Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Google Redirect problem + Something (don't know) [Solved]


  • This topic is locked This topic is locked

#1
sudz

sudz

    New Member

  • Member
  • Pip
  • 8 posts
Hi - basically, one of my computers has gotten the Google Redirect virus quite a while back (I'm talking March 30th here), but I've been so busy doing other things that I haven't had the time to post logs on it until now. I should also mention that the infected computer managed to infect itself with thousands of copies of Trojan.KillAV all originating from a single file C:\Windows\sig.mjc overnight (April 7th/8th). All currently in quarantine. But because of this, I don't want to have that computer online or on network until I can resolve this problem.

NOTE: I have been running scans on my computer (Symantec Antivirus, Ad-ware, Spybot, Malwarebytes, Kaspersky) and Malwarebytes and Kaspersky in particular has caught several infections - relsolving these infections did not stop my problem. (In fact, my Trojan.KillAV infection was after I detected a whole slew of infections with Malwarebytes). I do have the logs of all the scans I have done between March 30th to April 17th just in case anyone wants them.

OTListIt Log - <I've did it for 60 days - Sorry!>
OTListIt logfile created on: 17/04/2009 10:59:13 AM - Run 5
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = L:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

511.48 Mb Total Physical Memory | 122.22 Mb Available Physical Memory | 23.89% Memory free
1.22 Gb Paging File | 0.89 Gb Available in Paging File | 73.05% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 4.31 Gb Free Space | 22.05% Space Free | Partition Type: NTFS
Drive D: | 17.73 Gb Total Space | 12.14 Gb Free Space | 68.44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 233.76 Gb Total Space | 25.41 Gb Free Space | 10.87% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 3.80 Gb Total Space | 1.46 Gb Free Space | 38.57% Space Free | Partition Type: FAT32

Computer Name: PENGUIN
Current User Name: Candy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 60 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\Ati2evxx.exe ()
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
PRC - C:\Program Files\Norton AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Norton AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\UAService7.exe ()
PRC - C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
PRC - C:\WINDOWS\System32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\Ati2evxx.exe ()
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - L:\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\System32\Ati2evxx.exe ()
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (ccEvtMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DefWatch [Auto | Running]) -- C:\Program Files\Norton AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (EPSONStatusAgent2 [Auto | Running]) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Lavasoft Ad-Aware Service [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
SRV - (lxby_device [On_Demand | Stopped]) -- C:\WINDOWS\system32\lxbycoms.exe (Lexmark International, Inc.)
SRV - (SavRoam [On_Demand | Stopped]) -- C:\Program Files\Norton AntiVirus\SavRoam.exe (symantec)
SRV - (SPBBCSvc [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Norton AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (UserAccess7 [Auto | Running]) -- C:\WINDOWS\system32\UAService7.exe ()
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (winvnc [Auto | Running]) -- C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ctac32k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctljystk [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ctljystk.sys (Creative Technology Ltd.)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (DLH5X [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\DLH5XND5.sys (D-Link Corporation)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (emu10k [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)
DRV - (emu10k1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)
DRV - (emupia [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (FsVga [System | Running]) -- C:\WINDOWS\system32\DRIVERS\fsvga.sys (Microsoft Corporation)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (HCF_MSFT [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys (Conexant)
DRV - (hidgame [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\hidgame.sys (Microsoft Corporation)
DRV - (imagedrv [Boot | Running]) -- C:\WINDOWS\System32\Drivers\imagedrv.sys (Ahead Software AG)
DRV - (imagesrv [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys (Ahead Software AG)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (NAVENG [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090407.003\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090407.003\NAVEX15.SYS (Symantec Corporation)
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\System32\PfModNT.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (QCDonner [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\LVCD.sys (Logitech Inc.)
DRV - (RT25USBAP [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\rt25usbap.sys (Ralink Technology Inc.)
DRV - (SAVRT [System | Running]) -- C:\Program Files\Norton AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SAVRTPEL [System | Running]) -- C:\Program Files\Norton AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (sfman [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)
DRV - (sfsync02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfvfs02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (SONYPVU1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (SPBBCDrv [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (sptd [Boot | Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (vnccom [Auto | Running]) -- C:\WINDOWS\System32\Drivers\vnccom.SYS (RDV Soft)
DRV - (vncdrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\vncdrv.sys (RDV Soft)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/02 20:22:11 | 00,000,000 | ---D | M]


O1 HOSTS File: (62929 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.altnetp2p.com
O1 - Hosts: 127.0.0.1 www.bonzi.com
O1 - Hosts: 127.0.0.1 www.brilliantdigital.com
O1 - Hosts: 127.0.0.1 www.b3d.com
O1 - Hosts: 127.0.0.1 ad.dk.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.es.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.fr.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.it.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.jp.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.kr.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.linkexchange.com
O1 - Hosts: 127.0.0.1 ad.linksynergy.com
O1 - Hosts: 127.0.0.1 ad.nl.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.no.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.preferences.com
O1 - Hosts: 127.0.0.1 ad.se.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.sma.punto.net
O1 - Hosts: 127.0.0.1 ad.uk.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.webprovider.com
O1 - Hosts: 127.0.0.1 ad08.focalink.com
O1 - Hosts: 127.0.0.1 ad1.adcept.net
O1 - Hosts: 127.0.0.1 ad2.adcept.net
O1 - Hosts: 127.0.0.1 ad3.adcept.net
O1 - Hosts: 1817 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll (Symantec Corporation)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll (Symantec Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe (Symantec Corporation)
O9 - Extra Button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - F:\Paltalk\Paltalk.exe (AVM Software Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} http://zone.msn.com/...nx.1.0.0.67.cab (CPlayFirstTriJinxControl Object)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by108fd.bay10...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {62D21B0B-D96F-45F7-968E-7DC16E31FE57} http://tcrew.gamenga...oinActiveXE.cab (DazoinControl Class)
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} http://zone.msn.com/...h2.1.0.0.55.cab (CPlayFirstDinerDash2Control Object)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.su...ows-i586-jc.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} http://dist.globalga...ffyLauncher.cab (NeffyLauncherCtl Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} http://sympatico.zon...ersion=1,0,0,10 (AstoundLauncher Control)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: ActiveGS.cab http://www.virtualap...rg/activegs.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: RaptisoftGameLoader http://www.miniclip....tgameloader.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Cribbage http://download.game...nts/y/it1_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Euchre http://download.game...nts/y/et1_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Go http://download.game...nts/y/gt2_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Go Fish http://download.game...nts/y/zt3_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Graffiti http://download.game...ts/y/grt5_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! MahJong http://download.game...nts/y/ot0_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! MahJong Solitaire http://download.game...s/y/mjst3_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Word Racer http://download.game...nts/y/wt0_x.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\wesiluya.dll) - C:\WINDOWS\system32\wesiluya.dll File not found
O20 - AppInit_DLLs: (zufizc.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\yanasiba.dll) - c:\windows\system32\yanasiba.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll ()
O20 - Winlogon\Notify\iassdo32: DllName - iassdo32.dll - File not found
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell - "" = AutoRun
O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell\AutoRun\command - "" = I:\TTconfig.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 60 Days ==========

