
Stubborn Windows Recovery Virus And Missing Shortcuts


17 replies to this topic

#1 he's dead jim


Posted 13 May 2011 - 06:12 PM

This is a continuation of the thread I started here:

http://www.bleepingcomputer.com/forums/topic396830.html/page__st__15

Logs to follow in my next post.


#2 he's dead jim


Posted 13 May 2011 - 06:27 PM

OK, here are the requested log files:

Attached Files



#3 sundavis


Posted 13 May 2011 - 08:46 PM

Hi he's dead jim,




Open Windows Explorer (right click the Start button and click Explore). At the top of Windows Explorer, click Tools > Folder Options > View tab and make sure the following two options are checked. Click Apply, then click OK.

Display the contents of system folders
Show hidden files and folders



After that, click Start > Run, copy/paste the following bolded commands one at a time into the Run box and press Enter.

C:\Documents and Settings\All Users\Start Menu\Programs ---> check whether all the shortcut icons are in the Programs folder

C:\Documents and Settings\Michael\Local Settings\Temp ---> tell me what kind of folders are in the Temp folder


Have you ever tried to run System Restore to a previous state and roll back to the day before you were infected? Have you installed the Microsoft Windows Recovery Console while running ComboFix? Advise me in your next reply. Thanks.



Step1


  • Please start OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the contents of the code box below.

    :OTL
    IE - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local
    O3 - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [2011/05/07 21:14:58 | 000,302,080 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\vl7bkpk2.exe
    [2011/05/05 17:48:41 | 000,000,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~15589156
    [2011/05/05 17:48:40 | 000,000,128 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~15589156r
    [2011/05/05 17:45:49 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\15589156
    [2011/05/02 19:12:26 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\4IKFo6.dat
    [2011/04/02 23:35:00 | 000,014,198 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
    [2011/04/02 23:35:00 | 000,014,198 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\61am7kh612rw85n14158n8334sb5378m1c5h32
    [2011/03/27 01:35:02 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\106v50l53jpe0d87ue1i
    [2011/03/27 01:35:02 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\106v50l53jpe0d87ue1i
    [2008/10/23 23:43:01 | 001,406,520 | ---- | C] () -- C:\WINDOWS\System32\iphlsdnu.ini.virus
    [2008/10/23 05:12:51 | 001,391,449 | ---- | C] () -- C:\WINDOWS\System32\kebkmcow.ini.virus
    [2008/10/22 05:01:48 | 001,391,449 | ---- | C] () -- C:\WINDOWS\System32\ksfecrvx.ini.virus
    [2008/10/20 23:41:46 | 001,359,353 | ---- | C] () -- C:\WINDOWS\System32\oheynawh.ini.virus
    [2008/10/20 05:33:40 | 001,346,352 | ---- | C] () -- C:\WINDOWS\System32\scckcpbv.ini.virus
    [2008/10/18 23:40:51 | 001,404,856 | ---- | C] () -- C:\WINDOWS\System32\hsqfhsgt.ini.virus
    [2008/10/17 23:38:42 | 001,404,856 | ---- | C] () -- C:\WINDOWS\System32\nutolpqp.ini.virus
    [2008/10/16 16:19:57 | 001,404,856 | ---- | C] () -- C:\WINDOWS\System32\oxrugriu.ini.virus
    [2008/10/15 16:19:25 | 001,396,448 | ---- | C] () -- C:\WINDOWS\System32\xuknorud.ini.virus
    [2008/10/14 16:19:18 | 001,382,703 | ---- | C] () -- C:\WINDOWS\System32\sqmkrkpr.ini.virus
    [2008/10/13 14:44:08 | 001,382,703 | ---- | C] () -- C:\WINDOWS\System32\uaetyhqn.ini.virus
    [2008/10/12 14:43:48 | 001,120,180 | ---- | C] () -- C:\WINDOWS\System32\twgjwokp.ini.virus
    [2008/10/10 11:59:10 | 001,120,180 | ---- | C] () -- C:\WINDOWS\System32\qstgovvs.ini.virus
    [2008/10/09 11:58:45 | 001,099,785 | ---- | C] () -- C:\WINDOWS\System32\vnntuihi.ini.virus
    [2008/10/08 11:58:13 | 001,066,428 | ---- | C] () -- C:\WINDOWS\System32\wcklmrsc.ini.virus
    [2008/10/07 11:57:41 | 001,066,428 | ---- | C] () -- C:\WINDOWS\System32\fnooyqnk.ini.virus
    [2008/10/06 11:57:10 | 001,035,673 | ---- | C] () -- C:\WINDOWS\System32\oguynuay.ini.virus
    [2008/10/06 09:56:23 | 001,031,207 | ---- | C] () -- C:\WINDOWS\System32\adhjrrjs.ini.virus
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    :Commands
    [purity]
    [EMPTYFLASH]
    [start explorer]
    
  • Click Run Fix button on the top.
  • Click OK and let it run unhindered.
  • OTL will ask to reboot the machine. Please OK the prompt.
  • A report will open. Copy and Paste that report in your next reply.


Step2

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

dir C:\system~1\_registry* /s > restore.txt 
start notepad restore.txt

Save the file as restore.bat by choosing Save as type: All Files, and save it to your Desktop.
Double click on it to run it; a DOS window will appear. When done, a restore text file should open. Copy/paste its contents in your next reply.


Step3

Please go to this thread to download and run the DDS tool. Post back the output in your next reply. Thanks.




In your next reply, please post back:

1. OTL delete log
2. Restore contents log
3. DDS.txt and Attach.txt

Let me know how things went.

Edited by sundavis, 14 May 2011 - 01:26 PM.


#4 he's dead jim


Posted 14 May 2011 - 05:25 PM

OK, let me see if I got everything, lol..

These two settings are not checked:

Display the contents of system folders
Show hidden files and folders


C:\Documents and Settings\All Users\Start Menu\Programs ---> check whether all the shortcut icons are in the Programs folder

There are some icons showing, but hardly any at all.

C:\Documents and Settings\Michael\Local Settings\Temp ---> tell me what kind of folders are in the Temp folder

There are 2 folders. One says <2.dir> and the other says <plug.tmp>.


Here is the rest:

Attached Files



#5 sundavis


Posted 14 May 2011 - 07:00 PM

Hi he's dead jim,




According to your logs, you have removed all restore points from your system, which makes us unable to roll your system back to a previous state. It's better to leave System Restore intact when it comes to malware removal. Even an infected restore point is better than none.

Besides that, all the startup entries and autoloading programs in the Registry were removed, too. The Windows Recovery virus will not delete those entries. Those were most likely deleted mistakenly.

Other than that, your system appears to be clean. :thumbsup: What we have done for now is nothing but clean up the leftovers. The only option available to fix the shortcut icons missing under All Programs is to restore them manually. That can be done as follows:

Navigate to the program's folder, right click on <program name>.exe and click "Create Shortcut". Move the shortcut to the Programs folder at the following file path ---> C:\Documents and Settings\All Users\Start Menu\Programs.

Starting from scratch is also a good alternative if you feel comfortable with it. Let me know if you still need assistance. Otherwise, we should be done here. :thumbup2:

The following instructions are usually given to our members once the system is clear of malware, to do some housecleaning.


Step1

Click START, then RUN.
Now copy/paste ComboFix /Uninstall in the Run box and click OK.
Note the space between the X and the /Uninstall; it needs to be there.


This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2

Start OTL from your desktop.
  • Double click OTL and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check whether any updates are needed for your PC.
    Secunia Software Inspector
    F-secure Health Check

  • Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Backup your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to the effects of malware, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!

Edited by sundavis, 15 May 2011 - 04:13 AM.


#6 he's dead jim


Posted 17 May 2011 - 10:25 PM

Sorry for taking so long to get back to this thread. I explained the situation to my nephew (it was his computer) and showed him how to manually make the shortcuts.

When I popped up CCleaner I noticed that the 2 boxes for <delete start menu shortcuts> and <delete desktop shortcuts> were checked off.

Now CCleaner was set to clean the temp files at startup automatically and he did not know how to change the settings. In fact he even forgot that it was set up to run at startup. Could the virus have somehow caused those boxes to be checked?

Also my sister's computer has the same virus, but those two boxes are not checked in her CCleaner. Can I use the above methods for her computer as well? Or are they system specific?

And last but by far not least, thank you so much for all of your help with this problem. :)

Edited by he's dead jim, 17 May 2011 - 10:26 PM.


#7 sundavis


Posted 18 May 2011 - 04:39 AM

Hi he's dead jim,




he did not know how to change the settings...

Click the Options tab in the left pane, press the Settings button and uncheck Run CCleaner when the computer starts.

could the virus have somehow caused those boxes to be checked?

No, the Windows Recovery virus will only relocate the shortcut icons into Temp folders, in all the different OS versions. The tricky situation is that almost any antimalware tool will clean out useless contents since those folders are named "temp", or those temps will be cleared up by the owner mistakenly.

can i use the above methods for her computer as well? or are they system specific?

Yes, different methods should be applied to the specific system accordingly. If you want to clean the computer by yourself, make sure to leave the temp folders intact and hold on to the system restore points. Otherwise, you should know where you can turn to. :thumbup2:

Edited by sundavis, 18 May 2011 - 04:41 AM.
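The reply above explains that the rogue moves Start Menu shortcuts into Temp folders, where a temp cleaner then wipes them. The following PowerShell script is an added example, not from this thread or from any tool it mentions: it lists the .lnk files found under a Temp folder, checks that each shortcut's target still exists, and (only with -Commit) moves the good ones back under the All Users Programs folder. Assumptions: the default temp path is the one quoted in the thread, and relocated shortcuts may or may not still sit inside a "Programs\..." subtree.

```powershell
<#
  Added example (not from the thread or from OTL/ComboFix).
  Inventory shortcuts that ended up under a Temp folder and move the
  ones whose target still exists back into the All Users Start Menu.
  Run from an elevated PowerShell prompt; nothing is moved unless
  -Commit is given.
#>
param(
    # Temp folder to search; default is the path quoted in the thread (assumption)
    [string]$TempRoot = "C:\Documents and Settings\Michael\Local Settings\Temp",
    # CommonPrograms resolves to ...\All Users\Start Menu\Programs on XP
    [string]$ProgramsRoot = [Environment]::GetFolderPath('CommonPrograms'),
    # Report only unless this switch is present
    [switch]$Commit
)

$shell = New-Object -ComObject WScript.Shell

# Decide where a relocated shortcut belongs. If its folder still contains a
# "\Programs\" segment, keep the subfolders after it (e.g. Accessories);
# otherwise place it in the root of the Programs folder. (Assumption: the
# relocated tree may or may not preserve the original layout.)
function Get-Destination([System.IO.FileInfo]$Lnk) {
    $dir = $Lnk.DirectoryName
    $idx = $dir.ToLower().IndexOf('\programs\')
    if ($idx -ge 0) {
        $relative = $dir.Substring($idx + '\programs\'.Length)
        return Join-Path (Join-Path $ProgramsRoot $relative) $Lnk.Name
    }
    return Join-Path $ProgramsRoot $Lnk.Name
}

# -Force includes hidden and system items; -Recurse covers subfolders such
# as the "2.dir" and "plug.tmp" folders mentioned earlier in the thread.
$shortcuts = Get-ChildItem -Path $TempRoot -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue

$report = foreach ($lnk in $shortcuts) {
    # Read the shortcut target through the Windows Script Host shell object
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    # Targets may be written with %ProgramFiles%-style variables
    $resolved = if ($target) { [Environment]::ExpandEnvironmentVariables($target) } else { '' }
    $exists = ($resolved -ne '') -and (Test-Path -LiteralPath $resolved)
    New-Object PSObject -Property @{
        Shortcut     = $lnk.FullName
        Target       = $resolved
        TargetExists = $exists
        Destination  = Get-Destination $lnk
    }
}

# Shortcuts whose target is gone are listed but never moved: they may be
# leftovers of uninstalled software and deserve a manual look first.
$report | Format-Table Shortcut, TargetExists, Destination -AutoSize

if ($Commit) {
    foreach ($item in ($report | Where-Object { $_.TargetExists })) {
        $destDir = Split-Path -Path $item.Destination -Parent
        if (-not (Test-Path -LiteralPath $destDir)) {
            New-Item -ItemType Directory -Path $destDir | Out-Null
        }
        # Never overwrite a shortcut the user has already recreated by hand
        if (-not (Test-Path -LiteralPath $item.Destination)) {
            Move-Item -LiteralPath $item.Shortcut -Destination $item.Destination
        }
    }
}
```

Run it once without -Commit and review the table before re-running with -Commit so that a misplaced .lnk is never moved blindly.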


#8 he's dead jim


Posted 20 May 2011 - 09:20 PM

Thanks again for all your help, but the virus is back. Just one day after being fully cleaned, the computer is fully infected again. All my nephew did was go to a website to watch some anime videos. He showed me the site on another computer and there did not seem to be anything wrong with it as far as I could tell.

This time SpywareBlaster never kicked in, and when I tried to go back to the clean restore point, the virus was still there. Is there any way to track where the virus comes from by using some type of tracking program?

I would hate to wipe the drive and do a clean install only to have this thing pop up soon after.

#9 sundavis


Posted 21 May 2011 - 06:40 AM

Hi he's dead jim,



is there any way to track where the virus comes from by using some type of tracking program?

No, I don't think so. Please proceed with the following and post the fresh OTL logs as instructed in my previous post.


Step1

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.


Step2

  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow Combofix to continue scanning for malware.
  • When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  • Do not mouse click on Combofix while it is running. That may cause it to stall.



In your next reply, please post back:

1. TDSSKiller.txt
2. ComboFix log
3. OTListIt.txt and Extra.txt

Let me know what symptoms you're still experiencing now.

#10 he's dead jim


Posted 22 May 2011 - 02:45 PM

I think I found the source of the recurrence. My nephew used his thumb drive in 2 other computers and now both of them have this virus as well. I am starting the cleaning from scratch. I cannot use anything right now other than ComboFix in safe mode because nothing else works at the moment. ComboFix is running and I will post the log when it is done. Thanks. :)

#11 he's dead jim


Posted 22 May 2011 - 06:51 PM

OK, so here's what I did so far:

1 - ran combofix in safe mode and the log is below

2 - ran tdss in safe mode and the log is below

3 - ran malwarebytes in safe mode and it rebooted at the end to normal mode to remove stuff. the log is below

4 - ran spybot and superantispy and both programs came up with nothing

5 - ran an OTL scan as per your original post in the previous thread and the logs are below

:)

I will have to post the text of the files because the message says I have reached my upload quota.

I will post each log file separately so as not to get them confused.

Edited by he's dead jim, 22 May 2011 - 06:53 PM.


#12 he's dead jim


Posted 22 May 2011 - 06:56 PM

OK, that's not working either. It just posts all the logs into one post even when I try to separate them.

I will have to upload them using another service. Hang on a minute.

Edited by he's dead jim, 22 May 2011 - 07:02 PM.


#13 he's dead jim


Posted 22 May 2011 - 07:00 PM

----------------------------------------------------------------------------------------------------------------------
Combofix Log
----------------------------------------------------------------------------------------------------------------------
ComboFix 11-05-21.03 - Michael 05/22/2011 15:40:42.9.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.693 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Michael\Application Data\defender.exe
c:\documents and settings\Michael\Application Data\Microsoft\conhost.exe
.
----- BITS: Possible infected sites -----
.
hxxp://apnmedia.ask.com
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-20 21:42 . 2011-05-20 21:42 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-16 20:03 . 2011-05-16 20:03 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\AskToolbar
2011-05-16 20:03 . 2011-05-16 20:03 -------- d-----w- c:\program files\Ask.com
2011-05-14 22:10 . 2011-05-14 22:10 -------- d-----w- C:\_OTL
2011-05-13 13:27 . 2003-06-25 20:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-05-13 13:24 . 2011-05-13 13:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-08 03:48 . 2011-05-08 03:49 -------- d-----w- c:\program files\SpywareBlaster
2011-05-08 03:38 . 2011-05-08 03:38 -------- d-----w- c:\program files\Safer Networking
2011-05-08 02:58 . 2011-05-08 02:58 -------- d-----w- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
2011-05-08 02:58 . 2011-05-08 02:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-08 01:19 . 2011-05-08 01:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-07 23:31 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 23:31 . 2011-05-07 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-07 23:31 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 17:47 . 2011-05-07 17:47 -------- d-----w- c:\program files\Microsoft.NET
2011-05-07 17:31 . 2011-05-07 17:31 -------- d-----w- c:\windows\system32\winrm
2011-05-07 17:30 . 2011-05-08 17:27 -------- d-----w- c:\documents and settings\Michael\Application Data\Windows Desktop Search
2011-05-06 19:31 . 2008-04-14 04:09 14592 ------w- c:\windows\system32\drivers\kbdhid.sys
2011-05-06 01:00 . 2011-05-06 01:00 -------- d-----w- c:\program files\iPod
2011-05-06 01:00 . 2011-05-06 01:01 -------- d-----w- c:\program files\iTunes
2011-05-06 01:00 . 2011-05-06 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-06 00:57 . 2011-05-06 00:57 -------- d-----w- c:\program files\Apple Software Update
2011-05-06 00:55 . 2011-05-06 00:55 -------- d-----w- c:\program files\Bonjour
2011-05-05 21:36 . 2011-05-05 21:36 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Mozilla
2011-05-05 21:33 . 2011-05-05 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-05 21:22 . 2011-05-05 21:22 -------- d-----w- c:\documents and settings\Mike\PrivacIE
2011-05-05 21:21 . 2011-05-05 21:21 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2011-05-05 21:21 . 2011-05-05 21:21 -------- d-----w- c:\documents and settings\Mike\IETldCache
2011-05-02 19:43 . 2011-05-02 19:43 -------- d-----w- c:\documents and settings\LocalService\PrivacIE
2011-05-02 17:46 . 2011-05-02 17:46 -------- d-----w- c:\documents and settings\LocalService\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-06 00:40 . 2010-11-13 20:42 43520 ------w- c:\windows\system32\CmdLineExt03.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ------w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ------w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ------w- c:\windows\system32\dns-sd.exe
2011-03-11 14:10 . 2004-10-12 17:42 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33 . 2004-10-12 17:43 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-10-12 17:46 420864 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-10-12 17:46 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-10-12 17:46 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-10-12 17:44 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-10-12 17:43 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-10-12 17:43 385024 ------w- c:\windows\system32\html.iec
2007-10-19 17:50 . 2007-10-19 17:50 23402288 ------w- c:\program files\AdbeRdr810_en_US.exe
2007-09-09 15:43 . 2007-09-09 15:42 401720 ------w- c:\program files\HiJackThis.exe
2007-03-13 13:17 . 2007-06-07 12:12 87656 ------w- c:\program files\UnHyCam2.exe
2007-03-13 13:17 . 2007-06-07 12:12 882264 ------w- c:\program files\HyCam2.exe
2007-02-23 15:54 . 2007-06-07 12:12 69632 ------w- c:\program files\CamRes2.dll
2007-02-23 15:54 . 2007-06-07 12:12 57344 ------w- c:\program files\MClick2.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-08_04.08.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-20 19:06 . 2011-05-20 21:45 5228 c:\windows\system32\Restore\rstrlog.dat
+ 2011-05-13 13:24 . 2011-05-13 13:24 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2011-05-16 20:03 . 2011-05-16 20:03 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2010-01-27 01:07 . 2011-05-13 13:24 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-05-16 20:03 . 2011-05-16 20:03 2230272 c:\windows\Installer\ecdafb1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-01 23:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59055:TCP"= 59055:TCP:Pando Media Booster
"59055:UDP"= 59055:UDP:Pando Media Booster
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
S1 MpKsl68ffa88b;MpKsl68ffa88b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F91A8077-D608-4946-9BAD-1009EC788A81}\MpKsl68ffa88b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F91A8077-D608-4946-9BAD-1009EC788A81}\MpKsl68ffa88b.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 02:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 02:41 PM 67656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 01:16 PM 130384]
S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\Michael\LOCALS~1\Temp\Fadpu16E.sys --> c:\docume~1\Michael\LOCALS~1\Temp\Fadpu16E.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/12/2004 01:46 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 01:16 PM 753504]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/28/2009 05:57 PM 24652]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-05-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-01 23:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=0956cc10-e840-4179-a84e-449b9d4ff386&apn_ptnrs=FM&apn_sauid=A25E786D-F2A4-48DD-9946-D047DB8591D7&apn_dtid=TES002YYUS&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58727
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Malware Protection - c:\documents and settings\Michael\Application Data\defender.exe
HKLM-Run-conhost - c:\documents and settings\Michael\Application Data\Microsoft\conhost.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 15:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,37,bb,49,99,15,25,45,a6,b3,13,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,37,bb,49,99,15,25,45,a6,b3,13,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(204)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codeca.acm
.
Completion time: 2011-05-22 15:56:16
ComboFix-quarantined-files.txt 2011-05-22 19:55
ComboFix2.txt 2011-05-08 14:03
ComboFix3.txt 2011-05-08 04:10
.
Pre-Run: 111,197,769,728 bytes free
Post-Run: 111,187,685,376 bytes free
.
- - End Of File - - CBBB596D975E24BE68A3C2F19C467F72
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
TDSS Log
----------------------------------------------------------------------------------------------------------------------
2011/05/22 15:59:30.0390 1940 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/22 15:59:30.0453 1940 ================================================================================
2011/05/22 15:59:30.0453 1940 SystemInfo:
2011/05/22 15:59:30.0453 1940
2011/05/22 15:59:30.0453 1940 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/22 15:59:30.0453 1940 Product type: Workstation
2011/05/22 15:59:30.0453 1940 ComputerName: PICARDFAMILY
2011/05/22 15:59:30.0453 1940 UserName: Michael
2011/05/22 15:59:30.0453 1940 Windows directory: C:\WINDOWS
2011/05/22 15:59:30.0453 1940 System windows directory: C:\WINDOWS
2011/05/22 15:59:30.0453 1940 Processor architecture: Intel x86
2011/05/22 15:59:30.0453 1940 Number of processors: 1
2011/05/22 15:59:30.0453 1940 Page size: 0x1000
2011/05/22 15:59:30.0453 1940 Boot type: Safe boot
2011/05/22 15:59:30.0453 1940 ================================================================================
2011/05/22 15:59:30.0968 1940 Initialize success
2011/05/22 15:59:33.0109 2040 ================================================================================
2011/05/22 15:59:33.0109 2040 Scan started
2011/05/22 15:59:33.0109 2040 Mode: Manual;
2011/05/22 15:59:33.0109 2040 ================================================================================
2011/05/22 15:59:40.0484 2040 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/05/22 15:59:41.0046 2040 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/22 15:59:41.0609 2040 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/22 15:59:42.0140 2040 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/05/22 15:59:42.0734 2040 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/22 15:59:43.0312 2040 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/22 15:59:43.0921 2040 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/22 15:59:44.0421 2040 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/05/22 15:59:44.0921 2040 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/05/22 15:59:45.0437 2040 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/05/22 15:59:45.0984 2040 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/05/22 15:59:46.0640 2040 ALCXSENS (a9355a51698f6901b362ef738b15631d) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
2011/05/22 15:59:47.0328 2040 ALCXWDM (cd86a348fc4016842dbd5ac7398fb48d) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/05/22 15:59:47.0843 2040 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/05/22 15:59:48.0375 2040 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/05/22 15:59:48.0875 2040 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/05/22 15:59:49.0375 2040 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/05/22 15:59:49.0921 2040 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/05/22 15:59:50.0437 2040 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/05/22 15:59:50.0953 2040 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/05/22 15:59:51.0453 2040 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/05/22 15:59:51.0937 2040 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/05/22 15:59:52.0468 2040 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/22 15:59:53.0031 2040 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/22 15:59:54.0125 2040 ATI Remote Wonder II (368be3db3a6b9621df51216d323cda23) C:\WINDOWS\system32\drivers\ATIRWVD.SYS
2011/05/22 15:59:55.0203 2040 ati2mtag (f48fe6d69f7a224a2157d052e3b1a0fc) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/22 15:59:56.0250 2040 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/22 15:59:56.0796 2040 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/22 15:59:57.0281 2040 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/22 15:59:57.0937 2040 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/05/22 15:59:58.0421 2040 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/22 15:59:58.0953 2040 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/05/22 15:59:59.0437 2040 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/22 15:59:59.0953 2040 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/22 16:00:00.0484 2040 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/22 16:00:01.0468 2040 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/05/22 16:00:02.0046 2040 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/05/22 16:00:02.0625 2040 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/05/22 16:00:03.0187 2040 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/05/22 16:00:03.0718 2040 DC21x4 (bb005cb49d0638039703ac4f67fe0a05) C:\WINDOWS\system32\DRIVERS\dc21x4.sys
2011/05/22 16:00:04.0234 2040 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/22 16:00:05.0140 2040 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/22 16:00:06.0062 2040 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/22 16:00:06.0625 2040 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/22 16:00:07.0140 2040 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/22 16:00:07.0703 2040 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/05/22 16:00:08.0171 2040 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/22 16:00:09.0375 2040 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/22 16:00:09.0984 2040 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/22 16:00:10.0484 2040 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/22 16:00:10.0968 2040 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/22 16:00:11.0500 2040 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/22 16:00:12.0046 2040 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/22 16:00:12.0609 2040 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/22 16:00:13.0140 2040 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/22 16:00:13.0671 2040 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/22 16:00:14.0171 2040 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/22 16:00:14.0671 2040 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/05/22 16:00:15.0250 2040 HSFHWBS2 (33dfc0afa95f9a2c753ff2adb7d4a21f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/05/22 16:00:16.0218 2040 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/05/22 16:00:16.0812 2040 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/22 16:00:17.0437 2040 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/05/22 16:00:17.0953 2040 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/05/22 16:00:18.0468 2040 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/22 16:00:19.0093 2040 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/22 16:00:19.0609 2040 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/05/22 16:00:20.0078 2040 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/22 16:00:20.0578 2040 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/22 16:00:21.0093 2040 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/22 16:00:21.0593 2040 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/22 16:00:22.0156 2040 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/22 16:00:22.0781 2040 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/22 16:00:23.0296 2040 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/22 16:00:23.0859 2040 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/22 16:00:24.0359 2040 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/22 16:00:24.0859 2040 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/22 16:00:25.0406 2040 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/22 16:00:26.0046 2040 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/22 16:00:27.0093 2040 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/05/22 16:00:27.0578 2040 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/22 16:00:28.0078 2040 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/22 16:00:28.0578 2040 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/05/22 16:00:29.0109 2040 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/22 16:00:29.0578 2040 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/22 16:00:30.0109 2040 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/22 16:00:30.0734 2040 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/05/22 16:00:31.0296 2040 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/22 16:00:32.0062 2040 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/22 16:00:32.0796 2040 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/22 16:00:33.0281 2040 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/22 16:00:33.0750 2040 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/22 16:00:34.0265 2040 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/22 16:00:34.0750 2040 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/22 16:00:35.0281 2040 Mtlmnt5 (c53775780148884ac87c455489a0c070) C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
2011/05/22 16:00:36.0328 2040 Mtlstrm (54886a652bf5685192141df304e923fd) C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
2011/05/22 16:00:37.0421 2040 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/22 16:00:37.0953 2040 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
2011/05/22 16:00:38.0546 2040 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/22 16:00:39.0078 2040 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/22 16:00:39.0562 2040 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/22 16:00:40.0093 2040 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/22 16:00:40.0625 2040 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/22 16:00:41.0125 2040 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/22 16:00:41.0703 2040 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/22 16:00:42.0296 2040 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/22 16:00:43.0031 2040 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/22 16:00:43.0609 2040 NtMtlFax (576b34ceae5b7e5d9fd2775e93b3db53) C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
2011/05/22 16:00:44.0218 2040 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/05/22 16:00:44.0718 2040 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/22 16:00:46.0046 2040 nv (69766e223343b4da517f49666556edc7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/22 16:00:47.0437 2040 nvax (47b3852808dd579a463fce7085b77413) C:\WINDOWS\system32\drivers\nvax.sys
2011/05/22 16:00:47.0937 2040 NVENET (5155e22da2f2e1ca4023d00f6eb31b5e) C:\WINDOWS\system32\DRIVERS\NVENET.sys
2011/05/22 16:00:48.0609 2040 nvnforce (adbcba116496229a163193bbe0bb28ce) C:\WINDOWS\system32\drivers\nvapu.sys
2011/05/22 16:00:49.0140 2040 nv_agp (29291c3a7256337327051cc37e4fc09a) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
2011/05/22 16:00:49.0609 2040 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/22 16:00:50.0078 2040 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/22 16:00:50.0609 2040 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/05/22 16:00:51.0109 2040 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/22 16:00:51.0625 2040 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/22 16:00:52.0109 2040 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/22 16:00:52.0625 2040 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/22 16:00:53.0578 2040 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/22 16:00:54.0125 2040 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/22 16:00:56.0343 2040 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/05/22 16:00:56.0859 2040 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/05/22 16:00:57.0437 2040 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/22 16:00:58.0015 2040 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/22 16:00:58.0531 2040 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/22 16:00:59.0031 2040 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/05/22 16:00:59.0562 2040 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/05/22 16:01:00.0078 2040 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/05/22 16:01:00.0609 2040 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/05/22 16:01:01.0125 2040 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/05/22 16:01:01.0625 2040 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/22 16:01:02.0156 2040 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/22 16:01:02.0640 2040 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/22 16:01:03.0187 2040 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/22 16:01:03.0750 2040 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/22 16:01:04.0328 2040 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/22 16:01:04.0906 2040 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/22 16:01:05.0546 2040 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/22 16:01:06.0093 2040 RecAgent (e9aaa0092d74a9d371659c4c38882e12) C:\WINDOWS\system32\DRIVERS\RecAgent.sys
2011/05/22 16:01:06.0578 2040 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/22 16:01:07.0187 2040 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/22 16:01:07.0421 2040 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/22 16:01:07.0609 2040 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/22 16:01:08.0187 2040 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/22 16:01:08.0687 2040 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/22 16:01:09.0187 2040 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/22 16:01:09.0796 2040 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/05/22 16:01:10.0750 2040 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/05/22 16:01:11.0453 2040 Slntamr (2c1779c0feb1f4a6033600305eba623a) C:\WINDOWS\system32\DRIVERS\slntamr.sys
2011/05/22 16:01:12.0156 2040 SlNtHal (f9b8e30e82ee95cf3e1d3e495599b99c) C:\WINDOWS\system32\DRIVERS\Slnthal.sys
2011/05/22 16:01:12.0687 2040 SlWdmSup (db56bb2c55723815cf549d7fc50cfceb) C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
2011/05/22 16:01:13.0234 2040 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/05/22 16:01:13.0718 2040 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/22 16:01:14.0328 2040 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/22 16:01:15.0015 2040 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/22 16:01:15.0718 2040 ssmdrv (3d2829fde1c52fc64da5413889ce4dee) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/05/22 16:01:16.0218 2040 SunkFilt (d8cbd8b4bf4dc9cd64b5cc8e2bec1b96) C:\WINDOWS\System32\Drivers\sunkfilt.sys
2011/05/22 16:01:16.0718 2040 SunkFilt39 (fabcc3bec89a2853958cefb28943c470) C:\WINDOWS\System32\Drivers\sunkfilt39.sys
2011/05/22 16:01:17.0625 2040 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/22 16:01:18.0125 2040 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/22 16:01:18.0687 2040 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/05/22 16:01:19.0187 2040 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/05/22 16:01:19.0734 2040 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/05/22 16:01:20.0234 2040 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/05/22 16:01:20.0765 2040 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/22 16:01:21.0453 2040 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/22 16:01:22.0046 2040 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
2011/05/22 16:01:22.0640 2040 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/22 16:01:23.0125 2040 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/22 16:01:23.0593 2040 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/22 16:01:24.0125 2040 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/05/22 16:01:24.0671 2040 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
2011/05/22 16:01:25.0218 2040 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/22 16:01:25.0765 2040 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/05/22 16:01:26.0437 2040 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/22 16:01:27.0140 2040 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/22 16:01:27.0640 2040 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/22 16:01:28.0187 2040 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/22 16:01:28.0671 2040 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/22 16:01:29.0187 2040 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/22 16:01:29.0765 2040 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/22 16:01:30.0296 2040 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/22 16:01:30.0781 2040 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/22 16:01:31.0296 2040 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/22 16:01:31.0765 2040 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/22 16:01:32.0312 2040 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/22 16:01:32.0812 2040 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/05/22 16:01:33.0312 2040 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/05/22 16:01:33.0859 2040 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/22 16:01:34.0406 2040 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/22 16:01:35.0593 2040 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/22 16:01:36.0562 2040 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/22 16:01:37.0375 2040 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/05/22 16:01:38.0046 2040 WinDriver6 (8741604ecc3c006b7d2f769bf55dea9a) C:\WINDOWS\system32\drivers\windrvr6.sys
2011/05/22 16:01:38.0765 2040 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/22 16:01:39.0328 2040 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/22 16:01:39.0984 2040 ================================================================================
2011/05/22 16:01:39.0984 2040 Scan finished
2011/05/22 16:01:39.0984 2040 ================================================================================
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
Malwarebytes Log
----------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6642

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/22/2011 06:49:27 PM
mbam-log-2011-05-22 (18-49-27).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 304720
Time elapsed: 1 hour(s), 26 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP3\A0000217.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\RP3\A0000218.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Sun\Java\deployment\cache\6.0\51\aef85f3-5f0aab42 (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
OTL Log
----------------------------------------------------------------------------------------------------------------------
OTL logfile created on: 5/22/2011 07:38:10 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Michael\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 524.64 Mb Available Physical Memory | 51.26% Memory free
4.81 Gb Paging File | 4.56 Gb Available in Paging File | 94.69% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.55 Gb Free Space | 69.47% Space Free | Partition Type: NTFS
Drive J: | 1.92 Gb Total Space | 1.70 Gb Free Space | 88.35% Space Free | Partition Type: NTFS

Computer Name: PICARDFAMILY | User Name: Michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/22 19:36:42 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
PRC - [2010/07/24 16:44:17 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/22 19:36:42 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (x10nets)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2008/04/14 05:42:36 | 000,073,796 | ---- | M] (Smart Link) [Disabled | Stopped] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Disabled | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/05/13 18:17:11 | 000,126,976 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)
SRV - [2004/10/01 10:40:49 | 000,065,536 | ---- | M] (New Boundary Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2007/04/23 10:59:47 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2005/05/12 22:15:07 | 001,198,080 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/10/01 12:03:48 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/09/07 18:57:00 | 000,316,152 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2004/08/04 01:41:46 | 000,095,424 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2004/08/04 01:41:46 | 000,013,240 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2004/08/04 01:41:44 | 000,404,990 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr)
DRV - [2004/08/04 01:41:40 | 000,180,360 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)
DRV - [2004/08/04 01:41:40 | 000,126,686 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2004/08/04 01:41:40 | 000,013,776 | ---- | M] (Smart Link) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys -- (RecAgent)
DRV - [2004/08/04 01:41:38 | 001,309,184 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/06/18 01:56:22 | 000,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/06/18 01:55:38 | 000,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/06/18 01:55:04 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/05/25 15:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2004/05/25 15:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/03/22 21:27:20 | 000,042,936 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Sunkfilt39.sys -- (SunkFilt39)
DRV - [2004/03/22 21:01:38 | 000,040,564 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2003/12/15 13:28:46 | 000,257,872 | ---- | M] (Jungo) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atirwvd.sys -- (ATI Remote Wonder II)
DRV - [2003/08/21 11:31:52 | 000,462,940 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/08/16 05:22:16 | 000,072,771 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2003/08/14 18:16:38 | 000,404,736 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/03/20 01:51:00 | 000,018,688 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2001/08/17 09:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)
DRV - [2001/08/17 08:12:02 | 000,063,208 | ---- | M] (Intel Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dc21x4.sys -- (DC21x4)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.5.10.1
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=0956cc10-e840-4179-a84e-449b9d4ff386&apn_ptnrs=FM&apn_sauid=A25E786D-F2A4-48DD-9946-D047DB8591D7&apn_dtid=TES002YYUS&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 58727
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/18 21:32:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/07 17:20:55 | 000,000,000 | ---D | M]

[2010/07/26 10:51:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Extensions
[2011/05/16 16:08:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\extensions
[2010/07/25 20:32:18 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/06/24 22:12:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/16 16:08:11 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\extensions\toolbar@ask.com
[2009/08/28 17:59:25 | 000,004,207 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\searchplugins\aim-search.xml
[2011/05/16 16:08:11 | 000,002,396 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\searchplugins\askcom.xml
[2010/01/20 22:45:08 | 000,002,184 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\searchplugins\bing.xml
[2011/05/16 16:08:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/16 14:19:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/16 14:18:56 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2005/12/05 22:31:00 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2011/05/03 07:30:11 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2011/05/22 15:51:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1440936148-3481316508-1564428167-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 21:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/22 19:36:41 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2011/05/22 18:52:20 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/22 15:56:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/16 16:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Local Settings\Application Data\AskToolbar
[2011/05/16 16:03:26 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2011/05/16 16:03:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Start Menu\Programs\FrostWire
[2011/05/13 20:00:41 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Michael\Recent
[2011/05/13 19:48:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Desktop\Uncle Johnny Boy
[2011/05/13 09:27:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Powertoys for Windows XP
[2011/05/07 23:48:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2011/05/07 23:48:09 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/05/07 23:38:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Safer Networking
[2011/05/07 23:38:27 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2011/05/07 22:58:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\SUPERAntiSpyware.com
[2011/05/07 22:58:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/05/07 22:58:24 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/05/07 21:19:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/05/07 21:19:15 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/05/07 19:31:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/07 19:31:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/05/07 19:31:55 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/07 19:31:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/07 13:47:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2011/05/07 13:39:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2011/05/07 13:31:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
[2011/05/07 13:31:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WindowsPowerShell
[2011/05/07 13:30:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Windows Desktop Search
[2011/05/05 21:01:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/05/05 21:00:22 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/05/05 21:00:13 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/05/05 21:00:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/05/05 20:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/05/05 20:58:03 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/05/05 20:57:19 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/05/05 20:55:57 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/05/05 17:33:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/05 17:33:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/05/05 17:32:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/05/03 07:30:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2011/05/02 00:17:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2011/04/30 13:41:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/04/29 03:08:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2011/04/29 03:08:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/04/28 22:12:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/28 21:40:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2007/10/19 13:50:26 | 023,402,288 | ---- | C] ( ) -- C:\Program Files\AdbeRdr810_en_US.exe
[2007/09/09 11:42:47 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Program Files\HiJackThis.exe
[2007/06/07 08:12:10 | 000,882,264 | ---- | C] (Hyperionics) -- C:\Program Files\HyCam2.exe
[2007/06/07 08:12:10 | 000,087,656 | ---- | C] (Hyperionics) -- C:\Program Files\UnHyCam2.exe
[2007/06/07 08:12:10 | 000,069,632 | ---- | C] (Hyperionics) -- C:\Program Files\CamRes2.dll
[2007/06/07 08:12:10 | 000,057,344 | ---- | C] (Hyperionics) -- C:\Program Files\MClick2.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/22 19:36:42 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2011/05/22 19:01:00 | 000,000,238 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/05/22 18:51:23 | 000,001,230 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/22 18:51:05 | 000,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/22 16:04:12 | 000,250,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/22 15:51:43 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/18 22:54:32 | 000,000,900 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\39FA.A0F
[2011/05/17 09:01:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/16 16:03:17 | 000,000,878 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.6.lnk
[2011/05/16 16:03:17 | 000,000,860 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\FrostWire 4.21.6.lnk
[2011/05/13 19:59:23 | 000,000,640 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Shortcut to GameLauncher.exe.lnk
[2011/05/13 19:58:00 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Shortcut (2) to launcher.exe.lnk
[2011/05/13 19:57:54 | 000,000,789 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Shortcut to launcher.exe.lnk
[2011/05/13 19:55:13 | 000,000,840 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Word.lnk
[2011/05/13 19:55:05 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Excel.lnk
[2011/05/13 10:22:17 | 000,000,297 | -HS- | M] () -- C:\boot.ini
[2011/05/07 22:58:27 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/07 19:31:58 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/07 17:55:35 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Shortcut to HijackThis.exe.lnk
[2011/05/07 17:25:39 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/05/07 17:13:08 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/05/07 14:09:18 | 000,505,446 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/07 14:09:18 | 000,087,852 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/05 21:01:35 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/05/05 20:40:30 | 000,043,520 | ---- | M] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2011/05/05 20:37:41 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\firefox.lnk
[2011/05/05 17:32:57 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/18 22:54:21 | 000,000,900 | ---- | C] () -- C:\Documents and Settings\Michael\Application Data\39FA.A0F
[2011/05/16 16:03:39 | 000,000,238 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/05/16 16:03:17 | 000,000,878 | ---- | C] () -- C:\Documents and Settings\Michael\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.6.lnk
[2011/05/16 16:03:17 | 000,000,860 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\FrostWire 4.21.6.lnk
[2011/05/13 19:59:23 | 000,000,640 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Shortcut to GameLauncher.exe.lnk
[2011/05/13 19:58:00 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Shortcut (2) to launcher.exe.lnk
[2011/05/13 19:57:54 | 000,000,789 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Shortcut to launcher.exe.lnk
[2011/05/13 19:55:13 | 000,000,840 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Word.lnk
[2011/05/13 19:55:05 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Excel.lnk
[2011/05/13 09:27:37 | 000,160,217 | ---- | C] () -- C:\WINDOWS\System32\PowerToysLicense.rtf
[2011/05/07 22:58:27 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/07 19:31:58 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/07 17:55:35 | 000,000,836 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Shortcut to HijackThis.exe.lnk
[2011/05/07 17:13:08 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/05/07 13:34:52 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/05/07 13:30:34 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2011/05/07 13:29:24 | 000,225,262 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msimain.sdb
[2011/05/05 21:01:35 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/05/05 20:57:22 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/05 20:57:19 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/05/05 20:35:29 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\firefox.lnk
[2010/11/13 16:42:32 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010/08/05 13:44:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\prvlcl.dat
[2010/07/24 17:03:58 | 000,000,064 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sandra.ldb
[2010/03/20 12:31:14 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/29 09:02:29 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/07 16:19:19 | 000,018,389 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/06/07 08:12:10 | 000,113,628 | ---- | C] () -- C:\Program Files\HyCam2.chm
[2007/06/07 08:12:10 | 000,005,272 | ---- | C] () -- C:\Program Files\HyCam2.tlb
[2007/06/07 08:12:10 | 000,001,186 | ---- | C] () -- C:\Program Files\16-44100d.wav
[2007/06/07 08:12:10 | 000,000,956 | ---- | C] () -- C:\Program Files\16-44100u.wav
[2007/06/07 08:12:10 | 000,000,652 | ---- | C] () -- C:\Program Files\16-22050d.wav
[2007/06/07 08:12:10 | 000,000,587 | ---- | C] () -- C:\Program Files\8-44100d.wav
[2007/06/07 08:12:10 | 000,000,442 | ---- | C] () -- C:\Program Files\16-22050u.wav
[2007/06/07 08:12:10 | 000,000,421 | ---- | C] () -- C:\Program Files\8-44100u.wav
[2007/06/07 08:12:10 | 000,000,340 | ---- | C] () -- C:\Program Files\16-11025d.wav
[2007/06/07 08:12:10 | 000,000,326 | ---- | C] () -- C:\Program Files\16-11025u.wav
[2007/06/07 08:12:10 | 000,000,317 | ---- | C] () -- C:\Program Files\8-22050d.wav
[2007/06/07 08:12:10 | 000,000,260 | ---- | C] () -- C:\Program Files\16-8000d.wav
[2007/06/07 08:12:10 | 000,000,225 | ---- | C] () -- C:\Program Files\8-22050u.wav
[2007/06/07 08:12:10 | 000,000,220 | ---- | C] () -- C:\Program Files\16-8000u.wav
[2007/06/07 08:12:10 | 000,000,183 | ---- | C] () -- C:\Program Files\8-11025d.wav
[2007/06/07 08:12:10 | 000,000,151 | ---- | C] () -- C:\Program Files\8-8000d.wav
[2007/06/07 08:12:10 | 000,000,135 | ---- | C] () -- C:\Program Files\8-11025u.wav
[2007/06/07 08:12:10 | 000,000,127 | ---- | C] () -- C:\Program Files\8-8000u.wav
[2007/06/07 08:12:10 | 000,000,082 | ---- | C] () -- C:\Program Files\HomePage.url
[2007/05/12 13:50:28 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/04/10 21:51:54 | 000,002,166 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/04/05 00:10:48 | 000,000,305 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\addr_file.html
[2006/11/17 18:16:36 | 000,000,027 | ---- | C] () -- C:\WINDOWS\cap.ini
[2006/11/03 18:56:30 | 000,000,139 | ---- | C] () -- C:\WINDOWS\chmpchss.INI
[2006/03/31 19:24:57 | 000,000,326 | ---- | C] () -- C:\Documents and Settings\Michael\Application Data\wklnhst.dat
[2005/07/25 14:02:49 | 000,000,024 | ---- | C] () -- C:\WINDOWS\Kyor.ini
[2005/06/28 20:17:37 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/05/24 17:32:44 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\DivXsm.exe
[2005/05/20 22:07:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2005/05/16 21:30:34 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2005/05/13 18:17:11 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\UAService7.exe
[2005/05/03 19:36:44 | 000,011,599 | ---- | C] () -- C:\WINDOWS\hpdj6500.ini
[2005/05/03 16:18:54 | 000,093,878 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/04/28 19:38:16 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/28 00:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/28 00:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 00:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/04/04 13:52:42 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005/04/04 13:35:24 | 000,745,472 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2005/03/06 16:42:00 | 000,000,480 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/12/26 13:49:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/12/26 13:46:56 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2004/12/26 13:33:31 | 000,000,526 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/12/25 20:25:35 | 000,055,189 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2004/12/25 18:20:12 | 000,035,382 | ---- | C] () -- C:\WINDOWS\scunin.dat
[2004/10/12 13:54:32 | 000,000,060 | ---- | C] () -- C:\WINDOWS\System32\SYSDRV.DAT
[2004/10/12 13:45:50 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/10/12 13:45:35 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/10/12 13:45:35 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/10/12 13:45:31 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/10/12 13:45:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/10/12 13:45:19 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/10/12 13:44:49 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/10/12 13:44:48 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/10/12 13:43:37 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/10/12 13:42:40 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/10/01 12:01:56 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/10/01 11:35:21 | 000,543,232 | ---- | C] () -- C:\WINDOWS\zHotkey.exe
[2004/10/01 11:35:21 | 000,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2004/10/01 11:35:21 | 000,036,864 | ---- | C] () -- C:\WINDOWS\ShowWnd.exe
[2004/10/01 11:35:21 | 000,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2004/10/01 11:05:21 | 000,018,253 | ---- | C] () -- C:\WINDOWS\System32\ssnvfx.ini
[2004/10/01 10:40:49 | 000,471,300 | ---- | C] () -- C:\WINDOWS\wallpe.exe
[2004/08/26 21:07:50 | 000,002,048 | ---- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/26 21:01:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/26 19:12:43 | 000,001,238 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/26 19:12:43 | 000,000,463 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/08/26 19:12:10 | 000,505,446 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/26 19:12:10 | 000,087,852 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/26 13:54:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/26 13:54:01 | 000,250,776 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/06/10 17:49:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/06/10 16:22:33 | 000,352,256 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2004/03/17 09:12:48 | 000,000,362 | ---- | C] () -- C:\WINDOWS\hpfins_s04_main.dat
[2004/03/17 09:11:51 | 000,005,428 | ---- | C] () -- C:\WINDOWS\hpfmdl_s04_main.dat
[2004/01/28 11:42:06 | 000,013,601 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2000/04/25 13:58:08 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wrkgadm.exe

========== LOP Check ==========

[2010/09/30 20:13:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/01/19 21:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2010/07/23 15:27:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2007/09/09 13:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Outspark
[2010/01/19 20:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2011/01/19 17:48:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/12/12 20:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2011/05/07 23:50:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/28 17:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/05/05 21:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/01/05 22:57:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/12/02 20:13:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anthony\Application Data\GetRightToGo
[2007/06/01 15:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anthony\Application Data\LucasArts
[2007/08/13 10:40:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anthony\Application Data\Nexon
[2007/06/01 15:21:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anthony\Application Data\Petroglyph
[2008/01/31 18:51:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anthony\Application Data\Photodex
[2005/01/03 08:14:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anthony\Application Data\Template
[2007/05/28 14:13:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa\Application Data\LucasArts
[2007/09/07 19:23:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa\Application Data\Nexon
[2007/05/28 14:14:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa\Application Data\Petroglyph
[2006/12/17 23:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa\Application Data\Template
[2011/01/28 18:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\.minecraft
[2009/08/28 17:58:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\acccore
[2010/01/19 21:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Blitware
[2011/05/17 22:17:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\FrostWire
[2010/01/12 19:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Magic Set Editor
[2008/05/13 11:03:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Nexon
[2010/07/16 14:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\SystemRequirementsLab
[2009/11/19 07:38:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Template
[2010/07/26 10:11:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\uTorrent
[2011/05/08 13:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Windows Desktop Search
[2010/07/26 10:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Windows Search
[2009/10/09 19:32:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Wizards of the Coast
[2011/05/22 19:01:00 | 000,000,238 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========



========== Custom Scans ==========


< >

< >


< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: VOLSNAP.SYS >
[2008/04/14 00:11:02 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\volsnap.sys
[2008/04/14 00:11:02 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\Volsnap.sys

< MD5 for: WINLOGON.EXE >
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %ALLUSERSPROFILE%\Application Data\*. >
[2008/09/09 08:41:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/08/28 17:56:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2009/08/28 17:58:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2010/01/05 22:48:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/01/05 22:55:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2007/09/05 18:36:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI MMC
[2010/09/30 20:13:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2004/10/01 11:38:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2010/01/19 21:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2009/12/02 17:51:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2010/07/25 21:20:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/23 18:20:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/05/07 17:25:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2010/07/23 15:27:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2010/07/26 10:56:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2004/10/01 11:49:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2007/09/09 13:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Outspark
[2010/01/19 20:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2011/01/19 17:48:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2004/10/01 10:40:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2004/10/01 12:05:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2004/10/01 12:04:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2010/12/12 20:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2011/05/22 16:07:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/07/16 14:22:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/25 20:39:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2006/06/29 21:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2011/05/07 23:50:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/28 17:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/04/05 15:44:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/05/05 21:01:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/01/05 22:57:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2009/02/04 13:56:14 | 000,075,112 | ---- | M] (GEAR Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe
[2011/04/27 01:59:44 | 000,073,000 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.2.2.14\SetupAdmin.exe
[2011/01/19 19:40:47 | 000,172,032 | ---- | M] (Nexon) -- C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe

< %APPDATA%\*. >
[2011/01/28 18:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\.minecraft
[2009/08/28 17:58:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\acccore
[2009/06/29 18:40:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Adobe
[2009/08/05 08:27:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\AdobeUM
[2005/06/28 20:17:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\AOL
[2011/05/05 21:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Apple Computer
[2010/01/19 21:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Blitware
[2011/05/17 22:17:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\FrostWire
[2004/08/26 21:09:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Identities
[2008/05/13 11:02:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Macromedia
[2010/01/12 19:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Magic Set Editor
[2010/07/25 21:21:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Malwarebytes
[2011/05/22 15:50:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Microsoft
[2009/08/16 11:22:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Mozilla
[2008/05/13 11:03:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Nexon
[2004/10/01 11:46:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Sun
[2011/05/07 22:58:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\SUPERAntiSpyware.com
[2004/10/01 11:47:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Symantec
[2010/07/16 14:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\SystemRequirementsLab
[2009/11/19 07:38:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Template
[2010/07/26 10:11:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\uTorrent
[2011/05/08 13:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Windows Desktop Search
[2010/07/26 10:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Windows Search
[2009/10/09 19:32:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Wizards of the Coast
[2004/10/01 12:04:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\You've Got Pictures Screensaver

< %APPDATA%\*.exe /s >
[2011/05/01 20:15:42 | 008,151,592 | ---- | M] (FrostWire Team) -- C:\Documents and Settings\Michael\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe
[2011/05/15 22:47:31 | 008,167,208 | ---- | M] (FrostWire Team) -- C:\Documents and Settings\Michael\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe
[2011/01/30 19:11:17 | 004,506,256 | ---- | M] (Lime Wire LLC) -- C:\Documents and Settings\Michael\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
[2011/02/01 19:04:18 | 000,052,616 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\extensions\toolbar@ask.com\chrome\content\issigned.exe

< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< C:\program files\common files\data\* /s >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/26 13:53:19 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/26 13:53:18 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/26 13:53:18 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

< C:\Documents and Settings\mhumphrey\Desktop\*.* /s >

< End of report >
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
Extras Log
----------------------------------------------------------------------------------------------------------------------
OTL Extras logfile created on: 5/22/2011 07:38:10 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Michael\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 524.64 Mb Available Physical Memory | 51.26% Memory free
4.81 Gb Paging File | 4.56 Gb Available in Paging File | 94.69% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.55 Gb Free Space | 69.47% Space Free | Partition Type: NTFS
Drive J: | 1.92 Gb Total Space | 1.70 Gb Free Space | 88.35% Space Free | Partition Type: NTFS

Computer Name: PICARDFAMILY | User Name: Michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1440936148-3481316508-1564428167-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0
"UPDATESDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"59055:TCP" = 59055:TCP:*:Enabled:Pando Media Booster
"59055:UDP" = 59055:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"59055:TCP" = 59055:TCP:*:Enabled:Pando Media Booster
"59055:UDP" = 59055:UDP:*:Enabled:Pando Media Booster
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)
"C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe" = C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:*:Enabled:Star Wars: Empire at War -- (Lucasfilm Entertainment Company, Ltd.)
"C:\Nexon\MapleStory\MapleStory.exe" = C:\Nexon\MapleStory\MapleStory.exe:*:Disabled:MapleStory -- (Wizet)
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" = C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client -- (Veoh Networks)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe" = C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe:*:Enabled:Photo Story 3 for Windows -- (Microsoft Corp.)
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0405E51E-9582-4207-8F38-AC44201D3808}" = VeohTV BETA
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars®: Knights of the Old Republic ™
"{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}" = ATIRW2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D50E33F-0DB8-4E3B-B75C-2B872A33D87B}" = HP Deskjet 6500
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{48E16DC7-79EC-45F1-847A-F8D3C620515E}" = MapleStory
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{629F65FB-7F3C-4D66-A1C0-20722744B7B6}" = Star Wars® Knights of the Old Republic® II: The Sith Lords™
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8988F5D0-C83F-41F4-B41B-86031F9B37F5}" = ATI Multimedia Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C3727F2-8E37-49E4-820C-03B1677F53B6}" = Stronghold Crusader
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{92482FB3-C05B-41C6-89E7-75D985602A6E}" = System Requirements Lab
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{99AE7207-8612-4DBA-A8F8-BAE5C633390D}" = Star Wars Empire at War
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BEAD39CD-901D-4267-8B8B-EAA83CB4B70D}" = Pivot Stickfigure Animator
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"{C917BA70-28A3-4C74-B163-41FD8C8E1A5A}" = Stronghold
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}" = Microsoft Picture It! Photo Premium 9
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E914A24F-2412-4374-B420-86D21D6D444A}" = LEGO Star Wars
"{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager
"{EDE28287-D32C-415E-9C97-2BF9F9260150}" = ATI Decoder
"{F59A9E08-A6A4-4ACF-91F2-D0344956C30B}" = iTunes
"{FF262740-C85A-11D5-BBEC-00D0B740900A}" = Multimedia Keyboard Driver
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AGEod's American Civil War_is1" = AGEod's American Civil War
"All ATI Software" = ATI - Software Uninstall Utility
"Animals of Africa" = Animals of Africa
"ATI Display Driver" = ATI Display Driver
"Basketball" = Basketball
"Block Rox" = Block Rox
"CCleaner" = CCleaner
"Championship Chess" = Championship Chess
"Chess" = Chess
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = SoftV92 Data Fax Modem with SmartCP
"Defraggler" = Defraggler
"Draw Poker" = Draw Poker
"Drop" = Drop
"eGames Master's Edition 151" = eGames Master's Edition 151
"FrostWire" = FrostWire 4.21.6
"Galaxy of Games 201" = Galaxy of Games 201
"Galaxy Video Poker Special Edition" = Galaxy Video Poker Special Edition
"HijackThis" = HijackThis 2.0.2
"HP Deskjet 6500 Series_Driver" = HP Deskjet 6500 Series
"ie8" = Windows Internet Explorer 8
"InstallShield_{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}" = ATI Remote Wonder 2.3
"InstallShield_{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"InstallShield_{8988F5D0-C83F-41F4-B41B-86031F9B37F5}" = ATI Multimedia Center 9.01
"InstallShield_{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"InstallShield_{E914A24F-2412-4374-B420-86D21D6D444A}" = LEGO Star Wars
"InstallShield_{EDE28287-D32C-415E-9C97-2BF9F9260150}" = ATI Decoder
"InterActual Player" = InterActual Player
"King Solitaire" = King Solitaire
"Magic Set Editor 2_is1" = Magic Set Editor 2 - 0.3.8 beta
"Mahjongg Master 3 Special Edition" = Mahjongg Master 3 Special Edition
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mancala" = Mancala
"MapleStory" = MapleStory
"Max Mix Foto" = Max Mix Foto
"Maze" = Maze
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NVIDIA Drivers" = NVIDIA Drivers
"PictureIt_v9" = Microsoft Picture It! Photo Premium 9
"Port Magic" = Pure Networks Port Magic
"Puzzle Master 2 Special Edition" = Puzzle Master 2 Special Edition
"Quik 21" = Quik 21
"RealPlayer 6.0" = RealPlayer Basic
"Roulette Fever Special Edition" = Roulette Fever Special Edition
"Secret Circuit" = Secret Circuit
"ShockwaveFlash" = Adobe Flash Player 9
"SpywareBlaster_is1" = SpywareBlaster 4.4
"Starcraft" = Starcraft
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Tri Peaks" = Tri Peaks
"Tweak UI 2.10" = Tweak UI
"UnityWebPlayer" = Unity Web Player
"Unlocker" = Unlocker 1.9.0
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"XviD_is1" = XviD MPEG-4 Video Codec
"Zap 21" = Zap 21

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1440936148-3481316508-1564428167-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/7/2011 05:25:26 PM | Computer Name = PICARDFAMILY | Source = Microsoft Security Client | ID = 1001
Description =

Error - 5/8/2011 01:07:20 PM | Computer Name = PICARDFAMILY | Source = UserAccess7 | ID = 0
Description =

Error - 5/8/2011 01:28:04 PM | Computer Name = PICARDFAMILY | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Windows Application,
SystemIndex Catalog

Error - 5/18/2011 10:54:43 PM | Computer Name = PICARDFAMILY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/20/2011 05:22:09 PM | Computer Name = PICARDFAMILY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/20/2011 05:22:09 PM | Computer Name = PICARDFAMILY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/20/2011 05:54:32 PM | Computer Name = PICARDFAMILY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/20/2011 05:54:32 PM | Computer Name = PICARDFAMILY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/22/2011 03:59:28 PM | Computer Name = PICARDFAMILY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/22/2011 03:59:28 PM | Computer Name = PICARDFAMILY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 5/22/2011 03:36:19 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/22/2011 03:56:27 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/22/2011 03:57:23 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/22/2011 03:57:27 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/22/2011 04:01:53 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/22/2011 04:02:03 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/22/2011 04:02:31 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/22/2011 06:51:14 PM | Computer Name = PICARDFAMILY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde

Error - 5/22/2011 06:51:16 PM | Computer Name = PICARDFAMILY | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 5/22/2011 06:52:47 PM | Computer Name = PICARDFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service MDM with arguments
"" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}


< End of report >

Edited by he's dead jim, 23 May 2011 - 12:17 PM.


#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:50 PM

Posted 23 May 2011 - 11:29 PM

Hi he's dead jim,



Go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup).

On the Update tab, click the Update Now button. When done, press Apply and then the OK button.



Step 1

  • Go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave both Checked

    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


Step 2

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.


Step 3

  • Close any open browsers
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
C:\Documents and Settings\Michael\Application Data\39FA.A0F
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

Folder::
C:\program files\Ask.com
C:\documents and settings\Michael\Local Settings\Application Data\AskToolbar

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Driver::
Fadpu16E

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step 4

Please run the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt .
  • Copy and paste that log as a reply to this topic and also let me know how things are now.



In your next reply, please post back:

1. ComboFix log
2. ESET Online Scanner report

Let me know if you have any remaining issues on your PC.

#15 he's dead jim

he's dead jim
  • Topic Starter

  • Members
  • 112 posts
  • OFFLINE
  • Local time:01:50 PM

Posted 24 May 2011 - 11:15 AM

----------------------------------------------------------------------------------------------------------------------
Combofix Log
----------------------------------------------------------------------------------------------------------------------


ComboFix 11-05-23.02 - Michael 05/24/2011 10:26:52.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.600 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\cfscript.txt
.
FILE ::
"c:\documents and settings\Michael\Application Data\39FA.A0F"
"c:\windows\tasks\Scheduled Update for Ask Toolbar.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Michael\Application Data\39FA.A0F
c:\documents and settings\Michael\Local Settings\Application Data\AskToolbar
c:\documents and settings\Michael\Local Settings\Application Data\AskToolbar\osearch.xml
c:\program files\Ask.com
c:\program files\Ask.com\assets\oobe\b.png
c:\program files\Ask.com\assets\oobe\bl.png
c:\program files\Ask.com\assets\oobe\br.png
c:\program files\Ask.com\assets\oobe\l.png
c:\program files\Ask.com\assets\oobe\pointer.png
c:\program files\Ask.com\assets\oobe\r.png
c:\program files\Ask.com\assets\oobe\t.png
c:\program files\Ask.com\assets\oobe\tl.png
c:\program files\Ask.com\assets\oobe\tr.png
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_8c.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\windows\tasks\Scheduled Update for Ask Toolbar.job
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FADPU16E
-------\Service_Fadpu16E
.
.
((((((((((((((((((((((((( Files Created from 2011-04-24 to 2011-05-24 )))))))))))))))))))))))))))))))
.
.
2011-05-20 21:42 . 2011-05-20 21:42 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-13 13:27 . 2003-06-25 20:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-05-13 13:24 . 2011-05-13 13:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-08 03:48 . 2011-05-08 03:49 -------- d-----w- c:\program files\SpywareBlaster
2011-05-08 03:38 . 2011-05-08 03:38 -------- d-----w- c:\program files\Safer Networking
2011-05-08 02:58 . 2011-05-08 02:58 -------- d-----w- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
2011-05-08 02:58 . 2011-05-08 02:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-08 01:19 . 2011-05-08 01:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-07 23:31 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-07 23:31 . 2011-05-07 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-07 23:31 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 17:47 . 2011-05-07 17:47 -------- d-----w- c:\program files\Microsoft.NET
2011-05-07 17:31 . 2011-05-07 17:31 -------- d-----w- c:\windows\system32\winrm
2011-05-07 17:30 . 2011-05-08 17:27 -------- d-----w- c:\documents and settings\Michael\Application Data\Windows Desktop Search
2011-05-06 19:31 . 2008-04-14 04:09 14592 ------w- c:\windows\system32\drivers\kbdhid.sys
2011-05-06 01:00 . 2011-05-06 01:00 -------- d-----w- c:\program files\iPod
2011-05-06 01:00 . 2011-05-06 01:01 -------- d-----w- c:\program files\iTunes
2011-05-06 01:00 . 2011-05-06 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-06 00:57 . 2011-05-06 00:57 -------- d-----w- c:\program files\Apple Software Update
2011-05-06 00:55 . 2011-05-06 00:55 -------- d-----w- c:\program files\Bonjour
2011-05-05 21:36 . 2011-05-05 21:36 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Mozilla
2011-05-05 21:33 . 2011-05-05 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-05 21:22 . 2011-05-05 21:22 -------- d-----w- c:\documents and settings\Mike\PrivacIE
2011-05-05 21:21 . 2011-05-05 21:21 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2011-05-05 21:21 . 2011-05-05 21:21 -------- d-----w- c:\documents and settings\Mike\IETldCache
2011-05-02 19:43 . 2011-05-02 19:43 -------- d-----w- c:\documents and settings\LocalService\PrivacIE
2011-05-02 17:46 . 2011-05-02 17:46 -------- d-----w- c:\documents and settings\LocalService\IECompatCache
2011-05-02 04:17 . 2011-05-02 04:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2011-04-29 07:08 . 2011-04-29 07:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-04-29 07:08 . 2011-04-29 07:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-06 00:40 . 2010-11-13 20:42 43520 ------w- c:\windows\system32\CmdLineExt03.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ------w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ------w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ------w- c:\windows\system32\dns-sd.exe
2011-03-11 14:10 . 2004-10-12 17:42 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33 . 2004-10-12 17:43 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-10-12 17:46 420864 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-10-12 17:46 1857920 ------w- c:\windows\system32\win32k.sys
2007-10-19 17:50 . 2007-10-19 17:50 23402288 ------w- c:\program files\AdbeRdr810_en_US.exe
2007-09-09 15:43 . 2007-09-09 15:42 401720 ------w- c:\program files\HiJackThis.exe
2007-03-13 13:17 . 2007-06-07 12:12 87656 ------w- c:\program files\UnHyCam2.exe
2007-03-13 13:17 . 2007-06-07 12:12 882264 ------w- c:\program files\HyCam2.exe
2007-02-23 15:54 . 2007-06-07 12:12 69632 ------w- c:\program files\CamRes2.dll
2007-02-23 15:54 . 2007-06-07 12:12 57344 ------w- c:\program files\MClick2.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59055:TCP"= 59055:TCP:Pando Media Booster
"59055:UDP"= 59055:UDP:Pando Media Booster
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 02:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 02:41 PM 67656]
S1 MpKsl68ffa88b;MpKsl68ffa88b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F91A8077-D608-4946-9BAD-1009EC788A81}\MpKsl68ffa88b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F91A8077-D608-4946-9BAD-1009EC788A81}\MpKsl68ffa88b.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 01:16 PM 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/12/2004 01:46 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 01:16 PM 753504]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/28/2009 05:57 PM 24652]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\k3amy4jo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=0956cc10-e840-4179-a84e-449b9d4ff386&apn_ptnrs=FM&apn_sauid=A25E786D-F2A4-48DD-9946-D047DB8591D7&apn_dtid=TES002YYUS&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58727
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-24 10:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,37,bb,49,99,15,25,45,a6,b3,13,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,47,37,bb,49,99,15,25,45,a6,b3,13,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(528)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-24 10:40:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-24 14:40
.
Pre-Run: 111,104,716,800 bytes free
Post-Run: 111,098,109,952 bytes free
.
- - End Of File - - 412BE50AEC7DFF01BDA681A01824BEEB


----------------------------------------------------------------------------------------------------------------------


----------------------------------------------------------------------------------------------------------------------
ESET Online Scanner Report
----------------------------------------------------------------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# firefox.exe=1.9.2.8
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=60817acb6cd4944aabadd6bc464179b7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-24 04:09:54
# local_time=2011-05-24 12:09:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 26157064 26157064 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122166
# found=12
# cleaned=12
# scan_time=4921
C:\Documents and Settings\Michael\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.5.windows.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Michael\Application Data\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Michael\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\6.0\38\24112126-564f2ce4 Win32/Adware.SafetyAntiSpyware.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\6.0\45\6dfd656d-47ad8dee Java/TrojanDownloader.OpenStream.NCA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Michael\My Documents\Downloads\frostwire-4.21.5.windows.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Michael\My Documents\Downloads\unlocker1.9.0.exe Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Michael\Start Menu\eBay.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0000411.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0000412.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0000413.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP5\A0000414.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C



