Browser searches redirecting to god knows where. HJT/dds.txt/ark.txt files


  • This topic is locked
8 replies to this topic

#1 limac

  • Members
  • 5 posts

Posted 22 November 2011 - 10:05 PM

As the title suggests, the usual: search engines redirecting, and svchost.exe running at ~40% when running some programs.

Also now getting a process named something like 123123123:4552304912.exe, only using up 460 KB. Read up that it's a trojan, apparently.


System Info
OS Version: Microsoft Windows XP Professional, Service Pack 2, 32 bit
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+, x86 Family 15 Model 75 Stepping 2
Processor Count: 2
RAM: 2046 Mb
Graphics Card: NVIDIA GeForce 8600 GTS, 256 Mb
Hard Drives: C: Total - 131061 MB, Free - 1869 MB; H: Total - 152625 MB, Free - 21681 MB;
Motherboard: ASUSTeK Computer INC., M2N-E SLI
Antivirus: None


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:11:01 PM, on 11/21/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Li Mclaren\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSour...ctid=CT2670199
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
R3 - URLSearchHook: Free Lunch Design TB Toolbar - {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - C:\Program Files\Free_Lunch_Design_TB\prxtbFree.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Free Lunch Design TB - {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - C:\Program Files\Free_Lunch_Design_TB\prxtbFree.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O3 - Toolbar: Free Lunch Design TB Toolbar - {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - C:\Program Files\Free_Lunch_Design_TB\prxtbFree.dll (file missing)
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIANgBGAEUAOQAtAEYARgBQADYANAAtAFQAOAA0AE0AUgAtAE8ARwB XAFQAVgAtADcARQBNAEIAUgA"&"inst=NwA2AC0ANQAwADkAOAAxADcAMwA5ADAALQBEADMAOAA xAEwAKwA1AC0AWABPADMANgArADEALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC 0ARABEAFQAKwAyADUAOQA2ADEALQBJADkAMAArADEALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQ QBQAFAAKwAxAA"&"prod=52"&"ver=9.0.894
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Akamai NetSession Interface] C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Akamai\netsession_win.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

--
End of file - 9393 bytes



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Li Mclaren at 15:13:37 on 2011-11-21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.997 [GMT 10:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Li Mclaren\Desktop\HijackThis.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2670199
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
uURLSearchHooks: Free Lunch Design TB Toolbar: {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - c:\program files\free_lunch_design_tb\prxtbFree.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Free Lunch Design TB Toolbar: {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - c:\program files\free_lunch_design_tb\prxtbFree.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Free Lunch Design TB Toolbar: {a5ae8924-4036-420f-b7f6-a47e4b8f692e} - c:\program files\free_lunch_design_tb\prxtbFree.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Google Update] "c:\documents and settings\li mclaren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] c:\documents and settings\li mclaren\local settings\application data\akamai\netsession_win.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIANgBGAEUAOQAtAEYARgBQADYANAAtAFQAOAA0AE0AUgAtAE8ARwB XAFQAVgAtADcARQBNAEIAUgA"&"inst=NwA2AC0ANQAwADkAOAAxADcAMwA5ADAALQBEADMAOAA xAEwAKwA1AC0AWABPADMANgArADEALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC 0ARABEAFQAKwAyADUAOQA2ADEALQBJADkAMAArADEALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQ QBQAFAAKwAxAA"&"prod=52"&"ver=9.0.894
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4D7F8084-AC08-4316-9E30-7E13B4B2FC56} : DhcpNameServer = 192.168.1.254
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-11-16 239168]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-10-19 2253120]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2011-10-29 14856]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-11-21 41272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 gkmixern;gkmixern;\??\c:\docume~1\limcla~1\locals~1\temp\gkmixern.sys --> c:\docume~1\limcla~1\locals~1\temp\gkmixern.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-7-10 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-6-19 2560]
.
=============== Created Last 30 ================
.
2011-11-21 05:00:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-18 03:17:12 54016 ----a-w- c:\windows\system32\drivers\triicgp.sys
2011-11-17 01:10:23 -------- d-----w- C:\fixwareout
2011-11-16 13:59:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-16 13:59:21 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-11-16 13:05:08 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-11-16 13:04:55 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-11-16 09:45:03 -------- d-sh--w- c:\documents and settings\li mclaren\local settings\application data\6704923e
2011-11-16 09:37:29 -------- d-----w- c:\documents and settings\li mclaren\local settings\application data\Xilisoft
2011-11-16 09:37:27 -------- d-----w- c:\documents and settings\li mclaren\application data\Xilisoft
2011-11-16 09:36:44 -------- d-----w- c:\program files\Xilisoft
2011-11-16 09:36:44 -------- d-----w- c:\documents and settings\all users\application data\Xilisoft
2011-11-11 03:26:06 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-11-11 03:26:06 446464 ----a-w- c:\windows\system32\nvunrm.exe
2011-11-10 15:50:38 -------- d-----w- c:\documents and settings\li mclaren\local settings\application data\Skyrim
2011-11-10 15:17:14 -------- d-----w- C:\Phoenix
2011-11-10 15:02:24 -------- d-----w- c:\documents and settings\li mclaren\local settings\application data\DownloadHQ
2011-11-09 21:05:53 -------- d-----w- c:\documents and settings\li mclaren\local settings\application data\Akamai
2011-11-07 08:34:36 -------- d-----w- c:\program files\common files\Akamai
2011-11-06 14:45:46 -------- d-----w- c:\documents and settings\li mclaren\application data\Need for Speed World
2011-11-06 07:04:24 -------- d-----w- c:\documents and settings\li mclaren\local settings\application data\Electronic_Arts_Inc
2011-11-04 07:13:15 -------- d-----w- c:\documents and settings\li mclaren\application data\fltk.org
2011-10-31 06:08:22 -------- d-----w- c:\documents and settings\li mclaren\application data\Bioshock2
2011-10-31 06:01:07 -------- d-sh--w- c:\documents and settings\all users\application data\SecuROM
2011-10-31 05:57:38 -------- d-----w- C:\36f5d95dd494e0d6b19797aabde1de
2011-10-31 05:52:28 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2011-10-29 02:17:33 -------- d-----w- c:\documents and settings\li mclaren\application data\PunkBuster
2011-10-29 02:00:57 -------- d-----w- c:\documents and settings\li mclaren\application data\DAEMON Tools Lite
2011-10-29 02:00:54 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2011-10-29 01:53:26 14856 ----a-w- c:\windows\system32\drivers\LGVirHid.sys
2011-10-28 11:49:46 -------- d-----w- c:\program files\PowerISO
2011-10-24 12:33:03 -------- d-----w- c:\program files\Games
.
==================== Find3M ====================
.
2011-11-20 15:35:16 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-11-12 16:12:15 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-11-12 16:12:08 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-11-10 16:10:47 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-11-10 16:10:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-11-10 16:10:38 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-10-28 09:50:07 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-10-17 17:38:37 849 --sha-w- c:\windows\system32\mmf.sys
2011-08-31 07:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 13:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 13:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 13:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-30 13:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-26 10:50:51 271200 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-08-26 10:50:51 271200 ----a-w- c:\windows\system32\PnkBstrB.ex0
.
============= FINISH: 15:15:36.92 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-22 02:03:46
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3250824A rev.3.AAH
Running: f8lq88cg.exe; Driver: C:\DOCUME~1\LIMCLA~1\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xB7ED4FA0]
SSDT sptd.sys ZwEnumerateKey [0xB7F08698]
SSDT sptd.sys ZwEnumerateValueKey [0xB7F08A26]
SSDT sptd.sys ZwOpenKey [0xB7ED4F80]
SSDT sptd.sys ZwQueryKey [0xB7F08AFE]
SSDT sptd.sys ZwQueryValueKey [0xB7F0897E]
SSDT sptd.sys ZwSetValueKey [0xB7F08B90]

INT 0x62 ? 8AD88CB8
INT 0x63 ? 8ADD0CB8
INT 0x73 ? 8ADD0CB8
INT 0x82 ? 8AD88CB8
INT 0xA4 ? 8AC94CB8

---- Kernel code sections - GMER 1.0.15 ----

.text sptd.sys B7E98000 28 Bytes [30, 48, 6E, 80, A4, 9B, 6E, ...]
.text sptd.sys B7E9801D 3 Bytes [49, 6E, 80]
.text sptd.sys B7E98024 164 Bytes [6E, 42, 53, 80, 68, A9, 54, ...]
.text sptd.sys B7E980C9 259 Bytes [88, 53, 80, A0, 8A, 53, 80, ...]
.text sptd.sys B7E981D4 4 Bytes [27, 39, 4F, 4E] {DAA ; CMP [EDI+0x4e], ECX}
.text ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB7F441AA]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B7BDF62C 5 Bytes JMP 8AC941C8
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6E5F380, 0x8D6CD5, 0xE8000020]
.PAGE1 C:\WINDOWS\System32\drivers\afd.sys unknown last section [0xB2826B00, 0x100, 0xC0000040]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB0DBB300, 0x3AF78, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB83E0300, 0x1BCE, 0xE8000020]
? C:\DOCUME~1\LIMCLA~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F49C
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F530
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F6BD
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1080] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!TrackPopupMenu 77D94F16 5 Bytes JMP 013D4320 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!TrackPopupMenuEx 77D9CAFE 5 Bytes JMP 013D4480 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe[4064] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes CALL 02ACA939 C:\Program Files\Spybot - Search & Destroy\Plugins\Chai.dll
.text C:\WINDOWS\system32\svchost.exe[4728] USER32.dll!DialogBoxIndirectParamAorW 77D56896 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F49C
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F530
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F6BD
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5564] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 1 Byte [28]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtMapViewOfSection + 6 7C90DC5B 4 Bytes [28, 03, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtMapViewOfSection + B 7C90DC60 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F49C
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F530
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F6BD
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 1 Byte [68]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtUnmapViewOfSection + 6 7C90E966 4 Bytes [68, 03, 17, 00]
.text C:\Documents and Settings\Li Mclaren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5988] ntdll.dll!NtUnmapViewOfSection + B 7C90E96B 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AD861E8
Device \FileSystem\Fastfat \FatCdrom 87F091E8
Device \Driver\usbohci \Device\USBPDO-0 8AC931E8
Device \Driver\usbehci \Device\USBPDO-1 8AD1B1E8
Device \Driver\Cdrom \Device\CdRom0 8AD171E8
Device \Driver\atapi \Device\Ide\IdePort0 8AD881E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8AD881E8
Device \Driver\atapi \Device\Ide\IdePort1 8AD881E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8AD881E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 8AD881E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 8AD881E8
Device \Driver\Cdrom \Device\CdRom1 8AD171E8
Device \Driver\Cdrom \Device\CdRom2 8AD171E8
Device \Driver\Cdrom \Device\CdRom3 8AD171E8
Device \Driver\dtsoftbus01 \Device\00000075 8ABC2430
Device \Driver\Cdrom \Device\CdRom4 8AD171E8
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 8ABC2430
Device \Driver\NetBT \Device\NetBt_Wins_Export 89AE21E8
Device \Driver\PCI_PNP8698 \Device\0000004b sptd.sys
Device \Driver\PCI_PNP8698 \Device\0000004b sptd.sys
Device \Driver\NetBT \Device\NetbiosSmb 89AE21E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4D7F8084-AC08-4316-9E30-7E13B4B2FC56} 89AE21E8
Device \Driver\usbohci \Device\USBFDO-0 8AC931E8
Device \Driver\usbehci \Device\USBFDO-1 8AD1B1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89AB31E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89AB31E8
Device \Driver\iviVD \Device\Scsi\iviVD1 8ADCC1E8
Device \Driver\ayipnqtw \Device\Scsi\ayipnqtw1 8ACC5430
Device \Driver\nvgts \Device\Scsi\nvgts1 8AD871E8
Device \Driver\nvgts \Device\Scsi\nvgts2 8AD871E8
Device \Driver\ayipnqtw \Device\Scsi\ayipnqtw1Port5Path0Target0Lun0 8ACC5430
Device \Driver\iviVD \Device\Scsi\iviVD1Port0Path0Target0Lun0 8ADCC1E8
Device \FileSystem\Fastfat \Fat 87F091E8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89A961E8

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B6DC0000-B6DC9000 (36864 bytes)
Module (noname) (*** hidden *** ) B8188000-B8196000 (57344 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:604] B6DC43E0
Thread System [4:608] B6DC43E0
Thread System [4:612] 89AC6330
Thread System [4:616] 89AC6330

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA0 0x09 0x81 0x16 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA0 0x09 0x81 0x16 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x36 0x08 0x71 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys@imagepath \systemroot\system32\drivers\ESQULwbbwcbxpidjtflyholxfgualduhgfwby.sys
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULwbbwcbxpidjtflyholxfgualduhgfwby.sys
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULlntfwiusxngdckbswfctfcevkahdgbpa.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULxhxomaffkgnyxvskmionkrylkhxfigbc.dll
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7B 0x13 0x1F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7B 0x13 0x1F ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7B 0x13 0x1F ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7B 0x13 0x1F ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2E 0x7B 0x13 0x1F ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3A 0x43 0xF7 0xEE ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA8 0xA2 0x59 0x88 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x33 0x17 0xC8 0x0D ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3C 0xEC 0xCF 0x1C ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB4 0x66 0x65 0x1A ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x79 0xE0 0xA7 0x52 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x28 0xC8 0x8F 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5A 0x3C 0xB8 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6C 0x93 0x15 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA1 0x9C 0x67 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0xF5 0xD1 0x4D ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5A 0x3C 0xB8 0x19 ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6C 0x93 0x15 0x9A ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA1 0x9C 0x67 0x2D ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0xF5 0xD1 0x4D ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\LocalService\Cookies\system@d.gossipcenter[1].txt 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8DI3KL2F\imp[14].com%2F&r=1 847 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8DI3KL2F\imp[15].com%2F&r=1 844 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830 0 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\L 0 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\L\ooockaaq 138496 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U 0 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@80000000 23040 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@800000c0 32768 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@800000cb 24064 bytes
File C:\WINDOWS\$NtUninstallKB2757$\1728352830\U\@800000cf 31744 bytes
File C:\WINDOWS\$NtUninstallKB2757$\3579382902 0 bytes

---- EOF - GMER 1.0.15 ----


I know I'm not running the latest updates; I've been working on getting SP3 and a full-time antivirus program.

Also, the HJT log was from a day or two ago; it refuses to run now.



#2 Gammo

  • Members
  • 202 posts

Posted 24 November 2011 - 03:31 PM

Hi,

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.





Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Please post the final results, good or bad. We like to know!


#3 limac

  • Topic Starter
  • Members
  • 5 posts

Posted 25 November 2011 - 11:05 AM

Ok, so I ran both of those.

TDSSKiller found 5 or so threats, 2 major high-risk ones and a few others that were medium suspicion. Cured/skipped those, then ran ComboFix.

Since I posted this thread I'm not able to use any browsers on the infected computer, and ipconfig shows that it couldn't get an IP, so I wasn't able to get the Windows recovery thing.

When I ran ComboFix, it completed all 50 stages and then, stupidly, I thought it had finished and frozen, so I closed it to look for the log to post. Couldn't find the log at C:\ComboFix.txt, although in C:\ there is a ComboFix folder with the My Computer icon that opens the exact same window as My Computer. So I restarted to see if it would have an effect on the internet (it did not).

Here is the TDSSKiller log:

01:20:52.0062 1584 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
01:20:52.0140 1584 ============================================================
01:20:52.0140 1584 Current date / time: 2011/11/26 01:20:52.0140
01:20:52.0140 1584 SystemInfo:
01:20:52.0140 1584
01:20:52.0140 1584 OS Version: 5.1.2600 ServicePack: 2.0
01:20:52.0140 1584 Product type: Workstation
01:20:52.0140 1584 ComputerName: LI
01:20:52.0140 1584 UserName: Li Mclaren
01:20:52.0140 1584 Windows directory: C:\WINDOWS
01:20:52.0140 1584 System windows directory: C:\WINDOWS
01:20:52.0140 1584 Processor architecture: Intel x86
01:20:52.0140 1584 Number of processors: 2
01:20:52.0140 1584 Page size: 0x1000
01:20:52.0140 1584 Boot type: Safe boot
01:20:52.0140 1584 ============================================================
01:20:53.0250 1584 Initialize success
01:21:33.0515 1608 ============================================================
01:21:33.0515 1608 Scan started
01:21:33.0515 1608 Mode: Manual; SigCheck; TDLFS;
01:21:33.0515 1608 ============================================================
01:21:36.0031 1608 6704923e (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\1049756775:2566614465.exe
01:21:36.0031 1608 Suspicious file (Hidden): C:\WINDOWS\1049756775:2566614465.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
01:21:36.0031 1608 6704923e ( Rootkit.Win32.PMax.gen ) - infected
01:21:36.0031 1608 6704923e - detected Rootkit.Win32.PMax.gen (0)
01:21:36.0218 1608 Abiosdsk - ok
01:21:36.0359 1608 abp480n5 - ok
01:21:36.0640 1608 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:21:41.0453 1608 ACPI - ok
01:21:41.0703 1608 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
01:21:41.0875 1608 ACPIEC - ok
01:21:42.0062 1608 adfs - ok
01:21:42.0203 1608 adpu160m - ok
01:21:42.0421 1608 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
01:21:42.0593 1608 aec - ok
01:21:42.0828 1608 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
01:21:42.0921 1608 AFD - ok
01:21:43.0078 1608 Aha154x - ok
01:21:43.0234 1608 aic78u2 - ok
01:21:43.0406 1608 aic78xx - ok
01:21:43.0593 1608 AliIde - ok
01:21:43.0781 1608 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
01:21:43.0843 1608 AmdK8 - ok
01:21:44.0000 1608 amsint - ok
01:21:44.0203 1608 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
01:21:44.0328 1608 Arp1394 - ok
01:21:44.0531 1608 asc - ok
01:21:44.0687 1608 asc3350p - ok
01:21:44.0843 1608 asc3550 - ok
01:21:45.0046 1608 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:21:45.0187 1608 AsyncMac - ok
01:21:45.0421 1608 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
01:21:45.0546 1608 atapi - ok
01:21:45.0750 1608 Atdisk - ok
01:21:45.0968 1608 atksgt (f9c24d25d9ff29f894995a64812b4d85) C:\WINDOWS\system32\DRIVERS\atksgt.sys
01:21:46.0343 1608 atksgt - ok
01:21:46.0593 1608 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:21:46.0734 1608 Atmarpc - ok
01:21:46.0984 1608 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
01:21:47.0109 1608 audstub - ok
01:21:47.0328 1608 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
01:21:47.0468 1608 Beep - ok
01:21:47.0687 1608 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
01:21:47.0828 1608 cbidf2k - ok
01:21:48.0046 1608 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
01:21:48.0187 1608 CCDECODE - ok
01:21:48.0375 1608 cd20xrnt - ok
01:21:48.0578 1608 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
01:21:48.0703 1608 Cdaudio - ok
01:21:48.0937 1608 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
01:21:49.0109 1608 Cdfs - ok
01:21:49.0343 1608 Cdrom (9527c0b54c7538c17970fa770bd8179d) C:\WINDOWS\system32\DRIVERS\cdrom.sys
01:21:49.0343 1608 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 9527c0b54c7538c17970fa770bd8179d, Fake md5: af9c19b3100fe010496b1a27181fbf72
01:21:49.0343 1608 Cdrom ( Rootkit.Win32.ZAccess.e ) - infected
01:21:49.0343 1608 Cdrom - detected Rootkit.Win32.ZAccess.e (0)
01:21:49.0500 1608 Changer - ok
01:21:50.0031 1608 cm102u32 (59e789cd92a1c8a5075f9bafd454a2e0) C:\WINDOWS\system32\drivers\c6501.sys
01:21:50.0687 1608 cm102u32 - ok
01:21:50.0843 1608 CmdIde - ok
01:21:50.0984 1608 Cpqarray - ok
01:21:51.0140 1608 dac2w2k - ok
01:21:51.0312 1608 dac960nt - ok
01:21:51.0515 1608 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
01:21:51.0671 1608 Disk - ok
01:21:52.0078 1608 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
01:21:52.0562 1608 dmboot - ok
01:21:52.0812 1608 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
01:21:52.0984 1608 dmio - ok
01:21:53.0218 1608 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
01:21:53.0343 1608 dmload - ok
01:21:53.0609 1608 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
01:21:53.0750 1608 DMusic - ok
01:21:53.0953 1608 dpti2o - ok
01:21:54.0109 1608 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
01:21:54.0234 1608 drmkaud - ok
01:21:54.0500 1608 dtsoftbus01 (fb38473835476a6fb272215a1d972af9) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
01:21:54.0578 1608 dtsoftbus01 - ok
01:21:54.0765 1608 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
01:21:54.0796 1608 dvd43llh ( UnsignedFile.Multi.Generic ) - warning
01:21:54.0796 1608 dvd43llh - detected UnsignedFile.Multi.Generic (1)
01:21:55.0046 1608 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
01:21:55.0203 1608 Fastfat - ok
01:21:55.0390 1608 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
01:21:55.0546 1608 Fdc - ok
01:21:55.0765 1608 FilterService (f83c0fd028dd37be4a337b138eba6b7b) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
01:21:55.0781 1608 FilterService - ok
01:21:56.0000 1608 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
01:21:56.0140 1608 Fips - ok
01:21:56.0390 1608 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
01:21:56.0515 1608 Flpydisk - ok
01:21:56.0765 1608 FltMgr (54fd90f0038f07920cb9fb6591bde82f) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
01:21:57.0171 1608 FltMgr - ok
01:21:57.0390 1608 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
01:21:57.0515 1608 Fs_Rec - ok
01:21:57.0765 1608 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
01:21:57.0921 1608 Ftdisk - ok
01:21:58.0125 1608 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
01:21:58.0140 1608 GEARAspiWDM - ok
01:21:58.0281 1608 gkmixern - ok
01:21:58.0531 1608 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
01:21:58.0656 1608 Gpc - ok
01:21:58.0843 1608 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
01:21:58.0859 1608 hamachi - ok
01:21:59.0078 1608 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
01:21:59.0187 1608 HidUsb - ok
01:21:59.0390 1608 hpn - ok
01:21:59.0593 1608 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
01:21:59.0812 1608 HPZid412 - ok
01:22:00.0046 1608 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
01:22:00.0109 1608 HPZipr12 - ok
01:22:00.0296 1608 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
01:22:00.0343 1608 HPZius12 - ok
01:22:00.0562 1608 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
01:22:00.0765 1608 HTTP - ok
01:22:00.0953 1608 i2omgmt - ok
01:22:01.0125 1608 i2omp - ok
01:22:01.0328 1608 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
01:22:01.0453 1608 i8042prt - ok
01:22:01.0703 1608 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
01:22:01.0843 1608 Imapi - ok
01:22:02.0000 1608 ini910u - ok
01:22:02.0171 1608 IntelIde - ok
01:22:02.0375 1608 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
01:22:02.0500 1608 Ip6Fw - ok
01:22:02.0718 1608 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:22:02.0843 1608 IpFilterDriver - ok
01:22:03.0078 1608 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:22:03.0203 1608 IpInIp - ok
01:22:03.0453 1608 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:22:03.0593 1608 IpNat - ok
01:22:03.0843 1608 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:22:03.0968 1608 IPSec - ok
01:22:04.0187 1608 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
01:22:04.0265 1608 IRENUM - ok
01:22:04.0515 1608 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:22:04.0625 1608 isapnp - ok
01:22:04.0875 1608 iviVD (7bd8ff29fecc1f4ef5b26ce3ffa80ae8) C:\WINDOWS\system32\DRIVERS\iviVD.sys
01:22:04.0906 1608 iviVD - ok
01:22:05.0156 1608 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:22:05.0265 1608 Kbdclass - ok
01:22:05.0500 1608 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
01:22:05.0625 1608 kbdhid - ok
01:22:05.0890 1608 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
01:22:06.0046 1608 kmixer - ok
01:22:06.0312 1608 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
01:22:06.0437 1608 KSecDD - ok
01:22:06.0625 1608 lbrtfdc - ok
01:22:06.0828 1608 LGBusEnum (170e7093a77ad586f3a012a3db651d94) C:\WINDOWS\system32\drivers\LGBusEnum.sys
01:22:06.0843 1608 LGBusEnum - ok
01:22:07.0031 1608 LGVirHid (d2dd04d1c8df65eecd1f2c7fb947d43e) C:\WINDOWS\system32\drivers\LGVirHid.sys
01:22:07.0046 1608 LGVirHid - ok
01:22:07.0218 1608 lirsgt (8ccf9ed46d52af1375875f74a91ffacf) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
01:22:07.0234 1608 lirsgt - ok
01:22:07.0562 1608 LVcKap (9ce361764c5dd5fa5506510fe5d2297b) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
01:22:07.0859 1608 LVcKap - ok
01:22:08.0031 1608 LVPr2Mon (94d03b31f36bb362fa5713470fcf1c79) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
01:22:08.0046 1608 LVPr2Mon - ok
01:22:08.0343 1608 LVRS (a198cd8a1c813d9ceba29a29d45fc94c) C:\WINDOWS\system32\DRIVERS\lvrs.sys
01:22:08.0625 1608 LVRS - ok
01:22:08.0781 1608 LVUSBSta (8b79a50360fc31df6b7b979b686b4aa2) C:\WINDOWS\system32\drivers\LVUSBSta.sys
01:22:08.0796 1608 LVUSBSta - ok
01:22:10.0015 1608 LVUVC (5c20c4be679842cbee729b0cff5928bd) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
01:22:12.0109 1608 LVUVC - ok
01:22:12.0343 1608 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
01:22:12.0453 1608 mnmdd - ok
01:22:12.0640 1608 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
01:22:12.0750 1608 Modem - ok
01:22:12.0984 1608 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:22:13.0109 1608 Mouclass - ok
01:22:13.0328 1608 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:22:13.0453 1608 mouhid - ok
01:22:13.0718 1608 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
01:22:13.0859 1608 MountMgr - ok
01:22:14.0046 1608 mraid35x - ok
01:22:14.0281 1608 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:22:14.0437 1608 MRxDAV - ok
01:22:14.0765 1608 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:22:14.0984 1608 MRxSmb - ok
01:22:15.0156 1608 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
01:22:15.0265 1608 Msfs - ok
01:22:15.0484 1608 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:22:15.0609 1608 MSKSSRV - ok
01:22:15.0843 1608 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:22:15.0968 1608 MSPCLOCK - ok
01:22:16.0203 1608 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
01:22:16.0312 1608 MSPQM - ok
01:22:16.0531 1608 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:22:16.0656 1608 mssmbios - ok
01:22:16.0890 1608 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
01:22:17.0015 1608 MSTEE - ok
01:22:17.0187 1608 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
01:22:17.0203 1608 MTsensor - ok
01:22:17.0468 1608 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
01:22:17.0609 1608 Mup - ok
01:22:17.0843 1608 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
01:22:17.0984 1608 NABTSFEC - ok
01:22:18.0250 1608 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
01:22:18.0421 1608 NDIS - ok
01:22:18.0656 1608 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
01:22:18.0765 1608 NdisIP - ok
01:22:18.0984 1608 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:22:19.0109 1608 NdisTapi - ok
01:22:19.0312 1608 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:22:19.0437 1608 Ndisuio - ok
01:22:19.0671 1608 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:22:19.0812 1608 NdisWan - ok
01:22:20.0062 1608 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
01:22:20.0187 1608 NDProxy - ok
01:22:20.0375 1608 Netaapl (1352e1648213551923a0a822e441553c) C:\WINDOWS\system32\DRIVERS\netaapl.sys
01:22:20.0421 1608 Netaapl - ok
01:22:20.0625 1608 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
01:22:20.0750 1608 NetBIOS - ok
01:22:21.0046 1608 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
01:22:21.0203 1608 NetBT - ok
01:22:21.0421 1608 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
01:22:21.0562 1608 NIC1394 - ok
01:22:21.0812 1608 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
01:22:21.0921 1608 Npfs - ok
01:22:22.0281 1608 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
01:22:22.0609 1608 Ntfs - ok
01:22:22.0828 1608 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
01:22:22.0921 1608 Null - ok
01:22:26.0015 1608 nv (4b54dcd6adee535df80f07c59ddd8f14) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
01:22:31.0734 1608 nv - ok
01:22:32.0000 1608 nvata (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvata.sys
01:22:32.0046 1608 nvata - ok
01:22:32.0218 1608 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
01:22:32.0281 1608 NVENETFD - ok
01:22:32.0453 1608 nvgts (ea98bfe4931bd13d747d647c1859796e) C:\WINDOWS\system32\DRIVERS\nvgts.sys
01:22:32.0500 1608 nvgts - ok
01:22:32.0656 1608 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
01:22:32.0687 1608 nvnetbus - ok
01:22:32.0937 1608 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:22:33.0046 1608 NwlnkFlt - ok
01:22:33.0265 1608 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:22:33.0406 1608 NwlnkFwd - ok
01:22:33.0656 1608 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
01:22:33.0781 1608 ohci1394 - ok
01:22:34.0046 1608 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
01:22:34.0171 1608 Parport - ok
01:22:34.0406 1608 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
01:22:34.0531 1608 PartMgr - ok
01:22:34.0765 1608 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
01:22:34.0875 1608 ParVdm - ok
01:22:35.0046 1608 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
01:22:35.0171 1608 PCI - ok
01:22:35.0375 1608 PCIDump - ok
01:22:35.0562 1608 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
01:22:35.0671 1608 PCIIde - ok
01:22:35.0937 1608 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
01:22:36.0093 1608 Pcmcia - ok
01:22:36.0281 1608 PDCOMP - ok
01:22:36.0406 1608 PDFRAME - ok
01:22:36.0546 1608 PDRELI - ok
01:22:36.0687 1608 PDRFRAME - ok
01:22:36.0859 1608 perc2 - ok
01:22:36.0984 1608 perc2hib - ok
01:22:37.0187 1608 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:22:37.0312 1608 PptpMiniport - ok
01:22:37.0546 1608 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
01:22:37.0671 1608 Processor - ok
01:22:37.0937 1608 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
01:22:38.0062 1608 PSched - ok
01:22:38.0296 1608 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:22:38.0406 1608 Ptilink - ok
01:22:38.0640 1608 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
01:22:38.0656 1608 PxHelp20 - ok
01:22:38.0796 1608 ql1080 - ok
01:22:38.0968 1608 Ql10wnt - ok
01:22:39.0156 1608 ql12160 - ok
01:22:39.0312 1608 ql1240 - ok
01:22:39.0484 1608 ql1280 - ok
01:22:39.0656 1608 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:22:39.0765 1608 RasAcd - ok
01:22:40.0015 1608 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:22:40.0140 1608 Rasl2tp - ok
01:22:40.0375 1608 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:22:40.0500 1608 RasPppoe - ok
01:22:40.0734 1608 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
01:22:40.0843 1608 Raspti - ok
01:22:41.0046 1608 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:22:41.0218 1608 Rdbss - ok
01:22:41.0437 1608 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:22:41.0546 1608 RDPCDD - ok
01:22:41.0828 1608 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
01:22:42.0000 1608 rdpdr - ok
01:22:42.0250 1608 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
01:22:42.0406 1608 RDPWD - ok
01:22:42.0640 1608 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
01:22:42.0765 1608 redbook - ok
01:22:42.0953 1608 Secdrv (4e7c4709aab1f24e8fe1763ddbffb93d) C:\WINDOWS\system32\DRIVERS\secdrv.sys
01:22:42.0968 1608 Secdrv ( UnsignedFile.Multi.Generic ) - warning
01:22:42.0968 1608 Secdrv - detected UnsignedFile.Multi.Generic (1)
01:22:43.0171 1608 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
01:22:43.0296 1608 serenum - ok
01:22:43.0500 1608 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
01:22:43.0640 1608 Serial - ok
01:22:43.0890 1608 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
01:22:44.0031 1608 Sfloppy - ok
01:22:44.0203 1608 Simbad - ok
01:22:44.0406 1608 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
01:22:44.0515 1608 SLIP - ok
01:22:44.0734 1608 Sparrow - ok
01:22:44.0937 1608 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
01:22:45.0046 1608 splitter - ok
01:22:45.0390 1608 sptd (f42efefb765235f24b24e1d2b6f99f46) C:\WINDOWS\System32\Drivers\sptd.sys
01:22:45.0546 1608 sptd - ok
01:22:45.0703 1608 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
01:22:45.0812 1608 sr - ok
01:22:46.0109 1608 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
01:22:46.0265 1608 Srv - ok
01:22:46.0515 1608 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
01:22:46.0625 1608 streamip - ok
01:22:46.0859 1608 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
01:22:46.0968 1608 swenum - ok
01:22:47.0218 1608 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
01:22:47.0343 1608 swmidi - ok
01:22:47.0546 1608 symc810 - ok
01:22:47.0703 1608 symc8xx - ok
01:22:47.0875 1608 sym_hi - ok
01:22:48.0062 1608 sym_u3 - ok
01:22:48.0265 1608 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
01:22:48.0390 1608 sysaudio - ok
01:22:48.0687 1608 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
01:22:48.0890 1608 Tcpip - ok
01:22:49.0125 1608 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
01:22:49.0250 1608 TDPIPE - ok
01:22:49.0468 1608 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
01:22:49.0593 1608 TDTCP - ok
01:22:49.0843 1608 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
01:22:49.0953 1608 TermDD - ok
01:22:50.0187 1608 TosIde - ok
01:22:50.0390 1608 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
01:22:50.0515 1608 Udfs - ok
01:22:50.0718 1608 ultra - ok
01:22:50.0953 1608 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
01:22:51.0125 1608 Update - ok
01:22:51.0375 1608 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
01:22:51.0437 1608 USBAAPL - ok
01:22:51.0625 1608 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
01:22:51.0750 1608 usbaudio - ok
01:22:51.0984 1608 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
01:22:52.0093 1608 usbccgp - ok
01:22:52.0328 1608 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
01:22:52.0437 1608 usbehci - ok
01:22:52.0671 1608 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
01:22:52.0812 1608 usbhub - ok
01:22:53.0046 1608 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
01:22:53.0156 1608 usbohci - ok
01:22:53.0375 1608 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
01:22:53.0484 1608 usbprint - ok
01:22:53.0703 1608 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
01:22:53.0812 1608 usbscan - ok
01:22:54.0015 1608 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:22:54.0140 1608 USBSTOR - ok
01:22:54.0390 1608 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
01:22:54.0515 1608 usbvideo - ok
01:22:54.0765 1608 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
01:22:54.0875 1608 VgaSave - ok
01:22:55.0062 1608 ViaIde - ok
01:22:55.0281 1608 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
01:22:55.0390 1608 VolSnap - ok
01:22:55.0640 1608 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
01:22:55.0750 1608 Wanarp - ok
01:22:56.0093 1608 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
01:22:56.0265 1608 Wdf01000 - ok
01:22:56.0390 1608 WDICA - ok
01:22:56.0562 1608 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
01:22:56.0687 1608 wdmaud - ok
01:22:57.0000 1608 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
01:22:57.0109 1608 WSTCODEC - ok
01:22:57.0171 1608 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
01:22:57.0484 1608 \Device\Harddisk0\DR0 - ok
01:22:57.0515 1608 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR1
01:22:58.0640 1608 \Device\Harddisk1\DR1 - ok
01:22:58.0640 1608 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk2\DR6
01:22:58.0734 1608 \Device\Harddisk2\DR6 - ok
01:22:58.0750 1608 Boot (0x1200) (be3a84b61e2ed3df89e571b920273e3a) \Device\Harddisk0\DR0\Partition0
01:22:58.0750 1608 \Device\Harddisk0\DR0\Partition0 - ok
01:22:58.0750 1608 Boot (0x1200) (255abb81de2a874091e701ca15e94465) \Device\Harddisk1\DR1\Partition0
01:22:58.0750 1608 \Device\Harddisk1\DR1\Partition0 - ok
01:22:58.0765 1608 Boot (0x1200) (1ad4818c1d1ce05468b767d723f13ff2) \Device\Harddisk2\DR6\Partition0
01:22:58.0765 1608 \Device\Harddisk2\DR6\Partition0 - ok
01:22:58.0765 1608 ============================================================
01:22:58.0765 1608 Scan finished
01:22:58.0765 1608 ============================================================
01:22:58.0890 1448 Detected object count: 4
01:22:58.0890 1448 Actual detected object count: 4
01:23:35.0906 1448 HKLM\SYSTEM\ControlSet011\services\6704923e - will be deleted on reboot
01:23:35.0921 1448 HKLM\SYSTEM\ControlSet012\services\6704923e - will be deleted on reboot
01:23:35.0937 1448 C:\WINDOWS\1049756775:2566614465.exe - will be deleted on reboot
01:23:35.0937 1448 6704923e ( Rootkit.Win32.PMax.gen ) - User select action: Delete
01:23:36.0312 1448 Backup copy found, using it..
01:23:36.0359 1448 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
01:23:46.0375 1448 C:\WINDOWS\system32\c_88891.nls - will be deleted on reboot
01:23:46.0578 1448 C:\WINDOWS\system32\c_88891.nl_ - will be deleted on reboot
01:23:49.0203 1448 Cdrom ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
01:23:49.0203 1448 dvd43llh ( UnsignedFile.Multi.Generic ) - skipped by user
01:23:49.0203 1448 dvd43llh ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:23:49.0203 1448 Secdrv ( UnsignedFile.Multi.Generic ) - skipped by user
01:23:49.0203 1448 Secdrv ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:24:32.0656 0560 Deinitialize success


Running in safe mode the entire time.


Trying ComboFix again because I'm guessing it didn't create the log file because I closed it prematurely. Will leave it running overnight and post it in the morning, provided it finishes what it's doing (it's been stuck saying "completed stage 50" since I re-ran it).



ComboFix 11-11-25.01 - Li Mclaren 11/26/2011 2:29.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1604 [GMT 10:00]
Running from: c:\documents and settings\Li Mclaren\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{26903F7F-BC5C-4BAA-A401-E235B93EAA5C}\RP1366\A0603145.exe
.
Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{26903F7F-BC5C-4BAA-A401-E235B93EAA5C}\RP1366\A0603145.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{26903F7F-BC5C-4BAA-A401-E235B93EAA5C}\RP1366\A0603146.exe
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))
.
.
2011-11-23 05:01 . 2011-11-23 05:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-11-23 04:25 . 2011-11-23 04:25 -------- d-----w- c:\program files\MSXML 6.0
2011-11-23 04:21 . 2011-11-23 04:21 -------- d-----w- c:\windows\ServicePackFiles
2011-11-23 03:56 . 2011-11-23 04:02 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-11-23 03:52 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-11-23 03:22 . 2011-11-23 03:22 -------- d-----w- c:\program files\MSXML 4.0
2011-11-23 03:07 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-11-23 03:07 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-11-23 03:03 . 2011-11-23 03:03 -------- d-----w- c:\documents and settings\Li Mclaren\Local Settings\Application Data\PCHealth
2011-11-23 02:38 . 2011-11-23 02:38 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-11-23 02:38 . 2011-11-23 02:38 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-11-23 02:38 . 2011-11-23 02:38 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-11-23 02:38 . 2011-11-23 02:38 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-11-23 02:38 . 2011-11-23 02:38 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-11-23 02:38 . 2011-11-23 02:38 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-11-23 02:38 . 2011-11-23 02:38 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-11-23 02:37 . 2011-11-23 02:38 -------- d-----w- c:\program files\QuickTime
2011-11-23 02:19 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-11-23 02:18 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-11-23 02:18 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-11-23 02:18 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-11-23 02:18 . 2011-11-23 04:31 -------- d--h--w- c:\windows\$hf_mig$
2011-11-23 02:09 . 2009-08-06 09:24 44768 ----a-w- c:\windows\system32\wups2.dll
2011-11-23 02:09 . 2009-08-06 09:24 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-11-23 02:09 . 2009-08-06 09:24 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-11-23 02:09 . 2009-08-06 09:24 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-11-23 02:09 . 2009-08-06 09:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-11-22 17:30 . 2011-11-22 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-11-17 01:10 . 2011-11-17 01:17 -------- d-----w- C:\fixwareout
2011-11-16 13:59 . 2011-11-23 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-11-16 13:59 . 2011-11-16 13:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-16 13:05 . 2011-11-16 13:05 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-11-16 13:04 . 2011-11-16 13:05 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-11-16 09:55 . 2011-11-16 09:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Conduit
2011-11-16 09:55 . 2011-11-22 12:53 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Vuze_Remote
2011-11-16 09:51 . 2011-11-16 09:51 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-11-16 09:37 . 2011-11-16 09:37 -------- d-----w- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Xilisoft
2011-11-16 09:37 . 2011-11-16 09:37 -------- d-----w- c:\documents and settings\Li Mclaren\Application Data\Xilisoft
2011-11-16 09:36 . 2011-11-16 09:36 -------- d-----w- c:\program files\Xilisoft
2011-11-16 09:36 . 2011-11-16 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Xilisoft
2011-11-11 03:26 . 2008-07-29 03:33 446464 ----a-w- c:\windows\system32\nvunrm.exe
2011-11-11 03:26 . 2008-07-07 15:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2011-11-10 15:50 . 2011-11-11 03:39 -------- d-----w- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Skyrim
2011-11-10 15:17 . 2011-11-10 15:17 -------- d-----w- C:\Phoenix
2011-11-10 15:02 . 2011-11-10 15:02 -------- d-----w- c:\documents and settings\Li Mclaren\Local Settings\Application Data\DownloadHQ
2011-11-09 21:05 . 2011-11-23 04:09 -------- d-----w- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Akamai
2011-11-06 14:45 . 2011-11-06 14:45 -------- d-----w- c:\documents and settings\Li Mclaren\Application Data\Need for Speed World
2011-11-06 07:04 . 2011-11-06 07:04 -------- d-----w- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Electronic_Arts_Inc
2011-11-04 07:13 . 2011-11-04 07:13 -------- d-----w- c:\documents and settings\Li Mclaren\Application Data\fltk.org
2011-10-31 06:08 . 2011-11-04 05:15 -------- d-----w- c:\documents and settings\Li Mclaren\Application Data\Bioshock2
2011-10-31 06:01 . 2011-10-31 06:01 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
2011-10-31 05:57 . 2011-10-31 05:57 -------- d-----w- C:\36f5d95dd494e0d6b19797aabde1de
2011-10-31 05:52 . 2011-10-31 05:53 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2011-10-29 02:17 . 2011-10-29 02:17 -------- d-----w- c:\documents and settings\Li Mclaren\Application Data\PunkBuster
2011-10-29 02:00 . 2011-11-17 00:21 -------- d-----w- c:\documents and settings\Li Mclaren\Application Data\DAEMON Tools Lite
2011-10-29 02:00 . 2011-10-29 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2011-10-29 01:53 . 2009-11-23 07:37 14856 ----a-w- c:\windows\system32\drivers\LGVirHid.sys
2011-10-28 11:49 . 2011-10-31 16:20 -------- d-----w- c:\program files\PowerISO
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 15:25 . 2004-08-04 02:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-20 15:35 . 2007-11-29 00:31 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-11-12 16:12 . 2007-11-29 00:31 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-11-12 16:12 . 2007-11-29 00:31 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-10-28 09:50 . 2007-10-26 11:56 428088 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-10-24 04:29 . 2011-10-24 04:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 04:29 . 2011-10-24 04:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-08 04:50 . 2011-10-19 09:15 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-10-08 04:50 . 2011-10-19 09:13 65536 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-08 04:50 . 2011-10-19 09:13 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-10-08 04:50 . 2011-10-19 09:13 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-10-08 04:50 . 2011-10-19 09:13 5595136 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-08 04:50 . 2011-10-19 09:13 2398016 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-08 04:50 . 2011-10-19 09:13 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-08 04:50 . 2011-10-19 09:13 17240064 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-08 04:50 . 2007-09-16 15:07 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-10-08 04:50 . 2007-09-16 15:07 4226688 ----a-w- c:\windows\system32\nv4_disp.dll
2011-10-08 04:50 . 2007-09-16 15:07 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2011-10-08 04:50 . 2007-09-16 15:07 2449408 ----a-w- c:\windows\system32\nvapi.dll
2011-10-08 04:50 . 2007-09-16 15:07 220992 ----a-w- c:\windows\system32\nvcolor.exe
2011-10-08 04:50 . 2007-09-16 15:07 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-08 04:50 . 2007-09-16 15:07 17956864 ----a-w- c:\windows\system32\nvoglnt.dll
2011-10-08 04:50 . 2007-09-16 15:07 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-08 04:50 . 2007-09-16 15:07 12791488 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-08-30 13:05 . 2011-08-30 13:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 13:05 . 2011-08-30 13:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 13:05 . 2011-08-30 13:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-30 13:05 . 2011-08-30 13:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-02 1809992]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIANgBGAEUAOQAtAEYARgBQADYANAAtAFQAOAA0AE0AUgAtAE8ARwBXAFQAVgAtADcARQBNAEIAUgA&inst=NwA2AC0ANQAwADkAOAAxADcAMwA5ADAALQBEADMAOAAxAEwAKwA1AC0AWABPADMANgArADEALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC0ARABEAFQAKwAyADUAOQA2ADEALQBJADkAMAArADEALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAA&prod=52&ver=9.0.894" [?]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-29 11:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2008-11-17 07:50 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-05 14:40 133104 ----atw- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 08:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-02-13 02:02 564496 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-02-13 02:06 2196240 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-10-08 04:50 16744256 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-10-08 04:50 203072 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 04:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 02:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"LicCtrlService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\retrotorque23\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\youdontknowwhoi_am@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Activision\\Prototype\\prototypef.exe"=
"c:\\Program Files\\Steam\\steamapps\\limac25\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Orcs Must Die!\\Build\\release\\OrcsMustDie.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"h:\\Games\\Bioshock 2\\SP\\Builds\\Binaries\\Bioshock2.exe"=
"h:\\Games\\Bioshock 2\\MP\\Builds\\Binaries\\Bioshock2.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Documents and Settings\\Li Mclaren\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\DTLite.exe"=
"c:\\Documents and Settings\\Li Mclaren\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Logitech\\GamePanel Software\\Applets\\LCDRSS.exe"=
"c:\\Program Files\\Xilisoft\\AVI to DVD Converter 6\\dvdcreator.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65241:TCP"= 65241:TCP:65241
"6112:TCP"= 6112:TCP:Warcraft
"56899:TCP"= 56899:TCP:Pando Media Booster
"56899:UDP"= 56899:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3389:UDP"= 3389:UDP:RDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [11/16/2011 11:05 PM 239168]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.Net\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [10/19/2011 7:15 PM 2253120]
S3 gkmixern;gkmixern;\??\c:\docume~1\LIMCLA~1\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\LIMCLA~1\LOCALS~1\Temp\gkmixern.sys [?]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [10/29/2011 11:53 AM 14856]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [7/10/2011 5:44 PM 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.Net\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [6/19/2008 3:15 PM 2560]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 73790670
*Deregistered* - 73790670
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 02:34]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-682003330-839522115-1003Core.job
- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 14:40]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-682003330-839522115-1003UA.job
- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 14:40]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
TCP: DhcpNameServer = 192.168.1.254
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{a5ae8924-4036-420f-b7f6-a47e4b8f692e} - c:\program files\Free_Lunch_Design_TB\prxtbFree.dll
BHO-{a5ae8924-4036-420f-b7f6-a47e4b8f692e} - c:\program files\Free_Lunch_Design_TB\prxtbFree.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-{a5ae8924-4036-420f-b7f6-a47e4b8f692e} - c:\program files\Free_Lunch_Design_TB\prxtbFree.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{A5AE8924-4036-420F-B7F6-A47E4B8F692E} - c:\program files\Free_Lunch_Design_TB\prxtbFree.dll
Notify-NavLogon - (no file)
SafeBoot-97747194.sys
MSConfigStartUp-C6501Sound - c6501.cpl
MSConfigStartUp-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
MSConfigStartUp-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-26 03:11
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-682003330-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:4f,ee,6c,d6,60,2e,74,19,47,68,23,cd,5c,01,85,92,10,c0,e5,be,9b,51,38,
8e,b7,bf,40,a8,95,0b,07,9a,0f,7a,3c,5a,ef,c0,06,9e,94,82,04,91,37,04,d6,46,\
"??"=hex:64,58,f5,de,59,f5,e6,fa,79,79,f1,53,39,10,e3,97
.
[HKEY_USERS\S-1-5-21-1645522239-682003330-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:a7,4e,ae,42,e4,c0,d5,86,b8,c3,cd,b6,6e,ee,a6,aa,35,60,73,00,88,
44,c5,1d,11,25,4e,83,d4,e0,12,de,77,bb,72,2e,9a,85,75,9a,a1,7a,ab,55,25,32,\
"rkeysecu"=hex:53,85,d1,34,67,2c,6e,e4,02,9a,ad,ce,8b,64,5d,d8
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \04F7528984592EA0]
"1"=hex:d5,3e,50,00,82,25,c9,f6,dd,f6,18,c9,99,5b,70,06,b4,b6,07,c1,1b,95,01,
2f
"2"=hex:e4,d7,da,38,b0,b5,3c,88,a2,01,5f,80,71,fc,07,41,22,5f,c1,26,5d,01,8c,
86
"3"=hex:d5,3e,50,00,82,25,c9,f6,dd,f6,18,c9,99,5b,70,06,53,86,fb,a3,af,c0,18,
8b,f9,e5,ef,ce,f2,5f,47,59,1f,2b,25,f6,12,48,81,74
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \04F7528984592EA0\FD1E79A92259B5BC6F3673C7C70B3F80]
"1"=hex:a0,05,e5,14,70,56,59,19,19,f2,d5,d0,45,ea,42,c8,7b,0e,8f,12,8d,fe,0d,
89,e7,25,77,a8,98,63,f3,0c
"2"=hex:14,ce,87,8d,79,74,ee,b2
"3"=hex:1d,5c,da,c6,17,51,7b,e4,5b,de,25,fd,b5,a6,0c,bb,c1,b3,26,48,b5,e2,95,
36,09,17,fa,61,8f,dc,23,7a,d3,9d,a9,6b,cd,cb,28,32,4e,53,02,50,2c,3c,ac,ec,\
"4"=hex:bd,75,77,15,24,56,01,85
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:c9,3a,93,65,d5,aa,5c,a5,af,ff,f0,6c,ea,dc,3b,16,d5,46,14,1e,de,21,e3,
92,cf,d2,a7,a7,d7,a8,3c,60,6f,1e,ad,24,4c,e4,b3,35,f5,88,93,81,10,50,6e,57,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,d5,51,9f,32,fb,06,fa,
8c,e8,22,fe,5a,96,f6,72,ff,b7,d3,87,b3,8d,54,9f,32,5f,3a,e2,a1,97,10,45,b9,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:c7,b0,18,85,7b,39,96,ed
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1000)
c:\windows\system32\msi.dll
.
Completion time: 2011-11-26 03:15:14
ComboFix-quarantined-files.txt 2011-11-25 17:14
.
Pre-Run: 981,561,344 bytes free
Post-Run: 3,410,935,808 bytes free
.
- - End Of File - - 0CB005E6D8748A6B06D49B5FBF950335


Anyway, there it is (finished quicker than I thought it would).

Edited by limac, 25 November 2011 - 11:24 AM.
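Two things in the TDSSKiller output above are worth reading closely. The path `C:\WINDOWS\1049756775:2566614465.exe` has a second colon after the drive letter's, which is NTFS syntax for an alternate data stream attached to the `C:\WINDOWS` directory; neither Explorer nor `dir` lists streams, which is why the process in the first post appeared to have a name like "digits:digits.exe". And `UnsignedFile.Multi.Generic` is only TDSSKiller's flag for a driver without a valid signature, not a malware verdict, so the two drivers skipped by the user are a different class of finding from the two `Rootkit.*` verdicts. The following Python is an added example, not code from the original post or from Kaspersky's tool: it parses the detection and "will be ... on reboot" lines of a TDSSKiller log and lists what a helper would verify after the reboot. The sample log is copied from the lines posted above; the verdict-family prefixes and the follow-up rules are this example's own assumptions.

```python
"""Triage the detection/action section of a Kaspersky TDSSKiller log."""
import re

# Constructed sample: lines copied from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
01:22:58.0890 1448 Detected object count: 4
01:23:35.0906 1448 HKLM\SYSTEM\ControlSet011\services\6704923e - will be deleted on reboot
01:23:35.0937 1448 C:\WINDOWS\1049756775:2566614465.exe - will be deleted on reboot
01:23:35.0937 1448 6704923e ( Rootkit.Win32.PMax.gen ) - User select action: Delete
01:23:36.0312 1448 Backup copy found, using it..
01:23:36.0359 1448 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
01:23:46.0375 1448 C:\WINDOWS\system32\c_88891.nls - will be deleted on reboot
01:23:49.0203 1448 Cdrom ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
01:23:49.0203 1448 dvd43llh ( UnsignedFile.Multi.Generic ) - skipped by user
01:23:49.0203 1448 dvd43llh ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

# Every TDSSKiller line starts with a timestamp and a thread id.
PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<msg>.*)$")
PENDING = re.compile(r"^(?P<target>.+?) - will be (?P<action>deleted|cured) on reboot$")
VERDICT = re.compile(
    r"^(?P<obj>\S+) \( (?P<verdict>[^)]+) \) - User select action: (?P<choice>\w+)$"
)

# Assumed grouping: prefixes TDSSKiller uses for confirmed malware, versus the
# generic "unsigned driver" heuristic that also fires on legitimate drivers.
MALWARE_PREFIXES = ("Rootkit.", "Trojan.", "Backdoor.", "Virus.")
HEURISTIC = "UnsignedFile.Multi.Generic"


def classify_target(target: str) -> str:
    """Registry key, NTFS alternate data stream, or ordinary file path."""
    if target.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")):
        return "registry"
    # A second colon after "C:" means the target is a named stream attached
    # to the file or directory before it (here the C:\WINDOWS directory).
    if len(target) > 2 and target[1] == ":" and ":" in target[2:]:
        return "ads"
    return "file"


def classify_verdict(verdict: str) -> str:
    if verdict.startswith(MALWARE_PREFIXES):
        return "malware"
    if verdict == HEURISTIC:
        return "unsigned-driver"
    return "other"


def triage(log_text: str) -> dict:
    """Collect reboot-pending actions and user verdict choices from the log."""
    pending, verdicts = [], []
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        p = PENDING.match(msg)
        if p:
            pending.append({"target": p["target"], "action": p["action"],
                            "kind": classify_target(p["target"])})
            continue
        v = VERDICT.match(msg)
        if v:
            verdicts.append({"object": v["obj"], "verdict": v["verdict"],
                             "family": classify_verdict(v["verdict"]),
                             "choice": v["choice"]})
    return {"pending": pending, "verdicts": verdicts}


def needs_follow_up(report: dict) -> list:
    """What to confirm after reboot: the ADS carrier is gone, cured system
    files hash like a clean copy, and no malware verdict was left unhandled."""
    notes = []
    for p in report["pending"]:
        if p["kind"] == "ads":
            notes.append(f"confirm ADS removed: {p['target']}")
        elif p["action"] == "cured":
            notes.append(f"re-hash cured file against a clean copy: {p['target']}")
    for v in report["verdicts"]:
        if v["family"] == "malware" and v["choice"] not in ("Delete", "Cure"):
            notes.append(f"malware verdict not acted on: {v['object']}")
    return notes


if __name__ == "__main__":
    for note in needs_follow_up(triage(SAMPLE_LOG)):
        print(note)
```

Run against the sample, the script reports the ADS carrier under `C:\WINDOWS` and the cured `cdrom.sys` as the two items to re-check; the later normal-mode scan in this thread shows `cdrom.sys` with a different MD5 than the infected one, which is the kind of comparison the "re-hash" note asks for.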


#4 Gammo

Posted 25 November 2011 - 12:10 PM

Our tools are designed to run in the normal boot mode. They actually run worse in safe mode.

Please rerun TDSSKiller and ComboFix, but run them in 'normal mode' this time. Post the resulting logs in your next reply.

Edited by Gammo, 25 November 2011 - 12:12 PM.


Please post the final results, good or bad. We like to know!


#5 limac (Topic Starter)

Posted 25 November 2011 - 12:29 PM

>< OK, I might do it tomorrow though.

4:30 am here in Aus.

Thanks all the same however =D

#6 limac (Topic Starter)

Posted 25 November 2011 - 08:19 PM

12:17:15.0296 3580 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
12:17:16.0203 3580 ============================================================
12:17:16.0203 3580 Current date / time: 2011/11/26 12:17:16.0203
12:17:16.0203 3580 SystemInfo:
12:17:16.0203 3580
12:17:16.0203 3580 OS Version: 5.1.2600 ServicePack: 2.0
12:17:16.0203 3580 Product type: Workstation
12:17:16.0203 3580 ComputerName: LI
12:17:16.0203 3580 UserName: Li Mclaren
12:17:16.0203 3580 Windows directory: C:\WINDOWS
12:17:16.0203 3580 System windows directory: C:\WINDOWS
12:17:16.0203 3580 Processor architecture: Intel x86
12:17:16.0203 3580 Number of processors: 2
12:17:16.0203 3580 Page size: 0x1000
12:17:16.0203 3580 Boot type: Normal boot
12:17:16.0203 3580 ============================================================
12:17:16.0875 3580 Initialize success
12:17:22.0453 3620 ============================================================
12:17:22.0453 3620 Scan started
12:17:22.0453 3620 Mode: Manual; SigCheck; TDLFS;
12:17:22.0453 3620 ============================================================
12:17:22.0750 3620 Abiosdsk - ok
12:17:22.0750 3620 abp480n5 - ok
12:17:22.0812 3620 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:17:23.0031 3620 ACPI - ok
12:17:23.0109 3620 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:17:23.0250 3620 ACPIEC - ok
12:17:23.0281 3620 adfs - ok
12:17:23.0296 3620 adpu160m - ok
12:17:23.0328 3620 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
12:17:23.0468 3620 aec - ok
12:17:23.0531 3620 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
12:17:23.0546 3620 AFD - ok
12:17:23.0562 3620 Aha154x - ok
12:17:23.0578 3620 aic78u2 - ok
12:17:23.0593 3620 aic78xx - ok
12:17:23.0625 3620 AliIde - ok
12:17:23.0656 3620 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
12:17:23.0687 3620 AmdK8 - ok
12:17:23.0703 3620 amsint - ok
12:17:23.0750 3620 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
12:17:23.0875 3620 Arp1394 - ok
12:17:23.0906 3620 asc - ok
12:17:23.0921 3620 asc3350p - ok
12:17:23.0937 3620 asc3550 - ok
12:17:23.0984 3620 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:17:24.0109 3620 AsyncMac - ok
12:17:24.0187 3620 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:17:24.0328 3620 atapi - ok
12:17:24.0375 3620 Atdisk - ok
12:17:24.0421 3620 atksgt (f9c24d25d9ff29f894995a64812b4d85) C:\WINDOWS\system32\DRIVERS\atksgt.sys
12:17:24.0515 3620 atksgt - ok
12:17:24.0609 3620 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:17:24.0750 3620 Atmarpc - ok
12:17:24.0781 3620 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:17:24.0906 3620 audstub - ok
12:17:24.0906 3620 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:17:25.0062 3620 Beep - ok
12:17:25.0171 3620 catchme - ok
12:17:25.0218 3620 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:17:25.0343 3620 cbidf2k - ok
12:17:25.0390 3620 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
12:17:25.0531 3620 CCDECODE - ok
12:17:25.0546 3620 cd20xrnt - ok
12:17:25.0562 3620 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:17:25.0687 3620 Cdaudio - ok
12:17:25.0750 3620 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
12:17:49.0234 3620 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:17:49.0421 3620 \Device\Harddisk0\DR0 - ok
12:17:49.0437 3620 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR1
12:17:50.0343 3620 \Device\Harddisk1\DR1 - ok
12:17:50.0343 3620 Boot (0x1200) (be3a84b61e2ed3df89e571b920273e3a) \Device\Harddisk0\DR0\Partition0
12:17:50.0343 3620 \Device\Harddisk0\DR0\Partition0 - ok
12:17:50.0375 3620 Boot (0x1200) (c55f9ed1a422f99e8da527656e1f2829) \Device\Harddisk1\DR1\Partition0
12:17:50.0375 3620 \Device\Harddisk1\DR1\Partition0 - ok
12:17:50.0375 3620 ============================================================
12:17:50.0375 3620 Scan finished
12:17:50.0375 3620 ============================================================
12:17:50.0484 3612 Detected object count: 3
12:17:50.0484 3612 Actual detected object count: 3
12:17:55.0265 3612 dvd43llh ( UnsignedFile.Multi.Generic ) - skipped by user
12:17:55.0265 3612 dvd43llh ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:17:55.0265 3612 Secdrv ( UnsignedFile.Multi.Generic ) - skipped by user
12:17:55.0265 3612 Secdrv ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:17:55.0281 3612 sptd ( LockedFile.Multi.Generic ) - skipped by user
12:17:55.0281 3612 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
12:17:57.0578 3576 Deinitialize success


ComboFix 11-11-25.02 - Li Mclaren 11/26/2011 4:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1499 [GMT 10:00]
Running from: c:\documents and settings\Li Mclaren\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\
.
.
((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-25_17.11.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 04:56 . 2004-08-04 04:56 138240 c:\windows\system32\dllcache\mqad.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 251392 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 04:56 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 205312 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 357888 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 04:56 . 2004-08-04 04:56 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 151040 c:\windows\system32\dllcache\cdfview.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 151040 c:\windows\system32\cdfview.dll
- 2004-08-04 04:56 . 2009-11-27 17:33 1291264 c:\windows\system32\quartz.dll
+ 2004-08-04 04:56 . 2010-02-05 18:40 1291264 c:\windows\system32\quartz.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 1506304 c:\windows\system32\dllcache\shdocvw.dll
+ 2004-08-04 04:56 . 2010-02-05 18:40 1291264 c:\windows\system32\dllcache\quartz.dll
- 2004-08-04 04:56 . 2009-11-27 17:33 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 3065344 c:\windows\system32\dllcache\mshtml.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 1054208 c:\windows\system32\dllcache\danim.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 1023488 c:\windows\system32\dllcache\browseui.dll
+ 2004-08-04 04:56 . 2010-04-16 15:36 1054208 c:\windows\system32\danim.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-02 1809992]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIANgBGAEUAOQAtAEYARgBQADYANAAtAFQAOAA0AE0AUgAtAE8ARwBXAFQAVgAtADcARQBNAEIAUgA&inst=NwA2AC0ANQAwADkAOAAxADcAMwA5ADAALQBEADMAOAAxAEwAKwA1AC0AWABPADMANgArADEALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC0ARABEAFQAKwAyADUAOQA2ADEALQBJADkAMAArADEALQBEAEQAOQAwACsAMQAtAFMAVAA5ADAAQQBQAFAAKwAxAA&prod=52&ver=9.0.894" [?]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-29 11:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-26 21:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-11-10 09:17 3514176 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2008-11-17 07:50 827904 ----a-w- c:\program files\dvd43\DVD43_Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-05 14:40 133104 ----atw- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 08:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-02-13 02:02 564496 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-02-13 02:06 2196240 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-10-08 04:50 16744256 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-10-08 04:50 203072 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-10-08 04:50 1632360 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 04:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 05:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 02:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVCOMSer"=2 (0x2)
"LicCtrlService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\retrotorque23\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\youdontknowwhoi_am@hotmail.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Activision\\Prototype\\prototypef.exe"=
"c:\\Program Files\\Steam\\steamapps\\limac25\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Orcs Must Die!\\Build\\release\\OrcsMustDie.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"h:\\Games\\Bioshock 2\\SP\\Builds\\Binaries\\Bioshock2.exe"=
"h:\\Games\\Bioshock 2\\MP\\Builds\\Binaries\\Bioshock2.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Documents and Settings\\Li Mclaren\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\DTLite.exe"=
"c:\\Documents and Settings\\Li Mclaren\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Logitech\\GamePanel Software\\Applets\\LCDRSS.exe"=
"c:\\Program Files\\Xilisoft\\AVI to DVD Converter 6\\dvdcreator.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65241:TCP"= 65241:TCP:65241
"6112:TCP"= 6112:TCP:Warcraft
"56899:TCP"= 56899:TCP:Pando Media Booster
"56899:UDP"= 56899:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3389:UDP"= 3389:UDP:RDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [10/19/2011 7:15 PM 2253120]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [11/16/2011 11:05 PM 239168]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [10/29/2011 11:53 AM 14856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.Net\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 gkmixern;gkmixern;\??\c:\docume~1\LIMCLA~1\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\LIMCLA~1\LOCALS~1\Temp\gkmixern.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [7/10/2011 5:44 PM 18432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.Net\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [6/19/2008 3:15 PM 2560]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 58368490
*Deregistered* - 58368490
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 02:34]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-682003330-839522115-1003Core.job
- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 14:40]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-682003330-839522115-1003UA.job
- c:\documents and settings\Li Mclaren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 14:40]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
TCP: DhcpNameServer = 192.168.1.254
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-26 04:51
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-682003330-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:4f,ee,6c,d6,60,2e,74,19,47,68,23,cd,5c,01,85,92,10,c0,e5,be,9b,51,38,
8e,b7,bf,40,a8,95,0b,07,9a,0f,7a,3c,5a,ef,c0,06,9e,94,82,04,91,37,04,d6,46,\
"??"=hex:64,58,f5,de,59,f5,e6,fa,79,79,f1,53,39,10,e3,97
.
[HKEY_USERS\S-1-5-21-1645522239-682003330-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:a7,4e,ae,42,e4,c0,d5,86,b8,c3,cd,b6,6e,ee,a6,aa,35,60,73,00,88,
44,c5,1d,11,25,4e,83,d4,e0,12,de,77,bb,72,2e,9a,85,75,9a,a1,7a,ab,55,25,32,\
"rkeysecu"=hex:53,85,d1,34,67,2c,6e,e4,02,9a,ad,ce,8b,64,5d,d8
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \04F7528984592EA0]
"1"=hex:d5,3e,50,00,82,25,c9,f6,dd,f6,18,c9,99,5b,70,06,b4,b6,07,c1,1b,95,01,
2f
"2"=hex:e4,d7,da,38,b0,b5,3c,88,a2,01,5f,80,71,fc,07,41,22,5f,c1,26,5d,01,8c,
86
"3"=hex:d5,3e,50,00,82,25,c9,f6,dd,f6,18,c9,99,5b,70,06,53,86,fb,a3,af,c0,18,
8b,f9,e5,ef,ce,f2,5f,47,59,1f,2b,25,f6,12,48,81,74
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \04F7528984592EA0\FD1E79A92259B5BC6F3673C7C70B3F80]
"1"=hex:a0,05,e5,14,70,56,59,19,19,f2,d5,d0,45,ea,42,c8,7b,0e,8f,12,8d,fe,0d,
89,e7,25,77,a8,98,63,f3,0c
"2"=hex:14,ce,87,8d,79,74,ee,b2
"3"=hex:1d,5c,da,c6,17,51,7b,e4,5b,de,25,fd,b5,a6,0c,bb,c1,b3,26,48,b5,e2,95,
36,09,17,fa,61,8f,dc,23,7a,d3,9d,a9,6b,cd,cb,28,32,4e,53,02,50,2c,3c,ac,ec,\
"4"=hex:bd,75,77,15,24,56,01,85
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:c9,3a,93,65,d5,aa,5c,a5,af,ff,f0,6c,ea,dc,3b,16,d5,46,14,1e,de,21,e3,
92,cf,d2,a7,a7,d7,a8,3c,60,6f,1e,ad,24,4c,e4,b3,35,f5,88,93,81,10,50,6e,57,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,d5,51,9f,32,fb,06,fa,
8c,e8,22,fe,5a,96,f6,72,ff,b7,d3,87,b3,8d,54,9f,32,5f,3a,e2,a1,97,10,45,b9,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:c7,b0,18,85,7b,39,96,ed
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2011-11-26 04:53:31
ComboFix-quarantined-files.txt 2011-11-25 18:53
ComboFix2.txt 2011-11-25 17:15
.
Pre-Run: 3,251,187,712 bytes free
Post-Run: 3,227,697,152 bytes free
.
- - End Of File - - 0DA74B5B7823130796CA75CAFEED032C

#7 limac

limac
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:04 AM

Posted 25 November 2011 - 09:27 PM

OK, so this morning searches no longer redirect. CCleaner and MBAM run fine.


Not sure how to figure out if it's completely gone, though.

#8 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:04 PM

Posted 28 November 2011 - 04:19 PM

Hi,

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    c:\windows\system32\config\systemprofile\Local Settings\Application Data\Conduit
    c:\windows\system32\config\systemprofile\Local Settings\Application Data\Vuze_Remote
    c:\documents and settings\Li Mclaren\Local Settings\Application Data\DownloadHQ
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
    
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Please post the final results, good or bad. We like to know!


#9 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:04 PM

Posted 21 December 2011 - 05:56 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.


Please post the final results, good or bad. We like to know!