[2009/04/04 00:03:47 | 00,015,234 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Curly Brace.bmp
[2009/04/03 16:43:06 | 00,005,893 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 16-43.html
[2009/04/03 13:58:18 | 00,005,354 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 13-58.html
[2009/04/03 10:44:29 | 00,003,880 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 10-44.html
[2009/03/31 17:35:36 | 53,639,9872 | -HS- | C] () -- C:\hiberfil.sys
[2009/03/31 13:59:25 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/30 19:25:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Candy\Application Data\Malwarebytes
[2009/03/30 19:25:26 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/30 19:25:23 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/30 19:25:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/29 18:58:06 | 24,768,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/25 00:37:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/03/04 17:34:35 | 00,002,713 | -HS- | C] () -- C:\WINDOWS\System32\nupotuku.exe
[2009/02/23 11:19:02 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/02/22 19:07:32 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2009/02/21 21:39:48 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/02/21 21:39:37 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/21 21:38:23 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/21 21:38:11 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/02/21 21:38:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/02/21 21:36:29 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/02/21 21:33:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/02/21 21:26:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Candy\Local Settings\Application Data\Symantec
[2009/02/21 21:25:48 | 00,109,744 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/02/21 21:25:48 | 00,048,816 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/02/21 21:25:35 | 00,466,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\capicom.dll
[2008/08/29 23:05:06 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/08/29 23:05:06 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/11/01 23:46:23 | 00,000,203 | ---- | C] () -- C:\WINDOWS\GSdx9.INI
[2007/09/26 22:33:38 | 00,002,528 | ---- | C] () -- C:\WINDOWS\FCIC.INI
[2007/09/07 19:41:01 | 00,000,263 | ---- | C] () -- C:\WINDOWS\YODESK.INI
[2007/08/28 19:06:58 | 00,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/08/03 23:22:52 | 00,037,376 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/01/08 02:15:25 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\nod.dll
[2007/01/08 02:14:56 | 00,005,244 | ---- | C] () -- C:\WINDOWS\System32\fscflist.ini
[2007/01/08 02:14:53 | 00,000,073 | ---- | C] () -- C:\WINDOWS\System32\fscagent.ini
[2006/05/03 15:23:13 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/12/04 21:04:54 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2005/12/04 21:04:54 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2005/12/04 21:01:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbyvs.dll
[2005/11/13 19:02:59 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/10/06 22:36:47 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\GIF89.DLL
[2005/10/06 22:36:02 | 00,000,467 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/08/26 15:04:50 | 00,000,120 | ---- | C] () -- C:\WINDOWS\B&ARROW.INI
[2005/04/20 14:43:46 | 00,192,577 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2004/09/19 09:47:33 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/07/11 19:01:39 | 00,000,386 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/06/11 01:27:12 | 00,131,072 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[2004/06/10 22:46:34 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/06/06 12:53:42 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/06/05 12:56:16 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/04/05 22:14:31 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\e0893c13.dll
[2004/01/16 03:21:36 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\031d2b86.dll
[2003/12/24 02:18:40 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2003/12/24 02:18:40 | 00,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2003/12/13 18:46:58 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/10/19 13:04:48 | 00,000,545 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/09/22 00:39:55 | 00,003,715 | ---- | C] () -- C:\WINDOWS\MTB12ST.INI
[2003/09/16 11:52:28 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/09/16 11:43:31 | 00,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 11:41:43 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/07/04 23:29:49 | 00,000,192 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/07/04 23:29:14 | 00,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2003/07/04 23:13:57 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/07/04 19:15:02 | 00,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2003/07/04 19:14:00 | 00,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2003/07/04 11:52:19 | 00,000,033 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2003/07/04 03:25:39 | 00,000,128 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/07/04 03:25:38 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2003/07/04 03:25:19 | 00,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2003/07/04 03:25:19 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2002/10/06 14:42:57 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/08/29 04:40:50 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\dbmsadsn.dll
[2002/03/22 12:40:00 | 00,126,976 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.VSFlex7L.dll
[2001/08/23 12:00:00 | 00,000,723 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 12:00:00 | 00,000,435 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Files - Modified Within 60 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/04/17 10:54:46 | 00,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/17 10:53:32 | 00,000,431 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2009/04/17 10:53:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/17 10:53:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/17 10:53:05 | 53,639,9872 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/10 15:22:08 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/10 15:22:08 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/10 15:22:08 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/10 15:22:08 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/10 15:22:08 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/04/10 15:22:08 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/04/10 15:22:08 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80641102}.dat
[2009/04/10 15:22:08 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80641102}.dat
[2009/04/08 22:46:39 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/08 22:46:35 | 00,227,840 | ---- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/07 07:31:06 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/06 23:08:42 | 00,000,568 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\My Sharing Folders.lnk
[2009/04/06 20:39:23 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/05 13:35:07 | 00,000,288 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2009/04/05 08:00:37 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2009/04/04 00:03:47 | 00,015,234 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Curly Brace.bmp
[2009/04/03 16:43:06 | 00,005,893 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 16-43.html
[2009/04/03 13:58:18 | 00,005,354 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 13-58.html
[2009/04/03 10:44:29 | 00,003,880 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 10-44.html
[2009/03/31 14:20:26 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/29 20:17:10 | 00,062,929 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/29 19:03:59 | 00,365,704 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2009/03/29 12:41:49 | 00,365,704 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090329-201710.backup
[2009/03/28 23:52:16 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/03/27 23:58:05 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\PUTTY.RND
[2009/03/27 01:36:25 | 00,000,263 | ---- | M] () -- C:\WINDOWS\YODESK.INI
[2009/03/26 16:49:56 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/26 16:49:50 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/26 01:51:16 | 00,000,192 | ---- | M] () -- C:\WINDOWS\Winamp.ini
[2009/03/08 22:14:11 | 00,480,096 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/08 22:14:11 | 00,408,000 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/08 22:14:11 | 00,064,404 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/05 02:03:58 | 00,364,422 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090329-124149.backup
[2009/03/05 01:50:10 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/05 01:40:50 | 00,000,723 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/05 01:40:50 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/03/04 22:15:16 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\ruwikeyo
[2009/03/04 17:34:35 | 00,002,713 | -HS- | M] () -- C:\WINDOWS\System32\nupotuku.exe
[2009/03/04 09:20:02 | 00,364,328 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090305-010358.backup
[2009/03/04 01:17:42 | 00,000,386 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2009/02/25 12:55:00 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/22 00:15:37 | 03,717,944 | -H-- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\IconCache.db
[2009/02/21 21:39:24 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/02/21 21:38:23 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/21 21:33:05 | 00,000,000 | ---- | M] () -- C:\WINDOWS\vpc32.INI
[2009/02/21 18:59:30 | 03,374,937 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-0000000A-00001102-00000002-80641102}.CDF
[2009/02/21 18:59:30 | 03,374,937 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-0000000A-00001102-00000002-80641102}.BAK
< End of report >


Rooter Rookit Log
Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:20002 Mo/Free:279 Mo)
D:\ [Fixed] - NTFS - (Total:18159 Mo/Free:139 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Fixed] - NTFS - (Total:239366 Mo/Free:1443 Mo)
G:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
H:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)
L:\ [Removable] (Total:3886 Mo/Free:1498 Mo)

17/04/2009|11:19

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\System32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
---------- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Norton AntiVirus\DefWatch.exe
---------- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Norton AntiVirus\Rtvscan.exe
---------- C:\WINDOWS\system32\UAService7.exe
---------- C:\Program Files\UltraVNC\WinVNC.exe
---------- C:\WINDOWS\System32\wbem\unsecapp.exe
---------- C:\WINDOWS\System32\wbem\wmiprvse.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\QuickTime\qttask.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- L:\OTListIt2.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - 31/03/2009|14:00
2 - "C:\Rooter$\Rooter_2.txt" - 31/03/2009|14:02
3 - "C:\Rooter$\Rooter_3.txt" - 31/03/2009|14:32
4 - "C:\Rooter$\Rooter_4.txt" - 02/04/2009|19:58
5 - "C:\Rooter$\Rooter_5.txt" - 03/04/2009|21:12
6 - "C:\Rooter$\Rooter_6.txt" - 05/04/2009| 0:37
7 - "C:\Rooter$\Rooter_7.txt" - 08/04/2009|22:41
8 - "C:\Rooter$\Rooter_8.txt" - 17/04/2009|11:20

----------------------\\ Scan completed at 11:20


Thanks! (And sorry if I take a day to reply - very busy life!)
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
can you post the contents of C:\Rooter$\Rooter_1.txt
  • 0

#3
sudz

sudz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Sorry - I don't seem to have Rooter_1.txt with me - I might have deleted it or something. I do have Rooter_2.txt with me though.

