
Zeroaccess Rootkit infecting TCP/IP stack


  • This topic is locked
76 replies to this topic

#1 depierce
  • Members

Posted 23 May 2012 - 10:16 AM

Hello,

Running Win XP Pro sp3, Firefox 10.0.2 browser, noticed bad lags online, so I ran my usual checks (Malwarebytes Anti-malware, Spybot S&D, and Combofix).

Combofix reports back that my TCP/IP stack is infected by the Zeroaccess Rootkit, and proceeded to reboot to address the issue.

After scan completed, I ran Combofix again, and received the same rootkit warning.

Rebuilt the TCP/IP stack, no change.

Ran Kaspersky TDSSKiller, then RKill, and neither reported any hits. Ran Combofix again, and am getting the same rootkit warning.

Created a Kaspersky Recovery Disc 10, tried to run, but hangs at 36% each attempt. Tossed the disc, re-downloaded the ISO, recreated the CD, and ran the Recovery again, but still hung at 36%.

Combofix continues to report Zeroaccess rootkit activity.

Where do I go next?

Edited by depierce, 23 May 2012 - 10:18 AM.




#2 jntkwx
  • Malware Response Team

Posted 23 May 2012 - 11:20 AM

Hi depierce,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

 

Please take note:

  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and I will guide you.
  • Please tell me if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps I have recommended please try one more time and if unsuccessful alert us of such and I will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


I also need a new log from the GMER anti-rootkit Scanner.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



In your next reply, please include the following:
  • DDS log
  • GMER log
  • Combofix log (located C:\Combofix.txt)

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 depierce
  • Topic Starter
  • Members

Posted 23 May 2012 - 04:36 PM

Hey Jason,

Sorry for the late reply, GMER took nearly 5 hours to run...

Here's a screen shot of the error message that started this adventure:


[Screenshot of the ComboFix error message]

As well as a copy of the Combofix report you requested. All others logs are attached, as per instructions.

ComboFix 12-05-23.05 - Dad 05/23/2012 16:54:13.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2928 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\security\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-23 to 2012-05-23 )))))))))))))))))))))))))))))))
.
.
2012-05-22 23:36 . 2012-05-22 23:42 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-05-07 05:43 . 2012-05-07 05:43 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Vidalia
2012-05-06 18:42 . 2012-05-06 18:42 -------- d-----w- c:\program files\Auto Clicker
2012-05-06 18:20 . 2012-05-06 18:20 -------- d-----w- c:\program files\Grimm's Hatchery
2012-05-06 18:18 . 2012-05-06 18:18 -------- d-----w- c:\program files\Big Fish Games Toolbar Installer
2012-05-03 18:22 . 2012-05-03 18:22 -------- d-----w- c:\program files\Common Files\Java
2012-05-03 18:16 . 2012-05-03 18:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-03 18:16 . 2012-05-03 18:16 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-03 18:16 . 2012-05-03 18:16 -------- d-----w- c:\program files\Java
2012-04-30 18:10 . 2012-04-30 18:10 -------- d-----w- c:\documents and settings\Dad\Application Data\.minecraft
2012-04-27 04:28 . 2012-04-27 04:28 -------- d-----w- c:\program files\Singular Inversions
2012-04-26 01:35 . 2012-04-26 01:35 -------- d-----w- c:\program files\HyperCam 2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-03 18:16 . 2011-08-26 13:43 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-20 13:19 . 2012-03-30 12:44 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-20 13:19 . 2011-12-06 14:31 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2011-08-13 22:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 23:11 . 2012-03-05 23:11 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2012-03-04 05:05 . 2012-03-04 05:05 473656 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-03-03 21:08 . 2012-03-03 21:08 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-02-23 17:43 . 2012-02-15 18:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\jax2323\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Documents and Settings\\Jax\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Jax\\Application Data\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dear esther\\dearesther.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56133:TCP"= 56133:TCP:Pando Media Booster
"56133:UDP"= 56133:UDP:Pando Media Booster
"56466:TCP"= 56466:TCP:Pando Media Booster
"56466:UDP"= 56466:UDP:Pando Media Booster
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 HitachiBackupService;Hitachi Backup Service;c:\program files\Hitachi\Hitachi Backup\HitachiBackupService.exe [6/6/2010 8:08 PM 53760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 8:44 AM 253088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/29/2012 7:32 PM 30576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 13:19]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004Core.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004UA.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2011-11-03 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-08-08 02:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\kr55hf9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109856
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 4c908ad4000000000000001d09c02ea9
FF - user.js: extensions.BabylonToolbar_i.hardId - 4c908ad4000000000000001d09c02ea9
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15431
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.175:53
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-23 17:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\locator.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-23 17:12:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-23 21:12
ComboFix2.txt 2012-05-23 01:55
.
Pre-Run: 43,987,992,576 bytes free
Post-Run: 43,988,189,184 bytes free
.
- - End Of File - - 572133DDA54D82A02496061E9208ABCC

Edited by depierce, 23 May 2012 - 11:59 PM.


#4 jntkwx
  • Malware Response Team

Posted 24 May 2012 - 12:37 AM

depierce,

In the future, just copy/paste any logs asked for (unless explicitly instructed otherwise); it's easier to read the logs that way. :)

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Step 1: Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
When asked to update the definitions, click Yes.
Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Step 2: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

In your next reply, please include:
  • aswMBR log
  • FSS log
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason

 



#5 depierce
  • Topic Starter
  • Members

Posted 24 May 2012 - 08:25 AM

You wrote:

"In the future, just copy/paste any logs asked for (unless explicitly instructed otherwise), it's easier to read the logs that way."

That's 100% fine, but FYI - you did explicitly instruct me to add them as attachments, here:

"Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results."


...because the instructions that pop up, and the first sentence of the log that is generated, state that the log should be added as an attachment.

Then you wrote again here:


"Then create another GMER log and post it as an attachment to the reply where you post your new DDS log."

In any case, I appreciate your help. The next steps will be sent later today. Thanks again :)

Dirk

Edited by depierce, 24 May 2012 - 08:37 AM.


#6 depierce
  • Topic Starter
  • Members

Posted 24 May 2012 - 08:33 AM

Jason,

When running aswMBR and FSS, do you want me to "fix" any of the issues found, or skip and just post the log?

Dirk

#7 jntkwx
  • Malware Response Team

Posted 24 May 2012 - 10:13 AM

depierce,

I guess my instructions need to be changed then. Thanks for pointing out my conflicting instructions. :)

Just post the logs. We'll go into "fixing" any items after I've seen the logs.
Regards,
Jason

 



#8 depierce
  • Topic Starter
  • Members

Posted 24 May 2012 - 10:26 AM

Jason,

The computer is running well, but I still get the Combofix ZeroAccess! rootkit warning. Anyway, here's the aswMBR log:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-24 09:38:04
-----------------------------
09:38:04.437 OS Version: Windows 5.1.2600 Service Pack 3
09:38:04.437 Number of processors: 2 586 0x4802
09:38:04.437 ComputerName: COMP108 UserName: Dad
09:38:05.359 Initialize success
09:46:31.203 AVAST engine defs: 12052400
09:52:21.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:52:21.687 Disk 0 Vendor: Hitachi_HTS541616J9SA00 SB4OC74P Size: 152627MB BusType: 3
09:52:21.703 Disk 0 MBR read successfully
09:52:21.703 Disk 0 MBR scan
09:52:21.750 Disk 0 Windows XP default MBR code
09:52:21.750 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
09:52:21.750 Disk 0 scanning sectors +312560640
09:52:21.828 Disk 0 scanning C:\WINDOWS\system32\drivers
09:52:33.796 Service scanning
09:52:54.828 Modules scanning
09:53:04.109 Disk 0 trace - called modules:
09:53:04.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
09:53:04.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aed3ab8]
09:53:04.125 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8aeeaf18]
09:53:04.140 5 ACPI.sys[b9e64620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8aee84d0]
09:53:05.125 AVAST engine scan C:\WINDOWS
09:53:19.718 AVAST engine scan C:\WINDOWS\system32
09:53:19.937 File: C:\WINDOWS\system32\5Cc2GH5r2.com_ **INFECTED** Win32:Malware-gen
09:56:48.203 AVAST engine scan C:\WINDOWS\system32\drivers
09:57:08.359 AVAST engine scan C:\Documents and Settings\Dad
10:57:10.109 AVAST engine scan C:\Documents and Settings\All Users
11:01:59.796 Scan finished successfully
11:11:02.281 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dad\Desktop\security\MBR.dat"
11:11:02.281 The log file has been saved successfully to "C:\Documents and Settings\Dad\Desktop\security\aswMBR.txt"


And the FSS log:

Farbar Service Scanner Version: 17-05-2012
Ran by Dad (administrator) on 24-05-2012 at 11:16:19
Running from "C:\Documents and Settings\Dad\Desktop\security"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(9) NetBT(10) PSched(7) Tcpip(8)
0x0A0000000900000005000000010000000200000003000000040000000600000007000000080000000A000000


**** End of log ****
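A small triage helper for the two logs in this post, added here as an example (it is not code from the thread or from the aswMBR or Farbar Service Scanner authors). It pulls out the aswMBR "**INFECTED**" lines, any policy key FSS lists under a "... Disabled Policy:" heading, and any "File Check" entry FSS did not mark "MD5 is legit"; the embedded sample logs are constructed from the output above, with one file-check verdict altered (hypothetical wording) to show a failed check.

```python
"""Triage helper for aswMBR and Farbar Service Scanner (FSS) text logs.

Added example, not code from the thread or from either tool's authors. It
reads the two log formats as they appear in the post above; the sample logs
below are constructed from that output, with one FSS file-check line altered
(hypothetical verdict wording) to show a failed check.
"""
import re
from dataclasses import dataclass, field

# aswMBR reports a detection as:
#   09:53:19.937 File: C:\WINDOWS\system32\5Cc2GH5r2.com_ **INFECTED** Win32:Malware-gen
ASWMBR_INFECTED = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3} File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)$"
)
# FSS "File Check:" lines look like:  <path> => MD5 is legit
FSS_FILECHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")
# FSS policy values look like:  "EnableFirewall"=DWORD:0
FSS_POLICY = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)$')


@dataclass
class Triage:
    infected: list = field(default_factory=list)  # (path, detection name) from aswMBR
    policies: list = field(default_factory=list)  # (name, value) under a Disabled Policy heading
    bad_md5: list = field(default_factory=list)   # (path, verdict) where verdict != "MD5 is legit"

    def needs_attention(self) -> bool:
        return bool(self.infected or self.policies or self.bad_md5)


def parse_aswmbr(log: str, result: Triage) -> Triage:
    """Collect every file aswMBR marked **INFECTED**."""
    for raw in log.splitlines():
        m = ASWMBR_INFECTED.match(raw.strip())
        if m:
            result.infected.append((m.group("path"), m.group("name")))
    return result


def parse_fss(log: str, result: Triage) -> Triage:
    """Collect policy keys FSS prints under a '... Disabled Policy:' heading and
    any checked system file whose MD5 FSS did not accept."""
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        # Section headings are bare lines ending in ':' (e.g. 'Firewall Disabled Policy:').
        if line.endswith(":") and not line.startswith(('"', "[")) and "=>" not in line:
            section = line
            continue
        m = FSS_POLICY.match(line)
        if m and section.endswith("Disabled Policy:"):
            # On this page: "EnableFirewall"=DWORD:0 under 'Firewall Disabled Policy:'.
            result.policies.append((m.group("name"), m.group("value")))
            continue
        m = FSS_FILECHECK.match(line)
        if m and m.group("verdict").strip() != "MD5 is legit":
            result.bad_md5.append((m.group("path"), m.group("verdict").strip()))
    return result


def triage(aswmbr_log: str, fss_log: str) -> Triage:
    """Run both parsers over the raw log text and return the combined findings."""
    result = Triage()
    parse_aswmbr(aswmbr_log, result)
    parse_fss(fss_log, result)
    return result


# Constructed sample input, cut down from the logs posted above.
SAMPLE_ASWMBR = r"""aswMBR version 0.9.9.1665
09:52:21.750 Disk 0 Windows XP default MBR code
09:53:19.718 AVAST engine scan C:\WINDOWS\system32
09:53:19.937 File: C:\WINDOWS\system32\5Cc2GH5r2.com_ **INFECTED** Win32:Malware-gen
09:56:48.203 AVAST engine scan C:\WINDOWS\system32\drivers
11:01:59.796 Scan finished successfully
"""

# Constructed sample input; the tcpip.sys verdict is altered (hypothetical wording).
SAMPLE_FSS = r"""Farbar Service Scanner Version: 17-05-2012
Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0

System Restore Disabled Policy:
========================

File Check:
========
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is not legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
"""

if __name__ == "__main__":
    findings = triage(SAMPLE_ASWMBR, SAMPLE_FSS)
    for path, name in findings.infected:
        print(f"aswMBR detection: {path} ({name})")
    for key, value in findings.policies:
        print(f"FSS policy set: {key}={value}")
    for path, verdict in findings.bad_md5:
        print(f"FSS file check failed: {path} ({verdict})")
```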

#9 jntkwx
  • Malware Response Team

Posted 24 May 2012 - 06:27 PM

depierce,

Step 1: Please open notepad and copy/paste the text in the box below into it:

http://www.bleepingcomputer.com/forums/topic454607.html

Collect::
C:\WINDOWS\system32\5Cc2GH5r2.com_

FireFox::
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\kr55hf9q.default\
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109856
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 4c908ad4000000000000001d09c02ea9
FF - user.js: extensions.BabylonToolbar_i.hardId - 4c908ad4000000000000001d09c02ea9
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15431
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.175:53
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

Save this as CFScript.txt


[Image: dragging CFScript.txt onto ComboFix.exe]

If prompted to update Combofix, please allow it to update.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.


Step 2: We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply, please include:
  • Latest Combofix log
  • Both logs produced by OTL
  • How's your computer running now?

Regards,
Jason

 



#10 depierce
  • Topic Starter
  • Members

Posted 24 May 2012 - 10:39 PM

Jason,

As before, the computer runs well, but Combofix continues to warn of the rootkit.

Here's the Combofix log:


ComboFix 12-05-24.03 - Dad 05/24/2012 22:56:41.13.2 - x86
Running from: c:\documents and settings\Dad\Desktop\security\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\security\CFScript.txt
.
file zipped: c:\windows\system32\5Cc2GH5r2.com_
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\5Cc2GH5r2.com_
.
.
((((((((((((((((((((((((( Files Created from 2012-04-25 to 2012-05-25 )))))))))))))))))))))))))))))))
.
.
2012-05-22 23:36 . 2012-05-22 23:42 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-05-07 05:43 . 2012-05-07 05:43 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Vidalia
2012-05-06 18:42 . 2012-05-06 18:42 -------- d-----w- c:\program files\Auto Clicker
2012-05-06 18:20 . 2012-05-06 18:20 -------- d-----w- c:\program files\Grimm's Hatchery
2012-05-06 18:18 . 2012-05-06 18:18 -------- d-----w- c:\program files\Big Fish Games Toolbar Installer
2012-05-03 18:22 . 2012-05-03 18:22 -------- d-----w- c:\program files\Common Files\Java
2012-05-03 18:16 . 2012-05-03 18:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-03 18:16 . 2012-05-03 18:16 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-03 18:16 . 2012-05-03 18:16 -------- d-----w- c:\program files\Java
2012-04-30 18:10 . 2012-04-30 18:10 -------- d-----w- c:\documents and settings\Dad\Application Data\.minecraft
2012-04-27 04:28 . 2012-04-27 04:28 -------- d-----w- c:\program files\Singular Inversions
2012-04-26 01:35 . 2012-04-26 01:35 -------- d-----w- c:\program files\HyperCam 2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-03 18:16 . 2011-08-26 13:43 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-20 13:19 . 2012-03-30 12:44 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-20 13:19 . 2011-12-06 14:31 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2011-08-13 22:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 23:11 . 2012-03-05 23:11 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2012-03-04 05:05 . 2012-03-04 05:05 473656 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-03-03 21:08 . 2012-03-03 21:08 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-02-23 17:43 . 2012-02-15 18:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-23_21.07.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-25 03:06 . 2012-05-25 03:06 16384 c:\windows\temp\Perflib_Perfdata_68c.dat
+ 2012-05-25 03:07 . 2012-05-25 03:07 16384 c:\windows\temp\Perflib_Perfdata_22c.dat
+ 2004-08-04 10:00 . 2012-05-25 02:59 80860 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2012-05-23 21:09 80860 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2012-05-25 02:59 484504 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2012-05-23 21:09 484504 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\jax2323\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Documents and Settings\\Jax\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Jax\\Application Data\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dear esther\\dearesther.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56133:TCP"= 56133:TCP:Pando Media Booster
"56133:UDP"= 56133:UDP:Pando Media Booster
"56466:TCP"= 56466:TCP:Pando Media Booster
"56466:UDP"= 56466:UDP:Pando Media Booster
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 HitachiBackupService;Hitachi Backup Service;c:\program files\Hitachi\Hitachi Backup\HitachiBackupService.exe [6/6/2010 8:08 PM 53760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 8:44 AM 253088]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/29/2012 7:32 PM 30576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 13:19]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004Core.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004UA.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2011-11-03 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-08-08 02:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\kr55hf9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-24 23:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WININET.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\locator.exe
.
**************************************************************************
.
Completion time: 2012-05-24 23:11:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-25 03:11
ComboFix2.txt 2012-05-23 21:12
ComboFix3.txt 2012-05-23 01:55
.
Pre-Run: 42,305,998,848 bytes free
Post-Run: 42,430,189,568 bytes free
.
- - End Of File - - 25C78ECB8A171CF63C7DDCC83F7E9DAD

The OTL log:

OTL logfile created on: 5/24/2012 11:23:50 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Documents and Settings\Dad\Desktop\security
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.80 Gb Available Physical Memory | 86.15% Memory free
5.09 Gb Paging File | 4.85 Gb Available in Paging File | 95.41% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 39.52 Gb Free Space | 26.51% Space Free | Partition Type: NTFS

Computer Name: COMP108 | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/24 22:46:13 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\security\OTL.exe
PRC - [2010/06/06 20:08:24 | 000,053,760 | ---- | M] (Hitachi GST) -- C:\Program Files\Hitachi\Hitachi Backup\HitachiBackupService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/13 15:13:47 | 011,800,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\60df958ca96c9b8945f836759b6abd34\System.Web.ni.dll
MOD - [2011/10/13 15:13:38 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
MOD - [2011/10/13 15:12:21 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce0720436dc6cb76006377f295ea365\System.Configuration.ni.dll
MOD - [2011/10/13 15:12:16 | 000,256,000 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\474a341340f687bcbd7777f2820a8c7a\SMDiagnostics.ni.dll
MOD - [2011/10/13 15:12:09 | 017,403,904 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\ceadaf3b3d017c7a1ef10a06f8009f6f\System.ServiceModel.ni.dll
MOD - [2011/10/13 15:11:47 | 002,345,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\afd6134c090faf8c29cd64d4835142b2\System.Runtime.Serialization.ni.dll
MOD - [2011/10/13 15:11:42 | 001,070,080 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\d14065ede44df8e9b5d6b60c5ddccc69\System.IdentityModel.ni.dll
MOD - [2011/10/13 14:53:15 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll
MOD - [2011/10/13 14:53:10 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll
MOD - [2011/10/13 14:52:57 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll
MOD - [2011/10/13 14:51:42 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/10/13 14:51:34 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/08/05 05:41:25 | 000,063,328 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Synchronization.Files\2.0.0.0__89845dcd8080cc91\Microsoft.Synchronization.Files.dll
MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/04/22 16:19:04 | 001,954,816 | ---- | M] () -- C:\Program Files\Hitachi\Hitachi Backup\OnlineBackupFacade.dll
MOD - [2006/10/26 19:21:22 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL


========== Win32 Services (SafeList) ==========

SRV - [2012/05/04 18:53:31 | 000,489,256 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/04/20 09:19:06 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2011/12/06 14:09:04 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/13 12:07:00 | 004,121,080 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\system32\GameMon.des -- (npggsvc)
SRV - [2010/06/06 20:08:24 | 000,053,760 | ---- | M] (Hitachi GST) [Auto | Running] -- C:\Program Files\Hitachi\Hitachi Backup\HitachiBackupService.exe -- (HitachiBackupService)
SRV - [2004/10/22 06:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\mcdbus.sys -- (mcdbus)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2012/03/04 01:05:44 | 000,473,656 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/12/13 15:37:46 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nx6000.sys -- (MSHUSBVideo)
DRV - [2009/02/25 18:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/10/10 00:17:42 | 001,123,328 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/05/10 13:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/08 23:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 23:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/11/21 07:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 05:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/15 00:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 22:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/10/26 19:22:02 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/10/26 19:21:34 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/10/26 19:21:34 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/10/26 19:21:32 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/10/26 19:21:30 | 000,026,296 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/10/26 19:21:28 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/10/26 19:21:26 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/10/26 19:21:24 | 000,104,536 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2001/08/22 11:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {443789B7-F39C-4b5c-9287-DA72D38F4FE6}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-opencandygames-chromesbox-en-us&tb_uuid=20120304050804140&tb_oid=04-03-2012&tb_mrud=04-03-2012


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2025429265-606747145-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2025429265-606747145-839522115-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2025429265-606747145-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2025429265-606747145-839522115-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=109856&tt=290312_bexdll&babsrc=SP_ss&mntrId=4c908ad4000000000000001d09c02ea9
IE - HKU\S-1-5-21-2025429265-606747145-839522115-1003\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-opencandygames-chromesbox-en-us&tb_uuid=20120304050804140&tb_oid=04-03-2012&tb_mrud=04-03-2012
IE - HKU\S-1-5-21-2025429265-606747145-839522115-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3106518
IE - HKU\S-1-5-21-2025429265-606747145-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Dad\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Dad\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{184AA5E6-741D-464a-820E-94B3ABC2F3B4}: C:\WINDOWS\system32\10020
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/23 13:43:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/05 19:14:02 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{184AA5E6-741D-464a-820E-94B3ABC2F3B4}: C:\WINDOWS\system32\10020

[2012/02/15 11:24:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dad\Application Data\Mozilla\Extensions
[2012/04/25 21:35:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\kr55hf9q.default\extensions
[2012/04/25 21:35:59 | 000,000,000 | ---D | M] (DealBulldog Toolbar) -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\kr55hf9q.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
[2012/05/03 14:16:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/05/03 14:16:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
[2012/05/03 14:16:19 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/02/23 13:43:48 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/04/01 05:53:14 | 000,002,353 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012/02/15 14:10:30 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/15 14:10:30 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms},
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Dad\Application Data\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Dad\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U32 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.320.5 (Enabled) = C:\WINDOWS\system32\npdeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - Extension: YouTube = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Pixlr Grabber - Screen capture/image grabbing = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cjjghkapdciaiogkeofggpblmbbnjinn\1.0_0\
CHR - Extension: Google Search = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: General Crawler = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\2.5_0\
CHR - Extension: Pixlr-o-matic = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ehcibdjmpjlekgjhepbfmenfppliikcj\1.2_0\
CHR - Extension: Google Dictionary (by Google) = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mgijmajocgfcbeboacabfgobmjgjcoja\3.0.12_0\
CHR - Extension: MuteTab = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmkbaaijgpppbokgnhhoakihofedkgcc\1.1.4_0\
CHR - Extension: Gmail = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/05/24 23:07:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Reg Error: Value error.) - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll (Cooliris Inc.)
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\DealBulldog Toolbar\tbcore3.dll File not found
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2025429265-606747145-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2025429265-606747145-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2025429265-606747145-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2025429265-606747145-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download with &Media Finder - C:\Program Files\Media Finder\hook.html File not found
O9 - Extra Button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll (Cooliris Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.69.188.186 207.69.188.187
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{48A73334-130E-4330-9F86-1BCC6630F772}: DhcpNameServer = 207.69.188.186 207.69.188.187
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/08/05 05:09:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/24 22:48:25 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/05/24 01:11:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\My Documents\Article Summaries
[2012/05/22 22:09:55 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/05/22 22:09:55 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/05/22 22:09:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/05/22 22:09:55 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/05/22 22:09:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/22 19:36:52 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012/05/14 14:56:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/05/08 17:40:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Desktop\New Folder
[2012/05/08 16:45:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Desktop\security
[2012/05/07 01:43:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Local Settings\Application Data\Vidalia
[2012/05/07 01:35:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Desktop\Tor Browser
[2012/05/06 14:42:32 | 000,000,000 | ---D | C] -- C:\Program Files\Auto Clicker
[2012/05/06 14:42:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auto Clicker
[2012/05/06 14:20:29 | 000,000,000 | ---D | C] -- C:\Program Files\Grimm's Hatchery
[2012/05/06 14:20:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Grimm's Hatchery
[2012/05/06 14:18:51 | 000,000,000 | ---D | C] -- C:\Program Files\Big Fish Games Toolbar Installer
[2012/05/06 14:18:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Big Fish Games Toolbar Installer
[2012/05/05 11:23:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Desktop\0505
[2012/05/03 14:22:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/05/03 14:16:37 | 000,476,960 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/05/03 14:16:37 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/05/03 14:16:37 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/05/03 14:16:37 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/05/03 14:16:37 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/05/03 14:16:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/04/30 14:10:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Application Data\.minecraft
[2012/04/27 00:28:39 | 000,000,000 | ---D | C] -- C:\Program Files\Singular Inversions
[2012/04/25 21:35:34 | 000,000,000 | ---D | C] -- C:\Program Files\HyperCam 2
[2012/04/25 21:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Start Menu\Programs\HyperCam 2
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/24 23:20:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004UA.job
[2012/05/24 23:12:02 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003UA.job
[2012/05/24 23:11:54 | 000,484,504 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/24 23:11:54 | 000,080,860 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/24 23:11:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500UA.job
[2012/05/24 23:09:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/24 23:07:36 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/24 23:07:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/24 22:56:38 | 000,001,232 | ---- | M] () -- C:\CF-Submit.htm
[2012/05/24 22:04:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/24 19:20:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004Core.job
[2012/05/24 14:02:22 | 000,109,056 | ---- | M] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/24 11:11:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500Core.job
[2012/05/24 03:30:03 | 000,082,059 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\1337844381030.png
[2012/05/24 00:12:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003Core.job
[2012/05/23 22:14:57 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Google Chrome.lnk
[2012/05/22 19:59:45 | 000,000,328 | RHS- | M] () -- C:\boot.ini
[2012/05/16 01:01:49 | 000,393,073 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\HALFLIFE DESK.jpg
[2012/05/14 14:58:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/10 04:08:24 | 000,164,499 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\DR Seuss clarified.jpg
[2012/05/06 14:20:57 | 000,004,096 | ---- | M] () -- C:\WINDOWS\d3dx.dat
[2012/05/06 14:20:39 | 000,001,644 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play Grimm's Hatchery.lnk
[2012/05/06 14:18:54 | 000,000,059 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\user.ini
[2012/05/03 14:16:18 | 000,476,960 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/05/03 14:16:18 | 000,472,864 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/05/03 14:16:18 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/05/03 14:16:18 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/05/03 14:16:18 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/05/03 14:16:18 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/04/30 15:41:04 | 004,548,608 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Rodrigo y Gabriela - Stairway to Heaven.mp3
[2012/04/30 08:07:54 | 002,205,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/04/25 21:47:29 | 000,071,140 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/04/25 21:37:58 | 040,967,366 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\clip0001.avi
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/24 22:56:38 | 000,001,232 | ---- | C] () -- C:\CF-Submit.htm
[2012/05/24 03:30:05 | 000,082,059 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\1337844381030.png
[2012/05/22 22:09:55 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/05/22 22:09:55 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/05/22 22:09:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/05/22 22:09:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/05/22 22:09:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/05/16 01:01:47 | 000,393,073 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\HALFLIFE DESK.jpg
[2012/05/10 04:08:23 | 000,164,499 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\DR Seuss clarified.jpg
[2012/05/06 14:20:57 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2012/05/06 14:20:39 | 000,001,644 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Grimm's Hatchery.lnk
[2012/05/06 14:18:54 | 000,000,059 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\user.ini
[2012/04/30 15:40:57 | 004,548,608 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Rodrigo y Gabriela - Stairway to Heaven.mp3
[2012/04/25 21:47:29 | 000,071,140 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/04/25 21:37:01 | 040,967,366 | ---- | C] () -- C:\Documents and Settings\Dad\My Documents\clip0001.avi
[2012/03/24 16:42:57 | 000,000,234 | ---- | C] () -- C:\WINDOWS\System32\urhtps.dat
[2012/03/24 13:24:11 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\kr55hf9q.default.dat
[2012/02/29 22:57:05 | 000,342,560 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/02/15 11:27:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2012/02/01 10:10:13 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\fusioncache.dat
[2012/01/09 18:35:04 | 000,015,970 | -HS- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\t34bp4t56t
[2012/01/09 18:35:04 | 000,015,970 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\t34bp4t56t
[2011/12/19 01:38:18 | 000,016,194 | -HS- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\277305w768y3b0p0p85g52p3a852e44ca4iip1773f6164
[2011/11/19 16:38:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\5Cc2GH5r2.com.b
[2011/11/19 12:57:12 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\o2UeMDCw.dat
[2011/11/10 17:08:07 | 000,399,504 | ---- | C] () -- C:\WINDOWS\System32\FCAgent32.dll
[2011/11/10 17:08:07 | 000,001,552 | ---- | C] () -- C:\WINDOWS\System32\FCAgent.ini
[2011/10/24 19:55:22 | 000,002,594 | ---- | C] () -- C:\Documents and Settings\Dad\Application Data\SAS7_000.DAT
[2011/09/29 08:21:07 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\d3dx9.dll
[2011/09/20 17:34:50 | 000,000,109 | ---- | C] () -- C:\WINDOWS\GMouse.ini
[2011/09/05 20:29:03 | 000,157,744 | ---- | C] () -- C:\WINDOWS\hpoins28.dat
[2011/09/05 20:29:03 | 000,000,932 | ---- | C] () -- C:\WINDOWS\hpomdl28.dat
[2011/08/25 22:16:08 | 001,611,874 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2025429265-606747145-839522115-1003-0.dat
[2011/08/25 22:16:05 | 000,394,594 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/08/08 18:13:11 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2011/08/08 18:13:11 | 000,000,673 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/08/07 16:20:38 | 000,000,654 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2011/08/05 15:32:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/08/05 15:24:28 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2011/08/05 14:50:30 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2011/08/05 07:13:06 | 000,109,056 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/05 05:43:03 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/05 05:38:06 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2011/08/05 05:38:02 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2011/08/05 05:38:01 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2011/08/05 05:12:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/08/05 05:05:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/08/04 21:42:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/08/04 21:40:27 | 002,205,808 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Dad\My Documents\My Videos:Roxio EMC Stream

< End of report >

and the Extras log:

OTL Extras logfile created on: 5/24/2012 11:23:50 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Documents and Settings\Dad\Desktop\security
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.80 Gb Available Physical Memory | 86.15% Memory free
5.09 Gb Paging File | 4.85 Gb Available in Paging File | 95.41% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 39.52 Gb Free Space | 26.51% Space Free | Partition Type: NTFS

Computer Name: COMP108 | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2025429265-606747145-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56133:TCP" = 56133:TCP:*:Enabled:Pando Media Booster
"56133:UDP" = 56133:UDP:*:Enabled:Pando Media Booster
"56466:TCP" = 56466:TCP:*:Enabled:Pando Media Booster
"56466:UDP" = 56466:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"56133:TCP" = 56133:TCP:*:Enabled:Pando Media Booster
"56133:UDP" = 56133:UDP:*:Enabled:Pando Media Booster
"56466:TCP" = 56466:TCP:*:Enabled:Pando Media Booster
"56466:UDP" = 56466:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Steam\steamapps\jax2323\team fortress 2\hl2.exe" = C:\Program Files\Steam\steamapps\jax2323\team fortress 2\hl2.exe:*:Disabled:hl2 -- ()
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Documents and Settings\Jax\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Jax\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Documents and Settings\Jax\Application Data\Spotify\spotify.exe" = C:\Documents and Settings\Jax\Application Data\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Steam\steamapps\common\dear esther\dearesther.exe" = C:\Program Files\Steam\steamapps\common\dear esther\dearesther.exe:*:Enabled:Dear Esther -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 32
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{325045C9-F040-3D98-892D-53D5E840266C}" = Google Talk Plugin
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{411F3ABA-2AB5-4799-AA19-6ADF0A8F7424}" = Adobe Setup
"{4324BC93-C82F-ED16-BA86-5E34B9E05303}" = ccc-core-static
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A5A427F-BA39-4BF0-9A47-9999FBE60C9F}" = Visual C++ Runtime for Dragon NaturallySpeaking
"{4D9C7DA3-D532-432D-A556-5F6CD186B0A5}" = DJ_AIO_03_F4200_ProductContext
"{4ED118EE-785C-CC18-5D2E-D5CA4BAA03F0}" = Catalyst Control Center Graphics Full New
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{539475B7-44B7-8B0A-134C-F01B9C8B7569}" = ccc-core-preinstall
"{553C904F-57A2-4113-888E-BA0C3D1C69C0}" = Microsoft VC9 runtime libraries
"{55559ABB-AB08-416F-A227-6319B545AF83}" = VitalSource Bookshelf
"{561968FD-56A1-49FD-9ED0-F55482C7C5BC}" = Adobe Media Encoder CS4 Exporter
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5AC7AE54-55DF-1126-076C-623F008D40B6}" = Catalyst Control Center Graphics Full Existing
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62653245-3DC5-4019-AF6B-4E62D6150D9E}" = F4200_Help
"{6351D217-3EE3-1967-29BE-6A77635FE485}" = Skins
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content
"{67DFCE0D-BBA9-43AC-90B3-548390ECE522}" = F4200
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6AB9CD3A-F91F-233B-923B-6C59BA63524D}" = Catalyst Control Center HydraVision Full
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85A91C22-C369-FCFB-5F1F-D59EB21AD0E1}" = CCC Help English
"{86BDD105-114A-4B20-BF8B-E46C7159A641}" = FaceGen Modeller 3.5 Free
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8BC914BF-F80D-47D9-BD1E-809EB6A7C23C}_is1" = FileCenter 7.1.0.48
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9DBCE8C7-FE94-4D8F-9FF0-38EF3D8BC99E}" = DJ_AIO_03_F4200_Software
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A11409F1-CD33-4076-85CB-4EE4A8439BFE}" = Scan
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A6D0140F-E62F-9D1E-2408-9CFF91FF6FC8}" = ccc-utility
"{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1" = Free YouTube Downloader 3.3.115
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AE9A67F9-ADF1-4a44-BAB5-C1DB302B37A2}" = HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3
"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4
"{B15381DD-FF97-4FCD-A881-ED4DB0975500}" = Adobe Color Video Profiles AE CS4
"{B15B502F-FEC3-4AB5-9967-B3B7FFC99043}" = Hitachi LifeStudio 1.0.0.681 & Hitachi Backup 1.0.0.31
"{B29B526D-F027-4122-BC7A-D9E5BC86CC40}" = DJ_AIO_03_F4200_Software_Min
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B860298B-CE03-4DE2-B92E-422F2C20A2D8}_is1" = PDF-XChange Lite 4
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}" = Adobe Media Encoder CS4 Additional Exporter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0A7E4F3-82CC-416B-82C6-BA06AACFD635}_is1" = Auto Clicker v1.2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C44A7422-E380-44BE-79FE-1C032D8A03A7}" = Catalyst Control Center Core Implementation
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C73CA646-73B3-4AEF-A136-C37505745174}" = iTunes
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CA33D9AB-F574-71D7-0525-1C3BE9B11DFD}" = ATI Catalyst Install Manager
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CCF13D13-A87B-34E8-B689-1896D0C2DBA2}" = Google Talk Plugin
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D3A80508-CD83-4CA3-8671-914A1BC78B61}" = Microsoft Sync Framework 2.0 Provider Services (x86) ENU
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{E5D24929-91A4-B0A1-DE00-AFC453921EF7}" = Catalyst Control Center Graphics Light
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E6C09BFB-BA75-15C7-5B18-A2CE31C4F42B}" = Catalyst Control Center Graphics Previews Common
"{E7712E53-7A7F-46EB-AA13-70D5987D30F2}" = Dragon NaturallySpeaking 10
"{EA08048C-3823-4DC8-B169-1D5D11FFC19F}_is1" = PDF-XChange 4
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FEE4185F-3504-4ADB-91F5-521E08232045}" = RAPTOR
"{FF63121D-91C6-42CC-B341-F1AA729728E7}" = Microsoft Sync Framework 2.0 Core Components (x86) ENU
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"16 Big Fish Games" = 16 Big Fish Games
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Adobe_3dcb365ab9e01871fb8c6f27b0ea079" = Adobe After Effects CS4
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 2.0
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS Video Editor 4_is1" = AVS Video Editor 4 4.2.1.166
"AVS Video Recorder_is1" = AVS Video Recorder 2.4 (Service Version)
"AVS YouTube Uploader 2.1_is1" = AVS YouTube Uploader version 2.1
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"BFG-Big Fish Games Toolbar Installer" = Big Fish Games Toolbar Installer
"BFGC" = Big Fish Games: Game Manager
"BFG-Grimm's Hatchery" = Grimm's Hatchery
"BFG-The Agency of Anomalies - Cinderstone Orphanage" = The Agency of Anomalies: Cinderstone Orphanage
"BitTorrent" = BitTorrent
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"Cheat Engine 5.5_is1" = Cheat Engine 5.5
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"eSupport UndeletePlus_is1" = eSupport UndeletePlus 3.0.2.830
"Free FLV Converter_is1" = Free FLV Converter V 7.1.0
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HyperCam 2" = HyperCam 2
"Icon Restore_is1" = Icon Restore 1.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InfraRecorder" = InfraRecorder
"Magic DVD Ripper_is1" = Magic DVD Ripper V5.5.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Prism" = Prism Video Converter
"Revo Uninstaller" = Revo Uninstaller 1.93
"Shop for HP Supplies" = Shop for HP Supplies
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"Steam App 203810" = Dear Esther
"Steam App 211" = Source SDK
"Steam App 220" = Half-Life 2
"Steam App 380" = Half-Life 2: Episode One
"Steam App 440" = Team Fortress 2
"SynTPDeinstKey" = Dell Touchpad
"ToneGenHQY" = Audio Signal Generator
"VLC media player" = VLC media player 1.1.11
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR 4.01 (32-bit)
"WMFDist11" = Windows Media Format 11 runtime

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2025429265-606747145-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/15/2012 5:32:05 PM | Computer Name = COMP108 | Source = EventSystem | ID = 4614
Description = The COM+ Event System detected an inconsistency in its internal state.
The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 5/19/2012 10:08:00 PM | Computer Name = COMP108 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00029f07.

Error - 5/19/2012 10:08:07 PM | Computer Name = COMP108 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 5/19/2012 10:11:44 PM | Computer Name = COMP108 | Source = Bonjour Service | ID = 100
Description = 204: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/19/2012 10:11:44 PM | Computer Name = COMP108 | Source = Bonjour Service | ID = 100
Description = 224: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/19/2012 10:11:44 PM | Computer Name = COMP108 | Source = Bonjour Service | ID = 100
Description = 236: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/19/2012 10:28:34 PM | Computer Name = COMP108 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00037331.

Error - 5/19/2012 10:33:43 PM | Computer Name = COMP108 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x000373bc.

Error - 5/20/2012 9:42:55 PM | Computer Name = COMP108 | Source = Application Hang | ID = 1002
Description = Hanging application Steam.exe, version 1.0.1065.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/22/2012 7:46:53 PM | Computer Name = COMP108 | Source = Application Hang | ID = 1002
Description = Hanging application Steam.exe, version 1.0.1065.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/24/2012 1:55:42 PM | Computer Name = COMP108 | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 5/24/2012 1:57:14 PM | Computer Name = COMP108 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/24/2012 3:16:12 PM | Computer Name = COMP108 | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 5/24/2012 3:17:43 PM | Computer Name = COMP108 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/24/2012 7:25:18 PM | Computer Name = COMP108 | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 5/24/2012 7:26:47 PM | Computer Name = COMP108 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/24/2012 10:54:45 PM | Computer Name = COMP108 | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 5/24/2012 10:56:15 PM | Computer Name = COMP108 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/24/2012 11:07:44 PM | Computer Name = COMP108 | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member
of a domain. The Netlogon service does not need to run in this configuration.

Error - 5/24/2012 11:09:20 PM | Computer Name = COMP108 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:14 PM

Posted 25 May 2012 - 10:20 AM

depierce,

:step1: Please open notepad and copy/paste the text in the box below into it:

http://www.bleepingcomputer.com/forums/topic454607.html

Collect::[89]
C:\Documents and Settings\Dad\Local Settings\Application Data\t34bp4t56t
C:\Documents and Settings\All Users\Application Data\t34bp4t56t
C:\Documents and Settings\Dad\Local Settings\Application Data\277305w768y3b0p0p85g52p3a852e44ca4iip1773f6164
C:\WINDOWS\System32\5Cc2GH5r2.com.b
C:\Documents and Settings\All Users\Application Data\o2UeMDCw.dat

Save this as CFScript.txt


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

If prompted to update Combofix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.


:step2: We need to create another OTL Report
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the None button
  • Change the File Age to 360 Days
  • Check the following:
    • Use Company-Name WhiteList
    • Skip Microsoft files
    • Use No-Company-Name WhiteList
  • Change the Files Created Within and Files Modified Within to File Age
  • Check the boxes next to LOP Check and Purity Check
  • Push the scan button.
  • One report will open, copy and paste it in your next reply


In your next reply, please include:
  • Combofix log
  • OTL log
  • How's your computer running now?

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
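
An added example (not jntkwx's, ComboFix's or OTL's code) of the triage behind a Collect:: script like the one above: each path is scored by how often its file name flips between letter and digit runs, a bonus is added when the file sits loose in an Application Data root, and everything at or above a threshold is written into a Collect:: block of the kind ComboFix reads from a dragged-in CFScript.txt. The sample paths are the five from the script above plus constructed benign ones; the threshold, the location bonus and the root-directory rule are assumptions tuned to the names in this thread, not published ZeroAccess indicators.

```python
"""Score log paths by how 'generated' the file name looks and emit a
CFScript 'Collect::' block for the ones worth submitting.

Added example; not ComboFix's or the thread author's code. The weights and
threshold are assumptions tuned to the names in this thread."""
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Assumption: a loose file directly under an Application Data root
# (All Users, <user>, or <user>\Local Settings on XP) earns extra suspicion.
APPDATA_ROOT_SUFFIX = "\\application data"
LOCATION_BONUS = 3
FLAG_THRESHOLD = 5


def class_transitions(name: str) -> int:
    """Count letter<->digit run boundaries in the file-name stem.

    Human-chosen names switch class a few times at most (d3d9caps -> 4,
    GoogleUpdate -> 0); generated ones such as t34bp4t56t switch on
    almost every character (-> 6)."""
    stem = name.lstrip(".").split(".")[0]          # drop extension(s)
    classes = ["d" if c.isdigit() else "l" for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def in_appdata_root(path: str) -> bool:
    parent = str(PureWindowsPath(path).parent).lower()
    return parent.endswith(APPDATA_ROOT_SUFFIX)


def suspicion_score(path: str) -> int:
    p = PureWindowsPath(path)
    bonus = LOCATION_BONUS if in_appdata_root(path) else 0
    return class_transitions(p.name) + bonus


def triage(paths: Iterable[str]) -> List[Tuple[str, int]]:
    """Paths scoring at or above FLAG_THRESHOLD, highest score first."""
    scored = [(p, suspicion_score(p)) for p in paths]
    flagged = [(p, s) for p, s in scored if s >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda ps: ps[1], reverse=True)


def build_cfscript(paths: Iterable[str]) -> str:
    """Render the Collect:: block ComboFix reads from a dragged-in CFScript.txt."""
    return "Collect::\n" + "\n".join(paths) + "\n"


def parse_cfscript(script: str) -> List[str]:
    """Read paths back out of a Collect:: block; any other 'Name::' directive ends it."""
    paths, collecting = [], False
    for line in (raw.strip() for raw in script.splitlines()):
        if not line:
            continue
        if line.lower().startswith("collect::"):
            collecting = True
        elif line.endswith("::"):
            collecting = False
        elif collecting and re.match(r"^[a-z]:\\", line, re.I):
            paths.append(line)
    return paths


# Constructed sample: the five paths from the script above, plus benign
# entries of the kind the same logs are full of.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Dad\Local Settings\Application Data\t34bp4t56t",
    r"C:\Documents and Settings\All Users\Application Data\t34bp4t56t",
    r"C:\Documents and Settings\Dad\Local Settings\Application Data\277305w768y3b0p0p85g52p3a852e44ca4iip1773f6164",
    r"C:\WINDOWS\System32\5Cc2GH5r2.com.b",
    r"C:\Documents and Settings\All Users\Application Data\o2UeMDCw.dat",
    r"C:\Documents and Settings\All Users\Application Data\user.ini",
    r"C:\Documents and Settings\Dad\Local Settings\Application Data\fusioncache.dat",
    r"C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe",
    r"C:\WINDOWS\System32\d3d9caps.dat",
    r"C:\WINDOWS\System32\Macromed\Flash\FlashPlayerUpdateService.exe",
]

if __name__ == "__main__":
    flagged = triage(SAMPLE_PATHS)
    for path, score in flagged:
        print(f"{score:3d}  {path}")
    print(build_cfscript(p for p, _ in flagged))
```

Legitimately random names exist too (Firefox profile directories, GUID-named folders), so the output is a review list for the analyst, not a delete list; o2UeMDCw.dat only clears the threshold because of where it sits, which is why the location rule is there. The ComboFix step that actually zips and submits the files is unchanged.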


#12 depierce

depierce
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 25 May 2012 - 12:03 PM

Jason;

Same news, different log :)


Combofix:

ComboFix 12-05-25.02 - Dad 05/25/2012 12:27:57.14.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2920 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\security\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\security\CFScript.txt
.
file zipped: c:\documents and settings\All Users\Application Data\o2UeMDCw.dat
file zipped: c:\documents and settings\All Users\Application Data\t34bp4t56t
file zipped: c:\documents and settings\Dad\Local Settings\Application Data\277305w768y3b0p0p85g52p3a852e44ca4iip1773f6164
file zipped: c:\documents and settings\Dad\Local Settings\Application Data\t34bp4t56t
file zipped: c:\windows\System32\5Cc2GH5r2.com.b
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\o2UeMDCw.dat
c:\documents and settings\All Users\Application Data\t34bp4t56t
c:\documents and settings\Dad\Local Settings\Application Data\277305w768y3b0p0p85g52p3a852e44ca4iip1773f6164
c:\documents and settings\Dad\Local Settings\Application Data\t34bp4t56t
c:\windows\System32\5Cc2GH5r2.com.b
.
---- Previous Run -------
.
c:\windows\system32\5Cc2GH5r2.com_
.
.
((((((((((((((((((((((((( Files Created from 2012-04-25 to 2012-05-25 )))))))))))))))))))))))))))))))
.
.
2012-05-22 23:36 . 2012-05-22 23:42 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-05-07 05:43 . 2012-05-07 05:43 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Vidalia
2012-05-06 18:42 . 2012-05-06 18:42 -------- d-----w- c:\program files\Auto Clicker
2012-05-06 18:20 . 2012-05-06 18:20 -------- d-----w- c:\program files\Grimm's Hatchery
2012-05-06 18:18 . 2012-05-06 18:18 -------- d-----w- c:\program files\Big Fish Games Toolbar Installer
2012-05-03 18:22 . 2012-05-03 18:22 -------- d-----w- c:\program files\Common Files\Java
2012-05-03 18:16 . 2012-05-03 18:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-03 18:16 . 2012-05-03 18:16 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-03 18:16 . 2012-05-03 18:16 -------- d-----w- c:\program files\Java
2012-04-30 18:10 . 2012-04-30 18:10 -------- d-----w- c:\documents and settings\Dad\Application Data\.minecraft
2012-04-27 04:28 . 2012-04-27 04:28 -------- d-----w- c:\program files\Singular Inversions
2012-04-26 01:35 . 2012-04-26 01:35 -------- d-----w- c:\program files\HyperCam 2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-03 18:16 . 2011-08-26 13:43 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-20 13:19 . 2012-03-30 12:44 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-20 13:19 . 2011-12-06 14:31 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2011-08-13 22:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 23:11 . 2012-03-05 23:11 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2012-03-04 05:05 . 2012-03-04 05:05 473656 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-03-03 21:08 . 2012-03-03 21:08 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-02-23 17:43 . 2012-02-15 18:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-23_21.07.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-25 16:37 . 2012-05-25 16:37 16384 c:\windows\temp\Perflib_Perfdata_c8c.dat
+ 2012-05-25 16:39 . 2012-05-25 16:39 16384 c:\windows\temp\Perflib_Perfdata_5bc.dat
+ 2004-08-04 10:00 . 2012-05-25 16:44 80860 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2012-05-23 21:09 80860 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2012-05-25 16:44 484504 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2012-05-23 21:09 484504 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\jax2323\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Documents and Settings\\Jax\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Jax\\Application Data\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dear esther\\dearesther.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56133:TCP"= 56133:TCP:Pando Media Booster
"56133:UDP"= 56133:UDP:Pando Media Booster
"56466:TCP"= 56466:TCP:Pando Media Booster
"56466:UDP"= 56466:UDP:Pando Media Booster
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 HitachiBackupService;Hitachi Backup Service;c:\program files\Hitachi\Hitachi Backup\HitachiBackupService.exe [6/6/2010 8:08 PM 53760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 8:44 AM 253088]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Dad\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Dad\LOCALS~1\Temp\CFcatchme.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/29/2012 7:32 PM 30576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 13:19]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004Core.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004UA.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2011-11-03 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-08-08 02:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\kr55hf9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-25 12:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\WININET.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\locator.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-25 12:46:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-25 16:46
ComboFix2.txt 2012-05-23 21:12
ComboFix3.txt 2012-05-23 01:55
.
Pre-Run: 40,521,797,632 bytes free
Post-Run: 40,519,852,032 bytes free
.
- - End Of File - - E7A45FC0C1FD83FD81D78D93B6B8EB12
Upload was successful


OTL:

OTL logfile created on: 5/25/2012 12:52:56 PM - Run 2
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Documents and Settings\Dad\Desktop\security
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.81 Gb Available Physical Memory | 86.44% Memory free
5.09 Gb Paging File | 4.85 Gb Available in Paging File | 95.36% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 37.77 Gb Free Space | 25.34% Space Free | Partition Type: NTFS

Computer Name: COMP108 | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 360 Days

========== Files - Modified Within 360 Days ==========

[2012/05/25 12:44:05 | 000,484,504 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/25 12:44:05 | 000,080,860 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/25 12:42:07 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/25 12:42:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/25 12:39:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/25 12:11:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500UA.job
[2012/05/25 12:04:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/25 11:20:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004UA.job
[2012/05/25 11:12:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003UA.job
[2012/05/25 11:11:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500Core.job
[2012/05/24 19:20:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004Core.job
[2012/05/24 14:02:22 | 000,109,056 | ---- | M] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/24 03:30:03 | 000,082,059 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\1337844381030.png
[2012/05/24 00:12:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003Core.job
[2012/05/23 22:14:57 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Google Chrome.lnk
[2012/05/22 19:59:45 | 000,000,328 | RHS- | M] () -- C:\boot.ini
[2012/05/16 01:01:49 | 000,393,073 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\HALFLIFE DESK.jpg
[2012/05/14 14:58:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/10 04:08:24 | 000,164,499 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\DR Seuss clarified.jpg
[2012/05/06 14:20:57 | 000,004,096 | ---- | M] () -- C:\WINDOWS\d3dx.dat
[2012/05/06 14:20:39 | 000,001,644 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play Grimm's Hatchery.lnk
[2012/05/06 14:18:54 | 000,000,059 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\user.ini
[2012/04/30 15:41:04 | 004,548,608 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Rodrigo y Gabriela - Stairway to Heaven.mp3
[2012/04/30 08:07:54 | 002,205,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/04/25 21:47:29 | 000,071,140 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/04/25 21:37:58 | 040,967,366 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\clip0001.avi
[2012/04/21 13:48:59 | 000,002,594 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\SAS7_000.DAT
[2012/04/13 23:20:15 | 000,000,262 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\Enyo.html
[2012/04/09 17:36:57 | 000,000,673 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/01 05:53:21 | 000,000,474 | ---- | M] () -- C:\user.js
[2012/03/27 10:32:36 | 000,065,536 | ---- | M] () -- C:\WINDOWS\System32\kr55hf9q.default.dat
[2012/03/27 02:14:44 | 000,000,032 | ---- | M] () -- C:\WINDOWS\System32\blckdom.res
[2012/03/26 23:58:22 | 000,000,234 | ---- | M] () -- C:\WINDOWS\System32\urhtps.dat
[2012/03/25 14:30:51 | 734,701,568 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\After Hours (1985).avi
[2012/03/18 17:44:58 | 000,210,824 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\Muvico Employment Application.pdf
[2012/03/10 16:33:38 | 000,000,248 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to march.lnk
[2012/03/04 01:25:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\vpd.properties
[2012/03/03 17:08:54 | 000,108,144 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2012/02/15 11:27:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2012/02/15 11:24:17 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/02/05 18:50:56 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\InfraRecorder.lnk
[2012/02/05 16:52:57 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Revo Uninstaller.lnk
[2012/02/01 10:10:13 | 000,000,126 | ---- | M] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\fusioncache.dat
[2012/01/04 13:28:04 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/12/31 03:25:52 | 000,000,040 | ---- | M] () -- C:\Documents and Settings\Dad\jagex_cl_runescape_LIVE.dat
[2011/11/17 15:45:04 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\RunAsDate.exe
[2011/11/11 09:52:21 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/10 17:08:38 | 000,001,552 | ---- | M] () -- C:\WINDOWS\System32\FCAgent.ini
[2011/11/08 16:45:28 | 000,399,504 | ---- | M] () -- C:\WINDOWS\System32\FCAgent32.dll
[2011/11/02 22:00:23 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\prismShakeIcon.job
[2011/10/26 10:05:28 | 000,000,129 | ---- | M] () -- C:\Documents and Settings\Dad\jagex_runescape_preferences2.dat
[2011/10/26 10:05:04 | 000,000,035 | ---- | M] () -- C:\Documents and Settings\Dad\jagex_runescape_preferences.dat
[2011/10/17 15:13:03 | 000,010,240 | ---- | M] (Olof Lagerkvist) -- C:\WINDOWS\System32\imdsksvc.exe
[2011/09/29 08:21:08 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Cheat Engine.lnk
[2011/09/20 17:45:53 | 000,000,109 | ---- | M] () -- C:\WINDOWS\GMouse.ini
[2011/09/05 22:58:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Dad\񀿉
[2011/09/05 20:47:23 | 000,157,744 | ---- | M] () -- C:\WINDOWS\hpoins28.dat
[2011/08/07 18:43:52 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2011/08/07 18:03:43 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/08/07 16:20:38 | 000,072,748 | ---- | M] (Jordan Russell) -- C:\WINDOWS\unins000.exe
[2011/08/07 16:20:38 | 000,000,654 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2011/08/05 20:16:01 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/08/05 15:59:38 | 000,307,200 | ---- | M] (FLV.com) -- C:\WINDOWS\System32\TubeFinder.exe
[2011/08/05 15:32:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\ativpsrm.bin
[2011/08/05 05:15:46 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/08/05 05:13:50 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2011/08/05 05:12:59 | 000,000,261 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2011/08/05 05:09:50 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/08/05 05:09:50 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/08/05 05:09:50 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/08/05 05:09:50 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/08/05 05:09:50 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/08/05 05:09:45 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/08/05 05:09:45 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/08/05 05:09:29 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2011/08/05 05:05:10 | 000,021,640 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2011/06/13 12:07:00 | 004,121,080 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== LOP Check ==========

[2012/03/12 22:50:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/10/23 21:02:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2012/03/04 00:51:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2012/03/19 14:33:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elephant Games
[2011/11/10 17:07:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCenter
[2011/08/05 05:42:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitachi GST
[2011/11/19 12:42:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2011/11/19 12:41:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2011/08/07 17:56:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MagicSoftware
[2011/08/08 19:14:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2011/10/23 21:45:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2012/04/13 10:10:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2011/10/23 21:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2011/08/20 07:11:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/04/30 14:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\.minecraft
[2012/02/02 03:31:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\4C908
[2012/03/05 19:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Bioshock
[2012/05/24 13:04:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\BitTorrent
[2011/11/18 04:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\CEEKK8gRZ9hXwUV
[2011/10/23 21:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\DAEMON Tools Lite
[2012/03/04 00:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\DAEMON Tools Pro
[2012/03/19 10:52:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\EleFun Games
[2012/03/19 14:33:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Elephant Games
[2011/11/13 14:45:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\FFP
[2011/12/05 22:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\GetRightToGo
[2012/02/05 19:04:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\InfraRecorder
[2012/03/13 14:33:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Media Finder
[2011/10/23 21:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Nuance
[2011/11/18 04:23:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\nxAA00uvS2ib3pG
[2012/03/04 00:52:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\OpenCandy
[2012/03/12 23:39:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Orneon
[2011/11/18 04:23:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\QllOBBtxP0c
[2011/11/18 04:23:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\RccS22ibD3pn5aH
[2012/05/17 16:18:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\.minecraft
[2012/05/19 14:59:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\Audacity
[2012/05/22 19:57:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\BitTorrent
[2012/04/27 00:29:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\FaceGen
[2011/09/26 21:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\FFP
[2011/11/15 19:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\FileCenter
[2011/09/26 20:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\FreeFLVConverter
[2011/10/23 22:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\Nuance
[2012/05/22 18:37:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\Processing
[2012/05/22 19:51:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\Spotify
[2012/05/03 16:56:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\Toolbar4
[2011/11/02 22:00:23 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\prismShakeIcon.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Dad\My Documents\My Videos:Roxio EMC Stream

< End of report >
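The OTL report above lists four folders under Dad\Application Data with random-looking names (CEEKK8gRZ9hXwUV, nxAA00uvS2ib3pG, QllOBBtxP0c and RccS22ibD3pn5aH), all stamped within seven seconds of each other on 2011/11/18. The Python script below is an added example, not part of this thread and not OTL or ComboFix code: it parses OTL "LOP Check" directory lines, flags folder names that look machine generated (digits mixed with upper- and lower-case letters and many class changes), and groups the hits by timestamp so a batch of folders dropped in one go shows up as a single event. The transition threshold and the 60-second window are assumed values chosen for this log; the sample lines are copied from the report above.

```python
"""Triage helper for the OTL 'LOP Check' section.

Added example; not part of the original thread and not OTL or ComboFix
code. Parses OTL-style directory lines, flags folder names that look
machine generated, and clusters the flagged folders by timestamp.
The scoring threshold and the 60-second window are assumptions.
"""
import re
from datetime import datetime, timedelta

# OTL line layout: [YYYY/MM/DD HH:MM:SS | size | attrs | M] [()] -- path
# (M = modified time in this report; OTL can also emit C for created)
OTL_LINE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| (\S{4}) \| [MC]\]"
    r"(?: \([^)]*\))? -- (.+)$"
)
# Installer GUID folders are common and legitimate; they are never scored.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Lines copied from the OTL report posted above.
SAMPLE_LOG = r"""
[2012/03/12 22:50:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/08/20 07:11:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/04/30 14:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\.minecraft
[2012/02/02 03:31:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\4C908
[2011/11/18 04:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\CEEKK8gRZ9hXwUV
[2011/12/05 22:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\GetRightToGo
[2011/11/18 04:23:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\nxAA00uvS2ib3pG
[2011/11/18 04:23:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\QllOBBtxP0c
[2011/11/18 04:23:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\RccS22ibD3pn5aH
[2011/09/26 20:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\FreeFLVConverter
[2012/05/03 16:56:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jax\Application Data\Toolbar4
[2011/11/02 22:00:23 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\prismShakeIcon.job
"""


def class_transitions(name: str) -> int:
    """Count adjacent character pairs whose class (upper/lower/digit/other) changes."""
    def cls(ch: str) -> str:
        if ch.isupper():
            return "U"
        if ch.islower():
            return "L"
        if ch.isdigit():
            return "D"
        return "O"
    classes = [cls(c) for c in name]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def looks_generated(name: str, min_transitions: int = 5) -> bool:
    """Heuristic (assumed threshold): has digits, flips class often, is not a GUID.

    Names containing spaces are ordinary product folders and are skipped;
    CamelCase vendor names without digits (GetRightToGo) are skipped too.
    """
    if GUID_NAME.match(name) or " " in name:
        return False
    if not any(c.isdigit() for c in name):
        return False
    return class_transitions(name) >= min_transitions


def parse_dirs(log_text: str):
    """Yield (timestamp, full_path) for directory entries (attrs containing D)."""
    for line in log_text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        ts, attrs, path = m.groups()
        if "D" not in attrs:
            continue
        yield datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), path


def flag_suspicious(log_text: str):
    """Return flagged (timestamp, path) pairs sorted by timestamp."""
    return sorted((ts, p) for ts, p in parse_dirs(log_text)
                  if looks_generated(p.rsplit("\\", 1)[-1]))


def cluster_by_time(flagged, window: timedelta = timedelta(seconds=60)):
    """Group consecutive flagged entries whose timestamps are within `window` of the previous one."""
    clusters, current = [], []
    for ts, path in flagged:
        if current and ts - current[-1][0] > window:
            clusters.append(current)
            current = []
        current.append((ts, path))
    if current:
        clusters.append(current)
    return clusters


if __name__ == "__main__":
    for group in cluster_by_time(flag_suspicious(SAMPLE_LOG)):
        print(f"{len(group)} random-named folders around {group[0][0]}:")
        for ts, path in group:
            print(f"  {ts}  {path}")
```

Run it as a script to print the clusters, or import it and call flag_suspicious() on a saved OTL.txt. A single cluster of several random-named folders written seconds apart is a good candidate list for a DirLook:: check in the next ComboFix run, which is exactly how the three Dad\Application Data folders are followed up later in this thread.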

#13 depierce

  • Topic Starter
  • Members
  • 44 posts

Posted 25 May 2012 - 12:05 PM

Btw, I will be out of town Saturday the 26th, and unlikely to post any responses. What's our ETA on wrapping this up? "Pretty close" or "Still lots to do"?

Edited by depierce, 25 May 2012 - 12:07 PM.


#14 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 25 May 2012 - 06:00 PM

depierce,

Please open notepad and copy/paste the text in the box below into it:

DirLook::
C:\Documents and Settings\Dad\Application Data\CEEKK8gRZ9hXwUV
C:\Documents and Settings\Dad\Application Data\nxAA00uvS2ib3pG
C:\Documents and Settings\Dad\Application Data\RccS22ibD3pn5aH

Save this as CFScript.txt


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

If prompted to update Combofix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.


I'm not sure when we will be finished working on your computer. We're closer to being finished than we were when we started, but I still have not determined why Combofix still says you're infected. That's fine if we cannot work on your computer on Saturday. :)
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#15 depierce

  • Topic Starter
  • Members
  • 44 posts

Posted 27 May 2012 - 09:21 AM

ComboFix 12-05-27.01 - Dad 05/27/2012 10:03:35.16.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2922 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\security\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\security\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-04-27 to 2012-05-27 )))))))))))))))))))))))))))))))
.
.
2012-05-22 23:36 . 2012-05-22 23:42 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-05-07 05:43 . 2012-05-07 05:43 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Vidalia
2012-05-06 18:42 . 2012-05-06 18:42 -------- d-----w- c:\program files\Auto Clicker
2012-05-06 18:20 . 2012-05-06 18:20 -------- d-----w- c:\program files\Grimm's Hatchery
2012-05-06 18:18 . 2012-05-06 18:18 -------- d-----w- c:\program files\Big Fish Games Toolbar Installer
2012-05-03 18:22 . 2012-05-03 18:22 -------- d-----w- c:\program files\Common Files\Java
2012-05-03 18:16 . 2012-05-03 18:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-03 18:16 . 2012-05-03 18:16 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-03 18:16 . 2012-05-03 18:16 -------- d-----w- c:\program files\Java
2012-04-30 18:10 . 2012-04-30 18:10 -------- d-----w- c:\documents and settings\Dad\Application Data\.minecraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-03 18:16 . 2011-08-26 13:43 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-20 13:19 . 2012-03-30 12:44 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-20 13:19 . 2011-12-06 14:31 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2011-08-13 22:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-05 23:11 . 2012-03-05 23:11 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2012-03-04 05:05 . 2012-03-04 05:05 473656 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-03-03 21:08 . 2012-03-03 21:08 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-02-23 17:43 . 2012-02-15 18:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Dad\Application Data\CEEKK8gRZ9hXwUV ----
.
.
---- Directory of c:\documents and settings\Dad\Application Data\nxAA00uvS2ib3pG ----
.
.
---- Directory of c:\documents and settings\Dad\Application Data\RccS22ibD3pn5aH ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-23_21.07.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-27 14:12 . 2012-05-27 14:12 16384 c:\windows\temp\Perflib_Perfdata_ca4.dat
+ 2012-05-27 14:14 . 2012-05-27 14:14 16384 c:\windows\temp\Perflib_Perfdata_4f0.dat
+ 2004-08-04 10:00 . 2012-05-27 14:06 80860 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2012-05-23 21:09 80860 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2012-05-27 14:06 484504 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2012-05-23 21:09 484504 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\jax2323\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Dad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Documents and Settings\\Jax\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Jax\\Application Data\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dear esther\\dearesther.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56133:TCP"= 56133:TCP:Pando Media Booster
"56133:UDP"= 56133:UDP:Pando Media Booster
"56466:TCP"= 56466:TCP:Pando Media Booster
"56466:UDP"= 56466:UDP:Pando Media Booster
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 HitachiBackupService;Hitachi Backup Service;c:\program files\Hitachi\Hitachi Backup\HitachiBackupService.exe [6/6/2010 8:08 PM 53760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 8:44 AM 253088]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\Dad\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\Dad\LOCALS~1\Temp\CFcatchme.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/29/2012 7:32 PM 30576]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 13:19]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1003UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 21:33]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004Core.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-1004UA.job
- c:\documents and settings\Jax\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-07 22:54]
.
2012-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-606747145-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-15 16:06]
.
2011-11-03 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2011-08-08 02:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\kr55hf9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-27 10:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2596)
c:\windows\system32\WININET.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\ImgUtil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\locator.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-05-27 10:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-27 14:19
ComboFix2.txt 2012-05-26 14:36
ComboFix3.txt 2012-05-25 16:50
ComboFix4.txt 2012-05-23 21:12
ComboFix5.txt 2012-05-27 13:56
.
Pre-Run: 14,563,958,784 bytes free
Post-Run: 14,562,258,944 bytes free
.
- - End Of File - - 3FB21EDCF70C3C85670EF3FCA2323B99



