Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

(Unknown infection) Browser hijack, generic host process error


  • This topic is locked This topic is locked
23 replies to this topic

#1 SS451

SS451

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 26 February 2011 - 01:45 PM

I've had an infection on my desktop machine for the past few days. I'm running Windows XP Pro XP SP3. I have used Malwarebytes Anti-Malware and PC Tools' Spyware Doctor (in combination with Rkill) in an attempt to clean up the infection, but so far have been only partly successful. I would really appreciate some help dealing with this infection.

Main issue is browser hijacking, especially when I try to go to sites like this one or other anti-malware sites from the google results. I also occasionally get a Generic Host Process for Win32 Services error, which causes my USB wireless card to stop working.

I ran Hijackthis, and the log follows. Let me know if I can provide any other useful information.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:40 PM, on 2/26/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Spyware Doctor\BDT\FGuard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Drop Down Deals\YontooIEClient.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] "C:\WINDOWS\JM\JMInsIDE.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidSetup.exe" boot
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [SkyTel] "SkyTel.EXE"
O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LiveMonitor] "C:\Program Files\MSI\Live Update 3\LMonitor.exe"
O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] "C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [PCTools FGuard] C:\Program Files\Spyware Doctor\BDT\FGuard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsGui.exe" /hideGUI
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Desktop Software] "C:\Program Files\Common Files\SupportSoft\bin\bcont.exe" /ini "C:\Program Files\ComcastUI\Desktop Software\uinstaller.ini" /fromrun /starthidden
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190045235843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190045231828
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\program files\valve\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

--
End of file - 10160 bytes

BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:55 PM

Posted 03 March 2011 - 07:07 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:

cXfZ4wS.png


#3 SS451

SS451
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 03 March 2011 - 05:02 PM

Thanks for your reply. I should note that I do use MagicISO for CD emulation, and that Defogger apparently failed to disable it. All 4 emulated CD drives still appear in "My Computer" and seem to function normally, even after I ran Defogger and clicked disable. Exiting MagicISO in my system tray also didn't seem to disable the drives.

I've attached the logs from gmer (ark.txt) and the separate attach file from DDS (attach.txt). The other DDS log follows:


DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 16:13:32.85 on Thu 03/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1256 [GMT -5:00]

AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Spyware Doctor\BDT\FGuard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll
TB: {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No File
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [JMB36X IDE Setup] "c:\windows\jm\JMInsIDE.exe"
mRun: [JMB36X Configure] "c:\windows\system32\JMRaidSetup.exe" boot
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [SkyTel] "SkyTel.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LiveMonitor] "c:\program files\msi\live update 3\LMonitor.exe"
mRun: [Airlink101 Airlink101 WLAN Monitor] "c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe"
mRun: [ANIWZCS2Service] "c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [PCTools FGuard] c:\program files\spyware doctor\bdt\FGuard.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\user~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\user\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\user~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\user~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190045235843
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190045231828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user~1\applic~1\mozilla\firefox\profiles\cvtts62y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#min3
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64545
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-1-17 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-12-10 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-12-10 656320]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-2-25 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-2-25 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-17 251560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-17 247760]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2009-7-6 72672]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-11-16 550272]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-2-25 33552]
S3 cpuz132;cpuz132;\??\c:\docume~1\user~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\valve\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-3-8 25832]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-1-17 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-12-10 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-1-17 1150936]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S4 WEBNTACCESS;WEBNTACCESS;c:\windows\system32\Ntaccess.sys [2008-4-27 17920]

=============== Created Last 30 ================

2011-02-27 22:17:25 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-26 04:41:47 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-02-26 04:41:47 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-02-26 04:41:47 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-02-25 22:47:41 -------- d-----w- c:\program files\Drop Down Deals
2011-02-25 22:47:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-02-24 07:21:00 -------- d-----w- c:\docume~1\user~1\applic~1\Malwarebytes
2011-02-24 07:20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 07:20:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-24 07:20:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 07:20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-24 06:02:41 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-24 06:02:41 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-24 05:55:26 0 ----a-w- c:\windows\Bmohupotovunika.bin
2011-02-24 05:55:25 -------- d-----w- c:\docume~1\user~1\locals~1\applic~1\{DE667F5A-81AA-4057-B7F5-A6833B2CC817}
2011-02-24 05:53:44 763392 ----a-w- c:\windows\system32\drivers\jcjigbm.sys
2011-02-24 05:53:29 53248 ----a-w- c:\windows\system32\6to4v32(2).dll
2011-02-02 17:46:50 -------- d-----w- c:\docume~1\user~1\locals~1\applic~1\SKIDROW
2011-02-01 23:56:07 -------- d-----w- c:\program files\Sid Meier's Civilization V

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 19:54:18 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-07 19:54:16 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-07 19:54:14 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-01-07 19:54:04 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-22 03:27:24 476 ----a-w- c:\program files\rkill.reg
2010-01-18 00:14:04 263168 ----a-w- c:\program files\rkill.com
2010-01-17 23:44:12 34355352 ----a-w- c:\program files\spyware-doctor.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD501LJ rev.CR100-10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8A783439]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7897b8]; MOV EAX, [0x8a789834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A7AD670]
3 CLASSPNP[0xF7667FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A7ADE50]
5 PCTCore[0xF7849099] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000078[0x8A80FF18]
7 ACPI[0xF758E620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A80BD98]
\Driver\atapi[0x8A897230] -> IRP_MJ_CREATE -> 0x8A783439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD501LJ_________________________CR100-10#3053554d314a504b303336353431202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A78327F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 16:15:45.18 ===============
Attached File  Attach.txt   22.23KB   1 downloadsAttached File  ark.txt   15.4KB   3 downloads

Edited by SS451, 03 March 2011 - 05:05 PM.


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:55 PM

Posted 04 March 2011 - 08:28 AM

Hello SS451 ! Welcome to BleepingComputer Forums! :welcome:


My name is Georgi and and I will be helping you with your computer problems.


Before we begin, please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit TDL4. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used be the attacker for malicious purposes. Rootkits are used be Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bepasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



STEP 1


We need to temporary uninstall MagicIso since its driver can confuse the rootkit scanner results:
Don't worry, we will reinstall it again at the end of the cleaning process.


Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

MagicIso

Additional instructions can be found here if needed.





STEP 2


We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy





STEP 3


:exclame: Be sure to temporary disable Spyware Doctor with AntiVirus and ThreatFire as they could interfere with the fix. :exclame:


Please read carefully and follow these steps.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

    Posted Image
  • If an infected file is detected, the default action will be Cure, click on Continue.

    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • Select Skip to the sptd.sys.

    Posted Image
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    Posted Image
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Regards,
Georgi

cXfZ4wS.png


#5 SS451

SS451
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 04 March 2011 - 06:18 PM

Hi, Georgi. So MagicDisc was actually not very cooperative about uninstalling, so I had to use Revo Uninstall Pro to get rid of it for the time being. It appear to have been successful--at least the emulated CD drives are now gone.

In any event, I then disabled TeaTimer and installed and ran TDSS, as you instructed. It did detect some kind of rootkit and I did tell it to cure and then reboot. The log follows.