Also - I don't know if this is worth mentioning - but Malwarebytes did pick up a Rootkit.Trace on March 31st in a scan that was at 12:17pm - the main reason why I decided to test for Rootkits to begin with. My first Rootkit test was also after Malware's detection.

Sorry! And thank you!

Rooter Rootkit Log <March 31st - Rooter_2.txt>
Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:20002 Mo/Free:4009 Mo)
D:\ [Fixed] - NTFS - (Total:18159 Mo/Free:110 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Fixed] - NTFS - (Total:239366 Mo/Free:1400 Mo)
G:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)
K:\ [Removable] (Total:982 Mo/Free:830 Mo)
L:\ [Removable] (Total:3886 Mo/Free:1498 Mo)

31/03/2009|14:02

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - 31/03/2009|14:00
2 - "C:\Rooter$\Rooter_2.txt" - 31/03/2009|14:02
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post



Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.
  • 0

#5
sudz

sudz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Got some problems with RootRepeal.

First thing is that each time I open RootRepeal, it comes up with an error message that says (Could not find the kernel on disk "C:\WINDOWS\system32\ntoskrnl.exe"). However, I've looked in that directory, and that file is definitely there.

Second thing is that when RootRepeal tries to do an entire scan, it crashes. I decided to scan it tab by tab, and found out that it crashes when it tries to scan SSDT and when it tries to scan Hidden Services (I do have the crash logs). I have managed to scan the others without problems - I will post them. GooredLog will be in my next post.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/18 13:29
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF8345000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB23B2000 Size: 138496 File Visible: -
Status: -

Name: amdk7.sys
Image Path: C:\WINDOWS\System32\DRIVERS\amdk7.sys
Address: 0xF8706000 Size: 37760 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF82D7000 Size: 98304 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF049000 Size: 229376 File Visible: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF012000 Size: 225280 File Visible: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ati2mtag.sys
Address: 0xF7D5C000 Size: 860160 File Visible: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF081000 Size: 2158592 File Visible: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF290000 Size: 520192 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF8B54000 Size: 3072 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8A30000 Size: 4224 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF88C6000 Size: 12288 File Visible: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB25D6000 Size: 63744 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF8566000 Size: 62976 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF8506000 Size: 53248 File Visible: -
Status: -

Name: ctac32k.sys
Image Path: C:\WINDOWS\System32\drivers\ctac32k.sys
Address: 0xB2745000 Size: 85728 File Visible: -
Status: -

Name: ctaud2k.sys
Image Path: C:\WINDOWS\system32\drivers\ctaud2k.sys
Address: 0xF7BF2000 Size: 488544 File Visible: -
Status: -

Name: ctoss2k.sys
Image Path: C:\WINDOWS\system32\drivers\ctoss2k.sys
Address: 0xF7B92000 Size: 101792 File Visible: -
Status: -

Name: ctprxy2k.sys
Image Path: C:\WINDOWS\System32\drivers\ctprxy2k.sys
Address: 0xF89DA000 Size: 5632 File Visible: -
Status: -

Name: ctsfm2k.sys
Image Path: C:\WINDOWS\System32\drivers\ctsfm2k.sys
Address: 0xB270D000 Size: 125280 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF84F6000 Size: 36352 File Visible: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF82EF000 Size: 153344 File Visible: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF89BC000 Size: 5888 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF8716000 Size: 61440 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB21D4000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A76000 Size: 8192 File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF7E36000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8B40000 Size: 4096 File Visible: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xB2231000 Size: 385024 File Visible: -
Status: -

Name: emupia2k.sys
Image Path: C:\WINDOWS\System32\drivers\emupia2k.sys
Address: 0xB272C000 Size: 98720 File Visible: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0xB2214000 Size: 118784 File Visible: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB0CF8000 Size: 143744 File Visible: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF883E000 Size: 27392 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7A77000 Size: 44544 File Visible: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF885E000 Size: 20480 File Visible: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF82B7000 Size: 129792 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8A24000 Size: 7936 File Visible: -
Status: -

Name: fsvga.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fsvga.sys
Address: 0xF813C000 Size: 12160 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8315000 Size: 125056 File Visible: -
Status: -

Name: gameenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Address: 0xF814C000 Size: 10624 File Visible: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Address: 0xF8836000 Size: 28672 File Visible: -
Status: -

Name: ha10kx2k.sys
Image Path: C:\WINDOWS\system32\drivers\ha10kx2k.sys
Address: 0xB275A000 Size: 675872 File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: -
Status: -

Name: HCF_MSFT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
Address: 0xF7C6A000 Size: 907456 File Visible: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Address: 0xF8876000 Size: 28672 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB1151000 Size: 264832 File Visible: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF8726000 Size: 52480 File Visible: -
Status: -

Name: imagedrv.sys
Image Path: imagedrv.sys
Address: 0xF89BE000 Size: 5888 File Visible: -
Status: -

Name: imagesrv.sys
Image Path: imagesrv.sys
Address: 0xF8373000 Size: 127488 File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF8556000 Size: 42112 File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xB232A000 Size: 152832 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xB2455000 Size: 75264 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF84B6000 Size: 37248 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF882E000 Size: 24576 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF89B6000 Size: 8192 File Visible: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB0CCD000 Size: 172416 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF7BAB000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF828E000 Size: 92288 File Visible: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF8516000 Size: 57472 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8A34000 Size: 4224 File Visible: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF880E000 Size: 30080 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF8826000 Size: 23040 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF84C6000 Size: 42368 File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xB1C07000 Size: 180608 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xB228F000 Size: 455296 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF88AE000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF85C6000 Size: 35072 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF8114000 Size: 15488 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF8194000 Size: 105344 File Visible: -
Status: -

Name: naveng.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090407.003\naveng.sys
Address: 0xB0F27000 Size: 82400 File Visible: -
Status: -

Name: navex15.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090407.003\navex15.sys
Address: 0xB0F3C000 Size: 869440 File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF81D4000 Size: 182656 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF8138000 Size: 10112 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xB20C0000 Size: 14592 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF7B18000 Size: 91520 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8606000 Size: 40576 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF7AA7000 Size: 34688 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xB23D4000 Size: 162816 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF88B6000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8201000 Size: 574976 File Visible: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8AD7000 Size: 2944 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF7B2F000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF873E000 Size: 19712 File Visible: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8A56000 Size: 6784 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8334000 Size: 68224 File Visible: -
Status: -

Name: PCI_NTPNP7134
Image Path: \Driver\PCI_NTPNP7134
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF8736000 Size: 28672 File Visible: -
Status: -

Name: PfModNT.sys
Image Path: C:\WINDOWS\System32\PfModNT.sys
Address: 0xF8A5C000 Size: 4352 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF7BCE000 Size: 147456 File Visible: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF7B07000 Size: 69120 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF884E000 Size: 17792 File Visible: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF8746000 Size: 16608 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF8170000 Size: 8832 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF8596000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF85A6000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF85B6000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF8856000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xB22FF000 Size: 175744 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8A36000 Size: 4224 File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Address: 0xF7A37000 Size: 196224 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF8576000 Size: 57600 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1CA4000 Size: 45056 File Visible: No
Status: -

