wireless driver)
0x83005000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x8040B000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x8D90A000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8D003000 C:\Windows\system32\drivers\stwrt.sys 339968 bytes (SigmaTel, Inc., NDRC)
0x8C973000 C:\Windows\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0x9EC7D000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x80733000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8D39E000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8068A000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80494000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8CA98000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8339E000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8D1BF000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8D056000 C:\Windows\system32\DRIVERS\VSTAZL3.SYS 245760 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x831AC000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x8D803000 C:\Windows\system32\DRIVERS\OEM02Dev.sys 237568 bytes (Creative Technology Ltd., Video Capture Device Driver)
0x9EC04000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x88312000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8CBB0000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x8221D000 ACPI_HAL 208896 bytes
0x8221D000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x805B5000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8D36C000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8CA69000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x83313000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x83181000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8CA01000 C:\Windows\system32\DRIVERS\SynTP.sys 176128 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x83365000 C:\Windows\system32\drivers\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x8D8C3000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x9F2FB000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x9EC55000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x88362000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806E1000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x83340000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8CB1B000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8839A000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8D9C2000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8D2EF000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x883C4000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x807AA000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x807E2000 C:\Windows\System32\Drivers\TPkd.sys 122880 bytes (PACE Anti-Piracy, Inc., InterLok system file)
0x8D977000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x832F8000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8D890000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8C937000 C:\Windows\system32\DRIVERS\sdbus.sys 106496 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0x8D994000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8CA44000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9EC3D000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x833DC000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8CAF9000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x831E7000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x8D83F000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8D196000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8D342000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x8D9AD000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8CB61000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8CB4D000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8C95F000 C:\Windows\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0x8D358000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8C9C4000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x8D8F7000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8D1AC000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8C908000 C:\Windows\system32\DRIVERS\bcm4sbxp.sys 69632 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0x88389000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x8CBE5000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8047B000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x807D2000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8C9D7000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x8D8B3000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x80792000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8C919000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x8CB7D000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8338F000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x8D881000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x88353000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x80708000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8CB3E000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8C7E2000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x80724000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x8C929000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x93E70000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8D3EF000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8D32B000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x80784000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8C951000 C:\Windows\system32\DRIVERS\rimmptsk.sys 57344 bytes (REDC, RICOH MMC Driver)
0x8D855000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8CAEC000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8CBA3000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8067D000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x9F2EF000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8D2E3000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8C7CB000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8D862000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8CA39000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8CA2E000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8D320000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8CB10000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8CAD9000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x883E6000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8C7D7000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x8071A000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x8D86D000 C:\Windows\System32\Drivers\dump_msahci.sys 40960 bytes
0x8D877000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x807C8000 C:\Windows\system32\drivers\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x8CB99000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8D8ED000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8C9EE000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x8CB8D000 C:\Windows\system32\drivers\SaiBus.sys 40960 bytes (Saitek, Saitek Magic Bus)
0x9F2E5000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x883BB000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8D2CC000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8D2B6000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x9F323000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x8D339000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x93E50000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x883F4000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8CA60000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x806D0000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8D3E6000 C:\Windows\system32\drivers\ws2ifsl.sys 36864 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0x807A2000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x8048C000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8D8AB000 C:\Windows\system32\drivers\drmkaud.sys 32768 bytes (Microsoft Corporation, Microsoft Kernel DRM Audio Descrambler Filter)
0x8D2BF000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x806D9000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8D310000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8D318000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8CAE4000 C:\Windows\System32\Drivers\RootMdm.sys 32768 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0x8834B000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8D2DC000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x8C9E7000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x8077D000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x80404000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8D2D5000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8CB76000 C:\Windows\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0x8D2C7000 C:\Windows\system32\SAVRKBootTasks.sys 20480 bytes (Sophos Plc, Sophos boot tasks for Windows 2000)
0x8CA5C000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x8CBF6000 C:\Windows\system32\DRIVERS\SaiMini.sys 16384 bytes (Saitek, Saitek Magic Mini Driver)
0x80717000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x883F1000 C:\Windows\system32\drivers\loopbe1.sys 12288 bytes (nerds.de, nerds.de LoopBe1 Internal MIDI Device)
0x8C728000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 190.62 )
0x8D83D000 C:\Windows\system32\DRIVERS\OEM02Vfx.sys 8192 bytes (EyePower Games Pte. Ltd., Advanced Video FX Filter Driver (Win2K based))
0x8CB97000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8CA2C000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x85F0D1EB unknown_irp_handler 3605 bytes
==============================================
>Stealth
==============================================
0x85F10BB7 Unknown page with executable code, 1097 bytes
0x85F0F710 Unknown page with executable code, 2288 bytes
0x85F1270F Unknown page with executable code, 2289 bytes
0x88312000 WARNING: Virus alike driver modification [volsnap.sys], 233472 bytes
0x85F116C6 Unknown page with executable code, 2362 bytes
0x85F11316 Unknown page with executable code, 3306 bytes
0x85F11237 Unknown page with executable code, 3529 bytes
0x85F130D8 Unknown page with executable code, 3880 bytes
0x85F12E5C Unknown page with executable code, 420 bytes
0x85F1258D Unknown thread object [ ETHREAD 0x860B7B38 ] TID: 252, 600 bytes
0x85F13876 Unknown thread object [ ETHREAD 0x860B8D78 ] , 600 bytes
0x85F115FB Unknown thread object [ ETHREAD 0x860B8AD0 ] , 600 bytes
0x85F12FBC Unknown page with executable code, 68 bytes

OTL's "OTL.txt":


OTL logfile created on: 15/12/2010 04:11:08 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\user\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 0000040d | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.00 Gb Total Space | 18.47 Gb Free Space | 12.65% Space Free | Partition Type: NTFS

Computer Name: MORTIMER | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/15 04:09:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
PRC - [2010/12/01 17:45:46 | 007,105,992 | ---- | M] () -- C:\Program Files\QtWeb\QtWeb.exe
PRC - [2009/06/03 01:49:18 | 000,131,072 | ---- | M] (Saitek) -- C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
PRC - [2009/06/03 01:49:00 | 000,237,568 | ---- | M] (Saitek) -- C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/11/26 07:10:08 | 000,020,992 | ---- | M] (E-MU Systems) -- C:\Windows\System32\emaudsv.exe
PRC - [2007/05/06 09:11:36 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/05/06 09:10:44 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
PRC - [2007/02/01 17:00:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe


========== Modules (SafeList) ==========

MOD - [2010/12/15 04:09:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
MOD - [2010/08/31 09:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/11 16:24:00 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/11/01 05:29:08 | 000,320,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/09/24 19:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2008/01/19 01:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/26 07:10:08 | 000,020,992 | ---- | M] (E-MU Systems) [Auto | Running] -- C:\Windows\System32\emaudsv.exe -- (emaudsv)
SRV - [2007/05/06 09:11:36 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\453A.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ivusb.sys -- (ivusb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\user\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2010/05/26 10:45:04 | 000,018,816 | ---- | M] (Sophos Plc) [Kernel | System | Running] -- C:\Windows\System32\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2009/08/16 06:57:00 | 009,545,152 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/06/10 02:23:04 | 000,036,992 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SaiBus.sys -- (SaiNtBus)
DRV - [2009/06/10 02:23:04 | 000,014,080 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SaiMini.sys -- (SaiMini)
DRV - [2008/10/22 06:06:44 | 000,106,496 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SaiKF620.sys -- (SaiKF620)
DRV - [2008/09/08 05:04:46 | 000,093,232 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2008/05/06 07:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/05/02 02:58:28 | 000,008,064 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2008/05/02 02:58:14 | 000,020,864 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2008/05/02 02:58:14 | 000,008,064 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2008/05/02 02:58:12 | 000,017,536 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/01/27 11:29:36 | 000,010,880 | ---- | M] (nerds.de) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\loopbe1.sys -- (LoopBeMidi1) nerds.de LoopBe1 - Internal Midi Port SvcDesc(WDM)
DRV - [2007/11/26 07:14:54 | 000,163,352 | ---- | M] (E-MU Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\emusba10.sys -- (emusba10)
DRV - [2007/05/06 09:12:02 | 000,326,656 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/04/27 08:35:56 | 000,182,456 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/03/19 17:00:00 | 000,234,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/03/05 10:45:00 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2007/02/21 13:49:47 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/02/21 13:49:47 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/02/21 13:49:47 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/01/22 00:11:00 | 000,056,832 | ---- | M] (Roland Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rdwm1027.sys -- (RDID1027)
DRV - [2007/01/05 23:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2007/01/05 23:59:34 | 000,086,096 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce™
DRV - [2006/11/14 16:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 11:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 09:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/02 03:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 03:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 03:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 03:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 03:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 03:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 03:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 03:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 03:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 03:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 03:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 03:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 03:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 03:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 03:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 03:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 03:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 03:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 03:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 03:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 03:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 03:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 03:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 03:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 03:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 03:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 03:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 03:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 03:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 03:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 02:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 02:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 02:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 02:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 02:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 02:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 01:41:50 | 000,987,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (HSF_DPV)
DRV - [2006/11/02 01:41:49 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 01:41:48 | 000,654,336 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (winachsf)
DRV - [2006/11/02 01:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 01:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 01:30:53 | 000,464,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XV)
DRV - [2006/11/02 01:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://il.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = he
IE - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BD E8 0B 21 B4 94 CB 01 [binary data]
IE - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2010/12/03 02:37:56 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Shareaza Web Download Hook) - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\RazaWebHook32.dll (Shareaza Development Team)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe (Saitek)
O4 - HKLM..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe (Saitek)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Download with &Shareaza - C:\Program Files\Shareaza\RazaWebHook32.dll (Shareaza Development Team)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Downloads\Wallpapers\pool.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/15 04:10:05 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
[2010/12/15 03:43:10 | 000,352,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskschd.dll
[2010/12/15 03:43:10 | 000,345,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmicmiplugin.dll
[2010/12/15 03:43:10 | 000,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskcomp.dll
[2010/12/15 03:43:05 | 000,292,352 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/12/15 03:43:05 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/12/15 03:43:05 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/12/15 03:42:56 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/12/15 03:42:55 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/12/15 03:42:55 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/12/15 03:42:55 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/12/15 03:42:55 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/12/15 03:42:54 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/12/15 03:42:54 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/12/15 03:42:54 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/12/15 03:42:54 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/12/15 03:42:54 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/12/15 03:42:54 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/12/15 03:42:54 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/12/15 03:42:54 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/12/15 03:42:54 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/12/15 03:42:54 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/12/15 03:42:54 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/12/15 03:42:54 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/12/15 03:42:50 | 002,038,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/12/15 03:42:45 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\consent.exe
[2010/12/15 03:42:33 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/12/14 22:18:31 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Canneverbe Limited
[2010/12/14 22:18:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Canneverbe Limited
[2010/12/14 22:18:04 | 000,000,000 | ---D | C] -- C:\Program Files\CDBurnerXP
[2010/12/14 11:50:25 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\PeaZip
[2010/12/14 11:49:35 | 000,000,000 | ---D | C] -- C:\Program Files\PeaZip
[2010/12/12 22:14:26 | 000,000,000 | ---D | C] -- C:\Opera11Beta
[2010/12/08 14:24:22 | 000,000,000 | ---D | C] -- C:\Users\user\Desktop\daniweb
[2010/12/07 03:55:41 | 000,000,000 | ---D | C] -- C:\Users\user\Desktop\Spyware Battle
[2010/12/07 03:52:05 | 000,000,000 | ---D | C] -- C:\Users\user\Documents\Downloads
[2010/12/07 03:21:42 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/12/07 02:40:35 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\QtWeb.NET
[2010/12/07 02:40:34 | 000,000,000 | ---D | C] -- C:\Program Files\QtWeb
[2010/12/06 18:44:10 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010/12/06 18:44:10 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010/12/06 18:44:10 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010/12/05 18:13:23 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/12/05 18:13:23 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/12/05 18:13:23 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/12/05 18:11:07 | 000,018,816 | ---- | C] (Sophos Plc) -- C:\Windows\System32\SAVRKBootTasks.sys
[2010/12/05 16:15:41 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/12/05 14:44:31 | 000,000,000 | ---D | C] -- C:\Users\user\DoctorWeb
[2010/12/05 14:29:11 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/12/05 06:40:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/12/05 06:40:40 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/12/05 05:13:47 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/12/05 05:10:13 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/12/05 04:22:24 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/12/05 04:22:24 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/12/05 04:22:24 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/12/05 04:20:59 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/12/05 04:20:54 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/12/05 04:19:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/12/05 04:01:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/05 01:31:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/05 01:31:41 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/04 23:32:27 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Reallusion
[2010/12/04 23:32:26 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\tmp
[2010/12/04 15:04:38 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\AVG10
[2010/12/04 15:02:39 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2010/12/04 15:00:35 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2010/12/04 14:23:58 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/12/04 01:39:10 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Malwarebytes
[2010/12/04 01:38:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/12/04 01:38:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/03 03:53:19 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2010/12/03 03:00:27 | 000,867,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpmde.dll
[2010/12/03 03:00:25 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rtutils.dll
[2010/12/03 03:00:03 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\gameux.dll
[2010/12/03 03:00:01 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll
[2010/12/03 03:00:01 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll
[2010/12/03 02:59:39 | 008,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2010/12/03 02:59:13 | 000,954,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40.dll
[2010/12/03 02:59:12 | 000,954,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc40u.dll
[2010/12/03 02:58:24 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netevent.dll
[2010/12/03 02:57:50 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010/12/03 02:57:45 | 000,317,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MP4SDECD.DLL
[2010/12/03 02:57:43 | 000,231,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll
[2010/12/03 02:57:41 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\System32\iccvid.dll
[2010/12/03 02:57:40 | 000,157,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010/12/03 02:35:26 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/12/03 00:19:27 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Local\AVERT
[2010/12/02 23:42:44 | 000,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\sst2058.sys
[2010/11/29 19:24:09 | 000,000,000 | ---D | C] -- C:\Program Files\x264vfw
[2010/11/22 13:24:30 | 000,000,000 | ---D | C] -- C:\Users\user\AppData\Roaming\Google
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Users\user\Documents\*.tmp files -> C:\Users\user\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/15 04:12:08 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{7307DFB2-72C8-42EB-AE0F-711B0FD3E38C}.job
[2010/12/15 04:10:01 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/15 04:09:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\user\Desktop\OTL.exe
[2010/12/15 04:04:03 | 000,604,764 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/15 04:04:03 | 000,108,096 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/15 04:02:43 | 000,264,874 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/12/15 04:02:22 | 000,133,632 | ---- | M] () -- C:\Users\user\Desktop\RKUnhookerLE.EXE
[2010/12/15 03:58:16 | 000,264,874 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/12/15 03:56:54 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/15 03:56:19 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/15 03:56:19 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/15 03:56:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/15 03:55:59 | 000,426,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/15 03:52:38 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/12/14 06:02:01 | 000,203,776 | ---- | M] () -- C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/12 06:08:26 | 000,007,808 | ---- | M] () -- C:\Users\user\AppData\Local\d3d9caps.dat
[2010/12/10 00:22:47 | 000,008,564 | ---- | M] () -- C:\Users\user\Documents\Payment Tracking.xlsx
[2010/12/08 13:54:21 | 000,001,155 | ---- | M] () -- C:\ProgramData\1086269154.dat
[2010/12/07 03:52:39 | 000,000,000 | ---- | M] () -- C:\Users\user\defogger_reenable
[2010/12/07 02:40:39 | 000,000,760 | ---- | M] () -- C:\Users\Public\Desktop\QtWeb.lnk
[2010/12/05 18:12:46 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/12/05 18:12:46 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/12/05 18:12:46 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/12/05 18:12:46 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/12/05 06:42:51 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/12/02 23:44:26 | 000,229,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sst2058.sys
[2010/11/15 21:35:07 | 006,996,912 | ---- | M] () -- C:\Users\user\Documents\Cricket Payment.one
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[1 C:\Users\user\Documents\*.tmp files -> C:\Users\user\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/15 04:02:44 | 000,133,632 | ---- | C] () -- C:\Users\user\Desktop\RKUnhookerLE.EXE
[2010/12/09 14:22:41 | 000,008,564 | ---- | C] () -- C:\Users\user\Documents\Payment Tracking.xlsx
[2010/12/07 03:52:39 | 000,000,000 | ---- | C] () -- C:\Users\user\defogger_reenable
[2010/12/07 02:40:39 | 000,000,760 | ---- | C] () -- C:\Users\Public\Desktop\QtWeb.lnk
[2010/12/05 04:22:24 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/12/05 04:22:24 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/12/05 04:22:24 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2010/12/05 04:22:24 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/12/05 04:22:24 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/12/03 04:03:58 | 000,001,111 | ---- | C] () -- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2010/12/03 00:08:29 | 000,001,155 | ---- | C] () -- C:\ProgramData\1086269154.dat
[2010/11/15 21:35:05 | 006,996,912 | ---- | C] () -- C:\Users\user\Documents\Cricket Payment.one
[2010/08/30 10:13:37 | 000,000,092 | ---- | C] () -- C:\Users\user\AppData\Local\fusioncache.dat
[2010/04/11 14:04:48 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll
[2010/02/05 13:00:51 | 000,000,016 | ---- | C] () -- C:\Windows\System32\msvcsv60.dll
[2010/02/01 08:42:41 | 000,491,520 | ---- | C] () -- C:\Windows\System32\libencdec.dll
[2009/12/06 03:34:45 | 000,000,400 | ---- | C] () -- C:\Windows\g_mgpmro423.ini
[2009/10/12 03:18:57 | 000,000,204 | ---- | C] () -- C:\Windows\inikujaga.INI
[2009/08/31 11:59:43 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/08/26 07:54:48 | 000,007,680 | ---- | C] () -- C:\Windows\System32\RdCi1027.dll
[2009/07/20 17:11:25 | 000,000,077 | ---- | C] () -- C:\Windows\OPHC.INI
[2009/07/08 13:11:44 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/07/08 13:11:44 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/06/05 07:08:28 | 000,000,604 | -H-- | C] () -- C:\ProgramData\T2
[2009/06/05 07:08:28 | 000,000,604 | -H-- | C] () -- C:\Program Files\STLL Notifier
[2009/06/04 17:48:02 | 000,000,013 | ---- | C] () -- C:\Users\user\AppData\Local\springsettings.cfg
[2009/05/30 18:09:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/05/16 09:38:03 | 000,000,092 | ---- | C] () -- C:\Windows\BBW_INFO.INI
[2009/04/16 04:24:14 | 000,921,600 | ---- | C] () -- C:\Windows\System32\vorbisenc.dll
[2009/04/16 04:24:14 | 000,237,568 | ---- | C] () -- C:\Windows\System32\OggDS.dll
[2009/04/16 04:24:14 | 000,188,416 | ---- | C] () -- C:\Windows\System32\vorbis.dll
[2009/04/16 04:24:14 | 000,045,056 | ---- | C] () -- C:\Windows\System32\Ogg.dll
[2009/04/02 18:40:40 | 000,264,874 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/04/02 18:40:40 | 000,264,874 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/03/23 04:34:11 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/03/22 11:21:31 | 000,203,776 | ---- | C] () -- C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/22 04:29:15 | 000,101,264 | ---- | C] () -- C:\Users\user\AppData\Roaming\nvModes.001
[2009/03/19 10:44:26 | 000,101,264 | ---- | C] () -- C:\Users\user\AppData\Roaming\nvModes.dat
[2009/03/19 09:13:43 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2009/03/19 08:35:08 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2009/03/19 07:42:58 | 000,007,808 | ---- | C] () -- C:\Users\user\AppData\Local\d3d9caps.dat
[2007/11/26 07:10:10 | 000,007,680 | ---- | C] () -- C:\Windows\System32\emcoinst.dll
[2007/06/18 23:59:36 | 000,070,400 | ---- | C] () -- C:\Windows\System32\PhysXLoader.dll
[2007/04/19 22:57:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/04/19 22:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 16 bytes -> C:\Users\user\Downloads:Shareaza.GUID
@Alternate Data Stream - 1330 bytes -> C:\ProgramData\Microsoft:bbHbGVYEleZjtdQf9zxQPmf6HN
@Alternate Data Stream - 1205 bytes -> C:\Users\user\AppData\Local\YIuAe7I3sqvwIyB:5LT4JklZxsI8MGPvqvcaffPoV0L

< End of report >

OTL's "Extras.txt":

OTL Extras logfile created on: 15/12/2010 04:11:08 - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\user\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 0000040d | Country: ישראל | Language: HEB | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.00 Gb Total Space | 18.47 Gb Free Space | 12.65% Space Free | Partition Type: NTFS

Computer Name: MORTIMER | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [01.checksum] -- "C:\Program Files\corz\checksum\checksum.exe" cr "%1" ()
Directory [03.checksum] -- "C:\Program Files\corz\checksum\checksum.exe" vr "%1" ()
Directory [Add to archive] -- "C:\Program Files\PeaZip\PEAZIP.EXE" "-add2multi" "%1" (Giorgio Tani)
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse path with PeaZip] -- "C:\Program Files\PeaZip\PEAZIP.EXE" "-ext2browsepath" "%1" (Giorgio Tani)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-984060213-3574103687-2901243566-501]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{158FFC39-5B6A-40B7-8CE8-40A03C380B8B}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\command & conquer red alert 3 demo\ra3demo.exe |
"{192903FC-5693-41ED-BFC0-8728030560AA}" = protocol=17 | dir=in | app=c:\program files\thq\gas powered games\supreme commander - forged alliance\bin\forgedalliance.exe |
"{488E777C-2B55-43D9-8A4D-D682E2DB4E00}" = protocol=6 | dir=in | app=c:\program files\thq\gas powered games\gpgnet\gpg.multiplayer.client.exe |
"{4C103757-7D78-40B5-8CB1-0CF1C241169C}" = protocol=6 | dir=in | app=c:\program files\opera 10 beta\opera.exe |
"{5AA93742-32FF-4AC6-B120-DAFB9F215610}" = dir=in | app=c:\program files\dell\mediadirect\mediadirect.exe |
"{5F6D064E-CB0D-4458-8D0C-374194F27EB3}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6231DA63-AB0B-4E68-9A11-8C9BA4F47DC6}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe |
"{6AF6983F-5E18-4675-A7BC-B0DD0002C15F}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\command & conquer red alert 3 demo\ra3demo.exe |
"{8DE9EDE0-24A9-4132-8E08-55CFFCA42829}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dms\clmsservice.exe |
"{918B1EA1-B9D6-4CC5-B1E2-17FBB66661E9}" = protocol=17 | dir=in | app=c:\program files\thq\gas powered games\gpgnet\gpg.multiplayer.client.exe |
"{9B7ED0D0-8D8D-401A-995F-985459DA2A47}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{A1FA2199-844E-49C5-A0A1-E381F11750C4}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{A4D46F82-CE79-4B4A-9D13-3DBF3EFC897F}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{A64137AC-F03D-41F2-90C9-9C35B723FA1B}" = protocol=17 | dir=in | app=c:\program files\opera 10 beta\opera.exe |
"{B7D1AA19-AACD-4295-AB38-5D1522AFD5F7}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BE4FAADA-06E0-4812-8F5D-B61808731567}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"{CA9284D6-7E8C-4A8A-8964-E21058DD1211}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{DC24988F-79F0-468D-94EB-D88C9ABC97F3}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dmp\clbrowserengine.exe |
"{FB5B8F6D-3555-4363-9B52-B1014C2BBE6C}" = protocol=6 | dir=in | app=c:\program files\thq\gas powered games\supreme commander - forged alliance\bin\forgedalliance.exe |
"TCP Query User{00131FCC-1B2D-462F-BCD4-A7150BEAE4BD}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{01DEABA3-1049-4A5B-BBA5-BAC730D8466D}C:\program files\trillian\trillian.exe" = protocol=6 | dir=in | app=c:\program files\trillian\trillian.exe |
"TCP Query User{06E5368B-7289-4339-AC48-7F85CB1EA5A6}C:\program files\qtweb\qtweb.exe" = protocol=6 | dir=in | app=c:\program files\qtweb\qtweb.exe |
"TCP Query User{0D0E903A-9993-42B2-BF37-4710B838235A}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{1F6BA708-9D3B-4068-B81D-8C35364BB28D}C:\program files\shareaza\shareaza.exe" = protocol=6 | dir=in | app=c:\program files\shareaza\shareaza.exe |
"TCP Query User{26F344EC-E422-4E97-A7B2-6FA155F314C5}C:\downloads\programs\[portable] lan games repository 1.0.0 [final]\cnc ra2+yr [portable]\gamemd.exe" = protocol=6 | dir=in | app=c:\downloads\programs\[portable] lan games repository 1.0.0 [final]\cnc ra2+yr [portable]\gamemd.exe |
"TCP Query User{2FCF3354-1D2C-4949-B7B5-378DC1BCFBE7}C:\downloads\programs\utorrent-1.8.3-beta-14809.upx.exe" = protocol=6 | dir=in | app=c:\downloads\programs\utorrent-1.8.3-beta-14809.upx.exe |
"TCP Query User{355B209A-DDA5-41A2-9727-E54C6B59766A}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{52B55D4E-77E3-4945-82D6-ABC674A4F796}C:\emule\emule.exe" = protocol=6 | dir=in | app=c:\emule\emule.exe |
"TCP Query User{5FB049CB-E03A-4859-96F8-46790B428F10}C:\program files\tmunitedforever\tmforever.exe" = protocol=6 | dir=in | app=c:\program files\tmunitedforever\tmforever.exe |
"TCP Query User{729BCD96-9FCE-41C2-864F-AFAD68B85A16}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{8374CF25-4050-425D-A050-AE082C4D487C}C:\program files\reaper\reaper.exe" = protocol=6 | dir=in | app=c:\program files\reaper\reaper.exe |
"TCP Query User{9CDE5330-98D0-49FB-812D-88784503B9A6}C:\program files\trillian\trillian.exe" = protocol=6 | dir=in | app=c:\program files\trillian\trillian.exe |
"TCP Query User{A60BB104-DB8B-4AE5-982A-A2B5EA79C0B6}C:\program files\2k sports\nba 2k10\nba2k10.exe" = protocol=6 | dir=in | app=c:\program files\2k sports\nba 2k10\nba2k10.exe |
"TCP Query User{B1E1DF38-0FFD-4E18-839A-AB78E009CFFC}C:\opera11beta\opera.exe" = protocol=6 | dir=in | app=c:\opera11beta\opera.exe |
"TCP Query User{E1B14DC5-4763-4096-94B7-8A8648360BB9}C:\emule\emule.exe" = protocol=6 | dir=in | app=c:\emule\emule.exe |
"TCP Query User{FA8DE177-EDD7-4123-A98E-CBF0BD7A3AF7}C:\program files\opera 10 beta\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera 10 beta\opera.exe |
"UDP Query User{2834EE77-35F2-4F78-A89B-B36D54D714E1}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{2BA48637-3F7F-4571-831D-AFC9B9A74D30}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{33451580-2729-4F6A-ADB9-FD0754F901D1}C:\program files\2k sports\nba 2k10\nba2k10.exe" = protocol=17 | dir=in | app=c:\program files\2k sports\nba 2k10\nba2k10.exe |
"UDP Query User{55C649C1-82E3-4169-8B44-9F6E24713A79}C:\program files\reaper\reaper.exe" = protocol=17 | dir=in | app=c:\program files\reaper\reaper.exe |
"UDP Query User{586C345B-38CC-4081-929D-9313657BF331}C:\program files\opera 10 beta\opera.exe" = protocol=17 | dir=in | app=c:\program files\opera 10 beta\opera.exe |
"UDP Query User{74FFEBF5-0B13-4957-A04D-3DA93EA118F8}C:\program files\tmunitedforever\tmforever.exe" = protocol=17 | dir=in | app=c:\program files\tmunitedforever\tmforever.exe |
"UDP Query User{783E8876-61F9-4996-9491-B2212C31F793}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{7E1DD72F-61FF-490A-965F-05C255555A96}C:\program files\trillian\trillian.exe" = protocol=17 | dir=in | app=c:\program files\trillian\trillian.exe |
"UDP Query User{8C0EA685-8BCA-4074-9C79-9EAF5F55CBD8}C:\emule\emule.exe" = protocol=17 | dir=in | app=c:\emule\emule.exe |
"UDP Query User{919C8FC7-02A5-47AB-9AB0-63937D542323}C:\downloads\programs\[portable] lan games repository 1.0.0 [final]\cnc ra2+yr [portable]\gamemd.exe" = protocol=17 | dir=in | app=c:\downloads\programs\[portable] lan games repository 1.0.0 [final]\cnc ra2+yr [portable]\gamemd.exe |
"UDP Query User{9309304D-70A6-4710-8C6F-EAC544D5E648}C:\emule\emule.exe" = protocol=17 | dir=in | app=c:\emule\emule.exe |
"UDP Query User{96838492-B108-4ED8-BBA6-63A940009860}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{A5AF1C27-EBF9-47B7-B4DD-FDDCD758DFAD}C:\program files\shareaza\shareaza.exe" = protocol=17 | dir=in | app=c:\program files\shareaza\shareaza.exe |
"UDP Query User{AA386331-D737-40CF-AA08-59814640AA8E}C:\opera11beta\opera.exe" = protocol=17 | dir=in | app=c:\opera11beta\opera.exe |
"UDP Query User{AB756866-DA01-4141-B412-0E2FB86F7092}C:\program files\trillian\trillian.exe" = protocol=17 | dir=in | app=c:\program files\trillian\trillian.exe |
"UDP Query User{B24FAA1D-8451-414A-B4B1-AD87825E070A}C:\downloads\programs\utorrent-1.8.3-beta-14809.upx.exe" = protocol=17 | dir=in | app=c:\downloads\programs\utorrent-1.8.3-beta-14809.upx.exe |
"UDP Query User{ECFE0B10-244F-453D-8AAC-BA28D6BC5153}C:\program files\qtweb\qtweb.exe" = protocol=17 | dir=in | app=c:\program files\qtweb\qtweb.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{048DB60B-5AD7-40D3-ACDA-6E8B233829FA}" = Logitech Harmony Remote Software 7
"{0A9C9BD5-8588-40D4-8A1A-860E3D2ED6EE}" = NBA 2K10
"{13C0E1F7-BB8A-4545-B25E-628D025A94AD}_is1" = QtWeb Internet Browser 3.7
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.6.2
"{1A834332-A9EE-440C-9505-2D07F445F05A}" = MOBILedit! Support Libraries
"{1C99893D-BC98-4456-AA3E-B67AB42301A6}" = E-MU USB Audio
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x32
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{342F5437-C87D-4BB5-89B9-B23E16C6A395}" = Microsoft Visual C++ 8.0 Support DLLs
"{39600969-41C3-4658-876E-16F108FC5C92}" = ISO Recorder
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40A594D0-1490-4979-9382-D2B764F949C6}" = BlackBerry Media Sync
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{47DA7D2E-408C-4050-B75F-95F6D2E6A332}_is1" = MOBILedit! ver. 4.3.0.827
"{49480197-4A67-4EAB-AD44-001862FCEEB7}" = Saitek SD6 Programming Software 6.6.6.9
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A2BC38A-406C-4A5B-BF45-6991F9A05325}_is1" = PeaZip 3.5.1
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{5C81AD72-BDF9-497B-A974-B7F3A91694A8}" = AxCrypt 1.7.1878.0
"{655CD886-3B90-4E4D-B314-92BDA9B08C86}" = Vegas Movie Studio HD 9.0c
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{65F1CF63-31E0-450B-96F3-4A88BE7361A6}" = AGEIA PhysX v7.07.09
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6B9DD988-5ECB-4623-BBFF-8A8F2DA3ED16}" = Rhinoceros 4.0 Evaluation
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{87CC8013-56D1-43E1-A0A5-AD406B4EBA95}" = Opera 10.63
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040D-0000-0000000FF1CE}" = Microsoft Office Proof (Hebrew) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BA0D0121-A3BA-487D-9C78-7AB0E676C722}" = Miroslav Philharmonik
"{BC4AE628-81A4-4FC6-863A-7A9BA2E2531F}" = Nokia Connectivity Cable Driver
"{C19BE821-89B1-4A96-AC7C-873810C0CB5F}" = ContentSAFER for Wizmax
"{C23B8C30-E05E-4CB5-8188-F27CC3B2DD3E}" = Sibelius 5
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C61177FD-37C4-4C5F-BE6C-E04A8AC399B6}" = EclipseCrossword
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE86E2F5-850C-4207-94A3-A58D647B1733}" = BlackBerry Desktop Software 5.0.1
"{E1BBBAC5-2857-4155-82A6-54492CE88620}" = Opera 9.64
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype 5.0
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Crossfading" = Advanced Crossfading 1.7.6.1180
"Advanced Video FX Engine" = Advanced Video FX Engine
"Applied Acoustics Lounge Lizard EP VSTi DXi v3.0" = Applied Acoustics Lounge Lizard EP VSTi DXi v3.0
"ASIO4ALL" = ASIO4ALL
"Audacity_is1" = Audacity 1.2.6
"AudioEase Speakersphone VST RTAS_is1" = AudioEase Speakersphone VST RTAS v1.03
"Best Service Artist Drums" = Best Service Artist Drums
"BlackBerry_{CE86E2F5-850C-4207-94A3-A58D647B1733}" = BlackBerry Desktop Software 5.0.1
"checksum" = corz checksum utility for windows
"Complex Evolution_is1" = Complex Evolution 5.1.1 (build 455)
"Creative OEM002" = Laptop Integrated Webcam Driver (1.00.10.0320)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Everything" = Everything 1.2.1.371
"ffdshow_is1" = ffdshow [rev 3054] [2009-08-23]
"FileZilla Client" = FileZilla Client 3.3.0.1
"FlashBoot_is1" = FlashBoot 1.4.0.157
"foobar2000" = foobar2000 v0.9.6.4 beta 2
"G-Force" = G-Force
"Graboid Video" = Graboid Video 1.73
"Highway Pursuit_is1" = Highway Pursuit v1.1
"HUFFYUV" = Huffyuv AVI lossless video codec (Remove Only)
"ID3-TagIT 3_is1" = ID3-TagIT 3
"ImagePrinter" = ImagePrinter 1.5.5
"InqScribe_is1" = InqScribe 2.0.5
"IrfanView" = IrfanView (remove only)
"IsoBuster_is1" = IsoBuster 2.5
"iZotope Vinyl_is1" = iZotope Vinyl
"JetBee_is1" = JetBee FREE 4.0.7 (build 321)
"Little Alarm Clock" = Little Alarm Clock
"LoopBe1" = LoopBe1 - Internal MIDI Port
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"MixVibesProducer.exe" = MixVibes PRODUCER uninstall
"MP3 Splitter_is1" = MP3 Splitter
"MuseScore 0.9" = MuseScore 0.9 MuseScore score typesetter
"Musette_is1" = Musette version 2.9.11
"Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS" = Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS
"Native Instruments Guitar Rig 3" = Native Instruments Guitar Rig 3
"Native Instruments Kontakt 3" = Native Instruments Kontakt 3
"Native Instruments Xpress Keyboards v1.0" = Native Instruments Xpress Keyboards v1.0
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"Quadra" = Quadra (remove only)
"REAPER" = REAPER
"Scribe" = Express Scribe
"Shareaza_is1" = Shareaza 2.5.2.0
"SmartQRP_is1" = SmartQRP 1.0
"Sonnox Oxford Reverb Native VST_is1" = Sonnox Oxford Reverb Native VST v1.0
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"SoundToys Native Effects VST RTAS_is1" = SoundToys Native Effects VST RTAS v4.0.2
"SUPER " = SUPER Version 2010.bld.37 (Jan 2, 2010)
"SynTPDeinstKey" = Dell Touchpad
"TempoPerfect" = TempoPerfect Metronome Software
"TmUnitedForever_is1" = TmUnitedForever StarEdition
"Transcribe!_is1" = Transcribe! 7.30
"Trillian" = Trillian
"vis_milk.dllWinamp" = MilkDrop for Winamp 2x (remove only)
"VLC media player" = VLC media player 1.0.1
"Winamp" = Winamp
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"x264vfw" = x264vfw - H.264/MPEG-4 AVC codec (remove only)
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-984060213-3574103687-2901243566-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 14/12/2010 14:32:31 | Computer Name = MORTIMER | Source = Application Error | ID = 1000
Description = Faulting application QtWeb.exe, version 3.5.0.59, time stamp 0x4cf6cf3a,
faulting module QtWeb.exe, version 3.5.0.59, time stamp 0x4cf6cf3a, exception code
0xc0000005, fault offset 0x00af9ce6, process id 0x324, application start time 0x01cb9b6e280581b3.

Error - 14/12/2010 20:40:45 | Computer Name = MORTIMER | Source = Application Error | ID = 1000
Description = Faulting application Transcribe.exe, version 0.7.0.30, time stamp
0x43de3c82, faulting module QuickTime.qts_unloaded, version 0.0.0.0, time stamp
0x4c87d299, exception code 0xc0000005, fault offset 0x6710bb69, process id 0x7a4,
application start time 0x01cb9b62c5429cd3.

Error - 14/12/2010 20:57:19 | Computer Name = MORTIMER | Source = Application Error | ID = 1000
Description = Faulting application Transcribe.exe, version 0.7.0.30, time stamp
0x43de3c82, faulting module QuickTime.qts_unloaded, version 0.0.0.0, time stamp
0x4c87d299, exception code 0xc0000005, fault offset 0x5c55bb69, process id 0x1764,
application start time 0x01cb9bf2fee16d53.

Error - 14/12/2010 22:49:25 | Computer Name = MORTIMER | Source = Application Error | ID = 1000
Description = Faulting application Transcribe.exe, version 0.7.0.30, time stamp
0x43de3c82, faulting module QuickTime.qts_unloaded, version 0.0.0.0, time stamp
0x4c87d299, exception code 0xc0000005, fault offset 0x621bbb69, process id 0x1348,
application start time 0x01cb9bf308478e13.

Error - 15/12/2010 01:02:07 | Computer Name = MORTIMER | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.0.6002.18005 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: c7c Start Time: 01cb9a99d7582ad3 Termination Time: 63

Error - 15/12/2010 05:56:42 | Computer Name = MORTIMER | Source = Windows Search Service | ID = 7040
Description =

Error - 15/12/2010 05:56:42 | Computer Name = MORTIMER | Source = Windows Search Service | ID = 7040
Description =

Error - 15/12/2010 05:56:42 | Computer Name = MORTIMER | Source = Windows Search Service | ID = 3029
Description =

Error - 15/12/2010 05:56:42 | Computer Name = MORTIMER | Source = Windows Search Service | ID = 3028
Description =

Error - 15/12/2010 05:56:42 | Computer Name = MORTIMER | Source = Windows Search Service | ID = 3058
Description =

[ OSession Events ]
Error - 20/10/2009 04:22:34 | Computer Name = user-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1938
seconds with 1740 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 15/12/2010 01:15:41 | Computer Name = MORTIMER | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 15/12/2010 01:15:50 | Computer Name = MORTIMER | Source = cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 15/12/2010 04:34:47 | Computer Name = MORTIMER | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 15/12/2010 04:34:50 | Computer Name = MORTIMER | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 15/12/2010 04:34:52 | Computer Name = MORTIMER | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 15/12/2010 04:34:54 | Computer Name = MORTIMER | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 15/12/2010 04:34:57 | Computer Name = MORTIMER | Source = cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 15/12/2010 05:56:38 | Computer Name = MORTIMER | Source = Service Control Manager | ID = 7000
Description =

Error - 15/12/2010 05:56:43 | Computer Name = MORTIMER | Source = Service Control Manager | ID = 7024
Description =

Error - 15/12/2010 05:56:43 | Computer Name = MORTIMER | Source = Service Control Manager | ID = 7031
Description =


< End of report >

Thank you so much for your time.

-Wolf

#4 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country
  • Local time:09:52 AM

Posted 15 December 2010 - 11:34 AM

Hello KingMorton,

Do you know what this is?
C:\Users\user\Desktop\Spyware Battle


Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case µTorrent and Shareaza). These programs allow file sharing between users as the name(s) suggest. In today's world cyber crime has become an enormous problem. Different ways are used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools as a huge amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading infected files via peer-to-peer tools and so these tools must be used with extreme care. Some further reading on this subject, along with included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes on copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

If you decide to keep this program please refrain from using it until we get your computer clean.


I see you have ComboFix installed. You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Step 1.

Previous Logs

I need to see logs/reports from the latest runs of ComboFix and MBAM.

Please navigate to ComboFix.txt and post the log in your next reply. If ComboFix.txt is not available navigate to C:\Qoobox\.

In the Qoobox Folder will be up to 4 previous ComboFix.txt reports in the following format:

Example:
C:\qoobox\ComboFix2.txt 2007-12-29 17:07:26
C:\qoobox\ComboFix3.txt 2007-12-27 20:42:53
C:\qoobox\ComboFix4.txt 2007-12-27 15:56:10
C:\qoobox\ComboFix5.txt 2007-12-27 15:33:58

Check the date and time, then choose the last run of ComboFix#.txt and post that report in your next reply.

Open MBAM and click on the Logs tab. Copy/paste the log from the last run of MBAM in your next reply.

Step 2.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

In your next reply please include the following:

Combofix.txt
MBAM Log
TDSSKiller log



Thanks!!
PW

#5 KingMorton

KingMorton
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:52 AM

Posted 15 December 2010 - 03:27 PM

"ComboFix.txt":

ComboFix 10-12-04.01 - user 12/05/2010 4:30.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1255.972.1033.18.2045.1280 [GMT -6:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data

.
((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
.

2010-12-05 10:56 . 2010-12-05 10:56 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-12-05 10:56 . 2010-12-05 10:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-05 07:31 . 2010-12-05 07:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-05 07:31 . 2010-12-05 07:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-05 05:32 . 2010-12-05 05:32 -------- d-----w- c:\users\user\AppData\Roaming\Reallusion
2010-12-05 05:32 . 2010-12-05 05:32 -------- d-----w- c:\users\user\AppData\Roaming\tmp
2010-12-04 21:04 . 2010-12-04 21:04 -------- d-----w- c:\users\user\AppData\Roaming\AVG10
2010-12-04 21:02 . 2010-12-04 21:02 -------- d--h--w- c:\programdata\Common Files
2010-12-04 21:00 . 2010-12-05 10:11 -------- d-----w- c:\programdata\AVG10
2010-12-04 20:23 . 2010-12-04 20:23 -------- d-----w- c:\program files\AVG
2010-12-04 07:39 . 2010-12-04 07:39 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2010-12-04 07:38 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-04 07:38 . 2010-12-04 07:38 -------- d-----w- c:\programdata\Malwarebytes
2010-12-04 07:38 . 2010-12-04 07:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-04 07:38 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-03 09:53 . 2010-12-04 20:22 -------- d-----w- c:\programdata\MFAData
2010-12-03 09:06 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EF18CC0A-6B91-47A0-B36C-F23C25AC1831}\mpengine.dll
2010-12-03 06:19 . 2010-12-03 08:39 -------- d-----w- c:\users\user\AppData\Local\AVERT
2010-12-03 05:42 . 2010-12-03 05:44 229376 ----a-w- c:\windows\system32\drivers\sst2058.sys
2010-12-03 05:42 . 2010-12-03 05:42 0 ----a-w- c:\windows\system32\drivers\sst2058.tmp
2010-11-30 01:24 . 2010-11-30 01:24 -------- d-----w- c:\program files\x264vfw

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 16:41 . 2009-10-08 20:37 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-25 14:07 . 2010-09-25 14:07 40960 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-09-25 14:07 . 2010-09-25 14:07 40960 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-09-15 02:50 . 2010-10-13 21:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-02-01 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-05-06 405504]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 237568]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 131072]

c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LoopBe1 Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\LoopBe1 Monitor.lnk
backup=c:\windows\pss\LoopBe1 Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 03:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-11-29 23:42 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 13:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 23:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-984060213-3574103687-2901243566-501]
"EnableNotificationsRef"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 136176]
R3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys [2007-11-26 163352]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 SaiKF620;SaiKF620;c:\windows\system32\DRIVERS\SaiKF620.sys [2008-10-22 106496]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 21:05]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 21:05]

2010-12-05 c:\windows\Tasks\User_Feed_Synchronization-{7307DFB2-72C8-42EB-AE0F-711B0FD3E38C}.job
- c:\windows\system32\msfeedssync.exe [2010-04-07 04:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-PyKeylogger - c:\program files\PyKeylogger\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-05 04:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-984060213-3574103687-2901243566-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:b3,14,25,7e,32,e9,a6,84,b6,68,48,44,df,1d,78,50,2e,e3,41,f6,f4,1d,d6,
60,90,0d,4e,06,b1,37,94,22,f7,ab,d7,b8,a2,ce,b5,12,a9,88,54,96,17,27,c5,ff,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-05 05:13:15
ComboFix-quarantined-files.txt 2010-12-05 11:12

Pre-Run: 6,480,678,912 bytes free
Post-Run: 6,958,465,024 bytes free

- - End Of File - - 7E656281F8F00A2DB91AC121555E678F

MBAM's last full scan (MBAM has since been uninstalled, so I grabbed this from [user]\AppData\Roaming\MBAM\Logs...):

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5241

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

04/12/2010 01:42:25
mbam-log-2010-12-04 (01-42-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 3346
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

TDSSKiller's Log (it actually found and removed something!):

2010/12/15 14:06:18.0227 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/15 14:06:18.0227 ================================================================================
2010/12/15 14:06:18.0227 SystemInfo:
2010/12/15 14:06:18.0227
2010/12/15 14:06:18.0227 OS Version: 6.0.6002 ServicePack: 2.0
2010/12/15 14:06:18.0227 Product type: Workstation
2010/12/15 14:06:18.0227 ComputerName: MORTIMER
2010/12/15 14:06:18.0227 UserName: user
2010/12/15 14:06:18.0227 Windows directory: C:\Windows
2010/12/15 14:06:18.0227 System windows directory: C:\Windows
2010/12/15 14:06:18.0227 Processor architecture: Intel x86
2010/12/15 14:06:18.0227 Number of processors: 2
2010/12/15 14:06:18.0227 Page size: 0x1000
2010/12/15 14:06:18.0227 Boot type: Normal boot
2010/12/15 14:06:18.0227 ================================================================================
2010/12/15 14:06:18.0788 Initialize success
2010/12/15 14:06:55.0557 ================================================================================
2010/12/15 14:06:55.0557 Scan started
2010/12/15 14:06:55.0557 Mode: Manual;
2010/12/15 14:06:55.0557 ================================================================================
2010/12/15 14:07:05.0853 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/12/15 14:07:06.0087 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/15 14:07:06.0181 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/15 14:07:06.0306 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/15 14:07:06.0462 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/15 14:07:06.0571 LoopBeMidi1 (de65ebd42567c33c0152e308a982b834) C:\Windows\system32\drivers\loopbe1.sys
2010/12/15 14:07:06.0649 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2010/12/15 14:07:06.0727 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2010/12/15 14:07:06.0883 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2010/12/15 14:07:06.0992 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/12/15 14:07:07.0086 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2010/12/15 14:07:07.0304 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/12/15 14:07:07.0398 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/15 14:07:07.0491 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/15 14:07:07.0569 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/15 14:07:07.0679 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/12/15 14:07:07.0757 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2010/12/15 14:07:07.0866 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/15 14:07:07.0959 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/12/15 14:07:08.0053 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/12/15 14:07:08.0162 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/15 14:07:08.0225 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/15 14:07:08.0271 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/15 14:07:08.0349 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2010/12/15 14:07:08.0427 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2010/12/15 14:07:08.0552 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/12/15 14:07:08.0646 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/12/15 14:07:08.0771 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/15 14:07:08.0880 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/15 14:07:08.0958 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/12/15 14:07:09.0051 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/12/15 14:07:09.0145 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/15 14:07:09.0254 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/12/15 14:07:09.0317 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/12/15 14:07:09.0395 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/15 14:07:09.0488 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/12/15 14:07:09.0613 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/15 14:07:09.0707 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/15 14:07:09.0785 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/15 14:07:09.0909 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/12/15 14:07:10.0003 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/15 14:07:10.0097 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/15 14:07:10.0253 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/12/15 14:07:10.0502 nmwcd (c82f4cc10ad315b6d6bcb14d0a7cad66) C:\Windows\system32\drivers\ccdcmb.sys
2010/12/15 14:07:10.0611 nmwcdc (60ef5f5621d7832f00a3f190a0c905e2) C:\Windows\system32\drivers\ccdcmbo.sys
2010/12/15 14:07:10.0721 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/12/15 14:07:10.0814 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/15 14:07:10.0908 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/12/15 14:07:11.0033 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/12/15 14:07:11.0157 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/12/15 14:07:11.0454 nvlddmkm (c14e3c26a348e359b89b4a02279d76c4) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/12/15 14:07:11.0750 nvraid (6f785db62a6d8f3fafd3e5695277e849) C:\Windows\system32\drivers\nvraid.sys
2010/12/15 14:07:11.0828 nvstor (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\drivers\nvstor.sys
2010/12/15 14:07:11.0953 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2010/12/15 14:07:12.0171 OEM02Dev (4db21d44fe49614e3a85e5c07ef09397) C:\Windows\system32\DRIVERS\OEM02Dev.sys
2010/12/15 14:07:12.0218 OEM02Vfx (86326062a90494bdd79ce383511d7d69) C:\Windows\system32\DRIVERS\OEM02Vfx.sys
2010/12/15 14:07:12.0327 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/12/15 14:07:12.0437 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/12/15 14:07:12.0483 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/12/15 14:07:12.0561 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/12/15 14:07:12.0671 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/12/15 14:07:12.0795 pciide (20b869152448f80ac49cf10264e91f5e) C:\Windows\system32\drivers\pciide.sys
2010/12/15 14:07:12.0905 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/12/15 14:07:13.0014 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/12/15 14:07:13.0232 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/15 14:07:13.0326 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2010/12/15 14:07:13.0435 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/15 14:07:13.0560 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2010/12/15 14:07:13.0700 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/12/15 14:07:13.0825 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/15 14:07:13.0950 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/15 14:07:14.0059 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/15 14:07:14.0153 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/15 14:07:14.0246 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/15 14:07:14.0324 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/15 14:07:14.0465 RDID1027 (6840d09bf9a491e096a30dae6463a58e) C:\Windows\system32\Drivers\rdwm1027.sys
2010/12/15 14:07:14.0589 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/15 14:07:14.0683 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2010/12/15 14:07:14.0761 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/15 14:07:14.0839 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/12/15 14:07:14.0979 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
2010/12/15 14:07:15.0073 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
2010/12/15 14:07:15.0120 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
2010/12/15 14:07:15.0213 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
2010/12/15 14:07:15.0276 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
2010/12/15 14:07:15.0369 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
2010/12/15 14:07:15.0479 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/15 14:07:15.0619 SaiKF620 (5ee9ad410120bfba6490f6447fcc815f) C:\Windows\system32\DRIVERS\SaiKF620.sys
2010/12/15 14:07:15.0759 SaiMini (a79fbdbc6a979259e38dea7d29b57619) C:\Windows\system32\DRIVERS\SaiMini.sys
2010/12/15 14:07:15.0822 SaiNtBus (bb20eba89e0ef39697a1a8728c5685fe) C:\Windows\system32\drivers\SaiBus.sys
2010/12/15 14:07:15.0884 SAVRKBootTasks (0aef47e0a6b0cba8c9833d55298b2791) C:\Windows\system32\SAVRKBootTasks.sys
2010/12/15 14:07:15.0978 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/12/15 14:07:16.0103 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
2010/12/15 14:07:16.0181 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/12/15 14:07:16.0321 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/12/15 14:07:16.0415 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/12/15 14:07:16.0524 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/12/15 14:07:16.0617 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2010/12/15 14:07:16.0727 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2010/12/15 14:07:16.0820 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2010/12/15 14:07:16.0898 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/12/15 14:07:16.0992 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2010/12/15 14:07:17.0070 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2010/12/15 14:07:17.0163 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2010/12/15 14:07:17.0226 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/12/15 14:07:17.0382 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/12/15 14:07:17.0507 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2010/12/15 14:07:17.0569 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/15 14:07:17.0616 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/15 14:07:17.0787 sst2058 (771c1b8d307cf8a930798acf3e43a2d3) C:\Windows\system32\drivers\sst2058.sys
2010/12/15 14:07:17.0928 STHDA (167909a1c36aa3e8f2582962f0ccc748) C:\Windows\system32\drivers\stwrt.sys
2010/12/15 14:07:18.0037 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/15 14:07:18.0146 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/12/15 14:07:18.0240 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/12/15 14:07:18.0333 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/12/15 14:07:18.0427 SynTP (dd17b63f26430e179ef6bdef5ac735bd) C:\Windows\system32\DRIVERS\SynTP.sys
2010/12/15 14:07:18.0567 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/12/15 14:07:18.0645 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/15 14:07:18.0770 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/15 14:07:18.0879 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/12/15 14:07:18.0926 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/12/15 14:07:18.0989 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/15 14:07:19.0098 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/15 14:07:19.0238 TPkd (5f226c681049fb1df1578af32bb641f1) C:\Windows\system32\drivers\TPkd.sys
2010/12/15 14:07:19.0363 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/15 14:07:19.0503 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/12/15 14:07:19.0597 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/15 14:07:19.0706 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2010/12/15 14:07:19.0800 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/15 14:07:19.0909 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2010/12/15 14:07:20.0003 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2010/12/15 14:07:20.0096 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/12/15 14:07:20.0159 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/12/15 14:07:20.0237 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/15 14:07:20.0361 upperdev (bb16932a4189e82d6c455042c11849b6) C:\Windows\system32\DRIVERS\usbser_lowerflt.sys
2010/12/15 14:07:20.0533 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/15 14:07:20.0611 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/12/15 14:07:20.0751 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/15 14:07:20.0814 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/15 14:07:20.0876 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2010/12/15 14:07:20.0970 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/15 14:07:21.0095 usbser (d575246188f63de0accf6eac5fb59e6a) C:\Windows\system32\DRIVERS\usbser.sys
2010/12/15 14:07:21.0173 UsbserFilt (e748d50b3b2ec7f40a2ba67fb094cf01) C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys
2010/12/15 14:07:21.0251 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/15 14:07:21.0360 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/15 14:07:21.0453 usbvideo (0a6b81f01bc86399482e27e6fda7b33b) C:\Windows\system32\Drivers\usbvideo.sys
2010/12/15 14:07:21.0609 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/15 14:07:21.0719 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/12/15 14:07:21.0781 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2010/12/15 14:07:21.0843 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2010/12/15 14:07:21.0921 viaide (58c8d5ac5c3eef40e7e704a5ced7987d) C:\Windows\system32\drivers\viaide.sys
2010/12/15 14:07:22.0046 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/12/15 14:07:22.0109 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/12/15 14:07:22.0218 volsnap (15694a3a34d44548c290b77b5b45e128) C:\Windows\system32\drivers\volsnap.sys
2010/12/15 14:07:22.0218 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 15694a3a34d44548c290b77b5b45e128, Fake md5: 147281c01fcb1df9252de2a10d5e7093
2010/12/15 14:07:22.0233 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/15 14:07:22.0343 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2010/12/15 14:07:22.0452 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/12/15 14:07:22.0577 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/15 14:07:22.0592 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/15 14:07:22.0670 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2010/12/15 14:07:22.0826 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
2010/12/15 14:07:22.0935 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/15 14:07:23.0060 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
2010/12/15 14:07:23.0216 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/15 14:07:23.0325 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/12/15 14:07:23.0435 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/15 14:07:23.0575 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/15 14:07:23.0669 ================================================================================
2010/12/15 14:07:23.0669 Scan finished
2010/12/15 14:07:23.0669 ================================================================================
2010/12/15 14:07:23.0684 Detected object count: 1
2010/12/15 14:07:33.0372 volsnap (15694a3a34d44548c290b77b5b45e128) C:\Windows\system32\drivers\volsnap.sys
2010/12/15 14:07:33.0387 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 15694a3a34d44548c290b77b5b45e128, Fake md5: 147281c01fcb1df9252de2a10d5e7093
2010/12/15 14:07:37.0662 Backup copy found, using it..
2010/12/15 14:07:37.0677 C:\Windows\system32\drivers\volsnap.sys - will be cured after reboot
2010/12/15 14:07:37.0677 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure
2010/12/15 14:07:41.0687 Deinitialize success

"Spyware Battle" is a folder I created to tidy up the desktop a bit from all the scanners I downloaded in my initial panic.
It only contains GMER and some of its logs.

I'll be sure to alert my contemporaries to the dangers of online file-sharing.

Thanks again,
-Wolf

Edited by KingMorton, 15 December 2010 - 03:28 PM.
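The TDSSKiller log above is the first scan in this thread that names the infection: the service list reports one hash for volsnap.sys, and the "Suspicious file (Forged)" line shows that the two ways TDSSKiller reads that file disagree on its hash, which is how it spots a TDL3-patched driver that hides its own modification. The following added example is not part of the thread and is not a Kaspersky tool; it parses lines in that log format and joins the forged-file record, the detection name and the chosen action into one finding per file. The sample lines are a constructed excerpt copied from the log above, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: lines copied from the TDSSKiller log above, in its exact
# format, trimmed to the handful that matter for the analysis.
SAMPLE_LOG = r"""
2010/12/15 14:07:18.0567 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/12/15 14:07:18.0645 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/15 14:07:22.0218 volsnap (15694a3a34d44548c290b77b5b45e128) C:\Windows\system32\drivers\volsnap.sys
2010/12/15 14:07:22.0218 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: 15694a3a34d44548c290b77b5b45e128, Fake md5: 147281c01fcb1df9252de2a10d5e7093
2010/12/15 14:07:22.0233 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/15 14:07:23.0684 Detected object count: 1
2010/12/15 14:07:37.0677 C:\Windows\system32\drivers\volsnap.sys - will be cured after reboot
2010/12/15 14:07:37.0677 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure
"""

_TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
_DRIVER = re.compile(_TS + r"(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>[A-Za-z]:\\.+)$")
_FORGED = re.compile(_TS + r"Suspicious file \((?P<kind>[^)]+)\): (?P<path>.+?)\. "
                     r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
_DETECT = re.compile(_TS + r"(?P<svc>\S+) - detected (?P<name>\S+) \(\d+\)$")
_ACTION = re.compile(_TS + r"(?P<name>\S+)\((?P<svc>\S+)\) - User select action: (?P<action>\w+)$")
_COUNT = re.compile(_TS + r"Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    service: str
    path: str
    real_md5: str
    fake_md5: str
    detection: Optional[str]
    action: Optional[str]

    @property
    def hashes_differ(self) -> bool:
        # The indicator is that two read paths disagree about the same file,
        # whichever of the two hashes belongs to the clean copy.
        return self.real_md5 != self.fake_md5


def parse_tdsskiller(text: str):
    """Split a log into (services by image path, forged-file records,
    detections by service, chosen actions by service, detected object count)."""
    by_path: Dict[str, List[Tuple[str, str]]] = {}
    forged, detections, actions, count = [], {}, {}, None
    for line in text.splitlines():
        if m := _DRIVER.match(line):
            by_path.setdefault(m["path"].lower(), []).append((m["svc"], m["md5"]))
        elif m := _FORGED.match(line):
            forged.append(m.groupdict())
        elif m := _DETECT.match(line):
            detections[m["svc"]] = m["name"]
        elif m := _ACTION.match(line):
            actions[m["svc"]] = m["action"]
        elif m := _COUNT.match(line):
            count = int(m["n"])
    return by_path, forged, detections, actions, count


def findings(text: str) -> Tuple[List[Finding], Optional[int]]:
    """One Finding per forged file, tied back to the service that loads it."""
    by_path, forged, detections, actions, count = parse_tdsskiller(text)
    out = []
    for f in forged:
        services = by_path.get(f["path"].lower(), [])
        # In the log the service line carries the same hash as "Real md5", so
        # the service whose hash equals it is the one this file belongs to.
        svc = next((s for s, h in services if h == f["real"]),
                   services[0][0] if services else "?")
        out.append(Finding(svc, f["path"], f["real"], f["fake"],
                           detections.get(svc), actions.get(svc)))
    return out, count


def shared_images(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Image files registered under more than one service name, with each
    service's hash. Identical hashes (Tcpip/Tcpip6 on tcpip.sys) are normal;
    differing hashes for one path within a single scan would not be."""
    by_path, *_ = parse_tdsskiller(text)
    return {p: svcs for p, svcs in by_path.items() if len(svcs) > 1}


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG)[0]:
        print(f.service, f.path, f.hashes_differ, f.detection, f.action)
```

Run it on a full log by reading the file into `findings()`; the count it returns should match the "Detected object count" line, and each finding should carry a detection name, otherwise the forged-file line was not attributed to a service and deserves a manual look.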


#6 pwgib

  • Malware Response Team
  • 2,957 posts
  • Gender:Male
  • Location:God's Country

Posted 15 December 2010 - 06:54 PM

Hi KingMorton


No need for the large font. :)

Step 1.

RKill by Grinler

Link #1
Link #2
Link #3

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.


Step 2.

Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

Step 3.

Your logs show remnants of AVG. We need to uninstall AVG completely as it will interfere with the running of ComboFix.

Download AppRemover and run for any AVG leftovers.

Step 4.

Next please delete the copy of Combofix from your desktop.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs. http://www.bleepingcomputer.com/forums/topic114351.html

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Step 5.

* Go to Start > Run, copy/paste the contents of the code box (excluding "code") into the Run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt
A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.


In your next reply please include the following:

RKill log
MBAM log
ComboFix.txt
ipconfig log


How is your computer running? Any redirects / pop-ups?


Thanks!!
PW
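Step 5 of the reply above captures the DNS configuration, a test lookup, a ping and the routing table so the helper can check them by eye for resolver or route tampering, the usual cause of the redirects the poster describes. The following added example is not part of the thread and is not a BleepingComputer tool; it automates the DNS portion of that check over constructed sample output in the Vista `ipconfig /all` and `nslookup` formats. The addresses in the samples are RFC 5737 documentation addresses standing in for rogue resolvers, `expected_dns` is an assumed allowlist the machine's owner supplies (typically the router or the ISP's resolvers), and the function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format "ipconfig /all" prints on Vista. The DNS
# servers are documentation addresses standing in for resolvers that belong to
# neither the LAN nor the ISP, which is what a helper scans the step 5 log for.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VISTA-PC
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
"""

# Constructed "nslookup google.com" output: the answer came from one of the
# resolvers above, and the returned address is likewise a documentation address.
SAMPLE_NSLOOKUP = """
Server:  UnKnown
Address:  203.0.113.5

Non-authoritative answer:
Name:    google.com
Address:  198.51.100.20
"""

_SECTION = re.compile(r"^(\S.*?):?\s*$")        # column-0 line: adapter heading
_FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][^:]*?)[ .]* :(?: (?P<val>.*))?$")
_CONT = re.compile(r"^\s{10,}(?P<val>\S.*)$")  # extra values under the same key
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# ipaddress.is_private also covers the RFC 5737 documentation ranges used in the
# samples, so the answer check names the non-routable ranges explicitly instead.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each heading to its fields; values are lists because ipconfig
    continues multi-valued fields such as DNS Servers on indented lines."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    section = key = None
    for line in text.splitlines():
        if m := _SECTION.match(line):
            section, key = m.group(1), None
            adapters[section] = {}
        elif section is None:
            continue
        elif m := _FIELD.match(line):
            key = m["key"].strip()
            val = (m["val"] or "").strip()
            adapters[section][key] = [val] if val else []
        elif key and (m := _CONT.match(line)):
            adapters[section][key].append(m["val"].strip())
    return adapters


def parse_nslookup(text: str) -> Tuple[Optional[str], List[str]]:
    """(address of the server that answered, IPv4 answers). Windows nslookup
    prints the resolver's Address: before Name: and the answers after it."""
    server, answers, past_name = None, [], False
    for line in text.splitlines():
        if line.startswith("Name:"):
            past_name = True
            continue
        for ip in _IPV4.findall(line):
            if past_name:
                answers.append(ip)
            elif server is None and line.startswith("Address"):
                server = ip
    return server, answers


def _addr(raw: str):
    """'192.168.1.10(Preferred)' or 'fe80::1%10' -> address object, else None."""
    try:
        return ipaddress.ip_address(raw.split("(")[0].split("%")[0].strip())
    except ValueError:
        return None


def check_resolution(ipconfig_text: str, nslookup_text: str,
                     expected_dns: List[str]) -> List[str]:
    """Compare configured resolvers with the owner's allowlist and the nslookup
    output with the configuration. Returns findings; empty means nothing odd."""
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    result: List[str] = []
    configured = set()
    for adapter, fields in parse_ipconfig(ipconfig_text).items():
        for raw in fields.get("DNS Servers", []):
            srv = _addr(raw)
            if srv is None:
                continue
            configured.add(srv)
            if srv not in expected:
                result.append(f"{adapter}: DNS server {srv} is not an expected resolver")
    server, answers = parse_nslookup(nslookup_text)
    if server is not None and ipaddress.ip_address(server) not in configured:
        result.append(f"nslookup was answered by {server}, which is not a configured resolver")
    for a in answers:
        addr = ipaddress.ip_address(a)
        if any(addr in net for net in _NON_ROUTABLE):
            result.append(f"public name resolved to non-routable address {addr}")
    return result
```

The allowlist is the whole point: a DHCP-assigned ISP resolver is a public address too, so "not private" is not a usable test, and the same log reads as clean or suspicious depending on what the owner says their resolvers should be. The third check (a public name resolving to a loopback or RFC 1918 address) catches hosts-file style blocking of security sites rather than a rogue resolver, which is why it is kept separate from the first two.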

#7 KingMorton

  • Topic Starter
  • Members
  • 6 posts

Posted 15 December 2010 - 09:04 PM

At no point did RKill flash a blank screen. Also, the .exe was the only one of the three which provided Run as Admin in the context menu. Perhaps the step's text should be amended?

Regardless, here are the requested logs:

Rkill:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/15/2010 at 18:02:29.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 12/15/2010 at 18:02:32.

MBAM:


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5324

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

15/12/2010 18:10:05
mbam-log-2010-12-15 (18-10-05).txt

Scan type: Quick scan
Objects scanned: 148501
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix:


ComboFix 10-12-15.04 - user 12/15/2010 19:13:15.2.2 - x86
Microsoft Windows Vista Home Premium 6.0.6002.2.1255.972.1033.18.2045.1249 [GMT -6:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sst2058.sys
c:\windows\system32\drivers\sst2058.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sst2058
-------\Service_sst2058


((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
.

2010-12-16 01:20 . 2010-12-16 01:36 -------- d-----w- c:\users\user\AppData\Local\temp
2010-12-16 01:20 . 2010-12-16 01:20 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-12-16 01:20 . 2010-12-16 01:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-16 00:05 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 00:05 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-15 09:43 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-15 09:43 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2010-12-15 09:43 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2010-12-15 09:43 . 2010-11-04 18:56 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-15 09:43 . 2010-11-04 18:55 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-12-15 09:43 . 2010-11-04 18:55 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-15 09:43 . 2010-11-04 18:55 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-15 09:43 . 2010-11-04 16:34 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-15 09:43 . 2010-10-28 15:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-15 09:43 . 2010-10-28 13:27 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-15 09:43 . 2010-06-16 15:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-15 09:38 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-15 04:18 . 2010-12-15 04:18 -------- d-----w- c:\users\user\AppData\Roaming\Canneverbe Limited
2010-12-15 04:18 . 2010-12-15 04:18 -------- d-----w- c:\programdata\Canneverbe Limited
2010-12-15 04:18 . 2010-12-15 04:18 -------- d-----w- c:\program files\CDBurnerXP
2010-12-14 17:50 . 2010-12-14 18:32 -------- d-----w- c:\users\user\AppData\Roaming\PeaZip
2010-12-14 17:49 . 2010-12-14 17:49 -------- d-----w- c:\program files\PeaZip
2010-12-14 07:57 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3C10A425-97D6-40A8-891C-1F8C31B0FA99}\mpengine.dll
2010-12-13 04:14 . 2010-12-13 04:14 -------- d-----w- C:\Opera11Beta
2010-12-07 08:40 . 2010-12-07 08:40 -------- d-----w- c:\users\user\AppData\Local\QtWeb.NET
2010-12-07 08:40 . 2010-12-07 09:52 -------- d-----w- c:\program files\QtWeb
2010-12-07 00:44 . 2009-11-08 16:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-07 00:44 . 2009-11-08 16:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-07 00:44 . 2009-11-08 16:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-07 00:44 . 2009-11-08 16:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-07 00:44 . 2009-11-08 16:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-06 00:11 . 2010-05-26 16:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-05 22:15 . 2010-12-05 22:15 -------- d-----w- c:\program files\Sophos
2010-12-05 20:44 . 2010-12-05 20:44 -------- d-----w- c:\users\user\DoctorWeb
2010-12-05 20:29 . 2010-12-05 20:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-05 12:40 . 2010-12-05 12:40 -------- d-----w- c:\programdata\Alwil Software
2010-12-05 12:40 . 2010-12-05 12:40 -------- d-----w- c:\program files\Alwil Software
2010-12-05 05:32 . 2010-12-05 05:32 -------- d-----w- c:\users\user\AppData\Roaming\Reallusion
2010-12-05 05:32 . 2010-12-05 05:32 -------- d-----w- c:\users\user\AppData\Roaming\tmp
2010-12-04 21:04 . 2010-12-04 21:04 -------- d-----w- c:\users\user\AppData\Roaming\AVG10
2010-12-04 21:02 . 2010-12-04 21:02 -------- d--h--w- c:\programdata\Common Files
2010-12-04 21:00 . 2010-12-05 10:11 -------- d-----w- c:\programdata\AVG10
2010-12-04 20:23 . 2010-12-04 20:23 -------- d-----w- c:\program files\AVG
2010-12-04 07:39 . 2010-12-04 07:39 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2010-12-04 07:38 . 2010-12-04 07:38 -------- d-----w- c:\programdata\Malwarebytes
2010-12-04 07:38 . 2010-12-16 00:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-03 09:53 . 2010-12-04 20:22 -------- d-----w- c:\programdata\MFAData
2010-12-03 09:00 . 2010-08-20 16:05 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-12-03 09:00 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-03 09:00 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-12-03 09:00 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-12-03 09:00 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-12-03 08:59 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-12-03 08:59 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-03 08:59 . 2010-08-31 15:46 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-12-03 08:59 . 2010-08-31 15:46 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-12-03 08:58 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-03 08:58 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-03 08:58 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-03 08:58 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-03 08:58 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-03 08:58 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-03 08:58 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-03 08:58 . 2010-06-17 18:08 10926592 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
2010-12-03 08:58 . 2010-06-17 16:16 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2010-12-03 08:58 . 2010-01-29 15:40 1616384 ----a-w- c:\program files\Windows Mail\msoe.dll
2010-12-03 08:57 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-12-03 08:57 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-03 08:57 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-12-03 08:57 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2010-12-03 08:57 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-12-03 08:57 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-03 08:57 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-12-03 08:57 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-12-03 08:57 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-12-03 08:57 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-03 08:57 . 2010-08-26 16:37 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-12-03 08:57 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-03 08:49 . 2010-08-31 15:44 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-12-03 06:19 . 2010-12-03 08:39 -------- d-----w- c:\users\user\AppData\Local\AVERT
2010-11-30 01:24 . 2010-11-30 01:24 -------- d-----w- c:\program files\x264vfw

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-15 20:09 . 2009-05-31 00:09 226280 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-12-06 00:12 . 2010-10-13 21:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 16:41 . 2009-10-08 20:37 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-25 14:07 . 2010-09-25 14:07 40960 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-09-25 14:07 . 2010-09-25 14:07 40960 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 216064 --sh--r- c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-02-01 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-05-06 405504]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 237568]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 131072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LoopBe1 Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\LoopBe1 Monitor.lnk
backup=c:\windows\pss\LoopBe1 Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 03:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-11-29 23:42 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 13:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 23:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-984060213-3574103687-2901243566-501]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 136176]
R3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys [2007-11-26 163352]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\453A.tmp [x]
R3 SaiKF620;SaiKF620;c:\windows\system32\DRIVERS\SaiKF620.sys [2008-10-22 106496]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
S2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 21:05]

2010-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 21:05]

2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{7307DFB2-72C8-42EB-AE0F-711B0FD3E38C}.job
- c:\windows\system32\msfeedssync.exe [2010-12-15 04:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 19:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\user\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\453A.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-984060213-3574103687-2901243566-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:b3,14,25,7e,32,e9,a6,84,b6,68,48,44,df,1d,78,50,2e,e3,41,f6,f4,1d,d6,
60,90,0d,4e,06,b1,37,94,22,f7,ab,d7,b8,a2,ce,b5,12,a9,88,54,96,17,27,c5,ff,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\conime.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\windows\system32\scrnsave.scr
.
**************************************************************************
.
Completion time: 2010-12-15 19:42:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-16 01:41

Pre-Run: 23,776,333,824 bytes free
Post-Run: 23,392,075,776 bytes free

- - End Of File - - 7C28CCDDB20DA35214115A582E4885D4

IpConfig:



Windows IP Configuration

Host Name . . . . . . . . . . . . : MORTIMER
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
Physical Address. . . . . . . . . : 00-1D-D9-34-B0-41
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-1C-23-A7-2E-57
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4d72:e5aa:38b8:caff%8(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.107(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 15 December 2010 19:22:26
Lease Expires . . . . . . . . . . : 15 December 2010 21:22:25
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 201333795
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-53-FF-63-00-1C-23-A7-2E-57
DNS Servers . . . . . . . . . . . : 68.87.68.166
68.87.74.166
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{796339DF-8FDF-4497-8632-C65351DB193D}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 10:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{8CE8A08B-1B96-43E5-A0AE-46ABD0961A0A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3844:6e3f:ba0a:ffee(Preferred)
Link-local IPv6 Address . . . . . : fe80::3844:6e3f:ba0a:ffee%13(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: cns.s3woodstock.ga.atlanta.comcast.net
Address: 68.87.68.166

Name: google.com
Addresses: 74.125.45.103
74.125.45.147
74.125.45.106
74.125.45.104
74.125.45.99
74.125.45.105


Pinging google.com [74.125.45.99] with 32 bytes of data:
Reply from 74.125.45.99: bytes=32 time=53ms TTL=52
Reply from 74.125.45.99: bytes=32 time=50ms TTL=52

Ping statistics for 74.125.45.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 53ms, Average = 51ms
===========================================================================
Interface List
9 ...00 1d d9 34 b0 41 ...... Broadcom 802.11g Network Adapter
8 ...00 1c 23 a7 2e 57 ...... Broadcom 440x 10/100 Integrated Controller
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.{796339DF-8FDF-4497-8632-C65351DB193D}
16 ...00 00 00 00 00 00 00 e0 isatap.{8CE8A08B-1B96-43E5-A0AE-46ABD0961A0A}
13 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.107 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.107 276
192.168.1.107 255.255.255.255 On-link 192.168.1.107 276
192.168.1.255 255.255.255.255 On-link 192.168.1.107 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.107 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.107 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
13 18 ::/0 On-link
1 306 ::1/128 On-link
13 18 2001::/32 On-link
13 266 2001:0:4137:9e76:3844:6e3f:ba0a:ffee/128
On-link
8 276 fe80::/64 On-link
13 266 fe80::/64 On-link
13 266 fe80::3844:6e3f:ba0a:ffee/128
On-link
8 276 fe80::4d72:e5aa:38b8:caff/128
On-link
1 306 ff00::/8 On-link
13 266 ff00::/8 On-link
8 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None


A quick related question:
Your profile states that Antivir is your AV of choice. Would you recommend it?
Also - did you spring for the premium version, or do you make do with the free edition?

Thank you kindly (yet again),

-Wolf
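
The ComboFix log above is read by hand in this thread. As an added example that is not part of the original post or of ComboFix itself, the Python below parses the three line shapes that appear in that log (file entries with their attribute flags, "name"="path" [info] autorun entries, and R3 name;display;path [info] service entries) and returns the triage hints a responder would check first: services whose image file ComboFix marks as missing with [x], services whose image is a .tmp file, autoruns that point into a user profile or temp directory, and files carrying the hidden and system attribute flags. The sample lines are copied from the log above; the regexes, the Hint type and the heuristics are this example's own assumptions about the format, and every hit is a reason to look rather than a verdict. The two [x] services it flags here are the ones pwgib's reply below attributes to the Initio USB driver and Sophos Anti-Rootkit that the poster installed, which is exactly why a human still has to read the hints.

```python
# Added example: triage helper for ComboFix-style log lines.  Not part of the
# thread above or of ComboFix; regexes, Hint type and heuristics are this
# example's own assumptions about the log format, built from the lines shown.
import re
from dataclasses import dataclass

# File entry, e.g.
#   2010-12-03 08:57 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
#   2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll   (Find3M: one timestamp)
# Directories show "--------" for the size and a leading "d" in the attribute flags.
FILE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: \. (?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)
# Service/driver entry, e.g.  R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\453A.tmp [x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$"
)
# Run-key entry, e.g.  "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 857648]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<info>[^\]]*)\]$')


@dataclass(frozen=True)
class Hint:
    kind: str      # what tripped, e.g. "service-missing-image"
    subject: str   # service name, autorun name or file path
    detail: str    # the path or attribute string that caused the hint


def _in_user_or_temp(path: str) -> bool:
    """Autoruns living under a profile or temp directory deserve a look."""
    p = path.lower()
    return "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p


def triage(lines):
    """Scan ComboFix-style lines and return the Hints worth a human's attention."""
    hints = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m["info"] == "x":                       # ComboFix's marker for a missing image file
                hints.append(Hint("service-missing-image", m["name"], m["path"]))
            if m["path"].lower().endswith(".tmp"):     # a service image in a .tmp file is unusual
                hints.append(Hint("service-tmp-image", m["name"], m["path"]))
            continue
        m = RUN_RE.match(line)
        if m:
            if _in_user_or_temp(m["path"]):
                hints.append(Hint("autorun-user-path", m["name"], m["path"]))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs = m["attrs"]
            # "s" and "h" together on a file (not a directory) = hidden + system attributes
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                hints.append(Hint("hidden-system-file", m["path"], attrs))
    return hints


# Constructed sample: lines copied from the ComboFix log in the thread above.
SAMPLE_LOG = r"""
2010-12-03 08:57 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2010-12-04 21:02 . 2010-12-04 21:02 -------- d--h--w- c:\programdata\Common Files
2006-05-03 10:06 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 31232 --sh--r- c:\windows\System32\msfDX.dll
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 857648]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\453A.tmp [x]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
"""


def sample_hints():
    """Run the triage over the constructed sample."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in sample_hints():
        print(f"{h.kind:22} {h.subject:45} {h.detail}")
```

On the sample it produces five hints: the two hidden-plus-system DLLs from the Find3M section, the two services with a missing image, and a second hint on MEMSWEEP2 because its image path is a .tmp under system32. Feeding it a whole ComboFix.txt works the same way, since lines that match none of the three shapes are ignored.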

#8 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:52 AM

Posted 16 December 2010 - 05:22 AM

Hi KingMorton

Please note that you are infected with a trojan (horse) or a Backdoor / Backdoor Server.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately:
  • Disconnect the infected computer from the internet until the computer can be cleaned.
  • From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... (Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information).
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

However, since the major rootkit infection has already been eliminated, I am happy to try and clean your PC (I am just providing you with the above information to underline the impact that can occur with files like these on your pc).

Should you have any questions, please feel free to ask. Let me know what your decision is.

If you still wish to proceed with the cleaning process please do the following

If you use the Initio Driver for USB Default Controller and Sophos Anti-Rootkit, they have files missing and will need to be reinstalled.

I assume you installed the following program. Let me know if you did not.

PyKeylogger


Step 1.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\programdata\AVG10
c:\program files\AVG

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-984060213-3574103687-2901243566-501]
"EnableNotificationsRef"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.

  • Please download mbrcheck from Here
  • Save that file to your desktop and double click on it to run it.
  • It will show a Black screen with some data on it then hit any key to continue.
  • Once it finishes there will be a log produced on your desktop that is labeled mbrcheck*.txt (where the * is date)
  • Please post the contents of that log in your next reply.

In your next reply please include the following:

ComboFix.txt
mbrcheck*.txt (where the * is date)


How is your computer running? Any problems?

Thanks!!
PW

#9 KingMorton

KingMorton
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 16 December 2010 - 07:25 AM

I appreciate the info. Seeing as how I can not afford to have a backdoor infection on this computer, I will format and start anew.

Thanks,
-Wolf

#10 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:52 AM

Posted 16 December 2010 - 09:00 AM

I understand your decision.

Here is the Symantec write up of the infection you had.

Secure List Information.


Your profile states that Antivir is your AV of choice. Would you recommend it?

I highly recommend AntiVir Free. See the link below.

Here are some more steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. Microsoft has released the latest upgrades to the XP OS platform, which can be referenced here

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software. Some free Antivirus solutions are Avira Antivir, Avast and Microsoft Security Essentials
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

For most users the built in Windows Firewall is sufficient. If you use a third party firewall make sure you have only one firewall installed at a time.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

Any Problems or questions? Anything else I can help you with?

Thanks!!

Edited by pwgib, 16 December 2010 - 09:20 AM.

PW

#11 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:52 AM

Posted 21 December 2010 - 10:09 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
PW