2011/03/04 18:10:01.0031 3340 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/04 18:10:01.0046 3340 ================================================================================
2011/03/04 18:10:01.0046 3340 SystemInfo:
2011/03/04 18:10:01.0046 3340
2011/03/04 18:10:01.0046 3340 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/04 18:10:01.0046 3340 Product type: Workstation
2011/03/04 18:10:01.0046 3340 ComputerName: Computer
2011/03/04 18:10:01.0046 3340 UserName: User
2011/03/04 18:10:01.0046 3340 Windows directory: C:\WINDOWS
2011/03/04 18:10:01.0046 3340 System windows directory: C:\WINDOWS
2011/03/04 18:10:01.0046 3340 Processor architecture: Intel x86
2011/03/04 18:10:01.0046 3340 Number of processors: 2
2011/03/04 18:10:01.0046 3340 Page size: 0x1000
2011/03/04 18:10:01.0046 3340 Boot type: Normal boot
2011/03/04 18:10:01.0046 3340 ================================================================================
2011/03/04 18:10:01.0703 3340 Initialize success
2011/03/04 18:10:08.0750 2544 ================================================================================
2011/03/04 18:10:08.0750 2544 Scan started
2011/03/04 18:10:08.0750 2544 Mode: Manual;
2011/03/04 18:10:08.0750 2544 ================================================================================
2011/03/04 18:10:08.0968 2544 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/04 18:10:09.0015 2544 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/04 18:10:09.0062 2544 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/04 18:10:09.0109 2544 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/04 18:10:09.0187 2544 ANIO (920298c7aef97d8168d219d35975d295) C:\WINDOWS\system32\ANIO.SYS
2011/03/04 18:10:09.0203 2544 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/03/04 18:10:09.0265 2544 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/04 18:10:09.0281 2544 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/04 18:10:09.0421 2544 ati2mtag (1d99d1b43638e31ea5cf4a8fd199762b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/04 18:10:09.0531 2544 AtiHdmiService (fac04a8e09c8d70594382656d99772a3) C:\WINDOWS\system32\drivers\AtiHdmi.sys
2011/03/04 18:10:09.0562 2544 ATITool (1294314049f7cc8bf8ffa11d51458d35) C:\WINDOWS\system32\DRIVERS\ATITool.sys
2011/03/04 18:10:09.0562 2544 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/04 18:10:09.0593 2544 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/04 18:10:09.0625 2544 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/04 18:10:09.0656 2544 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/04 18:10:09.0687 2544 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/04 18:10:09.0703 2544 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/04 18:10:09.0718 2544 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/04 18:10:09.0734 2544 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/04 18:10:09.0937 2544 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/04 18:10:09.0968 2544 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/04 18:10:10.0000 2544 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/04 18:10:10.0015 2544 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/04 18:10:10.0046 2544 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/04 18:10:10.0062 2544 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/04 18:10:10.0093 2544 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/04 18:10:10.0093 2544 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/04 18:10:10.0125 2544 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/04 18:10:10.0140 2544 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/04 18:10:10.0171 2544 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/04 18:10:10.0203 2544 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/04 18:10:10.0218 2544 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/04 18:10:10.0234 2544 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/03/04 18:10:10.0265 2544 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/04 18:10:10.0281 2544 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/04 18:10:10.0312 2544 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/04 18:10:10.0359 2544 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/04 18:10:10.0390 2544 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/04 18:10:10.0406 2544 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/04 18:10:10.0546 2544 IntcAzAudAddService (47f27af890da3e51c633fdd510910115) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/03/04 18:10:10.0593 2544 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/04 18:10:10.0625 2544 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/04 18:10:10.0656 2544 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/04 18:10:10.0671 2544 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/04 18:10:10.0703 2544 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/04 18:10:10.0718 2544 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/04 18:10:10.0734 2544 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/04 18:10:10.0765 2544 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/04 18:10:10.0812 2544 JGOGO (c995c0e8b4503fac38793bb0236ad246) C:\WINDOWS\system32\DRIVERS\JGOGO.sys
2011/03/04 18:10:10.0812 2544 JRAID (f4a31e66a61c0783f51157519b03280b) C:\WINDOWS\system32\DRIVERS\jraid.sys
2011/03/04 18:10:10.0843 2544 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/04 18:10:10.0859 2544 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/04 18:10:10.0875 2544 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/04 18:10:10.0906 2544 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/04 18:10:10.0968 2544 LxrSII1d (7c12f93c005021861a36c11df951891a) C:\WINDOWS\system32\Drivers\LxrSII1d.sys
2011/03/04 18:10:11.0000 2544 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/04 18:10:11.0031 2544 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/04 18:10:11.0031 2544 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/04 18:10:11.0062 2544 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/04 18:10:11.0078 2544 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/04 18:10:11.0109 2544 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/04 18:10:11.0156 2544 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/04 18:10:11.0171 2544 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/04 18:10:11.0203 2544 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/04 18:10:11.0218 2544 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/04 18:10:11.0234 2544 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/04 18:10:11.0250 2544 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/04 18:10:11.0296 2544 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/04 18:10:11.0312 2544 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/04 18:10:11.0343 2544 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/04 18:10:11.0359 2544 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/04 18:10:11.0390 2544 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/04 18:10:11.0406 2544 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/04 18:10:11.0421 2544 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/04 18:10:11.0437 2544 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/04 18:10:11.0453 2544 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/04 18:10:11.0468 2544 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/04 18:10:11.0484 2544 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/04 18:10:11.0515 2544 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/03/04 18:10:11.0531 2544 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/04 18:10:11.0562 2544 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/04 18:10:11.0578 2544 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/04 18:10:11.0625 2544 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/04 18:10:11.0625 2544 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/04 18:10:11.0640 2544 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/03/04 18:10:11.0656 2544 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/04 18:10:11.0656 2544 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/04 18:10:11.0687 2544 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/04 18:10:11.0703 2544 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/04 18:10:11.0734 2544 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/04 18:10:11.0765 2544 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/04 18:10:11.0812 2544 PCTCore (995e6bc3bb92bb4a9eb49a663c43b6cb) C:\WINDOWS\system32\drivers\PCTCore.sys
2011/03/04 18:10:11.0828 2544 pctDS (f820b4c61d1e591325b679d479d4eea4) C:\WINDOWS\system32\drivers\pctDS.sys
2011/03/04 18:10:11.0875 2544 pctEFA (acc8c15f3d59f17c5d903ff1de3b43d3) C:\WINDOWS\system32\drivers\pctEFA.sys
2011/03/04 18:10:11.0906 2544 pctgntdi (5be722c8c9bba995693c8cd524d83b27) C:\WINDOWS\system32\drivers\pctgntdi.sys
2011/03/04 18:10:11.0937 2544 pctplsg (1ea4b41d30f28ff5e186a49b4a1d36d9) C:\WINDOWS\system32\drivers\pctplsg.sys
2011/03/04 18:10:12.0015 2544 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/04 18:10:12.0031 2544 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/04 18:10:12.0031 2544 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/04 18:10:12.0093 2544 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/04 18:10:12.0109 2544 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/04 18:10:12.0125 2544 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/04 18:10:12.0125 2544 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/04 18:10:12.0156 2544 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/04 18:10:12.0171 2544 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/04 18:10:12.0187 2544 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/04 18:10:12.0218 2544 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/04 18:10:12.0250 2544 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/04 18:10:12.0281 2544 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
2011/03/04 18:10:12.0343 2544 rt2870 (ca1f3487c964f80d76d4a79c8d1c1cbe) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2011/03/04 18:10:12.0390 2544 RTLE8023xp (098de621085d7f922871a99b0ec7ddd6) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/03/04 18:10:12.0437 2544 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/04 18:10:12.0453 2544 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/04 18:10:12.0468 2544 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/04 18:10:12.0484 2544 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/04 18:10:12.0531 2544 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/04 18:10:12.0578 2544 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/04 18:10:12.0593 2544 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/04 18:10:12.0625 2544 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/04 18:10:12.0656 2544 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/04 18:10:12.0656 2544 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/04 18:10:12.0671 2544 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/04 18:10:12.0750 2544 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/04 18:10:12.0796 2544 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/04 18:10:12.0843 2544 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/04 18:10:12.0875 2544 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/04 18:10:12.0890 2544 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/04 18:10:12.0921 2544 TfFsMon (1c7be4e77d42a93e6cd82ef742a50524) C:\WINDOWS\system32\drivers\TfFsMon.sys
2011/03/04 18:10:12.0953 2544 TfNetMon (40d1ad5741204ea83661e1b4d3d0d0c5) C:\WINDOWS\system32\drivers\TfNetMon.sys
2011/03/04 18:10:12.0953 2544 TFSysMon (5d30e224ac2183357cb478b5cb73bd31) C:\WINDOWS\system32\drivers\TfSysMon.sys
2011/03/04 18:10:13.0000 2544 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/04 18:10:13.0031 2544 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/04 18:10:13.0078 2544 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/03/04 18:10:13.0140 2544 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/04 18:10:13.0156 2544 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/04 18:10:13.0171 2544 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/04 18:10:13.0171 2544 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/04 18:10:13.0234 2544 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/04 18:10:13.0265 2544 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/04 18:10:13.0281 2544 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/04 18:10:13.0296 2544 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/03/04 18:10:13.0328 2544 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/04 18:10:13.0343 2544 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/04 18:10:13.0390 2544 vpnva (e1f2333a88ec4a5c8ea6be357323b72d) C:\WINDOWS\system32\DRIVERS\vpnva.sys
2011/03/04 18:10:13.0421 2544 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/04 18:10:13.0453 2544 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/04 18:10:13.0500 2544 WEBNTACCESS (1dc273a5f666d68907632f75ee7917dd) C:\WINDOWS\system32\NTACCESS.SYS
2011/03/04 18:10:13.0609 2544 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/03/04 18:10:13.0640 2544 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/04 18:10:13.0687 2544 xnacc (a668f64fe42b3b0d8d87ecad14963b00) C:\WINDOWS\system32\DRIVERS\xnacc.sys
2011/03/04 18:10:13.0718 2544 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/04 18:10:13.0750 2544 ================================================================================
2011/03/04 18:10:13.0750 2544 Scan finished
2011/03/04 18:10:13.0750 2544 ================================================================================
2011/03/04 18:10:13.0750 3152 Detected object count: 1
2011/03/04 18:10:29.0390 3152 \HardDisk0 - will be cured after reboot
2011/03/04 18:10:29.0390 3152 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/04 18:10:49.0500 3372 Deinitialize success

#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:55 PM

Posted 05 March 2011 - 04:07 AM

Hi SS451,


Great work ! :thumbsup:
So let's continue...



STEP 1



I suggest you to uninstall BitTorrent as well !

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software



STEP 2


AskBar Warning !!

I see you have the AskBar toolbar installed. This often comes bundled with spyware and is recommended you remove.

Please see here for more information:
http://www.bleepingcomputer.com/uninstall/94/Ask-Toolbar.html

If you would like to remove it, please go to add/Remove Programs and uninstall it.



STEP 3


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\drivers\jcjigbm.sys

note, if VT says these files have already been analysed, make sure you click re-analyse file now.

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/

Please repeat the steps for this file too:

c:\windows\system32\6to4v32(2).dll



STEP 4


Please download ComboFix from the link below:
Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply



Regards,
Georgi

cXfZ4wS.png


#7 SS451

SS451
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 05 March 2011 - 02:54 PM

Hi, so I see ComboFix is bound and determined to kill Firefox before it continues installing, so I will first post the VirusTotal logs before I continue with that, then make a separate post for the ComboFix information.

The ask.com toolbar may not have uninstalled perfectly. It's gone from the list in add/remove programs, but before it finished uninstalling, it gave me some kind of warning about something failing to deregister. Unfortunately, I clicked through before copying down the filename or registry entry.

I think I am going to leave BitTorrent installed for right now, if that's ok with you. Am I correct in understanding that it's not a danger to my computer so long as it isn't running? I mostly use it for downloading user-created mods for games I play, and I try to stick to trusted sites. However, I will be more careful about that in the future.