Name: savrt.sys
Image Path: C:\Program Files\Norton AntiVirus\savrt.sys
Address: 0xB2648000 Size: 360448 File Visible: -
Status: -

Name: Savrtpel.sys
Image Path: C:\Program Files\Norton AntiVirus\Savrtpel.sys
Address: 0xB2572000 Size: 81920 File Visible: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF8393000 Size: 98304 File Visible: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xB1D44000 Size: 40960 File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF8140000 Size: 15744 File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF8586000 Size: 64512 File Visible: -
Status: -

Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF81AE000 Size: 73728 File Visible: -
Status: -

Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF8756000 Size: 32768 File Visible: -
Status: -

Name: sfsync02.sys
Image Path: sfsync02.sys
Address: 0xF84D6000 Size: 36864 File Visible: -
Status: -

Name: sfvfs02.sys
Image Path: sfvfs02.sys
Address: 0xF81C0000 Size: 81920 File Visible: -
Status: -

Name: SPBBCDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Address: 0xB2350000 Size: 401408 File Visible: -
Status: -

Name: sptd.sys
Image Path: sptd.sys
Address: 0xF83AB000 Size: 958464 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF82A5000 Size: 73472 File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xB1A25000 Size: 333952 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF89DE000 Size: 4352 File Visible: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\Program Files\Symantec\SYMEVENT.SYS
Address: 0xB2626000 Size: 139264 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB198D000 Size: 60800 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xB23FC000 Size: 361600 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF8846000 Size: 20480 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF85D6000 Size: 40704 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF79B1000 Size: 384768 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF8A00000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF881E000 Size: 30208 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF8646000 Size: 59520 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF7B6E000 Size: 147456 File Visible: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xF8806000 Size: 26368 File Visible: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF8816000 Size: 20608 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF88A6000 Size: 20992 File Visible: -
Status: -

Name: viaagp.sys
Image Path: viaagp.sys
Address: 0xF8526000 Size: 42240 File Visible: -
Status: -

Name: viaagp1.sys
Image Path: viaagp1.sys
Address: 0xF874E000 Size: 26880 File Visible: -
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xF89BA000 Size: 5376 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF7D48000 Size: 81920 File Visible: -
Status: -

Name: vnccom.SYS
Image Path: C:\WINDOWS\System32\Drivers\vnccom.SYS
Address: 0xF8A62000 Size: 6016 File Visible: -
Status: -

Name: vncdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\vncdrv.sys
Address: 0xF89DC000 Size: 4736 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF84E6000 Size: 52352 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF7A87000 Size: 34560 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF87C6000 Size: 20480 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB1808000 Size: 83072 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF89B8000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\aaw7boot.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\ATI
Status: Could not get file information (Error 0xc0000008)

Path: C:\AUTOEXEC.BAT
Status: Could not get file information (Error 0xc0000008)

Path: C:\boot.ini
Status: Could not get file information (Error 0xc0000008)

Path: C:\CONFIG.SYS
Status: Could not get file information (Error 0xc0000008)

Path: C:\debug.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\debugInstaller.txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings
Status: Could not get file information (Error 0xc0000008)

Path: C:\gputest.txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\hiberfil.sys
Status: Could not get file information (Error 0xc0000008)

Path: C:\IO.SYS
Status: Could not get file information (Error 0xc0000008)

Path: C:\LogiSetup.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\lxby.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\lxbyscan.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\MSDOS.SYS
Status: Could not get file information (Error 0xc0000008)

Path: C:\My Downloads
Status: Could not get file information (Error 0xc0000008)

Path: C:\NTDETECT.COM
Status: Could not get file information (Error 0xc0000008)

Path: C:\ntldr
Status: Could not get file information (Error 0xc0000008)

Path: C:\Packman
Status: Could not get file information (Error 0xc0000008)

Path: C:\PkgClnup.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\playground.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\Program Files
Status: Could not get file information (Error 0xc0000008)

Path: C:\RECYCLER
Status: Could not get file information (Error 0xc0000008)

Path: C:\Rooter$
Status: Could not get file information (Error 0xc0000008)

Path: C:\Rooter.txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\rstat
Status: Could not get file information (Error 0xc0000008)

Path: C:\Sierra
Status: Could not get file information (Error 0xc0000008)

Path: C:\System Volume Information
Status: Could not get file information (Error 0xc0000008)

Path: C:\Team17
Status: Could not get file information (Error 0xc0000008)

Path: C:\Temp
Status: Could not get file information (Error 0xc0000008)

Path: C:\tv3d_debug.txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\Westwood
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS
Status: Could not get file information (Error 0xc0000008)

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 448 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 496 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 560 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 584 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 628 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 640 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 804 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 820 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 896 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 936 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 988 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1076 Status: -

Path: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 1148 Status: -

Path: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 1176 Status: -

Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PID: 1264 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1400 Status: -

Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1528 Status: -

Path: C:\Program Files\Norton AntiVirus\DefWatch.exe
PID: 1572 Status: -

Path: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PID: 1612 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1640 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1764 Status: -

Path: C:\Program Files\Norton AntiVirus\Rtvscan.exe
PID: 1776 Status: -

Path: C:\WINDOWS\system32\UAService7.exe
PID: 1876 Status: -

Path: C:\Program Files\UltraVNC\winvnc.exe
PID: 1916 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 2096 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 2336 Status: -

Path: C:\Documents and Settings\Candy\Desktop\RootRepeal\RootRepeal.exe
PID: 2620 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 2956 Status: -

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82f681e8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x82989790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x82cdb790 Size: -

Object: Hidden Code [Driver: imagedrv, IRP_MJ_CREATE]
Process: System Address: 0x82f691e8 Size: -

Object: Hidden Code [Driver: imagedrv, IRP_MJ_CLOSE]
Process: System Address: 0x82f691e8 Size: -

Object: Hidden Code [Driver: imagedrv, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f691e8 Size: -

Object: Hidden Code [Driver: imagedrv, IRP_MJ_POWER]
Process: System Address: 0x82f691e8 Size: -

Object: Hidden Code [Driver: imagedrv, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f691e8 Size: -

Object: Hidden Code [Driver: imagedrv, IRP_MJ_PNP]
Process: System Address: 0x82f691e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0xff5921e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x82cd21e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x82cd21e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82cd21e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82cd21e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x82cd21e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82cd21e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x82cd21e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82fd61e8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82997590 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82997590 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82997590 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82997590 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82997590 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82997590 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x82cb0588 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x82cb0588 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82cb0588 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82cb0588 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x82cb0588 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82cb0588 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x82cb0588 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0xff5d1790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_CREATE]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_CLOSE]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_READ]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_CLEANUP]
Process: System Address: 0x82c3e790 Size: -

Object: Hidden Code [Driver: MS_PS, IRP_MJ_PNP]
Process: System Address: 0x82c3e790 Size: -
  • 0

#6
sudz

sudz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is GooredLog.txt

GooredFix v1.92 by jpshortstuff
Log created at 13:28 on 18/04/2009 running Option #1 (Candy)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#8
sudz

sudz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi, finally something new from Malwarebytes :)

Malwarebytes' Anti-Malware 1.36
Database version: 2009
Windows 5.1.2600 Service Pack 3

