Windows Update blocked, AV disabled, IE redirect, etc [Solved] - Geeks to Go Forums


Windows Update blocked, AV disabled, IE redirect, etc [Solved]

#1 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 19 April 2009 - 03:00 PM

I've picked up some malware and absolutely cannot remove it.

Symptoms:

- McAfee "Buffer Overflow Blocked" at startup
- Windows Update disabled
- Web sites are blocked and IE is often redirected
- Regedit disabled (I can now access but changes aren't saved)
- Registry keys renamed to %fystem... vice %system...
- PWS.LDPinchIE pops up periodically in malware scans...I delete it and it returns
- McAfee AV unable to scan
- NOHH06760.exe appears periodically in malware scans...also returns after reboot

After days of working this, any/all help is appreciated. glrk



OTListIt logfile created on: 4/19/2009 2:39:35 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 502.55 Mb Available Physical Memory | 49.13% Memory free
2.40 Gb Paging File | 2.00 Gb Available in Paging File | 83.23% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 96.97 Gb Free Space | 65.07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAINCOMPUTER
Current User Name: Mom and Dad
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\MouseWare\system\em_exec.exe (Logitech Inc.)
PRC - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe ()
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\CTsvcCDA.exe (Creative Technology Ltd)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe (Creative Technology Ltd)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\PnkBstrA.exe ()
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AdobeActiveFileMonitor [Auto | Running]) -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe ()
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (Creative Service for CDROM Access [Auto | Running]) -- C:\WINDOWS\system32\CTsvcCDA.exe (Creative Technology Ltd)
SRV - (getPlus® Helper [On_Demand | Stopped]) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (NOS Microsystems Ltd.)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [Auto | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [On_Demand | Running]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MpfService [Auto | Running]) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (PnkBstrA [Auto | Running]) -- C:\WINDOWS\system32\PnkBstrA.exe ()
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMDM PMSP Service [Auto | Running]) -- C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (Cdr4_xp [System | Running]) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Sonic Solutions)
DRV - (Cdralw2k [System | Running]) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (cdudf_xp [System | Running]) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys (Roxio)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (dvd_2K [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys (Roxio)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (L8042pr2 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\L8042pr2.Sys (Logitech, Inc.)
DRV - (LCcfltr [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\LCcFltr.Sys (Logitech, Inc.)
DRV - (LHidFlt2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys (Logitech, Inc.)
DRV - (LHidUsb [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\LHidUsb.Sys (Logitech, Inc.)
DRV - (LMouFlt2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys (Logitech, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [System | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfesmfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mmc_2K [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys (Roxio)
DRV - (MODEMCSA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (MPFP [System | Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (OMCI [System | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P16X [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P16X.sys (Creative Technology Ltd.)
DRV - (pfc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\system32\PfModNT.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (pwd_2k [System | Running]) -- C:\WINDOWS\System32\drivers\pwd_2K.sys (Roxio)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (UdfReadr_xp [System | Running]) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys (Roxio)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/14 05:48:13 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{73F85829-5F05-4B33-9D3C-C237E7153002}: C:\DOCUMENTS AND SETTINGS\MOM AND DAD\LOCAL SETTINGS\APPLICATION DATA\{73F85829-5F05-4B33-9D3C-C237E7153002} [2009/04/13 03:08:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{A731DEAD-E34A-4BF0-911F-4140B6246AD8}: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.MAINCOMPUTER\LOCAL SETTINGS\APPLICATION DATA\{A731DEAD-E34A-4BF0-911F-4140B6246AD8} [2009/04/16 20:37:36 | 00,000,000 | ---D | M]


O1 HOSTS File: (305173 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-domains-registrations.com
O1 - Hosts: 127.0.0.1 www.1-domains-registrations.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 10509 more lines...
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [adaptecdirectcd] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" (Roxio)
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [adobe reader speed launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [applesyncnotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup (Creative Technology Ltd)
O4 - HKLM..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe (Logitech Inc.)
O4 - HKLM..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [opwarese2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" (ScanSoft, Inc.)
O4 - HKLM..\Run: [quicktime task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [updreg] C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKCU..\Run: [aim6] File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html ()
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html ()
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html ()
O9 - Extra Button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {17492023-c23a-453e-a040-c7c580bbf700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{efdc6b6b-2559-11dd-805b-0007e96a13cc}\Shell\AutoRun\command - "" = F:\wd_windows_tools\WDEULA.exe -- File not found
O33 - MountPoints2\{f099617e-417f-11dd-8075-0007e96a13cc}\Shell - "" = AutoRun
O33 - MountPoints2\{f099617e-417f-11dd-8075-0007e96a13cc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f099617e-417f-11dd-8075-0007e96a13cc}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[7 C:\WINDOWS\*.tmp files]
[2009/04/19 13:42:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/04/19 09:14:24 | 00,076,500 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Hold.dbx
[2009/04/19 09:08:12 | 82,614,384 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Sent Items.dbx
[2009/04/19 09:08:12 | 00,646,256 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Ryan.dbx
[2009/04/19 09:08:11 | 00,899,696 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Recipes.dbx
[2009/04/19 09:08:11 | 00,009,404 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Pop3uidl.dbx
[2009/04/19 09:07:59 | 39,208,432 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Mom.dbx
[2009/04/19 09:07:59 | 00,266,096 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Insurance.dbx
[2009/04/19 09:07:59 | 00,202,736 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Kevin.dbx
[2009/04/19 09:07:43 | 02,485,872 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Hill AFB .dbx
[2009/04/19 09:07:21 | 17,375,472 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Fiesta Potluck -April 18th.dbx
[2009/04/19 09:07:21 | 00,720,496 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Deleted Items.dbx
[2009/04/19 09:07:21 | 00,060,116 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Drafts.dbx
[2009/04/19 09:07:20 | 24,406,256 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Dad.dbx
[2009/04/19 09:07:20 | 02,103,536 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\College.dbx
[2009/04/19 09:07:20 | 01,089,776 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Travel Stuff.dbx
[2009/04/19 09:07:20 | 00,139,376 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\2008 Taxes.dbx
[2009/04/19 09:07:20 | 00,139,376 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\2007 Taxes.dbx
[2009/04/19 09:05:44 | 01,301,616 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Inbox.dbx
[2009/04/19 09:05:44 | 00,191,188 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Outbox.dbx
[2009/04/19 09:05:44 | 00,074,720 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Folders.dbx
[2009/04/19 09:05:44 | 00,009,656 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Offline.dbx
[2009/04/19 08:54:50 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/04/19 08:46:27 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\OTListIt2.exe
[2009/04/18 17:18:41 | 00,002,616 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2009/04/18 17:18:16 | 00,000,000 | ---D | C] -- C:\SmitfraudFix
[2009/04/18 17:17:06 | 01,831,732 | ---- | C] () -- C:\SmitfraudFix.exe
[2009/04/18 15:54:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/04/18 12:30:23 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/18 12:30:19 | 00,267,612 | ---- | C] () -- C:\Rooter.exe
[2009/04/18 12:24:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/18 12:23:05 | 00,000,611 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\Desktop\NTREGOPT.lnk
[2009/04/18 12:23:05 | 00,000,592 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\Desktop\ERUNT.lnk
[2009/04/18 12:23:05 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/18 12:22:38 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\erunt_setup.exe
[2009/04/18 12:21:16 | 00,021,504 | ---- | C] (Doug Knox) -- C:\SysRestorePoint.exe
[2009/04/18 11:47:59 | 00,001,341 | ---- | C] () -- C:\regtools.vbs
[2009/04/17 22:23:29 | 06,216,032 | ---- | C] (Microsoft Corporation) -- C:\windowsupdateagent30-x86.exe
[2009/04/17 18:13:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Application Data\Malwarebytes
[2009/04/17 18:13:19 | 00,000,696 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/17 18:13:18 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/17 18:13:16 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/17 18:13:14 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/17 18:13:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/17 18:12:47 | 00,089,448 | ---- | C] () -- C:\WINDOWS\System32\drivers\7589167f.sys
[2009/04/16 22:02:45 | 00,245,725 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\Desktop\Address Book.WAB
[2009/04/16 08:31:24 | 00,109,010 | ---- | C] () -- C:\WINDOWS\System32\drivers\57ad7fb2.sys
[2009/04/15 20:06:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/14 14:21:45 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/14 14:21:45 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/14 14:21:44 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/14 14:21:44 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/14 14:21:44 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/14 14:21:43 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/14 14:21:43 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/14 14:21:43 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/14 14:21:42 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/14 14:20:47 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/14 14:20:46 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/14 14:20:45 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/13 03:08:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\{73F85829-5F05-4B33-9D3C-C237E7153002}
[2009/04/13 03:08:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Vgazey.bin
[2009/04/13 03:08:07 | 00,000,408 | ---- | C] () -- C:\WINDOWS\Xqataf.dat
[2009/04/13 02:49:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/04/11 13:37:00 | 00,002,137 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/04/11 13:36:32 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/04/11 13:36:29 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/04/11 13:36:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/11 00:15:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\Help
[2009/04/11 00:15:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mom and Dad\Application Data\Help
[2009/04/11 00:14:09 | 00,006,780 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\Untitled Music CD ProjectHGJGKGGJK.cl5
[2009/04/05 09:51:32 | 00,000,849 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\Desktop\Burn CD & DVDs with Roxio.lnk
[2009/03/26 13:33:17 | 00,199,640 | ---- | C] () -- C:\DOCUME~1\MOMAND~1\My Documents\kevin expenses.pdf
[2009/03/21 08:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/02 00:01:46 | 00,303,104 | ---- | C] () -- C:\WINDOWS\System32\FXStudioDLL.dll
[2009/03/02 00:01:45 | 00,235,532 | ---- | C] () -- C:\WINDOWS\System32\loadimage.dll
[2009/03/02 00:01:45 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\RapBoxDSP.dll
[2009/03/02 00:01:45 | 00,126,976 | ---- | C] () -- C:\WINDOWS\System32\NewWaveAnzeige.dll
[2009/03/02 00:01:45 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\eJ_Tool.dll
[2009/03/02 00:01:45 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\fader.dll
[2009/03/02 00:01:44 | 00,360,448 | ---- | C] () -- C:\WINDOWS\System32\pxd32d5.dll
[2009/03/02 00:01:44 | 00,307,200 | ---- | C] () -- C:\WINDOWS\System32\fxstudio.dll
[2009/03/02 00:01:44 | 00,075,976 | ---- | C] () -- C:\WINDOWS\System32\Bassdec.dll
[2009/03/02 00:01:44 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\WndRgn.dll
[2009/03/02 00:01:44 | 00,029,696 | ---- | C] () -- C:\WINDOWS\System32\pthread.dll
[2009/02/27 07:53:52 | 00,297,472 | ---- | C] () -- C:\WINDOWS\System32\snuscauoytnf.dll
[2009/02/26 04:57:12 | 00,621,056 | ---- | C] () -- C:\WINDOWS\System32\nsfB5.dll
[2009/02/05 09:48:06 | 00,671,744 | ---- | C] () -- C:\WINDOWS\System32\nsg37.dll
[2008/11/21 15:47:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/21 15:45:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/21 15:45:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/21 15:44:16 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/03/09 13:08:29 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/12/28 22:28:46 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2007/12/28 22:28:46 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2007/12/28 22:28:46 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2007/12/10 00:24:31 | 00,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/10/26 20:52:31 | 00,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/09/26 21:47:02 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2007/09/26 21:45:43 | 00,002,092 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2007/09/26 21:45:43 | 00,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/09/26 21:45:42 | 00,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2007/09/26 21:45:40 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2007/09/26 21:45:37 | 00,006,175 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2007/09/26 21:45:37 | 00,005,917 | ---- | C] () -- C:\WINDOWS\SBMIXDEF.INI
[2007/09/26 21:45:35 | 00,000,064 | ---- | C] () -- C:\WINDOWS\P16x.ini
[2007/09/26 21:44:16 | 00,000,245 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2007/09/26 19:29:37 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2007/09/26 17:43:10 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/09/26 17:33:40 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7L.DLL
[2007/09/26 17:32:30 | 00,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/09/26 17:25:05 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/22 13:22:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 13:22:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 13:22:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 13:22:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 13:22:00 | 00,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2003/07/28 15:19:00 | 01,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2003/07/28 15:19:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2002/09/03 11:11:56 | 00,000,613 | ---- | C] () -- C:\WINDOWS\win.ini
[2002/09/03 11:06:05 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/05/15 11:13:20 | 00,081,920 | R--- | C] () -- C:\WINDOWS\System32\SipCal.dll
[1999/09/17 19:12:54 | 00,044,344 | ---- | C] () -- C:\WINDOWS\System32\Seqcal.sys

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[7 C:\WINDOWS\*.tmp files]
[2009/04/19 14:40:34 | 00,109,010 | ---- | M] () -- C:\WINDOWS\System32\drivers\57ad7fb2.sys
[2009/04/19 14:40:34 | 00,089,448 | ---- | M] () -- C:\WINDOWS\System32\drivers\7589167f.sys
[2009/04/19 13:42:41 | 00,013,736 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/19 13:27:33 | 00,027,040 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/19 13:24:08 | 00,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/04/19 13:23:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/19 13:23:43 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/19 13:16:15 | 00,305,173 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/19 09:14:56 | 01,301,616 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Inbox.dbx
[2009/04/19 09:14:56 | 00,191,188 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Outbox.dbx
[2009/04/19 09:14:56 | 00,074,720 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Folders.dbx
[2009/04/19 09:14:56 | 00,009,656 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Offline.dbx
[2009/04/19 08:46:53 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\OTListIt2.exe
[2009/04/18 17:32:33 | 00,000,613 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/18 17:32:33 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/18 17:32:33 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/04/18 17:25:35 | 00,002,616 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2009/04/18 17:25:32 | 00,000,848 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090419-131615.backup
[2009/04/18 17:17:09 | 01,831,732 | ---- | M] () -- C:\SmitfraudFix.exe
[2009/04/18 12:30:23 | 00,267,612 | ---- | M] () -- C:\Rooter.exe
[2009/04/18 12:23:05 | 00,000,611 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\Desktop\NTREGOPT.lnk
[2009/04/18 12:23:05 | 00,000,592 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\Desktop\ERUNT.lnk
[2009/04/18 12:22:42 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\erunt_setup.exe
[2009/04/18 12:21:22 | 00,021,504 | ---- | M] (Doug Knox) -- C:\SysRestorePoint.exe
[2009/04/18 11:48:11 | 00,001,341 | ---- | M] () -- C:\regtools.vbs
[2009/04/17 22:58:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/17 22:23:38 | 06,216,032 | ---- | M] (Microsoft Corporation) -- C:\windowsupdateagent30-x86.exe
[2009/04/17 18:13:19 | 00,000,696 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/17 06:57:29 | 00,002,137 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/04/17 06:39:56 | 82,614,384 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Sent Items.dbx
[2009/04/17 06:38:28 | 01,089,776 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Travel Stuff.dbx
[2009/04/17 06:38:26 | 00,266,096 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Insurance.dbx
[2009/04/17 06:38:24 | 00,646,256 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Ryan.dbx
[2009/04/17 06:38:22 | 00,899,696 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Recipes.dbx
[2009/04/17 06:38:16 | 17,375,472 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Fiesta Potluck -April 18th.dbx
[2009/04/17 06:38:06 | 39,208,432 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Mom.dbx
[2009/04/17 06:37:36 | 02,103,536 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\College.dbx
[2009/04/17 06:37:32 | 02,485,872 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Hill AFB .dbx
[2009/04/17 06:37:32 | 00,202,736 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Kevin.dbx
[2009/04/17 06:37:28 | 00,139,376 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\2008 Taxes.dbx
[2009/04/17 06:37:28 | 00,139,376 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\2007 Taxes.dbx
[2009/04/17 06:37:26 | 24,406,256 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Dad.dbx
[2009/04/17 06:37:06 | 00,720,496 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Deleted Items.dbx
[2009/04/17 06:37:06 | 00,076,500 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Hold.dbx
[2009/04/17 06:37:06 | 00,060,116 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Drafts.dbx
[2009/04/17 06:26:03 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Vgazey.bin
[2009/04/17 06:20:52 | 00,009,404 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Pop3uidl.dbx
[2009/04/16 18:44:18 | 00,002,483 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\Desktop\Word.lnk
[2009/04/16 15:00:49 | 00,183,808 | ---- | M] () -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/16 14:53:37 | 00,000,408 | ---- | M] () -- C:\WINDOWS\Xqataf.dat
[2009/04/16 06:56:07 | 00,000,520 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\spider.sav
[2009/04/15 22:00:36 | 10,727,75168 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/04/15 03:16:53 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/15 03:16:53 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/15 03:16:53 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/15 03:05:54 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/15 01:27:00 | 00,000,352 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/04/12 22:51:58 | 00,000,739 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\MySpaceIM.lnk
[2009/04/11 12:48:56 | 00,121,344 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Home Costs 07.xls
[2009/04/11 12:41:44 | 00,002,481 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\Desktop\Excel.lnk
[2009/04/11 00:14:09 | 00,006,780 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\Untitled Music CD ProjectHGJGKGGJK.cl5
[2009/04/09 13:16:52 | 00,245,725 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\Desktop\Address Book.WAB
[2009/04/09 07:57:49 | 00,019,968 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\My medication list.doc
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 08:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/05 09:51:32 | 00,000,849 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\Desktop\Burn CD & DVDs with Roxio.lnk
[2009/03/27 00:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/26 13:33:17 | 00,199,640 | ---- | M] () -- C:\DOCUME~1\MOMAND~1\My Documents\kevin expenses.pdf
[2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/03/22 00:32:59 | 01,579,330 | -H-- | M] () -- C:\Documents and Settings\Mom and Dad\Local Settings\Application Data\IconCache.db
[2009/03/21 08:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 08:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


ROOTER Report

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:152617 Mo/Free:997 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Sun 04/19/2009|14:36

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\McAfee.com\Agent\mcagent.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
---------- C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
---------- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
---------- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
---------- C:\Program Files\Logitech\MouseWare\system\em_exec.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\WINDOWS\system32\CTsvcCDA.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
---------- C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\system32\PnkBstrA.exe
---------- C:\WINDOWS\System32\locator.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Viewpoint\Common\ViewpointService.exe
---------- C:\WINDOWS\system32\MsPMSPSv.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..

C:\DOCUME~1\MOMAND~1\My Documents\LimeWire\Saved\FL Studio 6.0.8 + Crack.aka Fruity loops+all plugins unlocked!(XXL Edition)\FL Studio 6.0.8 + Crack.aka Fruity loops+all plugins unlocked!(XXL Edition).rar


1 - "C:\Rooter$\Rooter_1.txt" - Sat 04/18/2009|12:31
2 - "C:\Rooter$\Rooter_2.txt" - Sun 04/19/2009|14:37

#2 Jimmy2012

  • Group: Retired Staff
  • Posts: 6,238
  • Joined: 11-September 07

Posted 25 April 2009 - 09:44 PM

Hello glrk and welcome to Geeks to go. :)
Sorry about the delay.



Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#3 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 25 April 2009 - 11:38 PM

Thanks for the response but I think I've killed off the virus using Combofix. It removed a trojan that was blocking Update and my AV. Once the trojan was removed my AV found more and removed another virus. Bottom line is I think all is well.

Thanks again! glrk

#4 Jimmy2012

  • Group: Retired Staff
  • Posts: 6,238
  • Joined: 11-September 07

Posted 26 April 2009 - 06:39 PM

Are you sure you don't want to post your logs so that we can make sure there is nothing else there?

#5 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 26 April 2009 - 07:20 PM

Thanks jimmy2012,
You're right...this just isn't the right place for amateurs. The trojan was back this morning redirecting IE although Malwarebytes, McAfee, and Spybot S&D weren't finding anything. As always, any/all help is appreciated. r/ glrk

ComboFix 09-04-25.A3 - Mom and Dad 04/26/2009 19:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.665 [GMT -6:00]
Running from: c:\documents and settings\Mom and Dad\Desktop\ComboFax.exe
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-25 21:33 . 2009-04-25 21:33 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\McAfee
2009-04-25 19:30 . 2009-04-25 19:31 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-25 04:14 . 2009-04-25 04:14 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Windows Search
2009-04-25 04:14 . 2009-04-25 04:16 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-25 04:13 . 2009-04-25 04:13 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Windows Desktop Search
2009-04-25 04:13 . 2009-04-25 04:13 -------- d-----w c:\program files\Windows Desktop Search
2009-04-25 04:13 . 2009-04-25 04:13 -------- d-----w c:\windows\system32\GroupPolicy
2009-04-25 04:12 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-04-25 04:12 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-04-25 04:12 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-04-24 03:00 . 2009-04-24 03:08 23328 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-24 03:00 . 2009-04-24 03:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-24 03:00 . 2009-04-24 03:00 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-24 03:00 . 2009-04-24 03:00 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-24 03:00 . 2009-04-24 03:00 2161 ----a-w C:\rollback.ini
2009-04-24 02:53 . 2009-04-24 03:21 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-24 02:53 . 2009-04-24 03:21 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-24 02:53 . 2009-04-24 02:53 -------- d-----w c:\documents and settings\Mom and Dad\Local Settings\Application Data\Downloaded Installations
2009-04-24 02:27 . 2009-04-24 02:27 -------- d-----w C:\VundoFix Backups
2009-04-24 00:38 . 2009-04-24 00:38 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-24 00:21 . 2009-04-24 00:22 39424 ----a-w c:\windows\system32\winglsetup.exe
2009-04-22 12:47 . 2009-04-22 12:47 2402613 ----a-w C:\bd_rem_tool.zip
2009-04-19 14:54 . 2009-04-19 14:54 -------- d-----w C:\_OTListIt
2009-04-19 14:46 . 2009-04-19 14:46 501248 ----a-w C:\OTListIt2.exe
2009-04-18 23:18 . 2009-04-18 23:29 -------- d-----w C:\SmitfraudFix
2009-04-18 23:17 . 2009-04-18 23:17 1831732 ----a-w C:\SmitfraudFix.exe
2009-04-18 18:30 . 2009-04-19 20:37 -------- d-----w C:\Rooter$
2009-04-18 18:30 . 2009-04-18 18:30 267612 ----a-w C:\Rooter.exe
2009-04-18 18:22 . 2009-04-18 18:22 791393 ----a-w C:\erunt_setup.exe
2009-04-18 18:21 . 2009-04-18 18:21 21504 ----a-w C:\SysRestorePoint.exe
2009-04-18 18:18 . 2009-04-18 18:19 50688 ----a-w C:\ATF_Cleaner.exe
2009-04-18 17:47 . 2009-04-18 17:48 1341 ----a-w C:\regtools.vbs
2009-04-18 04:23 . 2009-04-18 04:23 6216032 ----a-w C:\windowsupdateagent30-x86.exe
2009-04-18 00:13 . 2009-04-18 00:13 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Malwarebytes
2009-04-18 00:13 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 00:13 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 00:13 . 2009-04-18 00:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 00:13 . 2009-04-18 00:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 02:06 . 2009-04-18 14:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 20:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 20:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:20 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 09:08 . 2009-04-17 12:26 0 ----a-w c:\windows\Vgazey.bin
2009-04-13 09:08 . 2009-04-13 09:08 -------- d-----w c:\documents and settings\Mom and Dad\Local Settings\Application Data\{73F85829-5F05-4B33-9D3C-C237E7153002}
2009-04-13 09:08 . 2009-04-16 20:53 408 ----a-w c:\windows\Xqataf.dat
2009-04-11 19:36 . 2009-04-11 19:36 -------- d-----w c:\program files\iPod
2009-04-11 19:36 . 2009-04-11 19:36 -------- d-----w c:\program files\iTunes
2009-04-11 19:36 . 2009-04-11 19:36 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:15 . 2009-04-11 06:15 -------- d-----w c:\documents and settings\Mom and Dad\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 20:24 . 2008-03-19 01:36 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\LimeWire
2009-04-25 21:33 . 2007-09-27 01:53 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-24 06:50 . 2008-03-19 01:33 -------- d-----w c:\program files\LimeWire
2009-04-24 03:22 . 2007-10-27 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-24 02:39 . 2009-04-24 02:27 137 ----a-w C:\VundoFix.txt
2009-04-22 12:49 . 2009-04-22 12:48 290 ------w C:\Win32.Worm.Downladup.Gen.log
2009-04-19 20:40 . 2009-04-19 14:48 85514 ----a-w C:\OTListIt.Txt
2009-04-19 20:37 . 2009-04-18 18:31 3282 ----a-w C:\Rooter.txt
2009-04-19 14:48 . 2009-04-19 14:48 31164 ----a-w C:\Extras.Txt
2009-04-18 23:28 . 2009-04-18 23:18 2140 ----a-w C:\rapport.txt
2009-04-18 00:02 . 2007-09-26 21:20 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 23:59 . 2007-12-26 00:53 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Microsoft Games
2009-04-17 02:56 . 2007-09-27 01:58 -------- d-----w c:\program files\McAfee
2009-04-11 19:36 . 2008-06-25 03:14 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 17:36 . 2008-03-19 01:34 -------- d-----w c:\program files\Java
2009-04-08 03:12 . 2008-01-25 22:59 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Canon
2009-04-02 04:31 . 2008-01-30 13:24 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Move Networks
2009-03-25 17:06 . 2007-09-27 01:59 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 17:06 . 2007-09-27 01:59 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 17:06 . 2007-09-27 01:59 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 17:06 . 2007-09-27 01:59 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 17:05 . 2007-09-27 01:59 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-22 21:06 . 2007-12-29 04:07 -------- d-----w c:\program files\Diablo II
2009-03-20 19:41 . 2007-10-26 20:40 29656 ----a-w c:\documents and settings\Mom and Dad\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 22:32 . 2008-01-29 18:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 02:12 . 2007-09-26 23:42 -------- d-----w c:\program files\Common Files\Adobe
2009-03-12 13:37 . 2007-10-07 17:00 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-12 04:04 . 2009-03-12 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 04:03 . 2009-03-12 04:03 -------- d-----w c:\program files\Bonjour
2009-03-12 04:02 . 2009-03-12 04:01 -------- d-----w c:\program files\QuickTime
2009-03-09 11:19 . 2008-12-14 21:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-03-12 04:00 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 05:59 . 2008-06-25 03:15 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-02 06:53 . 2007-09-27 03:27 29656 ----a-w c:\documents and settings\Mom and Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 02:10 . 2009-03-02 02:08 -------- d-----w c:\program files\Image-Line
2009-03-02 02:10 . 2009-03-02 02:10 -------- d-----w c:\program files\VstPlugins
2009-03-02 02:05 . 2009-03-02 02:05 -------- d-----w c:\program files\My-Tool
2009-03-02 02:05 . 2009-03-02 02:05 -------- d-----w c:\program files\Conduit
2009-03-01 22:06 . 2009-03-01 22:06 -------- d-----w c:\program files\VirtualDJ
2009-03-01 10:24 . 2009-03-01 10:24 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-01 10:24 . 2009-03-01 10:24 232 ---ha-w C:\sqmdata07.sqm
2009-03-01 10:07 . 2009-03-01 10:07 232 ---ha-w C:\sqmdata06.sqm
2009-03-01 10:07 . 2009-03-01 10:07 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-01 04:17 . 2009-03-01 04:17 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-01 04:17 . 2009-03-01 04:17 232 ---ha-w C:\sqmdata05.sqm
2009-03-01 04:17 . 2009-03-01 04:17 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-01 04:17 . 2009-03-01 04:17 232 ---ha-w C:\sqmdata04.sqm
2009-03-01 04:16 . 2009-03-01 04:16 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-01 04:16 . 2009-03-01 04:16 232 ---ha-w C:\sqmdata03.sqm
2009-03-01 03:56 . 2009-03-01 03:56 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-01 03:56 . 2009-03-01 03:56 232 ---ha-w C:\sqmdata02.sqm
2009-03-01 03:50 . 2009-03-01 03:50 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-01 03:44 . 2009-03-01 03:44 244 ---ha-w C:\sqmnoopt00.sqm
2009-02-27 13:53 . 2009-02-27 13:53 297472 ----a-w c:\windows\system32\snuscauoytnf.dll
2009-02-26 19:22 . 2008-06-23 23:56 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\U3
2009-02-26 10:57 . 2009-02-26 10:57 621056 ----a-w c:\windows\system32\nsfB5.dll
2009-02-20 08:10 . 2006-06-23 17:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-15 13:18 . 2007-10-24 05:58 29272 ----a-w c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-03-31 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 15:48 . 2009-02-05 15:48 671744 ----a-w c:\windows\system32\nsg37.dll
2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-07-09 07:50 . 2008-07-09 07:50 29272 ----a-w c:\documents and settings\Ryan\Application Data\GDIPFONTCACHEV1.DAT
2007-12-10 06:24 . 2007-12-10 06:24 22328 ----a-w c:\documents and settings\Ryan\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-04-26_22.16.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 01:03 . 2009-04-27 01:03 16384 c:\windows\Temp\Perflib_Perfdata_38c.dat
+ 2007-09-26 20:35 . 2009-04-27 01:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-26 20:35 . 2009-04-26 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-26 20:35 . 2009-04-27 01:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-26 20:35 . 2009-04-26 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-26 20:35 . 2009-04-27 01:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-09-26 20:35 . 2009-04-26 18:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"updreg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"quicktime task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"adaptecdirectcd"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-11-9 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 57ad7fb2;57ad7fb2; [x]
R1 7589167f;7589167f; [x]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f099617e-417f-11dd-8075-0007e96a13cc}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-27 16:53]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-27 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 19:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxqobiurum.sys 83456 bytes executable
c:\windows\system32\ovfsthxcxdulbbm.dat 1162735 bytes
c:\windows\system32\ovfsthxkixlthww.dll 18432 bytes executable
c:\windows\system32\ovfsthxqjnkoehi.dll 18432 bytes executable
c:\windows\system32\ovfsthxqwvbnptj.dll 60928 bytes executable
c:\windows\system32\ovfsthxtfqestgl.dat 43 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxyxevdymr]
"imagepath"="\systemroot\system32\drivers\ovfsthxqobiurum.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2936)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-27 19:15
ComboFix-quarantined-files.txt 2009-04-27 01:14
ComboFix2.txt 2009-04-27 00:01
ComboFix3.txt 2009-04-26 22:18
ComboFix4.txt 2009-04-25 00:44

Pre-Run: 106,651,480,064 bytes free
Post-Run: 106,640,240,640 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
271 --- E O F --- 2009-04-25 23:13

#6 Jimmy2012

  • Group: Retired Staff
  • Posts: 6,238
  • Joined: 11-September 07

Posted 26 April 2009 - 08:20 PM

Hello glrk,

Jotti File Submission:
  • Please go to Jotti's malware scan

  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • c:\windows\Vgazey.bin


  • Click on the submit button

  • Please post the results in your next reply.
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
c:\windows\system32\snuscauoytnf.dll
c:\windows\system32\nsfB5.dll

Rootkit::
c:\windows\system32\drivers\ovfsthxqobiurum.sys
c:\windows\system32\ovfsthxcxdulbbm.dat
c:\windows\system32\ovfsthxkixlthww.dll
c:\windows\system32\ovfsthxqjnkoehi.dll
c:\windows\system32\ovfsthxqwvbnptj.dll
c:\windows\system32\ovfsthxtfqestgl.dat

Driver::
57ad7fb2
7589167f
ovfsthxyxevdymr

SysRst::

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post the following reports into your next reply:
  • Combofix.txt
  • The Jotti log.


#7 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 26 April 2009 - 10:19 PM

jimmy2012,
Appreciate the help! r/ glrk



Jotti text was:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I received the same result both before and after running the notepad file through Combofix. Let me know if you want me to run it with McAfee firewall disabled.


Combofix text was:

ComboFix 09-04-25.A3 - Mom and Dad 04/26/2009 22:01.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.635 [GMT -6:00]
Running from: C:\Combo-Fix.exe
Command switches used :: C:\CFScript.txt
FW: McAfee Personal Firewall *enabled*

FILE ::
c:\windows\system32\nsfB5.dll
c:\windows\system32\snuscauoytnf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthxqobiurum.sys
c:\windows\system32\nsfB5.dll
c:\windows\system32\ovfsthxcxdulbbm.dat
c:\windows\system32\ovfsthxkixlthww.dll
c:\windows\system32\ovfsthxqjnkoehi.dll
c:\windows\system32\ovfsthxqwvbnptj.dll
c:\windows\system32\ovfsthxtfqestgl.dat
c:\windows\system32\snuscauoytnf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_57ad7fb2
-------\Service_7589167f


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 03:58 . 2009-04-27 03:58 3006230 ----a-r C:\Combo-Fix.exe
2009-04-25 21:33 . 2009-04-25 21:33 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\McAfee
2009-04-25 19:30 . 2009-04-25 19:31 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-25 04:14 . 2009-04-25 04:14 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Windows Search
2009-04-25 04:14 . 2009-04-25 04:16 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-25 04:13 . 2009-04-25 04:13 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Windows Desktop Search
2009-04-25 04:13 . 2009-04-25 04:13 -------- d-----w c:\program files\Windows Desktop Search
2009-04-25 04:13 . 2009-04-25 04:13 -------- d-----w c:\windows\system32\GroupPolicy
2009-04-25 04:12 . 2008-03-07 17:02 98304 -c----w c:\windows\system32\dllcache\nlhtml.dll
2009-04-25 04:12 . 2008-03-07 17:02 29696 -c----w c:\windows\system32\dllcache\mimefilt.dll
2009-04-25 04:12 . 2008-03-07 17:02 192000 -c----w c:\windows\system32\dllcache\offfilt.dll
2009-04-24 03:00 . 2009-04-24 03:08 23328 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-24 03:00 . 2009-04-24 03:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-24 03:00 . 2009-04-24 03:00 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-24 03:00 . 2009-04-24 03:00 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-24 03:00 . 2009-04-24 03:00 2161 ----a-w C:\rollback.ini
2009-04-24 02:53 . 2009-04-24 03:21 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-24 02:53 . 2009-04-24 03:21 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-24 02:53 . 2009-04-24 02:53 -------- d-----w c:\documents and settings\Mom and Dad\Local Settings\Application Data\Downloaded Installations
2009-04-24 02:27 . 2009-04-24 02:27 -------- d-----w C:\VundoFix Backups
2009-04-24 00:38 . 2009-04-24 00:38 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-24 00:21 . 2009-04-24 00:22 39424 ----a-w c:\windows\system32\winglsetup.exe
2009-04-22 12:47 . 2009-04-22 12:47 2402613 ----a-w C:\bd_rem_tool.zip
2009-04-19 14:54 . 2009-04-19 14:54 -------- d-----w C:\_OTListIt
2009-04-19 14:46 . 2009-04-19 14:46 501248 ----a-w C:\OTListIt2.exe
2009-04-18 23:18 . 2009-04-18 23:29 -------- d-----w C:\SmitfraudFix
2009-04-18 23:17 . 2009-04-18 23:17 1831732 ----a-w C:\SmitfraudFix.exe
2009-04-18 18:30 . 2009-04-19 20:37 -------- d-----w C:\Rooter$
2009-04-18 18:30 . 2009-04-18 18:30 267612 ----a-w C:\Rooter.exe
2009-04-18 18:22 . 2009-04-18 18:22 791393 ----a-w C:\erunt_setup.exe
2009-04-18 18:21 . 2009-04-18 18:21 21504 ----a-w C:\SysRestorePoint.exe
2009-04-18 18:18 . 2009-04-18 18:19 50688 ----a-w C:\ATF_Cleaner.exe
2009-04-18 17:47 . 2009-04-18 17:48 1341 ----a-w C:\regtools.vbs
2009-04-18 04:23 . 2009-04-18 04:23 6216032 ----a-w C:\windowsupdateagent30-x86.exe
2009-04-18 00:13 . 2009-04-18 00:13 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Malwarebytes
2009-04-18 00:13 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-18 00:13 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 00:13 . 2009-04-18 00:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 00:13 . 2009-04-18 00:13 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 02:06 . 2009-04-18 14:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 20:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 20:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:20 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 09:08 . 2009-04-17 12:26 0 ----a-w c:\windows\Vgazey.bin
2009-04-13 09:08 . 2009-04-13 09:08 -------- d-----w c:\documents and settings\Mom and Dad\Local Settings\Application Data\{73F85829-5F05-4B33-9D3C-C237E7153002}
2009-04-13 09:08 . 2009-04-16 20:53 408 ----a-w c:\windows\Xqataf.dat
2009-04-11 19:36 . 2009-04-11 19:36 -------- d-----w c:\program files\iPod
2009-04-11 19:36 . 2009-04-11 19:36 -------- d-----w c:\program files\iTunes
2009-04-11 19:36 . 2009-04-11 19:36 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-11 06:15 . 2009-04-11 06:15 -------- d-----w c:\documents and settings\Mom and Dad\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 01:23 . 2007-09-27 01:58 -------- d-----w c:\program files\McAfee
2009-04-26 20:24 . 2008-03-19 01:36 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\LimeWire
2009-04-25 21:33 . 2007-09-27 01:53 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-24 06:50 . 2008-03-19 01:33 -------- d-----w c:\program files\LimeWire
2009-04-24 03:22 . 2007-10-27 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-24 02:39 . 2009-04-24 02:27 137 ----a-w C:\VundoFix.txt
2009-04-22 12:49 . 2009-04-22 12:48 290 ------w C:\Win32.Worm.Downladup.Gen.log
2009-04-19 20:40 . 2009-04-19 14:48 85514 ----a-w C:\OTListIt.Txt
2009-04-19 20:37 . 2009-04-18 18:31 3282 ----a-w C:\Rooter.txt
2009-04-19 14:48 . 2009-04-19 14:48 31164 ----a-w C:\Extras.Txt
2009-04-18 23:28 . 2009-04-18 23:18 2140 ----a-w C:\rapport.txt
2009-04-18 00:02 . 2007-09-26 21:20 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 23:59 . 2007-12-26 00:53 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Microsoft Games
2009-04-11 19:36 . 2008-06-25 03:14 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 17:36 . 2008-03-19 01:34 -------- d-----w c:\program files\Java
2009-04-08 03:12 . 2008-01-25 22:59 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Canon
2009-04-02 04:31 . 2008-01-30 13:24 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\Move Networks
2009-03-25 17:06 . 2007-09-27 01:59 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 17:06 . 2007-09-27 01:59 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 17:06 . 2007-09-27 01:59 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 17:06 . 2007-09-27 01:59 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 17:05 . 2007-09-27 01:59 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-22 21:06 . 2007-12-29 04:07 -------- d-----w c:\program files\Diablo II
2009-03-20 19:41 . 2007-10-26 20:40 29656 ----a-w c:\documents and settings\Mom and Dad\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 22:32 . 2008-01-29 18:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 02:12 . 2007-09-26 23:42 -------- d-----w c:\program files\Common Files\Adobe
2009-03-12 13:37 . 2007-10-07 17:00 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-12 04:04 . 2009-03-12 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 04:03 . 2009-03-12 04:03 -------- d-----w c:\program files\Bonjour
2009-03-12 04:02 . 2009-03-12 04:01 -------- d-----w c:\program files\QuickTime
2009-03-09 11:19 . 2008-12-14 21:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 05:59 . 2009-03-12 04:00 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 05:59 . 2008-06-25 03:15 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-02 06:53 . 2007-09-27 03:27 29656 ----a-w c:\documents and settings\Mom and Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-02 02:10 . 2009-03-02 02:08 -------- d-----w c:\program files\Image-Line
2009-03-02 02:10 . 2009-03-02 02:10 -------- d-----w c:\program files\VstPlugins
2009-03-02 02:05 . 2009-03-02 02:05 -------- d-----w c:\program files\My-Tool
2009-03-02 02:05 . 2009-03-02 02:05 -------- d-----w c:\program files\Conduit
2009-03-01 22:06 . 2009-03-01 22:06 -------- d-----w c:\program files\VirtualDJ
2009-03-01 10:24 . 2009-03-01 10:24 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-01 10:24 . 2009-03-01 10:24 232 ---ha-w C:\sqmdata07.sqm
2009-03-01 10:07 . 2009-03-01 10:07 232 ---ha-w C:\sqmdata06.sqm
2009-03-01 10:07 . 2009-03-01 10:07 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-01 04:17 . 2009-03-01 04:17 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-01 04:17 . 2009-03-01 04:17 232 ---ha-w C:\sqmdata05.sqm
2009-03-01 04:17 . 2009-03-01 04:17 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-01 04:17 . 2009-03-01 04:17 232 ---ha-w C:\sqmdata04.sqm
2009-03-01 04:16 . 2009-03-01 04:16 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-01 04:16 . 2009-03-01 04:16 232 ---ha-w C:\sqmdata03.sqm
2009-03-01 03:56 . 2009-03-01 03:56 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-01 03:56 . 2009-03-01 03:56 232 ---ha-w C:\sqmdata02.sqm
2009-03-01 03:50 . 2009-03-01 03:50 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-01 03:44 . 2009-03-01 03:44 244 ---ha-w C:\sqmnoopt00.sqm
2009-02-26 19:22 . 2008-06-23 23:56 -------- d-----w c:\documents and settings\Mom and Dad\Application Data\U3
2009-02-20 08:10 . 2006-06-23 17:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-15 13:18 . 2007-10-24 05:58 29272 ----a-w c:\documents and settings\Ryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-03-31 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 15:48 . 2009-02-05 15:48 671744 ----a-w c:\windows\system32\nsg37.dll
2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-07-09 07:50 . 2008-07-09 07:50 29272 ----a-w c:\documents and settings\Ryan\Application Data\GDIPFONTCACHEV1.DAT
2007-12-10 06:24 . 2007-12-10 06:24 22328 ----a-w c:\documents and settings\Ryan\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-04-26_22.16.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-26 20:35 . 2009-04-27 03:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-26 20:35 . 2009-04-26 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-26 20:35 . 2009-04-27 03:31 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-26 20:35 . 2009-04-26 18:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-09-26 20:35 . 2009-04-27 03:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-09-26 20:35 . 2009-04-26 18:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\combo-fix\AWF.cmd
04/24/2009 11:01 629 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097433.cmd

c:\combo-fix\c.bat
04/26/2009 03:23 37663 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097419.bat

04/26/2009 10:04 91 c:\combo-fix\CCS.bat
04/26/2009 10:01 91 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097417.bat

c:\combo-fix\Combobatch.bat
04/26/2009 10:02 7584 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097418.bat

c:\combo-fix\Create.cmd
04/26/2009 03:57 5680 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097430.cmd

c:\combo-fix\FD-SV.cmd
04/24/2009 11:07 1370 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097431.cmd

c:\combo-fix\SnapShot.cmd
04/24/2009 11:07 3133 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097432.cmd

04/26/2009 10:06 122 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDCMD-Mom and Dad.reg
04/26/2009 10:00 107 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097427.reg

c:\documents and settings\Mom and Dad\Desktop\ComboFax.exe
04/26/2009 04:12 3006230 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097420.exe

03/09/2007 11:09 116960 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\ComponentLauncher.exe
03/09/2007 11:09 116960 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097424.exe

03/09/2007 11:05 2476256 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\Photoshop Album Starter Edition.exe
03/09/2007 11:05 2476256 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097423.exe

c:\windows\system32\drivers\ovfsthxqobiurum.sys
04/26/2009 10:02 83456 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097409.sys

c:\windows\system32\ovfsthxkixlthww.dll
04/26/2009 10:02 18432 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097410.dll

c:\windows\system32\ovfsthxqjnkoehi.dll
04/26/2009 10:02 18432 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097411.dll

c:\windows\system32\ovfsthxqwvbnptj.dll
04/26/2009 08:32 60928 {EE39DE0F-F58A-4ADC-B443-06F27AF6BB1E}\RP701\A0097412.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"updreg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"quicktime task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"ituneshelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"applesyncnotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"adaptecdirectcd"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-11-07 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-11-9 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2003-11-07 14092]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f099617e-417f-11dd-8075-0007e96a13cc}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-27 16:53]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-27 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 22:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1228)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\locator.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-04-27 22:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 04:09
ComboFix2.txt 2009-04-27 01:15
ComboFix3.txt 2009-04-27 00:01
ComboFix4.txt 2009-04-26 22:18
ComboFix5.txt 2009-04-27 04:00

Pre-Run: 106,639,126,528 bytes free
Post-Run: 106,643,640,320 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
335 --- E O F --- 2009-04-25 23:13

#8 Jimmy2012

  • Group: Retired Staff
  • Posts: 6,238
  • Joined: 11-September 07

Posted 27 April 2009 - 01:36 PM

Hello glrk,

Quote

I received the same result both before and after running the notepad file through Combofix. Let me know if you want me to run it with McAfee firewall disabled.

That's fine, please try to upload and scan this file with Jotti.

c:\windows\Xqataf.dat

#9 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 27 April 2009 - 08:06 PM

Jimmy2012,
Ran c:\windows\Xqataf.dat through Jotti and it came back with nothing found.

I greatly appreciate your help with this. r/ glrk

#10 Jimmy2012

  • Group: Retired Staff
  • Posts: 6,238
  • Joined: 11-September 07

Posted 27 April 2009 - 10:48 PM

Hello glrk,

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Please post the contents of RootRepeal.txt in your next reply.

#11 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 28 April 2009 - 07:23 PM

RootRepeal Report attached. Thanks for your help. r/ glrk

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/28 19:15
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\mcafee_0AEWOXE23XZ0Q0k
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\mcmsc_BA4mmul5zwemXar
Status: Allocation size mismatch (API: 4096, Raw: 0)


Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\PnkBstrA.exe
PID: 144 Status: -

Path: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PID: 232 Status: -

Path: C:\WINDOWS\system32\locator.exe
PID: 260 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 404 Status: -

Path: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 484 Status: -

Path: C:\WINDOWS\system32\MsPMSPSv.exe
PID: 512 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 564 Status: -

Path: C:\WINDOWS\system32\searchindexer.exe
PID: 620 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 636 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 660 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 704 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 716 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 804 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 872 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 948 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1044 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1088 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1148 Status: -

Path: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PID: 1176 Status: -

Path: C:\DOCUME~1\MOMAND~1\LOCALS~1\temp\Temporary Directory 2 for RootRepeal.zip\RootRepeal.exe
PID: 1200 Status: -

Path: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PID: 1292 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1404 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1508 Status: -

Path: C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
PID: 1536 Status: -

Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1568 Status: -

Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1580 Status: -

Path: C:\WINDOWS\system32\CTsvcCDA.EXE
PID: 1608 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1660 Status: -

Path: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
PID: 1696 Status: -

Path: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
PID: 1724 Status: -

Path: C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
PID: 1844 Status: -

Path: C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
PID: 1892 Status: -

Path: C:\Program Files\McAfee\MPF\MpfSrv.exe
PID: 1968 Status: -

Path: C:\WINDOWS\system32\nvsvc32.exe
PID: 2000 Status: -

Path: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
PID: 2296 Status: -

Path: C:\Program Files\iTunes\iTunesHelper.exe
PID: 2432 Status: -

Path: C:\Program Files\McAfee.com\Agent\mcagent.exe
PID: 2492 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 2568 Status: -

Path: C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
PID: 2844 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 2856 Status: -

Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 2952 Status: -

Path: C:\Program Files\McAfee.com\Agent\mcagent.exe
PID: 2960 Status: -

Path: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PID: 3136 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 3148 Status: -

Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3176 Status: -

Path: C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
PID: 3296 Status: -

Path: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 3548 Status: -

Path: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
PID: 3564 Status: -

Path: C:\Program Files\iTunes\iTunesHelper.exe
PID: 3600 Status: -

Path: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PID: 3636 Status: -

Path: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PID: 3668 Status: -

Path: C:\Program Files\Messenger\msmsgs.exe
PID: 3688 Status: -

Path: C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
PID: 3748 Status: -

Path: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PID: 3776 Status: -

Path: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PID: 3796 Status: -

Path: C:\Program Files\iPod\bin\iPodService.exe
PID: 3904 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 4036 Status: -


SSDT
-------------------
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Not hooked

#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Not hooked

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Not hooked

#: 258 Function Name: NtTerminateThread
Status: Not hooked

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Not hooked

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Not hooked

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked

Stealth Objects:

Hidden Services:
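
The SSDT listing above reports every service as "Not hooked". On a listing this long the entries worth an analyst's time are the few that are hooked, and what matters for each of those is which module the hook points into: a hook that resolves to no loaded module is the classic kernel rootkit sign, while AV and HIPS drivers legitimately hook many of the same services. The following is an added example (not part of the original post, and not the scanner's own output or code) that parses the "#: N Function Name: ... / Status: ..." layout and rates each hook. The two "Not hooked" entries in the sample are taken from the listing above; the two hooked entries, the 'Hooked by "<module>" at address 0x...' status wording and the driver name examplehips.sys are assumptions made up for illustration.

```python
"""Parse an SSDT hook listing in the "#: N Function Name: ... / Status: ..." layout
and rate each hooked entry.  Added example; the sample input is partly constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample listing.  The first two entries are taken from the scan above.  The two
# hooked entries, the 'Hooked by "<module>" at address 0x...' status wording and
# the driver name examplehips.sys are ASSUMPTIONS made up for illustration.
SAMPLE = """\
#: 177 Function Name: NtQueryValueKey
Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "<unknown>" at address 0xf7e1a2b0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\examplehips.sys" at address 0xf8a3c120
"""

ENTRY_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(.+?)\s*$")
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)')

# Services a stealth rootkit hooks to hide files, registry data and processes, or
# to protect itself; a hook on one of these deserves a closer look than, say, NtClose.
STEALTH_SERVICES = {
    "NtQueryDirectoryFile", "NtEnumerateKey", "NtEnumerateValueKey",
    "NtQueryValueKey", "NtQuerySystemInformation", "NtOpenProcess",
    "NtOpenThread", "NtCreateFile", "NtOpenKey", "NtSetValueKey",
    "NtDeleteValueKey", "NtTerminateProcess", "NtLoadDriver",
}


@dataclass
class SsdtEntry:
    index: int
    name: str
    hooked: bool
    module: Optional[str] = None   # owning module as reported, "<unknown>" if none
    address: Optional[str] = None  # hook target address as a hex string


def parse_ssdt(text: str) -> List[SsdtEntry]:
    """Pair each '#: N Function Name:' line with the 'Status:' line that follows it."""
    entries: List[SsdtEntry] = []
    current: Optional[SsdtEntry] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = SsdtEntry(int(m.group(1)), m.group(2), hooked=False)
            entries.append(current)
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            status = m.group(1)
            if status.lower() != "not hooked":
                current.hooked = True
                h = HOOK_RE.search(status)
                if h:
                    current.module, current.address = h.group(1), h.group(2)
            current = None  # a status line closes the entry
    return entries


def classify(e: SsdtEntry) -> str:
    """clean / expected / review / suspicious, based on who owns the hook and what it hooks."""
    if not e.hooked:
        return "clean"
    if e.module is None or e.module == "<unknown>":
        return "suspicious"   # target lies outside every loaded module: classic rootkit sign
    if e.name in STEALTH_SERVICES:
        return "review"       # AV/HIPS drivers hook these too; verify the driver's signer
    return "expected"


def summarize(text: str) -> dict:
    """Map each verdict to the list of service names that received it."""
    out = {"clean": [], "expected": [], "review": [], "suspicious": []}
    for e in parse_ssdt(text):
        out[classify(e)].append(e.name)
    return out


if __name__ == "__main__":
    for e in parse_ssdt(SAMPLE):
        if e.hooked:
            print(f"{e.index:>3} {e.name:<24} {classify(e):<10} {e.module} @ {e.address}")
    print(summarize(SAMPLE))
```

Two caveats for reading real output with this. A hook owned by a named driver is only as trustworthy as that driver's signature and path, so "review" means check the file, not ignore it. And a fully clean SSDT, as in this thread, does not clear the machine: inline patches in ntoskrnl, IRP hooks in a filesystem or disk driver, and direct kernel object manipulation all leave this table untouched, so other scanners and scan types are still needed.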

#12 Jimmy2012

  • Group: Retired Staff
  • Posts: 6,238
  • Joined: 11-September 07

Posted 28 April 2009 - 09:36 PM

Hello glrk,

  • Please start Malwarebytes' Anti-Malware and update it.
  • To update please do this, click Update and then click Check for Updates.
  • It will now install any updates it finds.
  • Once it is done updating please click Scanner and then click "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please do an online scan with Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

~~~~~~~~~~~~~~~
In your next reply please have these logs.
The Malwarebytes log
And the Kaspersky log

#13 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 29 April 2009 - 08:02 PM

Jimmy 2012,

Malwarebytes and Kaspersky logs attached.

KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 23:15:23
Records in database: 2101635
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 77687
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:25:23


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c009AFE9.dat.vir Infected: Trojan.Win32.Agent2.ijy 1
C:\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1

The selected area was scanned.


Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3

4/29/2009 7:00:11 AM
mbam-log-2009-04-29 (07-00-11).txt

Scan type: Quick Scan
Objects scanned: 89419
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


r/ glrk
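
The two hits in the Kaspersky report above are of different kinds, and the report format makes that visible: the first path sits under a Quarantine folder and carries a .vir extension, so it is an isolated copy rather than a file the system can still run, while the second threat name carries Kaspersky's not-a-virus: prefix, which marks a tool with legitimate uses rather than malware. The following is an added example (not part of the thread and not Kaspersky's tooling) that parses the report's per-file lines and sorts each detection into quarantined, risk-tool or active. The first two report lines are copied from the post above; the third line, including its path and threat name, is constructed to show what a live detection would look like.

```python
"""Parse the per-file lines of a Kaspersky Online Scanner report and sort each
detection by what it means for the machine.  Added example, not Kaspersky's code."""
import re
from typing import Dict, List, NamedTuple

# The first two lines are the detections from the report in the post above.  The
# third line, its path and its threat name, is CONSTRUCTED to show a live detection.
REPORT = """\
File name / Threat name / Threats count
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\__c009AFE9.dat.vir Infected: Trojan.Win32.Agent2.ijy 1
C:\\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\\WINDOWS\\system32\\example_dropper.exe Infected: Trojan.Win32.Example.a 1
"""

# "<path> Infected: <threat> <count>"; the same shape with "Suspicious:" also occurs.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<kind>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


class Detection(NamedTuple):
    path: str
    kind: str
    threat: str
    count: int


def parse_report(text: str) -> List[Detection]:
    """Keep only the per-file detection lines; headers and statistics are skipped."""
    found: List[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["kind"], m["threat"], int(m["count"])))
    return found


def classify(d: Detection) -> str:
    """quarantined / risktool / active."""
    low = d.path.lower()
    if "\\quarantine\\" in low or low.endswith(".vir"):
        # The scanner is reading another tool's vault: the file is isolated, not runnable.
        return "quarantined"
    if d.threat.lower().startswith("not-a-virus:"):
        # Kaspersky's prefix for tools with legitimate uses; judge by who placed it and why.
        return "risktool"
    # Present at a live path: remove it and look for the persistence that put it there.
    return "active"


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each verdict to the paths that received it."""
    out: Dict[str, List[str]] = {"quarantined": [], "risktool": [], "active": []}
    for d in parse_report(text):
        out[classify(d)].append(d.path)
    return out


if __name__ == "__main__":
    for d in parse_report(REPORT):
        print(f"{classify(d):<12} {d.threat:<40} {d.path}")
```

The point of the split is what to do next: a quarantined hit is cleared by emptying the earlier tool's quarantine once the machine is stable, a risk tool is kept or deleted depending on whether the user or the helper put it there, and only an active hit means the cleanup is not finished.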

#14 Jimmy2012

  • Group: Retired Staff
  • Posts: 6,238
  • Joined: 11-September 07

Posted 30 April 2009 - 12:27 PM

Hello glrk,

How is your computer running now?

#15 glrk

  • Group: Member
  • Posts: 10
  • Joined: 19-April 09

Posted 30 April 2009 - 07:01 PM

Jimmy 2012,
The computer seems back to normal...you're a lifesaver. Thanks for your time and effort. And your web site has been a gold mine of info for a number of unrelated computer questions. Again, thanks for your help! r/ glrk