Here's the VirusTotal log for jcjigbm:

Antivirus Version Last Update Result
AhnLab-V3 2011.03.06.00 2011.03.05 Backdoor/Win32.Bubnix
AntiVir 7.11.4.71 2011.03.04 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2011.03.05 -
Avast 4.8.1351.0 2011.02.23 Win32:Bubak
Avast5 5.0.677.0 2011.03.05 Win32:Bubak
AVG 10.0.0.1190 2011.03.05 -
BitDefender 7.2 2011.03.05 Gen:Variant.Taterf.21
CAT-QuickHeal 11.00 2011.03.05 -
ClamAV 0.96.4.0 2011.03.05 -
Commtouch 5.2.11.5 2011.03.05 -
Comodo 7882 2011.03.05 -
DrWeb 5.0.2.03300 2011.03.05 -
Emsisoft 5.1.0.2 2011.03.05 -
eSafe 7.0.17.0 2011.03.03 -
eTrust-Vet 36.1.8198 2011.03.04 -
F-Prot 4.6.2.117 2011.03.04 -
F-Secure 9.0.16440.0 2011.03.05 Gen:Variant.Taterf.21
Fortinet 4.2.254.0 2011.03.05 -
GData 21 2011.03.05 Gen:Variant.Taterf.21
Ikarus T3.1.1.97.0 2011.03.05 -
Jiangmin 13.0.900 2011.03.05 -
K7AntiVirus 9.92.4032 2011.03.05 -
Kaspersky 7.0.0.125 2011.03.05 -
McAfee 5.400.0.1158 2011.03.05 Generic Rootkit.ej
McAfee-GW-Edition 2010.1C 2011.03.05 Generic Rootkit.ej
Microsoft 1.6603 2011.03.05 Trojan:WinNT/Bubnix.gen!A
NOD32 5928 2011.03.05 a variant of Win32/Bubnix.BN
Norman 6.07.03 2011.03.05 -
nProtect 2011-02-10.01 2011.02.15 Gen:Variant.Taterf.21
Panda 10.0.3.5 2011.03.05 -
PCTools 7.0.3.5 2011.03.05 -
Prevx 3.0 2011.03.05 -
Rising 23.47.05.03 2011.03.05 -
Sophos 4.63.0 2011.03.05 Mal/Bubnix-E
SUPERAntiSpyware 4.40.0.1006 2011.03.05 Trojan.Agent/Gen-Bubnix
Symantec 20101.3.0.103 2011.03.05 -
TheHacker 6.7.0.1.144 2011.03.05 -
TrendMicro 9.200.0.1012 2011.03.05 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.05 -
VBA32 3.12.14.3 2011.03.04 -
VIPRE 8608 2011.03.05 -
ViRobot 2011.3.5.4342 2011.03.05 -
VirusBuster 13.6.236.0 2011.03.05 -

Additional information
MD5 : 38d47d42e112f6d1c7edda7e4ffd91e2
SHA1 : b7b78bc7c5def0035e892fd39f250c9bddccb395
SHA256: 61d9519d34316a0f11c61010741c99b9a6d6bacda9c59f63d559c961972e049d

The other file you mentioned, 6to4v32(2).dll, doesn't seem to be in the system32 folder anymore. I do have hidden files showing, and I also used the windows "search" function (with hidden files and system folders) to look for it, but I did not find it. Something may have changed when I last rebooted my computer. I did have VirusTotal scan a file with a similar name, 6to4svc.dll. The log follows:

Antivirus Version Last Update Result
AhnLab-V3 2011.03.06.00 2011.03.05 -
AntiVir 7.11.4.71 2011.03.04 -
Antiy-AVL 2.0.3.7 2011.03.05 -
Avast 4.8.1351.0 2011.02.23 -
Avast5 5.0.677.0 2011.03.05 -
AVG 10.0.0.1190 2011.03.05 -
BitDefender 7.2 2011.03.05 -
CAT-QuickHeal 11.00 2011.03.05 -
ClamAV 0.96.4.0 2011.03.05 -
Commtouch 5.2.11.5 2011.03.05 -
Comodo 7882 2011.03.05 -
DrWeb 5.0.2.03300 2011.03.05 -
Emsisoft 5.1.0.2 2011.03.05 -
eSafe 7.0.17.0 2011.03.03 -
eTrust-Vet 36.1.8198 2011.03.04 -
F-Prot 4.6.2.117 2011.03.04 -
F-Secure 9.0.16440.0 2011.03.05 -
Fortinet 4.2.254.0 2011.03.05 -
GData 21 2011.03.05 -
Ikarus T3.1.1.97.0 2011.03.05 -
Jiangmin 13.0.900 2011.03.05 -
K7AntiVirus 9.92.4032 2011.03.05 -
Kaspersky 7.0.0.125 2011.03.05 -
McAfee 5.400.0.1158 2011.03.05 -
McAfee-GW-Edition 2010.1C 2011.03.05 -
Microsoft 1.6603 2011.03.05 -
NOD32 5928 2011.03.05 -
Norman 6.07.03 2011.03.05 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.05 -
PCTools 7.0.3.5 2011.03.05 -
Prevx 3.0 2011.03.05 -
Rising 23.47.05.03 2011.03.05 -
Sophos 4.63.0 2011.03.05 -
SUPERAntiSpyware 4.40.0.1006 2011.03.05 -
TheHacker 6.7.0.1.144 2011.03.05 -
TrendMicro 9.200.0.1012 2011.03.05 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.05 -
VBA32 3.12.14.3 2011.03.04 -
VIPRE 8608 2011.03.05 -
ViRobot 2011.3.5.4342 2011.03.05 -
VirusBuster 13.6.236.0 2011.03.05 -

Additional information
MD5 : c07d5197410aab28d0d93f943f59656d
SHA1 : d182982f55b9b7a18977ba359076d3c163a8e233
SHA256: 482164ba2b57c7026a7df3213e0ac59b752a898d9b880bc0629f9cadd05d2894

Will continue with ComboFix and hopefully post that info back here soon. Thanks for the help.

#8 SS451

SS451
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 05 March 2011 - 03:30 PM

Here's the ComboFix log. Thanks again for the help.

ComboFix 11-03-04.06 - User 03/05/2011 14:59:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1140 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\User\Local Settings\Application Data\{DE667F5A-81AA-4057-B7F5-A6833B2CC817}
c:\documents and settings\User\Local Settings\Application Data\{DE667F5A-81AA-4057-B7F5-A6833B2CC817}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{DE667F5A-81AA-4057-B7F5-A6833B2CC817}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{DE667F5A-81AA-4057-B7F5-A6833B2CC817}\install.rdf
C:\install.exe
c:\program files\Drop Down Deals
c:\program files\Drop Down Deals\YontooIEClient.dll
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-05 to 2011-03-05 )))))))))))))))))))))))))))))))
.
.
2011-03-05 20:11 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-03-05 20:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-03-05 19:20 . 2011-03-05 19:20 -------- d-----w- c:\windows\LastGood
2011-03-04 23:03 . 2011-03-04 23:03 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\VS Revo Group
2011-03-04 23:02 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-03-04 23:02 . 2011-03-04 23:02 -------- d-----w- c:\program files\VS Revo Group
2011-02-27 22:17 . 2011-02-27 22:17 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-26 04:41 . 2010-12-31 14:36 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-02-26 04:41 . 2010-12-31 14:36 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-02-26 04:41 . 2010-12-31 14:36 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-02-24 07:21 . 2011-02-24 07:21 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-02-24 07:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 07:20 . 2011-02-24 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-24 07:20 . 2011-02-24 07:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-24 07:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 06:21 . 2011-02-24 06:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-24 06:02 . 2011-02-24 06:02 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-24 05:55 . 2011-02-24 05:55 0 ----a-w- c:\windows\Bmohupotovunika.bin
2011-02-24 05:53 . 2011-02-24 06:03 763392 ----a-w- c:\windows\system32\drivers\jcjigbm.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-17 14:10 . 2010-01-18 00:22 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-07 19:54 . 2010-01-18 00:25 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-07 19:54 . 2010-01-18 00:25 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-07 19:54 . 2010-01-18 00:25 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-01-07 19:54 . 2010-01-18 00:25 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 16:54 . 2010-01-18 00:25 2125 ----a-w- c:\windows\UDB.zip
2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-16 13:46 . 2010-01-18 00:22 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-10 18:24 . 2010-01-18 00:22 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-09 15:15 . 2004-08-04 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-22 03:27 . 2010-03-22 03:27 476 ----a-w- c:\program files\rkill.reg
2010-01-18 00:14 . 2010-01-18 00:14 263168 ----a-w- c:\program files\rkill.com
2010-01-17 23:44 . 2010-01-17 23:43 34355352 ----a-w- c:\program files\spyware-doctor.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-17 1242448]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-07 136176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2008-03-14 498176]
"Airlink101 Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-11-30 1949696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PCTools FGuard"="c:\program files\Spyware Doctor\BDT\FGuard.exe" [2011-01-07 108496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\I:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\hattopic\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\torchlight\\TorchED\\Editor.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock 2\\SP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock 2\\MP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassins creed\\AssassinsCreed_Game.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassin's creed 2\\AssassinsCreedIIGame.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassin's creed 2\\UPlayBrowser.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/17/2010 7:22 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/10/2010 4:19 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/10/2010 4:19 PM 656320]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2/25/2011 11:41 PM 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2/25/2011 11:41 PM 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/17/2010 7:22 PM 251560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/17/2010 7:25 PM 247760]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [7/6/2009 5:58 PM 72672]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [10/9/2009 10:07 AM 493248]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2/25/2011 11:41 PM 33552]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [3/8/2010 4:44 PM 25832]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/17/2010 7:22 PM 70536]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [3/4/2011 6:02 PM 27064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/10/2010 4:19 PM 366840]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WEBNTACCESS
*Deregistered* - PCTSDInjDriver32
*Deregistered* - WEBNTACCESS
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 00:41]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 00:41]
.
2011-03-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-03 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#min3
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64545
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Drop Down Deals\YontooIEClient.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKLM-Run-JMB36X IDE Setup - c:\windows\JM\JMInsIDE.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
HKLM-Run-ATICustomerCare - c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-05 15:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f6,d6,23,73,7a,d8,58,ad,59,62,ea,88,36,54,8f,cb,48,e2,56,3f,e9,bf,5f,
d7,7c,cd,3e,3a,09,83,f4,f0,b9,ef,ed,86,d6,40,ef,d6,ba,b4,a0,87,4a,85,1d,72,\
"??"=hex:86,99,5c,d3,19,75,49,c5,5a,b4,c6,dc,aa,43,de,87
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:88,76,dd,ab,57,ce,ca,16,a4,8e,84,8d,84,e0,7a,75,54,d3,07,e4,41,
51,43,d7,d3,ce,72,e3,ab,8b,e6,af,f4,29,31,b6,82,90,e8,7e,70,46,e3,a8,12,b3,\
"rkeysecu"=hex:a9,39,50,a9,f4,7a,62,31,63,5a,7c,ef,3c,d6,3a,66
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\Spyware Doctor\TFEngine\TFMon.dll
c:\program files\Spyware Doctor\TFEngine\TFRK.dll
.
- - - - - - - > 'lsass.exe'(1020)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-03-05 15:21:15
ComboFix-quarantined-files.txt 2011-03-05 20:21
.
Pre-Run: 144,590,188,544 bytes free
Post-Run: 146,327,453,696 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 468C02CBF48F5F12C538231BAA92A59F

#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:55 PM

Posted 05 March 2011 - 04:25 PM

Hi SS451, :)


We need to execute a CFScript to clean some remnants.


Please do this:

1. Please delete your copy of Combofix and download a fresh one from here.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic381731.html

KILLALL::
Collect::
c:\windows\system32\drivers\jcjigbm.sys
File::
c:\windows\Bmohupotovunika.bin
Firefox::
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64545

Save this as CFScript.txt, in the same location as ComboFix.exe

3. Close any open browsers.

Posted Image

4. Refering to the picture above, drag CFScript into ComboFix.exe

5. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".


**NOTE**
  • IF for some reason Combofix fails to upload anything you will see that message:

    Posted Image
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.

6. When Combifix finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also reply back to let me know how things are going.


Regards,
Georgi

cXfZ4wS.png


#10 SS451

SS451
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 05 March 2011 - 05:23 PM

Hi. So the upload apparently didn't work (CF said the web server was unavailable), but I followed your instructions to upload manually, and I believe that was successful. Here is the ComboFix log:

ComboFix 11-03-05.01 - User 03/05/2011 16:55:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1283 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
FILE ::
"c:\windows\Bmohupotovunika.bin"
.
file zipped: c:\windows\system32\drivers\jcjigbm.sys
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Bmohupotovunika.bin
c:\windows\system32\drivers\jcjigbm.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-02-05 to 2011-03-05 )))))))))))))))))))))))))))))))
.
.
2011-03-05 20:11 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-03-05 20:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-03-04 23:03 . 2011-03-04 23:03 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\VS Revo Group
2011-03-04 23:02 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-03-04 23:02 . 2011-03-04 23:02 -------- d-----w- c:\program files\VS Revo Group
2011-02-27 22:17 . 2011-02-27 22:17 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-26 04:41 . 2010-12-31 14:36 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-02-26 04:41 . 2010-12-31 14:36 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-02-26 04:41 . 2010-12-31 14:36 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-02-24 07:21 . 2011-02-24 07:21 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-02-24 07:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 07:20 . 2011-02-24 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-24 07:20 . 2011-02-24 07:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-24 07:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 06:21 . 2011-02-24 06:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-24 06:02 . 2011-02-24 06:02 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-17 14:10 . 2010-01-18 00:22 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-07 19:54 . 2010-01-18 00:25 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-07 19:54 . 2010-01-18 00:25 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-07 19:54 . 2010-01-18 00:25 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-01-07 19:54 . 2010-01-18 00:25 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 16:54 . 2010-01-18 00:25 2125 ----a-w- c:\windows\UDB.zip
2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-16 13:46 . 2010-01-18 00:22 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-10 18:24 . 2010-01-18 00:22 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-09 15:15 . 2004-08-04 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-22 03:27 . 2010-03-22 03:27 476 ----a-w- c:\program files\rkill.reg
2010-01-18 00:14 . 2010-01-18 00:14 263168 ----a-w- c:\program files\rkill.com
2010-01-17 23:44 . 2010-01-17 23:43 34355352 ----a-w- c:\program files\spyware-doctor.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-17 1242448]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-07 136176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2008-03-14 498176]
"Airlink101 Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-11-30 1949696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PCTools FGuard"="c:\program files\Spyware Doctor\BDT\FGuard.exe" [2011-01-07 108496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\I:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\hattopic\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\torchlight\\TorchED\\Editor.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock 2\\SP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock 2\\MP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassins creed\\AssassinsCreed_Game.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassin's creed 2\\AssassinsCreedIIGame.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassin's creed 2\\UPlayBrowser.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/17/2010 7:22 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/10/2010 4:19 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/10/2010 4:19 PM 656320]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2/25/2011 11:41 PM 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2/25/2011 11:41 PM 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/17/2010 7:22 PM 251560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/17/2010 7:25 PM 247760]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [7/6/2009 5:58 PM 72672]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [10/9/2009 10:07 AM 493248]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [3/8/2010 4:44 PM 25832]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/17/2010 7:22 PM 70536]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [3/4/2011 6:02 PM 27064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/10/2010 4:19 PM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2/25/2011 11:41 PM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 00:41]
.
2011-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 00:41]
.
2011-03-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-03 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#min3
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64545
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-05 17:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f6,d6,23,73,7a,d8,58,ad,59,62,ea,88,36,54,8f,cb,48,e2,56,3f,e9,bf,5f,
d7,7c,cd,3e,3a,09,83,f4,f0,b9,ef,ed,86,d6,40,ef,d6,ba,b4,a0,87,4a,85,1d,72,\
"??"=hex:86,99,5c,d3,19,75,49,c5,5a,b4,c6,dc,aa,43,de,87
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:88,76,dd,ab,57,ce,ca,16,a4,8e,84,8d,84,e0,7a,75,54,d3,07,e4,41,
51,43,d7,d3,ce,72,e3,ab,8b,e6,af,f4,29,31,b6,82,90,e8,7e,70,46,e3,a8,12,b3,\
"rkeysecu"=hex:a9,39,50,a9,f4,7a,62,31,63,5a,7c,ef,3c,d6,3a,66
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(964)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(1020)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-03-05 17:18:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-05 22:18
ComboFix2.txt 2011-03-05 20:21
.
Pre-Run: 146,359,996,416 bytes free
Post-Run: 146,335,518,720 bytes free
.
- - End Of File - - 0C25F75F8D2A496693880E00C5818C86

Edited by SS451, 06 March 2011 - 12:52 AM.


#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:55 PM

Posted 06 March 2011 - 08:36 AM

Hi SS451, :)



Delete your copy of Combofix and download a fresh one from here.

Save it your desktop but do not run it yet ! <--- important !!!



We need to execute a CFScript again.

Please do this:


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open notepad => navigate to format and make sure that wordwrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:

KILLALL::
firefox::
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64545
FF - prefs.js: network.proxy.type - 0

4. Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

5. Close any open browsers.

6. Refering to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





NEXT...





Run Scan with Malwarebytes



I see you have Malwarebytes' Anti-Malware installed on your computer.
Please start the application by double-click on it's icon.
Once the program has loaded go to the UPDATE tab and check for updates.
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.



Also reply back to let me know how things are going.



Regards,
Georgi

cXfZ4wS.png


#12 SS451

SS451
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 06 March 2011 - 03:39 PM

Looks to me like it may not have worked this time either. On the other hand, what do I know? Here's the ComboFix log:

ComboFix 11-03-05.02 - User 03/06/2011 15:00:08.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1529 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-05 20:11 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-03-05 20:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-03-04 23:03 . 2011-03-04 23:03 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\VS Revo Group
2011-03-04 23:02 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-03-04 23:02 . 2011-03-04 23:02 -------- d-----w- c:\program files\VS Revo Group
2011-02-27 22:17 . 2011-02-27 22:17 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-26 04:41 . 2010-12-31 14:36 69392 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-02-26 04:41 . 2010-12-31 14:36 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-02-26 04:41 . 2010-12-31 14:36 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-02-24 07:21 . 2011-02-24 07:21 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-02-24 07:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 07:20 . 2011-02-24 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-24 07:20 . 2011-02-24 07:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-24 07:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-24 06:21 . 2011-02-24 06:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-24 06:02 . 2011-02-24 06:02 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-17 14:10 . 2010-01-18 00:22 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-07 19:54 . 2010-01-18 00:25 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-01-07 19:54 . 2010-01-18 00:25 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-01-07 19:54 . 2010-01-18 00:25 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-01-07 19:54 . 2010-01-18 00:25 767952 ----a-w- c:\windows\BDTSupport.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 16:54 . 2010-01-18 00:25 2125 ----a-w- c:\windows\UDB.zip
2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-16 13:46 . 2010-01-18 00:22 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-10 18:24 . 2010-01-18 00:22 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-09 15:15 . 2004-08-04 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-03-22 03:27 . 2010-03-22 03:27 476 ----a-w- c:\program files\rkill.reg
2010-01-18 00:14 . 2010-01-18 00:14 263168 ----a-w- c:\program files\rkill.com
2010-01-17 23:44 . 2010-01-17 23:43 34355352 ----a-w- c:\program files\spyware-doctor.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-11-17 1242448]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-07 136176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2008-03-14 498176]
"Airlink101 Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-11-30 1949696]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PCTools FGuard"="c:\program files\Spyware Doctor\BDT\FGuard.exe" [2011-01-07 108496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\hattopic\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\torchlight\\TorchED\\Editor.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\mass effect 2\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock 2\\SP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock 2\\MP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassins creed\\AssassinsCreed_Game.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassin's creed 2\\AssassinsCreedIIGame.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\assassin's creed 2\\UPlayBrowser.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/17/2010 7:22 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/10/2010 4:19 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/10/2010 4:19 PM 656320]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2/25/2011 11:41 PM 51984]
R0 TFSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2/25/2011 11:41 PM 69392]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/17/2010 7:22 PM 251560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/17/2010 7:25 PM 247760]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [7/6/2009 5:58 PM 72672]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [10/9/2009 10:07 AM 493248]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [3/8/2010 4:44 PM 25832]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [1/17/2010 7:22 PM 70536]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [3/4/2011 6:02 PM 27064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/10/2010 4:19 PM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2/25/2011 11:41 PM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 00:41]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 00:41]
.
2011-03-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-03 02:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig#min3
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 64545
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 15:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f6,d6,23,73,7a,d8,58,ad,59,62,ea,88,36,54,8f,cb,48,e2,56,3f,e9,bf,5f,
d7,7c,cd,3e,3a,09,83,f4,f0,b9,ef,ed,86,d6,40,ef,d6,ba,b4,a0,87,4a,85,1d,72,\
"??"=hex:86,99,5c,d3,19,75,49,c5,5a,b4,c6,dc,aa,43,de,87
.
[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:88,76,dd,ab,57,ce,ca,16,a4,8e,84,8d,84,e0,7a,75,54,d3,07,e4,41,
51,43,d7,d3,ce,72,e3,ab,8b,e6,af,f4,29,31,b6,82,90,e8,7e,70,46,e3,a8,12,b3,\
"rkeysecu"=hex:a9,39,50,a9,f4,7a,62,31,63,5a,7c,ef,3c,d6,3a,66
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'lsass.exe'(1116)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-03-06 15:28:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-06 20:28
ComboFix2.txt 2011-03-05 22:18
ComboFix3.txt 2011-03-05 20:21
.
Pre-Run: 146,263,601,152 bytes free
Post-Run: 146,262,466,560 bytes free
.
- - End Of File - - 111A4E6EC0899FC52092B83399411287

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5975

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/6/2011 3:37:34 PM
mbam-log-2011-03-06 (15-37-34).txt

Scan type: Quick scan
Objects scanned: 188625
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:55 PM

Posted 06 March 2011 - 04:09 PM

Hi SS451, :)


Let's take a deeper look.


We need to run an OTL Custom Scan


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.Posted Image
    - Under File Scans, change File age to 90
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Regards,
Georgi

cXfZ4wS.png


#14 SS451

SS451
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 06 March 2011 - 04:25 PM

Here's OTL.txt:

OTL logfile created on: 3/6/2011 4:12:19 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 136.26 Gb Free Space | 29.26% Space Free | Partition Type: NTFS
Drive D: | 654.81 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 465.76 Gb Total Space | 237.82 Gb Free Space | 51.06% Space Free | Partition Type: NTFS

Computer Name: FRANCIS-B381309 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2011/03/06 16:11:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2011/03/05 22:32:42 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2010/02/26 00:10:20 | 021,979,992 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2009/11/13 13:18:53 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2009/10/09 10:07:20 | 000,493,248 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2009/04/24 01:57:42 | 001,025,320 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\SupportSoft\bin\bcont.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/30 16:47:52 | 001,949,696 | ---- | M] (Airlink101) -- C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe
PRC - [2007/09/10 20:48:26 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/09/10 20:47:20 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2007/03/07 08:51:52 | 000,049,152 | ---- | M] () -- C:\WINDOWS\system32\LxrSII1s.exe
PRC - [2007/01/19 10:49:04 | 000,049,152 | ---- | M] (Wireless Service) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe


========== Modules (SafeList) ==========

MOD - [2011/03/06 16:11:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/12/31 09:36:22 | 000,070,928 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2010/11/19 06:57:14 | 001,150,936 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/03/08 16:44:19 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- c:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/10/09 10:07:20 | 000,493,248 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2007/03/07 08:51:52 | 000,049,152 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\LxrSII1s.exe -- (LxrSII1s)
SRV - [2007/01/19 10:49:26 | 000,049,152 | ---- | M] (Wireless Service) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/01/17 09:10:26 | 000,251,560 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/12/31 09:36:40 | 000,069,392 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TFSysMon)
DRV - [2010/12/31 09:36:38 | 000,033,552 | --S- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2010/12/31 09:36:36 | 000,051,984 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/12/16 08:46:04 | 000,070,536 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2010/12/10 13:24:12 | 000,239,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2010/07/06 21:27:52 | 005,069,312 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/12/30 11:20:54 | 000,027,064 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\revoflt.sys -- (Revoflt)
DRV - [2009/10/09 09:50:48 | 000,020,152 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vpnva.sys -- (vpnva)
DRV - [2009/08/19 07:05:56 | 000,100,368 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2007/11/16 10:56:26 | 000,550,272 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2007/05/12 15:39:32 | 000,028,195 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2007/03/07 08:51:52 | 000,072,672 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LxrSII1d.sys -- (LxrSII1d)
DRV - [2007/03/01 15:05:38 | 000,090,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2006/11/02 20:32:00 | 004,394,496 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/10/29 22:31:58 | 000,043,648 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2006/02/07 06:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\JGOGO.sys -- (JGOGO)
DRV - [2005/05/30 17:58:52 | 000,028,160 | ---- | M] (W1zzard) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-796845957-1123561945-839522115-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKU\S-1-5-21-796845957-1123561945-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-796845957-1123561945-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaultthis.engineName: "The_Pirate_Bay Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig#min3"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..keyword.URL: "http://www.google.com/search?q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 64545
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\Spyware Doctor\BDT\Firefox\ [2011/02/25 20:39:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/05 22:32:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/05 22:32:50 | 000,000,000 | ---D | M]

[2008/09/03 10:41:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/03/05 14:54:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\extensions
[2010/04/28 10:05:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/24 09:47:01 | 000,000,000 | ---D | M] (The Pirate Bay Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}
[2011/01/05 22:40:55 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/10/22 12:25:07 | 000,002,664 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\searchplugins\liquipedia-starcraft-2-wiki-en.xml
[2010/11/16 20:40:57 | 000,001,153 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\searchplugins\memory-alpha-en.xml
[2007/09/17 11:45:25 | 000,001,068 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\searchplugins\wikipedia-english.xml
[2011/03/05 14:54:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/13 12:47:23 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2008/09/03 19:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2009/11/28 20:33:03 | 000,002,236 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\askcom.xml
[2011/02/25 17:47:39 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2011/03/06 15:19:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No CLSID value found.
O3 - HKU\S-1-5-21-796845957-1123561945-839522115-1003\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe (Airlink101)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe ()
O4 - HKLM..\Run: [PCTools FGuard] C:\Program Files\Spyware Doctor\BDT\FGuard.exe (Threat Expert Ltd.)
O4 - HKU\S-1-5-21-796845957-1123561945-839522115-1003..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-796845957-1123561945-839522115-1003..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-796845957-1123561945-839522115-1003..\Run: [Steam] c:\program files\valve\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-796845957-1123561945-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-796845957-1123561945-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-796845957-1123561945-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-796845957-1123561945-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190045235843 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190045231828 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/15 06:33:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/10/18 16:09:17 | 000,000,000 | R--D | M] - D:\Autorun -- [ CDFS ]
O32 - AutoRun File - [2005/10/15 01:42:09 | 000,253,952 | R--- | M] (Firaxis Games) - D:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2005/10/15 01:42:09 | 000,004,118 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2011/03/06 16:11:43 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2011/03/06 15:15:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/05 15:11:25 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\proquota.exe
[2011/03/05 15:11:25 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\proquota.exe
[2011/03/05 14:54:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/05 14:41:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/05 14:41:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/05 14:41:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/05 14:41:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/05 14:40:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/05 14:40:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/04 18:09:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\tdsskiller(3)
[2011/03/04 18:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\VS Revo Group
[2011/03/04 18:02:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Revo Uninstaller Pro
[2011/03/04 18:02:52 | 000,027,064 | ---- | C] (VS Revo Group) -- C:\WINDOWS\System32\drivers\revoflt.sys
[2011/03/04 18:02:51 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/03/04 18:02:08 | 007,809,352 | ---- | C] (VS Revo Group ) -- C:\Documents and Settings\User\Desktop\RevoUninProSetup.exe
[2011/03/03 16:20:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\gmer
[2011/02/27 18:39:14 | 008,891,219 | ---- | C] (Macrovision Corporation) -- C:\Documents and Settings\User\Desktop\Fallout3_GECK.exe
[2011/02/27 17:17:25 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/02/27 17:16:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\tdss
[2011/02/25 23:41:47 | 000,069,392 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2011/02/25 23:41:47 | 000,051,984 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2011/02/25 23:41:47 | 000,033,552 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2011/02/25 20:38:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC Tools Security
[2011/02/24 16:22:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2011/02/24 02:41:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/02/24 02:41:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/02/24 02:21:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2011/02/24 02:20:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/02/24 02:20:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/24 02:20:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/02/24 02:20:50 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/02/24 02:20:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/02/24 02:15:46 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\mbam-setup(2).exe
[2011/02/24 02:09:18 | 000,066,896 | ---- | C] (Malwarebytes Corporation) -- C:\Documents and Settings\User\Desktop\mbam-clean.exe
[2011/02/24 01:21:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/02/23 20:31:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/02/23 20:31:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/02/10 21:23:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\gbackup_smrcn5_up2
[2011/02/05 18:03:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Start Menu\Programs\StarCraft II
[2011/02/02 12:46:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\SKIDROW
[2011/02/01 18:56:07 | 000,000,000 | ---D | C] -- C:\Program Files\Sid Meier's Civilization V
[2011/01/21 18:53:26 | 000,000,000 | ---D | C] -- C:\Program Files\Ubisoft
[2011/01/21 18:53:15 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2011/01/21 18:53:15 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2011/01/21 18:53:15 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2011/01/21 18:53:14 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2011/01/21 18:53:14 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2011/01/21 09:44:37 | 000,439,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shimgvw.dll
[2011/01/10 19:24:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/01/10 19:24:08 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/01/10 19:24:06 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/01/10 19:20:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/01/10 19:20:19 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/01/10 17:31:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Ubisoft
[2011/01/10 17:30:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ubisoft
[2011/01/05 22:38:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2011/01/05 22:38:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2010/12/14 19:03:38 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/14 19:02:59 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2010/12/10 19:47:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Bioshock2
[2010/12/10 19:47:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Bioshock2
[2010/12/10 19:45:01 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2010/12/10 19:45:00 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2010/12/10 16:19:49 | 000,656,320 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctEFA.sys
[2010/12/10 16:19:49 | 000,338,880 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctDS.sys
[2010/01/17 18:43:28 | 034,355,352 | ---- | C] (PC Tools ) -- C:\Program Files\spyware-doctor.exe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2011/03/06 16:11:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2011/03/06 15:51:00 | 000,001,014 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003UA.job
[2011/03/06 15:19:31 | 000,000,015 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{87D06C3C-0149-45E9-9F83-1DA548F42DEA}
[2011/03/06 15:19:23 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2011/03/06 15:19:17 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/03/06 15:19:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/06 15:19:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/06 15:18:58 | 2146,750,464 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/06 14:53:48 | 004,281,172 | R--- | M] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2011/03/06 03:01:05 | 000,707,268 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/03/05 21:51:00 | 000,000,962 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1123561945-839522115-1003Core.job
[2011/03/05 16:55:00 | 000,001,220 | ---- | M] () -- C:\CF-Submit.htm
[2011/03/05 14:55:03 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/04 18:02:53 | 000,000,943 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
[2011/03/04 18:02:53 | 000,000,925 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Revo Uninstaller Pro.lnk
[2011/03/04 18:01:30 | 001,261,440 | ---- | M] () -- C:\Documents and Settings\User\Desktop\tdsskiller(3).zip
[2011/03/04 18:01:16 | 007,809,352 | ---- | M] (VS Revo Group ) -- C:\Documents and Settings\User\Desktop\RevoUninProSetup.exe
[2011/03/04 17:51:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/03 16:07:30 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\User\Desktop\gmer.zip
[2011/03/03 16:05:12 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2011/02/27 18:39:32 | 001,318,466 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Fallout3_GECK_1.5_Update.exe
[2011/02/27 18:39:28 | 008,891,219 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\User\Desktop\Fallout3_GECK.exe
[2011/02/27 16:36:28 | 000,721,324 | ---- | M] () -- C:\Documents and Settings\User\Desktop\rkill.com
[2011/02/27 00:20:38 | 000,172,544 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/26 13:33:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\defogger_reenable
[2011/02/26 13:28:51 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Defogger.exe
[2011/02/25 20:38:58 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2011/02/25 20:33:27 | 000,003,284 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCS{87D06C3C-0149-45E9-9F83-1DA548F42DEA}
[2011/02/25 20:27:52 | 000,513,032 | ---- | M] () -- C:\Documents and Settings\User\Desktop\sdasetup_aff.exe
[2011/02/24 02:20:54 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/24 02:05:15 | 000,066,896 | ---- | M] (Malwarebytes Corporation) -- C:\Documents and Settings\User\Desktop\mbam-clean.exe
[2011/02/24 00:59:40 | 000,002,436 | ---- | M] () -- C:\Documents and Settings\User\Application Data\66DE.0F3
[2011/02/24 00:55:26 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ojubeqijiwawa.dat
[2011/02/13 14:30:46 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\mbam-setup(2).exe
[2011/02/13 14:05:37 | 000,721,199 | ---- | M] () -- C:\Documents and Settings\User\Desktop\iExplore.exe
[2011/02/11 17:31:06 | 061,532,012 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Sid_Meiers_Civilization_V_Update_2-SKIDROW.rar
[2011/02/10 21:22:58 | 080,446,807 | ---- | M] () -- C:\Documents and Settings\User\Desktop\gbackup_smrcn5_up2.rar
[2011/02/10 11:15:26 | 000,276,560 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/10 02:21:52 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/10 02:18:36 | 002,006,551 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2011/01/31 19:41:02 | 000,001,957 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Comcast Desktop Software.lnk
[2011/01/24 18:24:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/21 17:37:25 | 000,000,078 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Assassin's Creed II.url
[2011/01/21 09:44:37 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2011/01/21 09:44:37 | 000,439,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shimgvw.dll
[2011/01/17 09:10:26 | 000,251,560 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2011/01/10 19:24:49 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/01/10 19:20:37 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/01/07 14:54:18 | 000,149,456 | ---- | M] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2011/01/07 14:54:16 | 001,533,904 | ---- | M] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2011/01/07 14:54:14 | 002,000,848 | ---- | M] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2011/01/07 14:54:04 | 000,767,952 | ---- | M] () -- C:\WINDOWS\BDTSupport.dll
[2011/01/07 09:09:02 | 000,290,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2011/01/07 09:09:02 | 000,290,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll
[2011/01/06 11:54:52 | 000,002,125 | ---- | M] () -- C:\WINDOWS\UDB.zip
[2011/01/05 22:38:49 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/12/31 09:36:40 | 000,069,392 | --S- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2010/12/31 09:36:38 | 000,033,552 | --S- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2010/12/31 09:36:36 | 000,051,984 | --S- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2010/12/31 08:10:33 | 001,854,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2010/12/31 08:10:33 | 001,854,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2010/12/22 07:34:28 | 000,301,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kerberos.dll
[2010/12/21 05:29:20 | 011,080,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2010/12/20 18:59:20 | 005,961,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2010/12/20 18:59:20 | 001,210,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2010/12/20 18:59:20 | 000,916,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2010/12/20 18:59:20 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll
[2010/12/20 18:59:20 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll
[2010/12/20 18:59:20 | 000,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2010/12/20 18:59:20 | 000,066,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll
[2010/12/20 18:59:19 | 001,991,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2010/12/20 18:59:19 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2010/12/20 18:59:19 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2010/12/20 18:59:19 | 000,602,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2010/12/20 18:59:19 | 000,602,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2010/12/20 18:59:19 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2010/12/20 18:59:19 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2010/12/20 18:59:19 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2010/12/20 18:59:19 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2010/12/20 18:59:19 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\licmgr10.dll
[2010/12/20 18:59:19 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\licmgr10.dll
[2010/12/20 18:59:19 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2010/12/20 18:59:19 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2010/12/20 18:59:16 | 000,743,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/12/20 18:59:16 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2010/12/20 18:59:16 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/20 12:26:00 | 000,730,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\lsasrv.dll
[2010/12/20 12:26:00 | 000,730,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2010/12/20 07:55:27 | 000,173,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2010/12/20 07:55:27 | 000,173,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
[2010/12/20 07:55:26 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2010/12/16 08:46:04 | 000,070,536 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/12/10 17:01:20 | 000,000,077 | ---- | M] () -- C:\Documents and Settings\User\Desktop\BioShock 2.url
[2010/12/10 13:24:12 | 000,239,168 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/12/09 09:30:22 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\csrsrv.dll
[2010/12/09 09:30:22 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\csrsrv.dll
[2010/12/09 08:42:26 | 002,148,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntoskrnl.exe
[2010/12/09 08:42:26 | 002,148,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2010/12/09 08:38:47 | 002,192,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2010/12/09 08:07:07 | 002,027,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2010/12/09 08:07:07 | 002,027,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntkrnlpa.exe
[2010/12/09 08:07:05 | 002,069,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/06 14:53:46 | 004,281,172 | R--- | C] () -- C:\Documents and Settings\User\Desktop\ComboFix.exe
[2011/03/05 16:55:00 | 000,001,220 | ---- | C] () -- C:\CF-Submit.htm
[2011/03/05 14:55:03 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/05 14:55:00 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/05 14:41:20 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/05 14:41:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/05 14:41:20 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/05 14:41:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/05 14:41:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/04 18:02:53 | 000,000,943 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
[2011/03/04 18:02:53 | 000,000,925 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Revo Uninstaller Pro.lnk
[2011/03/04 18:02:10 | 001,261,440 | ---- | C] () -- C:\Documents and Settings\User\Desktop\tdsskiller(3).zip
[2011/03/03 16:12:26 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\User\Desktop\gmer.zip
[2011/03/03 16:12:21 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2011/02/27 18:39:32 | 001,318,466 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Fallout3_GECK_1.5_Update.exe
[2011/02/27 16:43:49 | 000,721,324 | ---- | C] () -- C:\Documents and Settings\User\Desktop\rkill.com
[2011/02/26 13:33:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\defogger_reenable
[2011/02/26 13:32:46 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Defogger.exe
[2011/02/25 23:38:58 | 2146,750,464 | -HS- | C] () -- C:\hiberfil.sys
[2011/02/25 20:38:58 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2011/02/25 20:27:51 | 000,513,032 | ---- | C] () -- C:\Documents and Settings\User\Desktop\sdasetup_aff.exe
[2011/02/24 02:20:54 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/24 00:55:26 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ojubeqijiwawa.dat
[2011/02/24 00:54:01 | 000,002,436 | ---- | C] () -- C:\Documents and Settings\User\Application Data\66DE.0F3
[2011/02/13 14:05:37 | 000,721,199 | ---- | C] () -- C:\Documents and Settings\User\Desktop\iExplore.exe
[2011/02/11 17:10:22 | 061,532,012 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Sid_Meiers_Civilization_V_Update_2-SKIDROW.rar
[2011/02/10 21:18:33 | 080,446,807 | ---- | C] () -- C:\Documents and Settings\User\Desktop\gbackup_smrcn5_up2.rar
[2011/01/31 19:41:02 | 000,001,957 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Comcast Desktop Software.lnk
[2011/01/21 17:37:25 | 000,000,078 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Assassin's Creed II.url
[2011/01/10 19:24:49 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/01/10 19:20:37 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/12/10 17:01:20 | 000,000,077 | ---- | C] () -- C:\Documents and Settings\User\Desktop\BioShock 2.url
[2010/12/10 16:19:52 | 000,707,268 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2010/11/30 17:28:39 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/08/03 18:06:33 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2010/08/03 18:06:33 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2010/08/03 18:06:33 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2010/08/03 18:06:33 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2010/05/11 15:42:08 | 000,205,156 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2010/04/12 23:19:23 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/04/02 16:20:03 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/21 22:27:24 | 000,000,476 | ---- | C] () -- C:\Program Files\rkill.reg
[2010/03/21 19:38:59 | 000,014,302 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\VH56DJI7u87yo
[2010/03/21 19:38:59 | 000,014,302 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo
[2010/01/17 19:25:21 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll0206.old
[2010/01/17 19:25:21 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/01/17 19:25:21 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/01/17 19:14:02 | 000,263,168 | ---- | C] () -- C:\Program Files\rkill.com
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/09/28 15:56:57 | 000,006,015 | ---- | C] () -- C:\WINDOWS\DiabUnin.dat
[2009/09/10 18:33:12 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/08/20 14:58:46 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/07/06 17:58:45 | 000,072,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\LxrSII1d.sys
[2009/07/06 17:58:45 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\LxrSII1s.exe
[2009/07/03 14:59:42 | 000,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2009/07/02 12:32:39 | 000,245,760 | ---- | C] () -- C:\WINDOWS\System32\WlanApp.dll
[2009/07/02 12:32:39 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009/06/11 21:14:59 | 000,001,259 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/09/05 22:29:58 | 000,414,208 | ---- | C] () -- C:\WINDOWS\System32\WgaTray.exe
[2008/04/27 13:46:11 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2008/02/15 01:45:40 | 000,032,738 | ---- | C] () -- C:\WINDOWS\scunin.dat
[2007/10/26 23:47:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2007/10/10 02:01:22 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/09/17 19:37:13 | 000,172,544 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/09/17 16:19:42 | 003,107,788 | R--- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2007/09/17 12:42:09 | 000,001,156 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/09/17 11:10:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/09/17 10:47:27 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/09/15 06:34:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/09/15 06:30:41 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/09/14 21:04:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/09/14 21:02:07 | 000,276,560 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,435,866 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,068,636 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B09F1E5
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

Here's Extras.txt:

OTL Extras logfile created on: 3/6/2011 4:12:19 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 136.26 Gb Free Space | 29.26% Space Free | Partition Type: NTFS
Drive D: | 654.81 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 465.76 Gb Total Space | 237.82 Gb Free Space | 51.06% Space Free | Partition Type: NTFS

Computer Name: FRANCIS-B381309 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)
"C:\Program Files\DC++\DCPlusPlus.exe" = C:\Program Files\DC++\DCPlusPlus.exe:*:Enabled:DC++ -- ()
"C:\Program Files\BitTorrent_DNA\dna.exe" = C:\Program Files\BitTorrent_DNA\dna.exe:*:Enabled:BitTorrent DNA -- ()
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Valve\Steam\Steam.exe" = C:\Program Files\Valve\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Valve\Steam\SteamApps\hattopic\team fortress 2\hl2.exe" = C:\Program Files\Valve\Steam\SteamApps\hattopic\team fortress 2\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe" = C:\Program Files\Microsoft Games\Gears of War\Binaries\WarGame-G4WLive.exe:*:Enabled:Gears of War -- (Epic Games, Inc.)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:btdna -- (BitTorrent, Inc.)
"C:\Program Files\Starcraft\StarCraft.exe" = C:\Program Files\Starcraft\StarCraft.exe:*:Enabled:Starcraft -- (Blizzard Entertainment)
"C:\Program Files\Aspyr\Guitar Hero III\GH3.exe" = C:\Program Files\Aspyr\Guitar Hero III\GH3.exe:*:Enabled:Guitar Hero III -- (Aspyr Media, Inc.)
"C:\Program Files\Valve\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe" = C:\Program Files\Valve\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:*:Enabled:Peggle Extreme -- ()
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe" = C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe:*:Enabled:Dragon Age Origins Updater -- (BioWare)
"C:\Program Files\Valve\Steam\SteamApps\common\mass effect\Binaries\MassEffect.exe" = C:\Program Files\Valve\Steam\SteamApps\common\mass effect\Binaries\MassEffect.exe:*:Enabled:Mass Effect -- (BioWare)
"C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- ()
"C:\Program Files\Valve\Steam\SteamApps\common\torchlight\Torchlight.exe" = C:\Program Files\Valve\Steam\SteamApps\common\torchlight\Torchlight.exe:*:Enabled:Torchlight -- (Runic Games, Inc.)
"C:\Program Files\Valve\Steam\SteamApps\common\torchlight\TorchED\Editor.exe" = C:\Program Files\Valve\Steam\SteamApps\common\torchlight\TorchED\Editor.exe:*:Enabled:Torchlight Editor -- (Runic Games, Inc.)
"C:\Program Files\Valve\Steam\SteamApps\common\mass effect 2\Binaries\MassEffect2.exe" = C:\Program Files\Valve\Steam\SteamApps\common\mass effect 2\Binaries\MassEffect2.exe:*:Enabled:Mass Effect 2 -- (BioWare)
"C:\Program Files\Valve\Steam\SteamApps\common\mass effect 2\MassEffect2Launcher.exe" = C:\Program Files\Valve\Steam\SteamApps\common\mass effect 2\MassEffect2Launcher.exe:*:Enabled:Mass Effect 2 -- (BioWare)
"C:\Program Files\Valve\Steam\SteamApps\common\mass effect 2\docs\EA Help\Electronic_Arts_Technical_Support.htm" = C:\Program Files\Valve\Steam\SteamApps\common\mass effect 2\docs\EA Help\Electronic_Arts_Technical_Support.htm:*:Enabled:Mass Effect 2 -- ()
"C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\DAOrigins.exe" = C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\bin_ship\DAOrigins.exe:*:Enabled:Dragon Age: Origins - Awakening -- (BioWare)
"C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\DAOriginsLauncher.exe" = C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\DAOriginsLauncher.exe:*:Enabled:Dragon Age: Origins - Awakening -- (BioWare)
"C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\docs\EA Help\Electronic_Arts_Technical_Support.htm" = C:\Program Files\Valve\Steam\SteamApps\common\dragon age origins\docs\EA Help\Electronic_Arts_Technical_Support.htm:*:Enabled:Dragon Age: Origins - Awakening -- ()
"C:\Program Files\StarCraft II\StarCraft II.exe" = C:\Program Files\StarCraft II\StarCraft II.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\StarCraft II\Versions\Base15405\SC2.exe" = C:\Program Files\StarCraft II\Versions\Base15405\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\StarCraft II\Versions\Base16561\SC2.exe" = C:\Program Files\StarCraft II\Versions\Base16561\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"C:\Program Files\StarCraft II\Versions\Base16605\SC2.exe" = C:\Program Files\StarCraft II\Versions\Base16605\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"C:\Program Files\StarCraft II\Versions\Base16755\SC2.exe" = C:\Program Files\StarCraft II\Versions\Base16755\SC2.exe:*:Enabled:StarCraft II -- (Blizzard Entertainment, Inc.)
"C:\Program Files\Valve\Steam\SteamApps\common\bioshock\Builds\Release\Bioshock.exe" = C:\Program Files\Valve\Steam\SteamApps\common\bioshock\Builds\Release\Bioshock.exe:*:Enabled:BioShock -- ()
"C:\Program Files\Valve\Steam\SteamApps\common\bioshock 2\SP\Builds\Binaries\Bioshock2Launcher.exe" = C:\Program Files\Valve\Steam\SteamApps\common\bioshock 2\SP\Builds\Binaries\Bioshock2Launcher.exe:*:Enabled:BioShock 2 -- (Sony DADC Austria AG)
"C:\Program Files\Valve\Steam\SteamApps\common\bioshock 2\MP\Builds\Binaries\Bioshock2Launcher.exe" = C:\Program Files\Valve\Steam\SteamApps\common\bioshock 2\MP\Builds\Binaries\Bioshock2Launcher.exe:*:Enabled:BioShock 2 -- (Sony DADC Austria AG)
"C:\Program Files\Valve\Steam\SteamApps\common\assassins creed\AssassinsCreed_Game.exe" = C:\Program Files\Valve\Steam\SteamApps\common\assassins creed\AssassinsCreed_Game.exe:*:Enabled:Assassin's Creed -- (Ubisoft)
"C:\Program Files\Valve\Steam\SteamApps\common\assassin's creed 2\AssassinsCreedIIGame.exe" = C:\Program Files\Valve\Steam\SteamApps\common\assassin's creed 2\AssassinsCreedIIGame.exe:*:Enabled:Assassin's Creed II -- ()
"C:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe" = C:\Program Files\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe:*:Enabled:Ubisoft Game Launcher -- (Ubisoft)
"C:\Program Files\Valve\Steam\SteamApps\common\assassin's creed 2\UPlayBrowser.exe" = C:\Program Files\Valve\Steam\SteamApps\common\assassin's creed 2\UPlayBrowser.exe:*:Enabled:UPlayBrowser Application -- (Ubisoft Entertainment)
"C:\Program Files\Valve\Steam\SteamApps\common\left 4 dead\left4dead.exe" = C:\Program Files\Valve\Steam\SteamApps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- ()
"C:\Program Files\Valve\Steam\SteamApps\common\left 4 dead 2\left4dead2.exe" = C:\Program Files\Valve\Steam\SteamApps\common\left 4 dead 2\left4dead2.exe:*:Enabled:Left 4 Dead 2 -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{005F78AF-110D-398A-8430-BE98950A1E22}" = Google Talk Plugin
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam™
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{0CE1A6C0-F3F7-49E6-8F9D-2431F9827441}" = Guitar Hero III
"{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}" = ATI Catalyst Registration
"{1170D24F-42B7-40CF-AA1B-6395CE562354}" = Gears of War
"{147AAF68-A89A-8E2E-97EE-A1F1430F9F68}" = Catalyst Control Center Graphics Previews Common
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2A6355EB-273D-4368-9DB6-FB99EBA9FABD}" = Cisco AnyConnect VPN Client
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
"{3E4B349F-10B5-4586-9D99-489A90A8B228}" = Sid Meier's Civilization 4 - Warlords
"{4640FDE1-B83A-4376-84ED-86F86BEE2D41}" = Driver Detective
"{47759129-8649-47D1-9EA5-4BB84D86DB97}" = Airlink101 WLAN Monitor
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.5.1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6CA5F5DC-33C3-D56F-F399-BD5792397089}" = CCC Help English
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83C03FBE-4492-4133-BBAB-421CD88ADA32}" = OpenOffice.org 2.3
"{87323561-58BA-4D5B-BADA-A791B69D1705}" = Catalyst Control Center - Branding
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{96DA8A90-1BD6-F86A-D51B-B46882A80980}" = ccc-utility
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8589680-35C1-4732-ACCA-09B78921ECE3}" = Sid Meier's Civilization 4
"{A85AD707-781F-2B73-E134-38084AACB5D5}" = ATI AVIVO Codecs
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B343B0E3-212A-40B9-8207-1BD299228F5D}" = Fallout 3 - The Garden of Eden Creation Kit
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2274248-9536-B9E2-0886-84BF1F292219}" = ATI Catalyst Install Manager
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D1DD73EB-36DE-D4E8-421A-88D0C8FD998F}" = ccc-core-static
"{D45EC259-4A19-4656-B588-C2C360DD18EA}" = Half-Life® 2
"{D86F3EA6-93A3-D020-0D77-204AB1696067}" = ATI Problem Report Wizard
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6E04BE8-2FA4-44C4-9BD3-142CE3EB15B4}_is1" = GPU Caps Viewer 1.9.2
"{F85E4782-5B90-4845-9D7D-D11DE2F5EA5E}" = HydraVision
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"7-Zip" = 7-Zip 4.55 beta
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Any DVD Converter Professional_is1" = Any DVD Converter Professional 4.0.3
"ATITool" = ATITool Overclocking Utility
"BitTorrent" = BitTorrent
"Browser Defender_is1" = Browser Defender 3.0
"Catan Online Welt" = Catan Online World
"DC++" = DC++ 0.706
"Diablo" = Diablo
"Driver Cleaner Pro" = DH Driver Cleaner Professional Edition
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Fallout 3 - The Pitt" = Fallout 3 - The Pitt
"Fallout New Vegas_is1" = Fallout New Vegas
"Game Console - WildGames" = Game Console - WildGames
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{1170D24F-42B7-40CF-AA1B-6395CE562354}" = Gears of War
"InstallShield_{47759129-8649-47D1-9EA5-4BB84D86DB97}" = Airlink101 WLAN Monitor
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MKV TO AVI CONVERTER_is1" = MKV TO AVI CONVERTER version 3.1
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"MSI Live Update 3" = MSI Live Update 3
"Multitrack Stopwatch" = Multitrack Stopwatch
"MWSnap 3" = MWSnap 3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Process Killer_is1" = Process Killer 2.0.1
"Spyware Doctor" = Spyware Doctor with AntiVirus 8.0
"Starcraft" = Starcraft
"StarCraft II" = StarCraft II
"Steam App 15100" = Assassin's Creed
"Steam App 17450" = Dragon Age: Origins
"Steam App 17460" = Mass Effect
"Steam App 220" = Half-Life 2
"Steam App 24980" = Mass Effect 2
"Steam App 300" = Day of Defeat: Source
"Steam App 33230" = Assassin's Creed II
"Steam App 340" = Half-Life 2: Lost Coast
"Steam App 3483" = Peggle Extreme
"Steam App 380" = Half-Life 2: Episode One
"Steam App 400" = Portal
"Steam App 41500" = Torchlight
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"Steam App 47730" = Dragon Age: Origins - Awakening
"Steam App 500" = Left 4 Dead
"Steam App 550" = Left 4 Dead 2
"Steam App 7670" = BioShock
"Steam App 8850" = BioShock 2
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"WT016060" = Penguins!
"Xbox_360_CC_Driver" = Xbox 360 Controller for Windows
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-796845957-1123561945-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"Diablo" = Diablo
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/27/2011 6:32:02 PM | Computer Name = FRANCIS-B381309 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt>
with error: The connection with the server was terminated abnormally

Error - 2/27/2011 6:32:02 PM | Computer Name = FRANCIS-B381309 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt>
with error: This network connection does not exist.

Error - 2/27/2011 6:32:15 PM | Computer Name = FRANCIS-B381309 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt>
with error: This network connection does not exist.

Error - 2/27/2011 6:32:15 PM | Computer Name = FRANCIS-B381309 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt>
with error: This network connection does not exist.

Error - 2/27/2011 6:32:43 PM | Computer Name = FRANCIS-B381309 | Source = Bonjour Service | ID = 100
Description = WSARecvMsg failed (6)

Error - 2/27/2011 7:47:05 PM | Computer Name = FRANCIS-B381309 | Source = Application Error | ID = 1000
Description = Faulting application geck.exe, version 1.5.0.19, faulting module ntdll.dll,
version 5.1.2600.6055, fault address 0x00019af2.

Error - 3/5/2011 3:07:42 PM | Computer Name = FRANCIS-B381309 | Source = MsiInstaller | ID = 11905
Description = Product: Ask.com Toolbar -- Error 1905.Module C:\Program Files\Ask.com\GenericAskToolbar.dll
failed to unregister. HRESULT -2147220472. Contact your support personnel.

Error - 3/5/2011 6:09:54 PM | Computer Name = FRANCIS-B381309 | Source = Bonjour Service | ID = 100
Description = WSARecvMsg failed (6)

Error - 3/6/2011 3:45:26 PM | Computer Name = FRANCIS-B381309 | Source = Bonjour Service | ID = 100
Description = WSARecvMsg failed (6)

Error - 3/6/2011 4:19:47 PM | Computer Name = FRANCIS-B381309 | Source = Bonjour Service | ID = 100
Description = WSARecvMsg failed (6)

[ Cisco AnyConnect VPN Client Events ]
Error - 12/6/2010 3:06:30 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: CSocketTransport::callbackHandler File: .\IPC\SocketTransport.cpp
Line:
1257 Invoked Function: WSAGetOverlappedResult Return Code: 10054 (0x00002746) Description:
An existing connection was forcibly closed by the remote host.

Error - 12/6/2010 3:06:30 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: CSocketTransport::callbackHandler File: .\IPC\SocketTransport.cpp
Line:
1258 Invoked Function: WSARecv/WSARecvFrom Return Code: 997 (0x000003E5) Description:
Overlapped I/O operation is in progress.

Error - 12/6/2010 3:06:30 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: CIpcTransport::OnSocketReadComplete File: .\IPC\IPCTransport.cpp
Line:
823 Invoked Function: CSocketTransport::readSocket Return Code: -31522801 (0xFE1F000F)
Description:
SOCKETTRANSPORT_ERROR_TRANSPORT_FAILURE

Error - 12/6/2010 3:06:30 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: CIpcDepot::OnIpcMessageReceived File: .\IPC\IPCDepot.cpp Line:
811 Invoked Function: CIpcTransport::OnSocketReadComplete Return Code: -31522801
(0xFE1F000F) Description: SOCKETTRANSPORT_ERROR_TRANSPORT_FAILURE

Error - 12/6/2010 3:06:30 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: CTcpTransport::writeSocketBlocking File: .\IPC\SocketTransport.cpp
Line:
1644 Invoked Function: WSASend Return Code: 10054 (0x00002746) Description: An existing
connection was forcibly closed by the remote host.

Error - 12/6/2010 3:06:30 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: CIpcTransport::terminateIpcConnection File: .\IPC\IPCTransport.cpp
Line:
385 Invoked Function: CSocketTransport::writeSocketBlocking Return Code: -31522805
(0xFE1F000B) Description: SOCKETTRANSPORT_ERROR_WRITE

Error - 12/6/2010 3:06:38 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67110873
Description = Termination reason code 5: The user is logging off the system.

Error - 12/6/2010 3:06:38 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: RestoreProxySettingsToBrowser File: .\BrowserProxy.cpp Line:
1040 Invoked Function: DeleteFile Return Code: 2 (0x00000002) Description: The system
cannot find the file specified.

Error - 1/8/2011 1:15:25 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67110873
Description = Termination reason code 9: Client PC is shutting down.

Error - 1/8/2011 1:15:25 AM | Computer Name = FRANCIS-B381309 | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::getDownloaderMessage File: .\MainThread.cpp Line:
964 Invoked Function: CVpnMgr::processEvents Return Code: 0 (0x00000000) Description:
fatal error, stopping service

[ OSession Events ]
Error - 9/30/2007 4:23:48 AM | Computer Name = FRANCIS-B381309 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 39216
seconds with 3300 seconds of active time. This session ended with a crash.

Error - 10/4/2009 10:50:16 PM | Computer Name = FRANCIS-B381309 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/4/2009 10:50:22 PM | Computer Name = FRANCIS-B381309 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/4/2009 10:50:26 PM | Computer Name = FRANCIS-B381309 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7031
Description = The Cisco AnyConnect VPN Agent service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 1000
milliseconds: Restart the service.

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7034
Description = The Browser Defender Update Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/6/2011 3:59:55 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7034
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s).

Error - 3/6/2011 4:19:06 PM | Computer Name = FRANCIS-B381309 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt


< End of report >

#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:55 PM

Posted 06 March 2011 - 05:43 PM

Hi SS451, :)



We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTL
    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.defaultthis.engineName: "The_Pirate_Bay Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q="
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 64545
    FF - prefs.js..network.proxy.type: 0
    [2009/08/24 09:47:01 | 000,000,000 | ---D | M] (The Pirate Bay Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\cvtts62y.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}
    [2009/11/28 20:33:03 | 000,002,236 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\askcom.xml
    O3 - HKLM\..\Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No CLSID value found.
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
    [2011/02/24 00:55:26 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ojubeqijiwawa.dat
    [2011/02/24 00:59:40 | 000,002,436 | ---- | M] () -- C:\Documents and Settings\User\Application Data\66DE.0F3
    [2010/03/21 19:38:59 | 000,014,302 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\VH56DJI7u87yo
    [2010/03/21 19:38:59 | 000,014,302 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo
    @Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B09F1E5
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    :commands
    [Reboot]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.



Regards,
Georgi

cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users