19/04/2009 2:26:05 PM
mbam-log-2009-04-19 (14-26-05).txt

Scan type: Quick Scan
Objects scanned: 82437
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iassdo32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



KASPERSKY ONLINE SCANNER 7.0 REPORTKASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build
2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 19, 2009 20:00:48
Records in database: 2060951


Scan settings
Scan using the following databaseextended
Scan archivesyes
Scan mail databasesyes

Scan areaMy Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
L:\

Scan statistics
Files scanned179051
Threat name12
Infected objects22
Suspicious objects0
Duration of the scan03:22:36

File nameThreat nameThreats count
C:\Program Files\UltraVNC\WinVNC.exe/C:\Program
Files\UltraVNC\WinVNC.exeInfected: not-a-virus:RemoteAdmin.Win32.WinVNC.c1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200000\49BC96DB.VBNInfected:
Trojan.Win32.Monder.bzea1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200001\49BC970B.VBNInfected:
Trojan-Downloader.Win32.Agent.bqxc1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200002\49BC9737.VBNInfected:
Trojan.Win32.Monder.bzea1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200003\49BC976C.VBNInfected:
Trojan.Win32.Monder.bzea1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200004\49BC9797.VBNInfected:
Trojan.Win32.Monder.bzdz1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200005\49BC97A7.VBNInfected:
Trojan.Win32.Monder.bzea1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200006\49BC9C3F.VBNInfected:
Trojan.Win32.Monder.bzdz1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200007\49BC9C81.VBNInfected:
Trojan.Win32.Monder.bzea1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200008\49BDF4B4.VBNInfected:
Trojan.Win32.Monder.bzdz1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\01200009\49BE0295.VBNInfected:
Trojan.Win32.Monder.bzea1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\09300000\49B4B41B.VBNInfected:
Backdoor.Win32.Agent.aekn1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\0A080000.VBNInfected:
Backdoor.Win32.VB.hku1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\0A080003\4BAA1C5E.VBNInfected:
Trojan.Win32.Pakes.nay1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\0A080022.VBNInfected:
Backdoor.Win32.VB.hku1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\0CB80001.VBNInfected:
P2P-Worm.Win32.Kapucen.ac1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec
AntiVirus Corporate Edition\7.5\Quarantine\0CB80003.VBNInfected:
Trojan.Win32.Monderc.gen1

C:\Program Files\mIRC\mirc.exeInfected:
not-a-virus:Client-IRC.Win32.mIRC.6311

C:\Program Files\UltraVNC\vnchooks.dllInfected:
not-a-virus:RemoteAdmin.Win32.WinVNC.c1

C:\Program Files\UltraVNC\vncviewer.exeInfected:
not-a-virus:RemoteAdmin.Win32.WinVNC.11021

C:\Program Files\UltraVNC\winvnc.exeInfected:
not-a-virus:RemoteAdmin.Win32.WinVNC.c1

D:\Downloads\mirc612.exeInfected: not-a-virus:Client-IRC.Win32.mIRC.6121

The selected area was scanned.

It would also be nice if I could get rid of all those stupid quarantined viruses.
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
its safer to leave them there


post a new OTL log and tell me how its running
  • 0

#10
sudz

sudz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Well, for the moment, I'm no longer being redirected - crossing my fingers that it'll stay that way, but who knows. But for now, thank you very much, you may close this topic if there isn't anything else.


OTListIt logfile created on: 21/04/2009 8:06:49 PM - Run 6
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = L:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

511.48 Mb Total Physical Memory | 107.48 Mb Available Physical Memory | 21.01% Memory free
1.22 Gb Paging File | 0.88 Gb Available in Paging File | 72.43% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 4.07 Gb Free Space | 20.83% Space Free | Partition Type: NTFS
Drive D: | 17.73 Gb Total Space | 12.14 Gb Free Space | 68.44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 233.76 Gb Total Space | 25.48 Gb Free Space | 10.90% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 3.80 Gb Total Space | 1.46 Gb Free Space | 38.55% Space Free | Partition Type: FAT32

Computer Name: PENGUIN
Current User Name: Candy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\Ati2evxx.exe ()
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
PRC - C:\Program Files\Norton AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Norton AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\UAService7.exe ()
PRC - C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
PRC - C:\WINDOWS\System32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\Ati2evxx.exe ()
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - L:\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\System32\Ati2evxx.exe ()
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (ccEvtMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DefWatch [Auto | Running]) -- C:\Program Files\Norton AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (EPSONStatusAgent2 [Auto | Running]) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Lavasoft Ad-Aware Service [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
SRV - (lxby_device [On_Demand | Stopped]) -- C:\WINDOWS\system32\lxbycoms.exe (Lexmark International, Inc.)
SRV - (SavRoam [On_Demand | Stopped]) -- C:\Program Files\Norton AntiVirus\SavRoam.exe (symantec)
SRV - (SPBBCSvc [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Norton AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (UserAccess7 [Auto | Running]) -- C:\WINDOWS\system32\UAService7.exe ()
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (winvnc [Auto | Running]) -- C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ctac32k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctljystk [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ctljystk.sys (Creative Technology Ltd.)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (DLH5X [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\DLH5XND5.sys (D-Link Corporation)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (emu10k [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)
DRV - (emu10k1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)
DRV - (emupia [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (FsVga [System | Running]) -- C:\WINDOWS\system32\DRIVERS\fsvga.sys (Microsoft Corporation)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (HCF_MSFT [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys (Conexant)
DRV - (hidgame [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\hidgame.sys (Microsoft Corporation)
DRV - (imagedrv [Boot | Running]) -- C:\WINDOWS\System32\Drivers\imagedrv.sys (Ahead Software AG)
DRV - (imagesrv [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys (Ahead Software AG)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (NAVENG [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090420.002\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090420.002\NAVEX15.SYS (Symantec Corporation)
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\System32\PfModNT.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (QCDonner [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\LVCD.sys (Logitech Inc.)
DRV - (RT25USBAP [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\rt25usbap.sys (Ralink Technology Inc.)
DRV - (SAVRT [System | Running]) -- C:\Program Files\Norton AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SAVRTPEL [System | Running]) -- C:\Program Files\Norton AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (sfman [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)
DRV - (sfsync02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfvfs02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (SONYPVU1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (SPBBCDrv [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (sptd [Boot | Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (vnccom [Auto | Running]) -- C:\WINDOWS\System32\Drivers\vnccom.SYS (RDV Soft)
DRV - (vncdrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\vncdrv.sys (RDV Soft)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/02 20:22:11 | 00,000,000 | ---D | M]


O1 HOSTS File: (62929 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.altnetp2p.com
O1 - Hosts: 127.0.0.1 www.bonzi.com
O1 - Hosts: 127.0.0.1 www.brilliantdigital.com
O1 - Hosts: 127.0.0.1 www.b3d.com
O1 - Hosts: 127.0.0.1 ad.dk.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.es.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.fr.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.it.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.jp.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.kr.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.linkexchange.com
O1 - Hosts: 127.0.0.1 ad.linksynergy.com
O1 - Hosts: 127.0.0.1 ad.nl.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.no.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.preferences.com
O1 - Hosts: 127.0.0.1 ad.se.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.sma.punto.net
O1 - Hosts: 127.0.0.1 ad.uk.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.webprovider.com
O1 - Hosts: 127.0.0.1 ad08.focalink.com
O1 - Hosts: 127.0.0.1 ad1.adcept.net
O1 - Hosts: 127.0.0.1 ad2.adcept.net
O1 - Hosts: 127.0.0.1 ad3.adcept.net
O1 - Hosts: 1817 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll (Symantec Corporation)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll (Symantec Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe (Symantec Corporation)
O9 - Extra Button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - F:\Paltalk\Paltalk.exe (AVM Software Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} http://zone.msn.com/...nx.1.0.0.67.cab (CPlayFirstTriJinxControl Object)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by108fd.bay10...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {62D21B0B-D96F-45F7-968E-7DC16E31FE57} http://tcrew.gamenga...oinActiveXE.cab (DazoinControl Class)
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} http://zone.msn.com/...h2.1.0.0.55.cab (CPlayFirstDinerDash2Control Object)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.su...ows-i586-jc.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} http://dist.globalga...ffyLauncher.cab (NeffyLauncherCtl Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} http://sympatico.zon...ersion=1,0,0,10 (AstoundLauncher Control)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: ActiveGS.cab http://www.virtualap...rg/activegs.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: RaptisoftGameLoader http://www.miniclip....tgameloader.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Cribbage http://download.game...nts/y/it1_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Euchre http://download.game...nts/y/et1_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Go http://download.game...nts/y/gt2_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Go Fish http://download.game...nts/y/zt3_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Graffiti http://download.game...ts/y/grt5_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! MahJong http://download.game...nts/y/ot0_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! MahJong Solitaire http://download.game...s/y/mjst3_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Word Racer http://download.game...nts/y/wt0_x.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\wesiluya.dll) - C:\WINDOWS\system32\wesiluya.dll File not found
O20 - AppInit_DLLs: (zufizc.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\yanasiba.dll) - c:\windows\system32\yanasiba.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell - "" = AutoRun
O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell\AutoRun\command - "" = I:\TTconfig.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/04/20 01:27:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/04/19 18:59:53 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/19 18:59:52 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/19 18:59:52 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/19 18:59:51 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/19 18:59:51 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/19 18:59:50 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/19 18:59:50 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/19 18:58:32 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/19 18:58:31 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/19 18:58:31 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/18 13:27:52 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\Candy\Desktop\GooredFix.exe
[2009/04/18 12:44:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Candy\Desktop\RootRepeal
[2009/04/04 00:03:47 | 00,015,234 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Curly Brace.bmp
[2009/04/03 16:43:06 | 00,005,893 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 16-43.html
[2009/04/03 13:58:18 | 00,005,354 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 13-58.html
[2009/04/03 10:44:29 | 00,003,880 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 10-44.html
[2009/03/31 17:35:36 | 53,639,9872 | -HS- | C] () -- C:\hiberfil.sys
[2009/03/31 13:59:25 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/30 19:25:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Candy\Application Data\Malwarebytes
[2009/03/30 19:25:26 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/30 19:25:23 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/30 19:25:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/29 18:58:06 | 24,921,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/25 00:37:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/02/21 21:33:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/08/29 23:05:06 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/08/29 23:05:06 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/11/01 23:46:23 | 00,000,203 | ---- | C] () -- C:\WINDOWS\GSdx9.INI
[2007/09/26 22:33:38 | 00,002,528 | ---- | C] () -- C:\WINDOWS\FCIC.INI
[2007/09/07 19:41:01 | 00,000,263 | ---- | C] () -- C:\WINDOWS\YODESK.INI
[2007/08/28 19:06:58 | 00,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/08/03 23:22:52 | 00,037,376 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/01/08 02:15:25 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\nod.dll
[2007/01/08 02:14:56 | 00,005,244 | ---- | C] () -- C:\WINDOWS\System32\fscflist.ini
[2007/01/08 02:14:53 | 00,000,073 | ---- | C] () -- C:\WINDOWS\System32\fscagent.ini
[2006/05/03 15:23:13 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/12/04 21:04:54 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2005/12/04 21:04:54 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2005/12/04 21:01:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbyvs.dll
[2005/11/13 19:02:59 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/10/06 22:36:47 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\GIF89.DLL
[2005/10/06 22:36:02 | 00,000,467 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/08/26 15:04:50 | 00,000,120 | ---- | C] () -- C:\WINDOWS\B&ARROW.INI
[2005/04/20 14:43:46 | 00,192,577 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2004/09/19 09:47:33 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/07/11 19:01:39 | 00,000,386 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/06/11 01:27:12 | 00,131,072 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[2004/06/10 22:46:34 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/06/06 12:53:42 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/06/05 12:56:16 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/04/05 22:14:31 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\e0893c13.dll
[2004/01/16 03:21:36 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\031d2b86.dll
[2003/12/24 02:18:40 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2003/12/24 02:18:40 | 00,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2003/12/13 18:46:58 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/10/23 18:57:24 | 00,000,055 | ---- | C] () -- C:\WINDOWS\emule.INI
[2003/10/19 13:04:48 | 00,000,545 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/09/22 00:39:55 | 00,003,715 | ---- | C] () -- C:\WINDOWS\MTB12ST.INI
[2003/09/16 11:52:28 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/09/16 11:43:31 | 00,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 11:41:43 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/07/04 23:29:49 | 00,000,192 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/07/04 23:29:14 | 00,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2003/07/04 23:13:57 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/07/04 19:15:02 | 00,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2003/07/04 19:14:00 | 00,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2003/07/04 11:52:19 | 00,000,033 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2003/07/04 03:25:39 | 00,000,128 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/07/04 03:25:38 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2003/07/04 03:25:19 | 00,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2003/07/04 03:25:19 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2002/10/06 14:42:57 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/08/29 04:40:50 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\dbmsadsn.dll
[2002/03/22 12:40:00 | 00,126,976 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.VSFlex7L.dll
[2001/08/23 12:00:00 | 00,000,723 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 12:00:00 | 00,000,435 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Files - Modified Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/04/21 20:03:15 | 00,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/21 20:03:02 | 00,000,431 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2009/04/21 20:01:59 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/21 20:01:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/21 20:01:26 | 53,639,9872 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/21 00:22:07 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/21 00:22:07 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/21 00:22:07 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/21 00:22:07 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-0000000A-00001102-00000002-80641102}.rfx
[2009/04/21 00:22:07 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/04/21 00:22:07 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/04/21 00:22:07 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80641102}.dat
[2009/04/21 00:22:07 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80641102}.dat
[2009/04/20 22:15:40 | 00,480,096 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/20 22:15:40 | 00,408,000 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/20 22:15:40 | 00,064,404 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/20 22:10:32 | 00,174,672 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/20 01:27:35 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/20 01:26:25 | 02,004,735 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2009/04/19 02:07:19 | 02,645,410 | -H-- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\IconCache.db
[2009/04/18 20:39:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/18 13:26:24 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\Candy\Desktop\GooredFix.exe
[2009/04/08 22:46:39 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/08 22:46:35 | 00,227,840 | ---- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/07 07:31:06 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/06 23:08:42 | 00,000,568 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\My Sharing Folders.lnk
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/05 13:35:07 | 00,000,288 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2009/04/05 08:00:37 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2009/04/04 00:03:47 | 00,015,234 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Curly Brace.bmp
[2009/04/03 16:43:06 | 00,005,893 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 16-43.html
[2009/04/03 13:58:18 | 00,005,354 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 13-58.html
[2009/04/03 10:44:29 | 00,003,880 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 10-44.html
[2009/03/31 14:20:26 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/29 20:17:10 | 00,062,929 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/29 19:03:59 | 00,365,704 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2009/03/29 12:41:49 | 00,365,704 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090329-201710.backup
[2009/03/28 23:52:16 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/03/27 23:58:05 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\PUTTY.RND
[2009/03/27 02:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/27 01:36:25 | 00,000,263 | ---- | M] () -- C:\WINDOWS\YODESK.INI
[2009/03/26 01:51:16 | 00,000,192 | ---- | M] () -- C:\WINDOWS\Winamp.ini
< End of report >


Again, many thanks! *Hoping it doesn't go and act up again*
  • 0

#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\wesiluya.dll) - C:\WINDOWS\system32\wesiluya.dll File not found
    O20 - AppInit_DLLs: (zufizc.dll) - File not found
    O20 - AppInit_DLLs: (c:\windows\system32\yanasiba.dll) - c:\windows\system32\yanasiba.dll File not found
    O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell - "" = AutoRun
    O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{66bd2a05-9a3f-11dc-bfc1-00055dff0a13}\Shell\AutoRun\command - "" = I:\TTconfig.exe -- File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time, and don't run the Custom Scan )

  • 0

#12
sudz

sudz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hiyo, here's OTListIt Scan Log

OTListIt logfile created on: 21/04/2009 10:55:44 PM - Run 7
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = L:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

511.48 Mb Total Physical Memory | 85.64 Mb Available Physical Memory | 16.74% Memory free
1.22 Gb Paging File | 0.80 Gb Available in Paging File | 65.75% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 3.84 Gb Free Space | 19.67% Space Free | Partition Type: NTFS
Drive D: | 17.73 Gb Total Space | 12.14 Gb Free Space | 68.44% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 233.76 Gb Total Space | 25.48 Gb Free Space | 10.90% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 982.72 Mb Total Space | 828.06 Mb Free Space | 84.26% Space Free | Partition Type: FAT
Drive L: | 3.80 Gb Total Space | 1.46 Gb Free Space | 38.53% Space Free | Partition Type: FAT32

Computer Name: PENGUIN
Current User Name: Candy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\Ati2evxx.exe ()
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
PRC - C:\Program Files\Norton AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Norton AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\UAService7.exe ()
PRC - C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)
PRC - C:\WINDOWS\system32\Ati2evxx.exe ()
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - L:\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft

Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\System32\Ati2evxx.exe ()
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (ccEvtMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

(Microsoft Corporation)
SRV - (DefWatch [Auto | Running]) -- C:\Program Files\Norton AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (EPSONStatusAgent2 [Auto | Running]) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

(Macrovision Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Lavasoft Ad-Aware Service [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
SRV - (lxby_device [On_Demand | Stopped]) -- C:\WINDOWS\system32\lxbycoms.exe (Lexmark International, Inc.)
SRV - (SavRoam [On_Demand | Stopped]) -- C:\Program Files\Norton AntiVirus\SavRoam.exe (symantec)
SRV - (SPBBCSvc [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Norton AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (UserAccess7 [Auto | Running]) -- C:\WINDOWS\system32\UAService7.exe ()
SRV - (winvnc [Auto | Running]) -- C:\Program Files\UltraVNC\WinVNC.exe (UltraVNC)

========== Driver Services (SafeList) ==========

DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ctac32k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctljystk [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ctljystk.sys (Creative Technology Ltd.)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (DLH5X [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\DLH5XND5.sys (D-Link Corporation)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (emu10k [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)
DRV - (emu10k1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)
DRV - (emupia [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec

Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (FsVga [System | Running]) -- C:\WINDOWS\system32\DRIVERS\fsvga.sys (Microsoft Corporation)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (HCF_MSFT [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys (Conexant)
DRV - (hidgame [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\hidgame.sys (Microsoft Corporation)
DRV - (imagedrv [Boot | Running]) -- C:\WINDOWS\System32\Drivers\imagedrv.sys (Ahead Software AG)
DRV - (imagesrv [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys (Ahead Software AG)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (NAVENG [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090420.002\NAVENG.SYS

(Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090420.002\NAVEX15.SYS

(Symantec Corporation)
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\System32\PfModNT.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (QCDonner [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\LVCD.sys (Logitech Inc.)
DRV - (RT25USBAP [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\rt25usbap.sys (Ralink Technology Inc.)
DRV - (SAVRT [System | Running]) -- C:\Program Files\Norton AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SAVRTPEL [System | Running]) -- C:\Program Files\Norton AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe

Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (sfman [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)
DRV - (sfsync02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfvfs02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (SONYPVU1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (SPBBCDrv [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec

Corporation)
DRV - (sptd [Boot | Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (vnccom [Auto | Running]) -- C:\WINDOWS\System32\Drivers\vnccom.SYS (RDV Soft)
DRV - (vncdrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\vncdrv.sys (RDV Soft)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/

{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/

{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/02 20:22:11

| 00,000,000 | ---D | M]


O1 HOSTS File: (62929 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.altnetp2p.com
O1 - Hosts: 127.0.0.1 www.bonzi.com
O1 - Hosts: 127.0.0.1 www.brilliantdigital.com
O1 - Hosts: 127.0.0.1 www.b3d.com
O1 - Hosts: 127.0.0.1 ad.dk.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.es.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.fr.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.it.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.jp.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.kr.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.linkexchange.com
O1 - Hosts: 127.0.0.1 ad.linksynergy.com
O1 - Hosts: 127.0.0.1 ad.nl.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.no.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.preferences.com
O1 - Hosts: 127.0.0.1 ad.se.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.sma.punto.net
O1 - Hosts: 127.0.0.1 ad.uk.doubleclick.net
O1 - Hosts: 127.0.0.1 ad.webprovider.com
O1 - Hosts: 127.0.0.1 ad08.focalink.com
O1 - Hosts: 127.0.0.1 ad1.adcept.net
O1 - Hosts: 127.0.0.1 ad2.adcept.net
O1 - Hosts: 127.0.0.1 ad3.adcept.net
O1 - Hosts: 1817 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0

\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {491AF6C5-21F2-46E1-C653-3DF529127D7B} - C:\WINDOWS\wcidBHO.dll (Symantec Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (no name) - {85CF4327-68DE-1974-B32E-766E84A9706C} - C:\WINDOWS\wcidBHO.dll (Symantec Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6

\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6

\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft

Corporation)
O9 - Extra Button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe (Symantec

Corporation)
O9 - Extra Button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - F:\Paltalk\Paltalk.exe (AVM Software Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft

Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab

(Shockwave ActiveX Control)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} http://zone.msn.com/...nx.1.0.0.67.cab

(CPlayFirstTriJinxControl Object)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by108fd.bay10...es/MsnPUpld.cab (MSN Photo

Upload Tool)
O16 - DPF: {62D21B0B-D96F-45F7-968E-7DC16E31FE57} http://tcrew.gamenga...oinActiveXE.cab (DazoinControl Class)
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} http://zone.msn.com/...h2.1.0.0.55.cab

(CPlayFirstDinerDash2Control Object)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/...mjolauncher.cab (MJLauncherCtrl

Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.su...l-6u13-windows-

i586-jc.cab?e=1238718166578&h=cf5ba89223b35e3722d81a8d61147cfb/&filename=jinstall-6u13-windows-i586-jc.cab (Java Plug-in

1.6.0_13)
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} http://dist.globalga...ffyLauncher.cab

(NeffyLauncherCtl Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games -

Installer)
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7}

http://sympatico.zon...ersion=1,0,0,10 (AstoundLauncher Control)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java

Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java

Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab

(Shockwave Flash Object)
O16 - DPF: ActiveGS.cab http://www.virtualap...rg/activegs.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: RaptisoftGameLoader http://www.miniclip....tgameloader.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Cribbage http://download.game...nts/y/it1_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Euchre http://download.game...nts/y/et1_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Go http://download.game...nts/y/gt2_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Go Fish http://download.game...nts/y/zt3_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Graffiti http://download.game...ts/y/grt5_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! MahJong http://download.game...nts/y/ot0_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! MahJong Solitaire http://download.game...s/y/mjst3_x.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! Word Racer http://download.game...nts/y/wt0_x.cab (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web

Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE

DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE

DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE

DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE

DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE

DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows

Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE

DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE

DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows

Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web

Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec

Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/04/21 22:27:21 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/04/21 22:26:56 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/04/20 01:27:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/04/19 18:59:53 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/19 18:59:52 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/19 18:59:52 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/19 18:59:51 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/19 18:59:51 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/19 18:59:50 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/19 18:59:50 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/19 18:58:32 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/19 18:58:31 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/19 18:58:31 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/18 13:27:52 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\Candy\Desktop\GooredFix.exe
[2009/04/18 12:44:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Candy\Desktop\RootRepeal
[2009/04/04 00:03:47 | 00,015,234 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Curly Brace.bmp
[2009/04/03 16:43:06 | 00,005,893 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 16-43.html
[2009/04/03 13:58:18 | 00,005,354 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 13-58.html
[2009/04/03 10:44:29 | 00,003,880 | ---- | C] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 10-44.html
[2009/03/31 17:35:36 | 53,639,9872 | -HS- | C] () -- C:\hiberfil.sys
[2009/03/31 13:59:25 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/03/30 19:25:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Candy\Application Data\Malwarebytes
[2009/03/30 19:25:26 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/30 19:25:23 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/30 19:25:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/29 18:58:06 | 24,921,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/25 00:37:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/02/21 21:33:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/08/29 23:05:06 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/08/29 23:05:06 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/11/01 23:46:23 | 00,000,203 | ---- | C] () -- C:\WINDOWS\GSdx9.INI
[2007/09/26 22:33:38 | 00,002,528 | ---- | C] () -- C:\WINDOWS\FCIC.INI
[2007/09/07 19:41:01 | 00,000,263 | ---- | C] () -- C:\WINDOWS\YODESK.INI
[2007/08/28 19:06:58 | 00,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/08/03 23:22:52 | 00,037,376 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/01/08 02:15:25 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\nod.dll
[2007/01/08 02:14:56 | 00,005,244 | ---- | C] () -- C:\WINDOWS\System32\fscflist.ini
[2007/01/08 02:14:53 | 00,000,073 | ---- | C] () -- C:\WINDOWS\System32\fscagent.ini
[2006/05/03 15:23:13 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/12/04 21:04:54 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2005/12/04 21:04:54 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2005/12/04 21:01:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbyvs.dll
[2005/11/13 19:02:59 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/10/06 22:36:47 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\GIF89.DLL
[2005/10/06 22:36:02 | 00,000,467 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/08/26 15:04:50 | 00,000,120 | ---- | C] () -- C:\WINDOWS\B&ARROW.INI
[2005/04/20 14:43:46 | 00,192,577 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2004/09/19 09:47:33 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/07/11 19:01:39 | 00,000,386 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/06/11 01:27:12 | 00,131,072 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[2004/06/10 22:46:34 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/06/06 12:53:42 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/06/05 12:56:16 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/04/05 22:14:31 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\e0893c13.dll
[2004/01/16 03:21:36 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\031d2b86.dll
[2003/12/24 02:18:40 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2003/12/24 02:18:40 | 00,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2003/12/13 18:46:58 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/10/23 18:57:24 | 00,000,055 | ---- | C] () -- C:\WINDOWS\emule.INI
[2003/10/19 13:04:48 | 00,000,545 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/09/22 00:39:55 | 00,003,715 | ---- | C] () -- C:\WINDOWS\MTB12ST.INI
[2003/09/16 11:52:28 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/09/16 11:43:31 | 00,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 11:41:43 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/07/04 23:29:49 | 00,000,192 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2003/07/04 23:29:14 | 00,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2003/07/04 23:13:57 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/07/04 19:15:02 | 00,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2003/07/04 19:14:00 | 00,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2003/07/04 11:52:19 | 00,000,033 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2003/07/04 03:25:39 | 00,000,128 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/07/04 03:25:38 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2003/07/04 03:25:19 | 00,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2003/07/04 03:25:19 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2002/10/06 14:42:57 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/08/29 04:40:50 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\dbmsadsn.dll
[2002/03/22 12:40:00 | 00,126,976 | ---- | C] ( ) -- C:\WINDOWS\System32\Interop.VSFlex7L.dll
[2001/08/23 12:00:00 | 00,000,723 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 12:00:00 | 00,000,435 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Files - Modified Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/04/21 22:49:32 | 00,000,431 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2009/04/21 22:49:24 | 00,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/21 22:48:16 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/21 22:47:57 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/21 22:47:51 | 00,177,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/21 22:47:50 | 53,639,9872 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/21 22:47:10 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000A-00001102-

00000002-80641102}.rfx
[2009/04/21 22:47:10 | 00,024,888 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000A-00001102

-00000002-80641102}.rfx
[2009/04/21 22:47:10 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-0000000A-00001102-

00000002-80641102}.rfx
[2009/04/21 22:47:10 | 00,016,420 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-0000000A-00001102-

00000002-80641102}.rfx
[2009/04/21 22:47:10 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/04/21 22:47:10 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/04/21 22:47:10 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000A-00001102-

00000002-80641102}.dat
[2009/04/21 22:47:10 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000A-00001102-

00000002-80641102}.dat
[2009/04/21 22:46:30 | 03,191,700 | -H-- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application

Data\IconCache.db
[2009/04/21 22:30:21 | 00,041,568 | ---- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application

Data\GDIPFONTCACHEV1.DAT
[2009/04/21 22:29:48 | 00,000,899 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\My Sharing Folders.lnk
[2009/04/21 22:06:08 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\PUTTY.RND
[2009/04/20 22:15:40 | 00,480,096 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/20 22:15:40 | 00,408,000 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/20 22:15:40 | 00,064,404 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/20 01:27:35 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/20 01:26:25 | 02,004,735 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2009/04/18 20:39:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/18 13:26:24 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\Candy\Desktop\GooredFix.exe
[2009/04/08 22:46:39 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/08 22:46:35 | 00,227,840 | ---- | M] () -- C:\Documents and Settings\Candy\Local Settings\Application Data\DCBC2A71

-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/07 07:31:06 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/05 13:35:07 | 00,000,288 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2009/04/05 08:00:37 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2009/04/04 00:03:47 | 00,015,234 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Curly Brace.bmp
[2009/04/03 16:43:06 | 00,005,893 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 16-43.html
[2009/04/03 13:58:18 | 00,005,354 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 13-58.html
[2009/04/03 10:44:29 | 00,003,880 | ---- | M] () -- C:\Documents and Settings\Candy\My Documents\Apr 3 2009 10-44.html
[2009/03/31 14:20:26 | 00,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/29 20:17:10 | 00,062,929 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/29 19:03:59 | 00,365,704 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2009/03/29 12:41:49 | 00,365,704 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090329-201710.backup
[2009/03/28 23:52:16 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/03/27 02:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/27 01:36:25 | 00,000,263 | ---- | M] () -- C:\WINDOWS\YODESK.INI
[2009/03/26 01:51:16 | 00,000,192 | ---- | M] () -- C:\WINDOWS\Winamp.ini
< End of report >


(Thanks for getting rid of those stupid leftovers from my previous Vundo infection)
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
your logs are clean

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )
  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  • Once it is done click the Suppression button and let it remove anything it finds.
  • Close the program


Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
    Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0

#14
sudz

sudz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you a lot! Praying to hope that it won't go kaboom again :)

But for now, I think this is resolved - if it isn't then I'll bug again.
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP