'NTOSKRNL-HOOK / Windows Anti-virus Pro' Removal [Solved]


  • This topic is locked

#1
Sauron2029 (Member, 12 posts)
Greetings Geeks!

A few days ago I was using my computer when a window popped open informing me that a program called 'Windows Antivirus Pro' was trying to display a message on the desktop. I pressed cancel and immediately researched this on the internet and followed the steps to remove this pesky problem (using Malwarebytes).

I then purchased and ran McAfee Security Suite and found I also had the NTOSKRNL-HOOK trojan. No matter how many times I ran the scan, it would not get rid of this trojan. In the meantime, Windows Antivirus Pro came back. That's when I came to this site, which I found via Google whilst trying to figure this all out.

Unfortunately, Malwarebytes won't even run anymore despite all the .exe-renaming efforts I have made. Also, several programs just act like they are not there anymore, including Task Manager and Firefox (which will run from the start menu but not the quick launch bar). I am also getting several svchost.exe crash errors every minute or two.

I will post any logs that I can get from the tutorial I read on this site. I can't run Malwarebytes so that's out obviously, but I will try Root Repeal and OTL and see what happens.

Any help will be GREATLY appreciated!

:)

#2
Sauron2029 (Topic Starter, Member, 12 posts)
No dice on the Root Repeal or OTL. Both programs, when executed, just bring up the 'Open With...' dialog as though they are not executables :) .

Eek!


***UPDATE***

I've gotten programs running again after a registry edit to restore the ability to run .exe files.

I'm back to just having the NTOSKRNL-HOOK which no anti-virus/malware/trojan can seem to stamp out!

Edited by Sauron2029, 29 August 2009 - 09:41 AM.


#3
hammerman (Member 4k, 4,183 posts)
Hello and welcome to GeeksToGo.
I'm hammerman and I'm going to help you fix your problem.

Please note that I am still in training and my replies need to be checked by an expert. This means there may be a small delay between my posts. Please bear with me.

I am looking through your log now and will reply as soon as possible.

Before we begin, I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.

#4
hammerman (Member 4k, 4,183 posts)
Hello,

-- Step 1 --

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

-- Step 2 --

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

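When a ComboFix log comes back, the service blocks it prints under "LOCKED REGISTRY KEYS" are where a hidden kernel-mode driver usually shows up. The following script is an added example for this thread, not code from ComboFix, from hammerman's procedure or from the forum: it parses those registry-style blocks and scores each `Services\<name>` key on the signals a helper looks for (kernel driver type, boot/system start, a locked key with a custom DACL, a random-looking name). The sample log is constructed in ComboFix's format; the first block matches the rootkit service posted later in this thread, and the second is a constructed benign driver block whose start/type values are assumed.

```python
"""Triage helper for the 'LOCKED REGISTRY KEYS' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix and not the
helper's own procedure. It parses the registry-style blocks ComboFix
prints and scores each Services\\<name> key on signals that typically
mark a hidden kernel-mode driver.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in ComboFix's format. The first block matches the
# rootkit service reported in this thread; the second is a constructed
# benign driver block (its start/type values are assumed) for contrast.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmbvskjyso]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmhuyjqhfs.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mbamswissarmy]
"start"=dword:00000003
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\mbamswissarmy.sys"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"?(@?[^"=]+)"?=(.*)$')
CONSONANT_RUN_RE = re.compile(r'[bcdfghjklmnpqrstvwxyz]+')


@dataclass
class ServiceEntry:
    name: str                      # last component of the Services\ key
    key_path: str
    values: dict = field(default_factory=dict)
    custom_dacl: bool = False      # ComboFix prints '@DACL=' on locked keys


def _parse_value(raw):
    """Turn a ComboFix/REGEDIT4 value into an int or a plain string."""
    raw = raw.strip()
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('expand:'):
        raw = raw[len('expand:'):]
    # ComboFix doubles backslashes in expand strings; undo that.
    return raw.strip('"').replace('\\\\', '\\')


def parse_service_blocks(text):
    """Collect every [..\\Services\\<name>] block with its values."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            current = None
            if '\\services\\' in path.lower():
                current = ServiceEntry(name=path.rsplit('\\', 1)[1], key_path=path)
                entries.append(current)
            continue
        if current is None or not line:
            continue
        if line.startswith('@DACL='):
            current.custom_dacl = True
            continue
        value = VALUE_RE.match(line)
        if value:
            current.values[value.group(1).lower()] = _parse_value(value.group(2))
    return entries


def looks_random(name, max_run=5):
    """Randomly generated names tend to contain long consonant runs;
    ordinary driver names rarely have more than four in a row."""
    runs = CONSONANT_RUN_RE.findall(name.lower())
    return bool(runs) and max(len(r) for r in runs) >= max_run


def assess(entry):
    """Return the list of suspicious signals for one service entry."""
    reasons = []
    if entry.values.get('type') == 1:           # SERVICE_KERNEL_DRIVER
        reasons.append('kernel driver')
    if entry.values.get('start') in (0, 1):     # boot / system start
        reasons.append('loads at boot/system start')
    if entry.custom_dacl:
        reasons.append('locked key (custom DACL)')
    if looks_random(entry.name):
        reasons.append('random-looking service name')
    return reasons


def triage(text, threshold=3):
    """Map service name -> reasons for entries with at least `threshold` signals."""
    flagged = {}
    for entry in parse_service_blocks(text):
        reasons = assess(entry)
        if len(reasons) >= threshold:
            flagged[entry.name] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f'{name}: {", ".join(reasons)}')
```

The name heuristic is only one signal among several; a benign driver with an odd name scores one point, while the locked, system-start kernel driver in the sample scores four.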

#5
Sauron2029 (Topic Starter, Member, 12 posts)
hammerman, thank you so much for your reply and help! Here are the two logs you requested:

ComboFix 09-08-30.01 - Brandon 08/30/2009 23:00.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.493 [GMT -7:00]
Running from: c:\users\Brandon.Rodan242\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-2225589205-1163395192-3403473811-1006
c:\recycler\S-1-5-21-2225589205-1163395192-3403473811-500
C:\windll32.dll
c:\windows\Installer\cc93f.msi
c:\windows\irc.txt
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\kbiwkmhuyjqhfs.sys
c:\windows\system32\Install.txt
c:\windows\system32\kbiwkmjcvswobn.dll
c:\windows\system32\kbiwkmkmptlgqv.dat
c:\windows\system32\kbiwkmtpgmtfnq.dat
c:\windows\system32\kbiwkmwdbybanh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmbvskjyso


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 06:17 . 2009-08-31 06:22 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Local\temp
2009-08-31 06:17 . 2009-08-31 06:17 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-08-31 06:17 . 2009-08-31 06:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-31 06:17 . 2009-08-31 06:17 -------- d-----w- c:\users\Brandon\AppData\Local\temp
2009-08-31 06:17 . 2009-08-31 06:17 -------- d-----w- c:\users\BRANDO~1~ROD\AppData\Local\temp
2009-08-27 00:39 . 2009-08-27 00:39 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Local\MigWiz
2009-08-24 18:05 . 2009-08-24 18:06 -------- d-----w- C:\Toolbox
2009-08-24 17:38 . 2009-08-24 17:38 -------- d-----w- c:\program files\ERUNT
2009-08-20 23:56 . 2009-08-20 23:56 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\Malwarebytes
2009-08-20 23:56 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 23:56 . 2009-08-20 23:56 -------- d-----w- c:\programdata\Malwarebytes
2009-08-20 23:56 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 23:56 . 2009-08-24 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 23:45 . 2009-07-08 20:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-20 23:45 . 2009-07-08 20:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-08-20 23:45 . 2009-07-08 20:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-20 23:45 . 2009-07-16 19:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-08-20 23:43 . 2009-08-20 23:45 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-20 23:43 . 2009-08-20 23:44 -------- d-----w- c:\program files\McAfee.com
2009-08-20 23:43 . 2009-08-21 05:41 -------- d-----w- c:\program files\McAfee
2009-08-20 23:21 . 2009-07-08 20:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-20 23:10 . 2009-08-21 05:49 -------- d-----w- c:\programdata\McAfee
2009-08-19 06:45 . 2009-08-19 06:45 -------- d-----w- c:\programdata\GameHouse
2009-08-19 06:36 . 2009-08-19 06:36 -------- d-----w- c:\program files\RarZilla
2009-08-13 16:35 . 2009-06-15 15:29 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-08-13 16:34 . 2009-07-14 13:02 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-13 16:34 . 2009-07-14 13:00 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-13 16:34 . 2009-07-14 13:01 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-13 16:34 . 2009-07-14 11:11 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-13 16:34 . 2009-06-10 12:10 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-08-13 16:34 . 2009-06-10 12:10 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-08-13 16:34 . 2009-06-10 12:09 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-08-13 16:34 . 2009-06-10 12:07 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-08-13 16:34 . 2009-06-10 12:04 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-08-13 16:34 . 2009-06-10 12:04 65024 ----a-w- c:\windows\system32\avicap32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 06:29 . 2009-08-31 06:29 41631 ----a-w- c:\windows\system32\certstore.dat
2009-08-31 06:21 . 2009-06-23 23:27 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\DNA
2009-08-31 06:21 . 2009-06-23 23:27 -------- d-----w- c:\program files\DNA
2009-08-21 23:26 . 2009-06-23 23:33 -------- d-----w- c:\program files\Games
2009-08-18 23:33 . 2009-06-23 23:27 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\BitTorrent
2009-08-13 23:03 . 2007-11-20 04:26 -------- d-----w- c:\program files\AIM6
2009-08-13 23:03 . 2007-11-20 04:27 -------- d-----w- c:\program files\Viewpoint
2009-08-13 23:03 . 2007-11-20 04:27 -------- d-----w- c:\programdata\Viewpoint
2009-08-13 23:01 . 2008-12-09 01:46 -------- d-----w- c:\programdata\AOL Downloads
2009-08-13 16:50 . 2007-12-23 21:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-13 16:48 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-03 22:57 . 2008-01-01 02:44 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\Canon
2009-07-25 04:21 . 2009-07-25 04:21 135396 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-25 04:20 . 2009-07-25 04:20 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\Apple Computer
2009-07-25 04:16 . 2009-07-25 04:15 -------- d-----w- c:\program files\Safari
2009-07-25 04:14 . 2009-07-25 04:14 -------- d-----w- c:\program files\Apple Software Update
2009-07-25 04:14 . 2009-07-25 04:14 -------- d-----w- c:\programdata\Apple
2009-07-25 01:34 . 2009-07-25 01:34 713992 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-07-23 16:59 . 2007-11-18 23:41 80904 ----a-w- c:\users\Brandon.Rodan242\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-21 21:52 . 2009-08-13 16:35 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-13 16:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-13 16:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-13 16:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:52 . 2009-08-13 16:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-08 20:44 . 2009-07-08 20:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-02 03:17 . 2009-07-02 03:17 69632 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-06-15 18:12 . 2009-08-13 16:35 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 15:29 . 2009-08-13 16:35 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 15:28 . 2009-08-13 16:35 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 15:28 . 2009-08-13 16:35 272384 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 15:25 . 2009-08-13 16:35 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 15:23 . 2009-08-13 16:35 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 15:23 . 2009-08-13 16:35 24064 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 15:23 . 2009-08-13 16:35 494592 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 15:22 . 2009-08-13 16:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:21 . 2009-08-13 16:35 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 15:20 . 2009-08-13 16:35 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-06-15 13:10 . 2009-08-13 16:35 7680 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 13:03 . 2009-08-13 16:35 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 12:16 . 2009-08-13 16:35 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-04 12:47 . 2009-08-13 16:35 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-06-04 12:43 . 2009-08-13 16:35 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-04 12:36 . 2009-08-13 16:35 116736 ----a-w- c:\windows\system32\aaclient.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-23 321344]
"Google Update"="c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-25 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-23 1006264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"CTHelper"="CTHELPER.EXE" - c:\windows\System32\CtHelper.exe [2008-02-21 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\System32\Ctxfihlp.exe [2008-02-21 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-23 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BDARemote.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2979632154-2472622693-673311761-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{3C64B300-38D7-4091-B236-4BE46F00E4CF}c:\\games\\soldier of fortune\\sof.exe"= UDP:c:\games\soldier of fortune\sof.exe:SoF
"UDP Query User{91FE160A-72C5-42C5-ACB6-3442AA48AD8E}c:\\games\\soldier of fortune\\sof.exe"= TCP:c:\games\soldier of fortune\sof.exe:SoF
"{3D38E612-03BF-4350-9E65-3E11252E4D5C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{74DF458E-DC85-4DCE-AFA2-08226202FC34}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{D3128A9C-F202-4211-90FA-5DA372C74F1D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9872F371-0414-460D-AF2C-FAFAA6F1AD60}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{D3EBEC4C-DEEC-4B37-B357-FD29FE9CD675}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{297A9DB2-C2C8-4F65-8F3D-19214DCFB004}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{4F8B0E8B-D4FE-4215-A220-A1A4625CDD12}c:\\program files\\pieautoupdater\\winmx.exe"= UDP:c:\program files\pieautoupdater\winmx.exe:WinMX Application
"UDP Query User{AC2B0356-3165-4B29-A454-F31365736F93}c:\\program files\\pieautoupdater\\winmx.exe"= TCP:c:\program files\pieautoupdater\winmx.exe:WinMX Application
"{90FF6D2A-3F90-4226-AABD-7ED0AEBB0C17}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{0DED102C-110E-4681-BD70-A9D766390DE9}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{26453132-050C-4135-900E-0474291EF3D4}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A29EF27-E9F7-47F6-9B79-10B26C84D365}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DDA09D6B-B02C-4A9B-A75C-09E88D885DD6}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{26AED914-1F70-4A93-8DB1-9F3D25AD5382}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2080DF58-428F-4017-8E20-C595CC5ECF61}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{147494DD-7901-4EBB-89A0-60109EA95031}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{CF7FA0AB-5BD0-49EB-998C-4E1D73DAE7E3}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{9FDB0174-775A-4D21-B862-85109EF78A3E}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{32C6096F-4AB6-4F09-9935-93ED61D3488E}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{D8387652-DEE7-446E-B6F6-B5536F5D8C7F}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe [7/12/2008 8:41 PM 79360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
- c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-25 04:17]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
- c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-25 04:17]

2009-08-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 04:26]

2009-08-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 04:26]

2009-08-31 c:\windows\Tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job
- c:\windows\system32\msfeedssync.exe [2009-08-13 20:13]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-Aim6 - (no file)
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kaijuphile.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: {015F60B8-2D39-41CB-A64B-CBD93D5A3157} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Brandon.Rodan242\AppData\Roaming\Mozilla\Firefox\Profiles\m6uiopqu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaijuphile.com/
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Brandon.Rodan242\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Brandon.Rodan242\AppData\Roaming\Mozilla\Firefox\Profiles\m6uiopqu.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 23:21
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmbvskjyso]
"imagepath"="\systemroot\system32\drivers\kbiwkmhuyjqhfs.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmbvskjyso]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmhuyjqhfs.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\System32\rundll32.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7Debug\mdm.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\System32\RacAgent.exe
c:\windows\System32\lpremove.exe
c:\windows\System32\lpksetup.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-08-31 23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 06:35

Pre-Run: 33,863,553,024 bytes free
Post-Run: 33,541,410,816 bytes free

339 --- E O F --- 2009-08-13 16:47

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\Windows\System32\smss.exe
PID: 380
Hidden: No
Window Visible: No

Name: C:\Windows\System32\csrss.exe
PID: 444
Hidden: No
Window Visible: No

Name: C:\Windows\System32\wininit.exe
PID: 488
Hidden: No
Window Visible: No

Name: C:\Windows\System32\csrss.exe
PID: 496
Hidden: No
Window Visible: No

Name: C:\Windows\System32\services.exe
PID: 536
Hidden: No
Window Visible: No

Name: C:\Windows\System32\lsass.exe
PID: 560
Hidden: No
Window Visible: No

Name: C:\Windows\System32\lsm.exe
PID: 568
Hidden: No
Window Visible: No

Name: C:\Windows\System32\winlogon.exe
PID: 580
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 748
Hidden: No
Window Visible: No

Name: C:\Windows\System32\nvvsvc.exe
PID: 792
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 848
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1016
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1032
Hidden: No
Window Visible: No

Name: C:\Windows\System32\audiodg.exe
PID: 1108
Hidden: No
Window Visible: No

Name: C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PID: 1136
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1148
Hidden: No
Window Visible: No

Name: C:\Windows\System32\SLsvc.exe
PID: 1164
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1220
Hidden: No
Window Visible: No

Name: C:\Windows\System32\rundll32.exe
PID: 1284
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1412
Hidden: No
Window Visible: No

Name: C:\Windows\System32\spoolsv.exe
PID: 1596
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1624
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
PID: 1884
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
PID: 1960
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\microsoft shared\VS7Debug\mdm.exe
PID: 276
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 12
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 372
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 896
Hidden: No
Window Visible: No

Name: C:\Windows\System32\svchost.exe
PID: 1336
Hidden: No
Window Visible: No

Name: C:\Windows\System32\SearchIndexer.exe
PID: 1428
Hidden: No
Window Visible: No

Name: C:\Windows\System32\dwm.exe
PID: 2456
Hidden: No
Window Visible: Yes

Name: C:\Windows\System32\taskeng.exe
PID: 2716
Hidden: No
Window Visible: No

Name: C:\Windows\System32\taskeng.exe
PID: 2904
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Defender\MSASCui.exe
PID: 3636
Hidden: No
Window Visible: No

Name: C:\Program Files\Zune\ZuneLauncher.exe
PID: 3724
Hidden: No
Window Visible: No

Name: C:\Windows\System32\rundll32.exe
PID: 3780
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee.com\Agent\mcagent.exe
PID: 3864
Hidden: No
Window Visible: No

Name: C:\Windows\ehome\ehtray.exe
PID: 3956
Hidden: No
Window Visible: No

Name: C:\Program Files\DNA\btdna.exe
PID: 4020
Hidden: No
Window Visible: No

Name: C:\Users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe
PID: 1836
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
PID: 1608
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnetwk.exe
PID: 3200
Hidden: No
Window Visible: No

Name: C:\Windows\ehome\ehmsas.exe
PID: 3216
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
PID: 2680
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
PID: 1808
Hidden: No
Window Visible: No

Name: C:\Program Files\Zune\ZuneNss.exe
PID: 3156
Hidden: No
Window Visible: No

Name: C:\Windows\explorer.exe
PID: 1784
Hidden: No
Window Visible: No

Name: C:\Windows\System32\taskeng.exe
PID: 3496
Hidden: No
Window Visible: No

Name: C:\Windows\servicing\TrustedInstaller.exe
PID: 1084
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 2792
Hidden: No
Window Visible: No

Name: C:\Users\Brandon.Rodan242\Desktop\SysProt\SysProt.exe
PID: 2896
Hidden: No
Window Visible: Yes

Name: C:\Windows\System32\SearchProtocolHost.exe
PID: 3904
Hidden: No
Window Visible: No

Name: C:\Windows\System32\SearchFilterHost.exe
PID: 3660
Hidden: No
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmhuyjqhfs.sys
Service Name: kbiwkmbvskjyso
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Users\Brandon.Rodan242\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: 8FA03000
Module End: 8FA0E000
Hidden: No

Module Name: C:\Windows\system32\ntoskrnl.exe
Service Name: ---
Module Base: 82000000
Module End: 82395000
Hidden: No

Module Name: C:\Windows\system32\hal.dll
Service Name: ---
Module Base: 82395000
Module End: 823C9000
Hidden: No

Module Name: C:\Windows\system32\kdcom.dll
Service Name: ---
Module Base: 806C6000
Module End: 806CE000
Hidden: No

Module Name: C:\Windows\system32\mcupdate_GenuineIntel.dll
Service Name: ---
Module Base: 80666000
Module End: 806C6000
Hidden: No

Module Name: C:\Windows\system32\PSHED.dll
Service Name: ---
Module Base: 8065D000
Module End: 80666000
Hidden: No

Module Name: C:\Windows\system32\BOOTVID.dll
Service Name: ---
Module Base: 80655000
Module End: 8065D000
Hidden: No

Module Name: C:\Windows\system32\CLFS.SYS
Service Name: CLFS
Module Base: 8061A000
Module End: 80655000
Hidden: No

Module Name: C:\Windows\system32\CI.dll
Service Name: ---
Module Base: 80539000
Module End: 8061A000
Hidden: No

Module Name: C:\Windows\system32\drivers\Wdf01000.sys
Service Name: Wdf01000
Module Base: 804BE000
Module End: 80539000
Hidden: No

Module Name: C:\Windows\system32\drivers\WDFLDR.SYS
Service Name: ---
Module Base: 804B1000
Module End: 804BE000
Hidden: No

Module Name: C:\Windows\system32\drivers\acpi.sys
Service Name: ACPI
Module Base: 8046E000
Module End: 804B1000
Hidden: No

Module Name: C:\Windows\system32\drivers\WMILIB.SYS
Service Name: ---
Module Base: 80465000
Module End: 8046E000
Hidden: No

Module Name: C:\Windows\system32\drivers\msisadrv.sys
Service Name: msisadrv
Module Base: 8045D000
Module End: 80465000
Hidden: No

Module Name: C:\Windows\system32\drivers\pci.sys
Service Name: pci
Module Base: 80438000
Module End: 8045D000
Hidden: No

Module Name: C:\Windows\system32\drivers\volmgr.sys
Service Name: volmgr
Module Base: 80429000
Module End: 80438000
Hidden: No

Module Name: C:\Windows\System32\drivers\mountmgr.sys
Service Name: MountMgr
Module Base: 80419000
Module End: 80429000
Hidden: No

Module Name: C:\Windows\system32\drivers\intelide.sys
Service Name: intelide
Module Base: 80412000
Module End: 80419000
Hidden: No

Module Name: C:\Windows\system32\drivers\PCIIDEX.SYS
Service Name: ---
Module Base: 80404000
Module End: 80412000
Hidden: No

Module Name: C:\Windows\System32\drivers\volmgrx.sys
Service Name: volmgrx
Module Base: 857B6000
Module End: 85800000
Hidden: No

Module Name: C:\Windows\system32\drivers\atapi.sys
Service Name: atapi
Module Base: 857AE000
Module End: 857B6000
Hidden: No

Module Name: C:\Windows\system32\drivers\ataport.SYS
Service Name: ---
Module Base: 85790000
Module End: 857AE000
Hidden: No

Module Name: C:\Windows\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: 8575F000
Module End: 85790000
Hidden: No

Module Name: C:\Windows\system32\drivers\fileinfo.sys
Service Name: FileInfo
Module Base: 8574F000
Module End: 8575F000
Hidden: No

Module Name: C:\Windows\system32\drivers\ndis.sys
Service Name: NDIS
Module Base: 8564B000
Module End: 8574F000
Hidden: No

Module Name: C:\Windows\system32\drivers\NETIO.SYS
Service Name: ---
Module Base: 855E7000
Module End: 85620000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Ntfs.sys
Service Name: Ntfs
Module Base: 854DF000
Module End: 855E7000
Hidden: No

Module Name: C:\Windows\System32\Drivers\ksecdd.sys
Service Name: KSecDD
Module Base: 85475000
Module End: 854DF000
Hidden: No

Module Name: C:\Windows\system32\drivers\volsnap.sys
Service Name: volsnap
Module Base: 8543F000
Module End: 85475000
Hidden: No

Module Name: C:\Windows\System32\Drivers\spldr.sys
Service Name: spldr
Module Base: 85437000
Module End: 8543F000
Hidden: No

Module Name: C:\Windows\System32\drivers\partmgr.sys
Service Name: partmgr
Module Base: 85428000
Module End: 85437000
Hidden: No

Module Name: C:\Windows\System32\Drivers\mup.sys
Service Name: Mup
Module Base: 85419000
Module End: 85428000
Hidden: No

Module Name: C:\Windows\System32\drivers\ecache.sys
Service Name: Ecache
Module Base: 85BDB000
Module End: 85C00000
Hidden: No

Module Name: C:\Windows\system32\drivers\disk.sys
Service Name: disk
Module Base: 85408000
Module End: 85419000
Hidden: No

Module Name: C:\Windows\system32\drivers\CLASSPNP.SYS
Service Name: ---
Module Base: 85BBA000
Module End: 85BDB000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\agp440.sys
Service Name: agp440
Module Base: 85BAA000
Module End: 85BBA000
Hidden: No

Module Name: C:\Windows\system32\drivers\crcdisk.sys
Service Name: crcdisk
Module Base: 85BA1000
Module End: 85BAA000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tunnel.sys
Service Name: tunnel
Module Base: 85838000
Module End: 85843000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tunmp.sys
Service Name: tunmp
Module Base: 8805B000
Module End: 88064000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: 88002000
Module End: 88010000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\nvlddmkm.sys
Service Name: nvlddmkm
Module Base: 89CF6000
Module End: 8A400000
Hidden: No

Module Name: C:\Windows\System32\drivers\dxgkrnl.sys
Service Name: DXGKrnl
Module Base: 896D3000
Module End: 89770000
Hidden: No

Module Name: C:\Windows\System32\drivers\watchdog.sys
Service Name: ---
Module Base: 8801B000
Module End: 88028000
Hidden: No

Module Name: C:\Windows\system32\drivers\ctaud2k.sys
Service Name: ctaud2k
Module Base: 8806C000
Module End: 880EB000
Hidden: No

Module Name: C:\Windows\system32\drivers\portcls.sys
Service Name: ---
Module Base: 895D6000
Module End: 89603000
Hidden: No

Module Name: C:\Windows\system32\drivers\drmk.sys
Service Name: ---
Module Base: 895B1000
Module End: 895D6000
Hidden: No

Module Name: C:\Windows\system32\drivers\ks.sys
Service Name: ---
Module Base: 89587000
Module End: 895B1000
Hidden: No

Module Name: C:\Windows\system32\drivers\ctoss2k.sys
Service Name: ossrv
Module Base: 89553000
Module End: 89587000
Hidden: No

Module Name: C:\Windows\system32\drivers\ctprxy2k.sys
Service Name: ctprxy2k
Module Base: 88392000
Module End: 8839A000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: 8804B000
Module End: 88055000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: 89476000
Module End: 894B3000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: 8803D000
Module End: 8804B000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\Rtnicxp.sys
Service Name: RTL8023xp
Module Base: 8594F000
Module End: 8595F000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: 89463000
Module End: 89476000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\kbdclass.sys
Service Name: kbdclass
Module Base: 881B0000
Module End: 881BB000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: 89449000
Module End: 89463000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\serenum.sys
Service Name: Serenum
Module Base: 894B3000
Module End: 894BD000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: 89431000
Module End: 89449000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\cdrom.sys
Service Name: cdrom
Module Base: 89419000
Module End: 89431000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: 881F1000
Module End: 881FC000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\msiscsi.sys
Service Name: iScsiPrt
Module Base: 897D5000
Module End: 89800000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\storport.sys
Service Name: ---
Module Base: 89795000
Module End: 897D5000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: 8940E000
Module End: 89419000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: 8977E000
Module End: 89795000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: 89403000
Module End: 8940E000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: 8A7DD000
Module End: 8A800000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: 85850000
Module End: 8585F000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: 89C03000
Module End: 89C16000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: 8A6ED000
Module End: 8A6FC000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mouclass.sys
Service Name: mouclass
Module Base: 8A6E2000
Module End: 8A6ED000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: 85811000
Module End: 85813000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: 894BD000
Module End: 894C7000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\umbus.sys
Service Name: umbus
Module Base: 89610000
Module End: 8961D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: 8A4AE000
Module End: 8A4E2000
Hidden: No

Module Name: C:\Windows\system32\drivers\ha20x2k.sys
Service Name: ha20x2k
Module Base: 8EADE000
Module End: 8EC00000
Hidden: No

Module Name: C:\Windows\system32\drivers\emupia2k.sys
Service Name: emupia
Module Base: 8A46F000
Module End: 8A49E000
Hidden: No

Module Name: C:\Windows\system32\drivers\ctsfm2k.sys
Service Name: ctsfm2k
Module Base: 8A446000
Module End: 8A46F000
Hidden: No

Module Name: C:\Windows\system32\CTHWIUT.DLL
Service Name: CTHWIUT.DLL
Module Base: 8A431000
Module End: 8A446000
Hidden: No

Module Name: C:\Windows\system32\CT20XUT.DLL
Service Name: CT20XUT.DLL
Module Base: 8A405000
Module End: 8A431000
Hidden: No

Module Name: C:\Windows\system32\CTEXFIFX.DLL
Service Name: CTEXFIFX.DLL
Module Base: 8E997000
Module End: 8EADE000
Hidden: No

Module Name: C:\Windows\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: 858AF000
Module End: 858BF000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: 882EC000
Module End: 882F3000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: 882F3000
Module End: 882FA000
Hidden: No

Module Name: C:\Windows\System32\drivers\vga.sys
Service Name: vga
Module Base: 8E94B000
Module End: 8E957000
Hidden: No

Module Name: C:\Windows\System32\drivers\VIDEOPRT.SYS
Service Name: ---
Module Base: 8E92A000
Module End: 8E94B000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: 8836A000
Module End: 88372000
Hidden: No

Module Name: C:\Windows\system32\drivers\rdpencdd.sys
Service Name: RDPENCDD
Module Base: 88372000
Module End: 8837A000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: 89C32000
Module End: 89C40000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: 8814E000
Module End: 88157000
Hidden: No

Module Name: C:\Windows\System32\drivers\tcpip.sys
Service Name: Tcpip
Module Base: 8E82E000
Module End: 8E8FF000
Hidden: No

Module Name: C:\Windows\System32\drivers\fwpkclnt.sys
Service Name: ---
Module Base: 8E815000
Module End: 8E82E000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Mpfp.sys
Service Name: MPFP
Module Base: 8FBD7000
Module End: 8FC00000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tdx.sys
Service Name: tdx
Module Base: 8E800000
Module End: 8E815000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ipfltdrv.sys
Service Name: IpFilterDriver
Module Base: 8FBC5000
Module End: 8FBD7000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\smb.sys
Service Name: Smb
Module Base: 8FBB1000
Module End: 8FBC5000
Hidden: No

Module Name: C:\Windows\system32\drivers\afd.sys
Service Name: AFD
Module Base: 8FB6A000
Module End: 8FBB1000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\netbt.sys
Service Name: netbt
Module Base: 8FB38000
Module End: 8FB6A000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\pacer.sys
Service Name: PSched
Module Base: 8FB22000
Module End: 8FB38000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: 89C40000
Module End: 89C4E000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: 8FB0F000
Module End: 8FB22000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rdbss.sys
Service Name: rdbss
Module Base: 8FAD4000
Module End: 8FB0F000
Hidden: No

Module Name: C:\Windows\system32\drivers\nsiproxy.sys
Service Name: nsiproxy
Module Base: 894DB000
Module End: 894E5000
Hidden: No

Module Name: C:\Windows\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: 8FAA1000
Module End: 8FAD4000
Hidden: No

Module Name: C:\Windows\System32\Drivers\dfsc.sys
Service Name: DfsC
Module Base: 8FA4A000
Module End: 8FA61000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: 8810F000
Module End: 88118000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: 858DF000
Module End: 858EF000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: 8580B000
Module End: 8580D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: 8837A000
Module End: 88382000
Hidden: No

Module Name: C:\Windows\System32\Drivers\crashdmp.sys
Service Name: ---
Module Base: 8961D000
Module End: 8962A000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 88010000
Module End: 8801B000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 8838A000
Module End: 88392000
Hidden: Yes

Module Name: C:\Windows\System32\Drivers\fastfat.SYS
Service Name: fastfat
Module Base: 8F952000
Module End: 8F97A000
Hidden: No

Module Name: C:\Windows\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: 89503000
Module End: 8950D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\monitor.sys
Service Name: monitor
Module Base: 8A70B000
Module End: 8A71A000
Hidden: No

Module Name: C:\Windows\system32\drivers\luafv.sys
Service Name: luafv
Module Base: 92D1D000
Module End: 92D38000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\lltdio.sys
Service Name: lltdio
Module Base: 8592F000
Module End: 8593F000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rspndr.sys
Service Name: rspndr
Module Base: 9BADE000
Module End: 9BAF1000
Hidden: No

Module Name: C:\Windows\system32\drivers\HTTP.sys
Service Name: HTTP
Module Base: 9B962000
Module End: 9B9C8000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srvnet.sys
Service Name: srvnet
Module Base: 9B907000
Module End: 9B922000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\bowser.sys
Service Name: bowser
Module Base: 9B8AC000
Module End: 9B8C5000
Hidden: No

Module Name: C:\Windows\System32\drivers\mpsdrv.sys
Service Name: mpsdrv
Module Base: 9B898000
Module End: 9B8AC000
Hidden: No

Module Name: C:\Windows\system32\drivers\mrxdav.sys
Service Name: MRxDAV
Module Base: 9B878000
Module End: 9B898000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb.sys
Service Name: mrxsmb
Module Base: 9B85A000
Module End: 9B878000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Service Name: mrxsmb10
Module Base: 9B821000
Module End: 9B85A000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Service Name: mrxsmb20
Module Base: 9B80F000
Module End: 9B821000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srv2.sys
Service Name: srv2
Module Base: 9BABA000
Module End: 9BADE000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srv.sys
Service Name: srv
Module Base: 9CB74000
Module End: 9CBC0000
Hidden: No

Module Name: C:\Windows\system32\drivers\spsys.sys
Service Name: ---
Module Base: 9CAE6000
Module End: 9CB74000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\asyncmac.sys
Service Name: AsyncMac
Module Base: 88160000
Module End: 88169000
Hidden: No

Module Name: C:\Windows\system32\drivers\peauth.sys
Service Name: PEAUTH
Module Base: 9EAA2000
Module End: 9EB80000
Hidden: No

Module Name: C:\Windows\System32\Drivers\secdrv.SYS
Service Name: secdrv
Module Base: 8950D000
Module End: 89517000
Hidden: No

Module Name: C:\Windows\System32\drivers\tcpipreg.sys
Service Name: tcpipreg
Module Base: 8FA2F000
Module End: 8FA3A000
Hidden: No

Module Name: C:\Windows\system32\drivers\mfebopk.sys
Service Name: mfebopk
Module Base: 882C2000
Module End: 882C9000
Hidden: No

Module Name: C:\Windows\system32\drivers\mfeavfk.sys
Service Name: mfeavfk
Module Base: 9BAA8000
Module End: 9BABA000
Hidden: No

Module Name: C:\Windows\system32\drivers\tdtcp.sys
Service Name: TDTCP
Module Base: 8F9F8000
Module End: 8FA03000
Hidden: No

Module Name: C:\Windows\System32\DRIVERS\tssecsrv.sys
Service Name: tssecsrv
Module Base: 9C91F000
Module End: 9C92B000
Hidden: No

Module Name: C:\Windows\System32\Drivers\RDPWD.SYS
Service Name: Wd
Module Base: A0CD2000
Module End: A0D00000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\cdfs.sys
Service Name: cdfs
Module Base: 999C4000
Module End: 999DA000
Hidden: No

Module Name: \??\C:\Combo-Fix\catchme.sys
Service Name: catchme
Module Base: 8839A000
Module End: 883A2000
Hidden: Yes

Module Name: \??\C:\Windows\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: 9B9CE000
Module End: 9B9D0000
Hidden: Yes

Module Name: C:\Windows\system32\DRIVERS\fdc.sys
Service Name: fdc
Module Base: 88032000
Module End: 8803D000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\parvdm.sys
Service Name: Parvdm
Module Base: 88324000
Module End: 8832B000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Null.SYS
Service Name: Null
Module Base: 882E5000
Module End: 882EC000
Hidden: No

Module Name: C:\Windows\system32\DRIVERS\flpydisk.sys
Service Name: flpydisk
Module Base: 894C7000
Module End: 894D1000
Hidden: No

Module Name: C:\Windows\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: 8E8FF000
Module End: 8E90A000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateUserProcess
At Address: 82211004
Jump To: 8FABA4C6
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwYieldExecution
At Address: 82027767
Jump To: 8FABA52C
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwUnmapViewOfSection
At Address: 8220C7DC
Jump To: 8FABA556
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwTerminateProcess
At Address: 82201364
Jump To: 8FABA56F
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwSetInformationProcess
At Address: 821D169A
Jump To: 8FABA4DA
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwSetContextThread
At Address: 8226CE47
Jump To: 8FABA4EE
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwProtectVirtualMemory
At Address: 8220A10F
Jump To: 8FABA516
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenThread
At Address: 8220A766
Jump To: 8FABA488
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 821EA55E
Jump To: 8FABA474
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwMapViewOfSection
At Address: 8220A926
Jump To: 8FABA540
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcessEx
At Address: 8226BCE7
Jump To: 8FABA4B0
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcess
At Address: 8226BC9C
Jump To: 8FABA49C
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateFile
At Address: 822188AF
Jump To: 8FABA502
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: PsSetContextThread
At Address: 8226CE47
Jump To: 8FABA4EE
Module Name: C:\Windows\system32\drivers\mfehidk.sys

Hooked Function: IoCreateFile
At Address: 822188AF
Jump To: 8FABA502
Module Name: C:\Windows\system32\drivers\mfehidk.sys

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: RODAN242:49221
Remote Address: NUQ04S01-IN-F101.GOOGLE.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49217
Remote Address: NUQ04S01-IN-F132.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49216
Remote Address: NUQ04S01-IN-F132.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49215
Remote Address: NUQ04S01-IN-F132.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49214
Remote Address: NUQ04S01-IN-F132.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49213
Remote Address: NUQ04S01-IN-F132.GOOGLE.COM:HTTPS
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49168
Remote Address: 208.43.133.44-STATIC.REVERSE.SOFTLAYER.COM:HTTP
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: CLOSE_WAIT

Local Address: RODAN242:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: RODAN242:49209
Remote Address: LOCALHOST:49208
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49208
Remote Address: LOCALHOST:49209
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49207
Remote Address: LOCALHOST:49206
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49206
Remote Address: LOCALHOST:49207
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: RODAN242:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING

Local Address: RODAN242:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING

Local Address: RODAN242:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: RODAN242:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: RODAN242:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: RODAN242:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING

Local Address: RODAN242:48273
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\DNA\btdna.exe
State: LISTENING

Local Address: RODAN242:6646
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
State: LISTENING

Local Address: RODAN242:3390
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: RODAN242:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING

Local Address: RODAN242:64930
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:62429
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:6646
Remote Address: NA
Type: UDP
Process: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
State: NA

Local Address: RODAN242:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:SSDP
Remote Address: NA
Type: UDP
Process: C:\Program Files\DNA\btdna.exe
State: NA

Local Address: RODAN242:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: RODAN242:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: RODAN242:64931
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:58556
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:48273
Remote Address: NA
Type: UDP
Process: C:\Program Files\DNA\btdna.exe
State: NA

Local Address: RODAN242:LLMNR
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:TEREDO
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

Local Address: RODAN242:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: F:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: F:\System Volume Information\tracking.log
Status: Access denied

Object: F:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied

Object: C:\Windows.old\Documents and Settings\Brandon\Local Settings\Temporary Internet Files\Content.IE5\5FX8T5BJ\images[1].
Status: Hidden

Object: C:\Windows.old\Documents and Settings\Brandon\Local Settings\Temporary Internet Files\Content.IE5\6H87UTU5\theonering[1].
Status: Hidden

Object: C:\Windows.old\Documents and Settings\Brandon\Local Settings\Temporary Internet Files\Content.IE5\WHQFSXIN\103-5868736-9100644[1].
Status: Hidden

Object: C:\Windows.old\Documents and Settings\Brandon\Local Settings\Temporary Internet Files\Content.IE5\YXB4TG7Q\imgres[1].
Status: Hidden
#6
hammerman (Member, 4,183 posts)
Hello,

Can you please follow these steps and let me know how your computer's running now.

-- Step 1 --

I notice you are running the Peer-to-Peer (P2P) program BitTorrent. The files shared by P2P programs are often infected with viruses and malware, even though they may appear to be legitimate. For this reason, I would recommend you uninstall it. If you decide to keep it, I ask that you do not use it while we are fixing your problem.

An article indicating the Dangers of P2P can be found here

-- Step 2 --

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::

Folder::

Registry::

Driver::

Rootkit::
c:\windows\system32\drivers\kbiwkmhuyjqhfs.sys

RegLockDel::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmbvskjyso]


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

-- Step 3 --

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select Kernel Modules only.
  • Select Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • Copy/paste the contents of the log file into your reply.
-- Step 4 --

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

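As an added example, not code from this thread, RootRepeal or ComboFix: a Python triage of RootRepeal's "Hidden files/folders" output in the layout shown above. It sets aside "Access denied" entries (ACL-protected system paths such as System Volume Information and WMI\RtBackup), ranks hidden browser-cache leftovers low, and puts a hidden .sys under system32\drivers, like the one named in the Rootkit:: stanza of Step 2, at the top of the list. The sample log lines and the `draft_rootkit_section` helper are constructed for this example.

```python
"""Triage of a RootRepeal 'Hidden files/folders' report (added example).

Not RootRepeal, ComboFix or the helper's own tooling. It pairs 'Object:' with
'Status:' lines and buckets them the way a helper does by hand. Sample log is
constructed; the driver name is the one the thread's CFScript targets.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the same layout as the RootRepeal output in the thread.
SAMPLE_LOG = r"""
Hidden files/folders:
Object: F:\System Volume Information\tracking.log
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows.old\Documents and Settings\Brandon\Local Settings\Temporary Internet Files\Content.IE5\5FX8T5BJ\images[1].
Status: Hidden

Object: C:\Windows\System32\drivers\kbiwkmhuyjqhfs.sys
Status: Hidden

Object: C:\Users\Public\Documents\notes.txt
Status: Hidden
"""


@dataclass
class HiddenObject:
    path: str
    status: str


def parse_hidden_objects(text: str) -> List[HiddenObject]:
    """Pair each 'Object:' line with the 'Status:' line that follows it.
    A trailing 'Object:' with no status (truncated paste) is dropped, not guessed."""
    found: List[HiddenObject] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Object:"):
            pending = line[len("Object:"):].strip()
        elif line.startswith("Status:") and pending is not None:
            found.append(HiddenObject(pending, line[len("Status:"):].strip()))
            pending = None
    return found


# Kernel driver image under the drivers directory.
DRIVER_IMAGE = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
# Internet Explorer cache: hidden entries here are routine, not evidence.
IE_CACHE = re.compile(r"\\Temporary Internet Files\\", re.IGNORECASE)


def triage(objects: List[HiddenObject]) -> Dict[str, List[str]]:
    """Bucket entries by how much attention a helper should give them."""
    buckets: Dict[str, List[str]] = {
        "high": [],           # hidden kernel driver: review before anything else
        "medium": [],         # hidden, and not in a known-benign location
        "low": [],            # hidden browser-cache residue
        "access_denied": [],  # ACL-protected system paths, not rootkit hiding
    }
    for obj in objects:
        status = obj.status.lower()
        if status == "access denied":
            buckets["access_denied"].append(obj.path)
        elif status == "hidden" and DRIVER_IMAGE.search(obj.path):
            buckets["high"].append(obj.path)
        elif status == "hidden" and IE_CACHE.search(obj.path):
            buckets["low"].append(obj.path)
        else:
            # Other hidden paths and unknown status text: surface for review.
            buckets["medium"].append(obj.path)
    return buckets


def draft_rootkit_section(high_priority: List[str]) -> str:
    """Lay out the high-priority drivers as the 'Rootkit::' stanza of a CFScript,
    in the format used in Step 2 above. A draft for a human to confirm against
    the other logs, not something to run unreviewed."""
    if not high_priority:
        return ""
    return "Rootkit::\n" + "\n".join(p.lower() for p in high_priority) + "\n"


if __name__ == "__main__":
    report = triage(parse_hidden_objects(SAMPLE_LOG))
    for level in ("high", "medium", "low", "access_denied"):
        for path in report[level]:
            print(f"{level:13} {path}")
    print(draft_rootkit_section(report["high"]), end="")
```
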

#7
Sauron2029 (Topic Starter, 12 posts)
I ran ComboFix as directed by dragging the script onto it. When it rebooted the computer to finish, it never came back up to create the log file. I ran it again as a result, and here is the log I got:


ComboFix 09-08-31.03 - Brandon 08/31/2009 16:30.3.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.445 [GMT -7:00]
Running from: c:\users\Brandon.Rodan242\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\certstore.dat
.
---- Previous Run -------
.
c:\windows\system32\certstore.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmbvskjyso
-------\Legacy_kbiwkmbvskjyso


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-31 23:43 . 2009-08-31 23:47 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Local\temp
2009-08-31 23:43 . 2009-08-31 23:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-31 23:43 . 2009-08-31 23:43 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-08-31 23:43 . 2009-08-31 23:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-31 23:43 . 2009-08-31 23:43 -------- d-----w- c:\users\Brandon\AppData\Local\temp
2009-08-31 23:43 . 2009-08-31 23:43 -------- d-----w- c:\users\BRANDO~1~ROD\AppData\Local\temp
2009-08-27 00:39 . 2009-08-27 00:39 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Local\MigWiz
2009-08-24 18:05 . 2009-08-24 18:06 -------- d-----w- C:\Toolbox
2009-08-24 17:38 . 2009-08-24 17:38 -------- d-----w- c:\program files\ERUNT
2009-08-20 23:56 . 2009-08-20 23:56 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\Malwarebytes
2009-08-20 23:56 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 23:56 . 2009-08-20 23:56 -------- d-----w- c:\programdata\Malwarebytes
2009-08-20 23:56 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 23:56 . 2009-08-24 18:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 23:45 . 2009-07-08 20:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-20 23:45 . 2009-07-08 20:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-08-20 23:45 . 2009-07-08 20:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-20 23:45 . 2009-07-16 19:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-08-20 23:43 . 2009-08-20 23:45 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-20 23:43 . 2009-08-20 23:44 -------- d-----w- c:\program files\McAfee.com
2009-08-20 23:43 . 2009-08-21 05:41 -------- d-----w- c:\program files\McAfee
2009-08-20 23:21 . 2009-07-08 20:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-20 23:10 . 2009-08-21 05:49 -------- d-----w- c:\programdata\McAfee
2009-08-19 06:45 . 2009-08-19 06:45 -------- d-----w- c:\programdata\GameHouse
2009-08-19 06:36 . 2009-08-19 06:36 -------- d-----w- c:\program files\RarZilla
2009-08-13 16:35 . 2009-06-15 15:29 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-08-13 16:34 . 2009-07-14 13:02 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-13 16:34 . 2009-07-14 13:00 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-13 16:34 . 2009-07-14 13:01 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-13 16:34 . 2009-07-14 11:11 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-13 16:34 . 2009-06-10 12:10 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-08-13 16:34 . 2009-06-10 12:10 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-08-13 16:34 . 2009-06-10 12:09 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-08-13 16:34 . 2009-06-10 12:07 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-08-13 16:34 . 2009-06-10 12:04 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-08-13 16:34 . 2009-06-10 12:04 65024 ----a-w- c:\windows\system32\avicap32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 23:47 . 2009-06-23 23:27 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\DNA
2009-08-31 23:47 . 2009-06-23 23:27 -------- d-----w- c:\program files\DNA
2009-08-21 23:26 . 2009-06-23 23:33 -------- d-----w- c:\program files\Games
2009-08-13 23:03 . 2007-11-20 04:26 -------- d-----w- c:\program files\AIM6
2009-08-13 23:03 . 2007-11-20 04:27 -------- d-----w- c:\program files\Viewpoint
2009-08-13 23:03 . 2007-11-20 04:27 -------- d-----w- c:\programdata\Viewpoint
2009-08-13 23:01 . 2008-12-09 01:46 -------- d-----w- c:\programdata\AOL Downloads
2009-08-13 16:50 . 2007-12-23 21:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-13 16:48 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-03 22:57 . 2008-01-01 02:44 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\Canon
2009-07-25 04:21 . 2009-07-25 04:21 135396 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-25 04:20 . 2009-07-25 04:20 -------- d-----w- c:\users\Brandon.Rodan242\AppData\Roaming\Apple Computer
2009-07-25 04:16 . 2009-07-25 04:15 -------- d-----w- c:\program files\Safari
2009-07-25 04:14 . 2009-07-25 04:14 -------- d-----w- c:\program files\Apple Software Update
2009-07-25 04:14 . 2009-07-25 04:14 -------- d-----w- c:\programdata\Apple
2009-07-25 01:34 . 2009-07-25 01:34 713992 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-07-23 16:59 . 2007-11-18 23:41 80904 ----a-w- c:\users\Brandon.Rodan242\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-21 21:52 . 2009-08-13 16:35 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-13 16:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-13 16:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-13 16:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:52 . 2009-08-13 16:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-08 20:44 . 2009-07-08 20:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-02 03:17 . 2009-07-02 03:17 69632 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-06-15 18:12 . 2009-08-13 16:35 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 15:29 . 2009-08-13 16:35 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 15:28 . 2009-08-13 16:35 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 15:28 . 2009-08-13 16:35 272384 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 15:25 . 2009-08-13 16:35 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 15:23 . 2009-08-13 16:35 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 15:23 . 2009-08-13 16:35 24064 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 15:23 . 2009-08-13 16:35 494592 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 15:22 . 2009-08-13 16:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:21 . 2009-08-13 16:35 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 15:20 . 2009-08-13 16:35 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-06-15 13:10 . 2009-08-13 16:35 7680 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 13:03 . 2009-08-13 16:35 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 12:16 . 2009-08-13 16:35 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-04 12:47 . 2009-08-13 16:35 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-06-04 12:43 . 2009-08-13 16:35 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-04 12:36 . 2009-08-13 16:35 116736 ----a-w- c:\windows\system32\aaclient.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_06.21.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-19 00:01 . 2009-08-31 22:45 41502 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-31 23:48 54394 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-11-18 23:41 . 2009-08-31 23:48 15866 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2979632154-2472622693-673311761-1000_UserData.bin
- 2006-11-02 13:02 . 2009-08-31 06:22 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-08-31 23:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-08-31 23:28 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-08-31 06:22 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-08-31 06:22 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:02 . 2009-08-31 23:28 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-31 23:45 . 2009-08-31 23:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-08-31 06:19 . 2009-08-31 06:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-08-31 23:45 . 2009-08-31 23:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-08-31 06:19 . 2009-08-31 06:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-23 321344]
"Google Update"="c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-25 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-23 1006264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"CTHelper"="CTHELPER.EXE" - c:\windows\System32\CtHelper.exe [2008-02-21 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\System32\Ctxfihlp.exe [2008-02-21 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-23 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BDARemote.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2979632154-2472622693-673311761-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{3C64B300-38D7-4091-B236-4BE46F00E4CF}c:\\games\\soldier of fortune\\sof.exe"= UDP:c:\games\soldier of fortune\sof.exe:SoF
"UDP Query User{91FE160A-72C5-42C5-ACB6-3442AA48AD8E}c:\\games\\soldier of fortune\\sof.exe"= TCP:c:\games\soldier of fortune\sof.exe:SoF
"{3D38E612-03BF-4350-9E65-3E11252E4D5C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{74DF458E-DC85-4DCE-AFA2-08226202FC34}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{D3128A9C-F202-4211-90FA-5DA372C74F1D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9872F371-0414-460D-AF2C-FAFAA6F1AD60}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{D3EBEC4C-DEEC-4B37-B357-FD29FE9CD675}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{297A9DB2-C2C8-4F65-8F3D-19214DCFB004}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{4F8B0E8B-D4FE-4215-A220-A1A4625CDD12}c:\\program files\\pieautoupdater\\winmx.exe"= UDP:c:\program files\pieautoupdater\winmx.exe:WinMX Application
"UDP Query User{AC2B0356-3165-4B29-A454-F31365736F93}c:\\program files\\pieautoupdater\\winmx.exe"= TCP:c:\program files\pieautoupdater\winmx.exe:WinMX Application
"{90FF6D2A-3F90-4226-AABD-7ED0AEBB0C17}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{0DED102C-110E-4681-BD70-A9D766390DE9}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{26453132-050C-4135-900E-0474291EF3D4}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A29EF27-E9F7-47F6-9B79-10B26C84D365}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DDA09D6B-B02C-4A9B-A75C-09E88D885DD6}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{26AED914-1F70-4A93-8DB1-9F3D25AD5382}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2080DF58-428F-4017-8E20-C595CC5ECF61}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{147494DD-7901-4EBB-89A0-60109EA95031}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{CF7FA0AB-5BD0-49EB-998C-4E1D73DAE7E3}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{9FDB0174-775A-4D21-B862-85109EF78A3E}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{32C6096F-4AB6-4F09-9935-93ED61D3488E}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{D8387652-DEE7-446E-B6F6-B5536F5D8C7F}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe [7/12/2008 8:41 PM 79360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
- c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-25 04:17]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
- c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-25 04:17]

2009-08-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 04:26]

2009-08-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 04:26]

2009-08-31 c:\windows\Tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job
- c:\windows\system32\msfeedssync.exe [2009-08-13 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kaijuphile.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: {015F60B8-2D39-41CB-A64B-CBD93D5A3157} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Brandon.Rodan242\AppData\Roaming\Mozilla\Firefox\Profiles\m6uiopqu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaijuphile.com/
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Brandon.Rodan242\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Brandon.Rodan242\AppData\Roaming\Mozilla\Firefox\Profiles\m6uiopqu.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 16:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\System32\rundll32.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7Debug\mdm.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\Zune\ZuneNss.exe
.
**************************************************************************
.
Completion time: 2009-08-31 16:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 23:58
ComboFix2.txt 2009-08-31 06:35

Pre-Run: 33,444,622,336 bytes free
Post-Run: 33,416,081,408 bytes free

278 --- E O F --- 2009-08-13 16:47


SysProt Log:


"CTHelper"="CTHELPER.EXE" - c:\windows\System32\CtHelper.exe [2008-02-21 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\System32\Ctxfihlp.exe [2008-02-21 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-23 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BDARemote.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BDARemote.lnk
backup=c:\windows\pss\BDARemote.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2979632154-2472622693-673311761-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{3C64B300-38D7-4091-B236-4BE46F00E4CF}c:\\games\\soldier of fortune\\sof.exe"= UDP:c:\games\soldier of fortune\sof.exe:SoF
"UDP Query User{91FE160A-72C5-42C5-ACB6-3442AA48AD8E}c:\\games\\soldier of fortune\\sof.exe"= TCP:c:\games\soldier of fortune\sof.exe:SoF
"{3D38E612-03BF-4350-9E65-3E11252E4D5C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{74DF458E-DC85-4DCE-AFA2-08226202FC34}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{D3128A9C-F202-4211-90FA-5DA372C74F1D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9872F371-0414-460D-AF2C-FAFAA6F1AD60}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{D3EBEC4C-DEEC-4B37-B357-FD29FE9CD675}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{297A9DB2-C2C8-4F65-8F3D-19214DCFB004}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{4F8B0E8B-D4FE-4215-A220-A1A4625CDD12}c:\\program files\\pieautoupdater\\winmx.exe"= UDP:c:\program files\pieautoupdater\winmx.exe:WinMX Application
"UDP Query User{AC2B0356-3165-4B29-A454-F31365736F93}c:\\program files\\pieautoupdater\\winmx.exe"= TCP:c:\program files\pieautoupdater\winmx.exe:WinMX Application
"{90FF6D2A-3F90-4226-AABD-7ED0AEBB0C17}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{0DED102C-110E-4681-BD70-A9D766390DE9}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{26453132-050C-4135-900E-0474291EF3D4}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A29EF27-E9F7-47F6-9B79-10B26C84D365}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DDA09D6B-B02C-4A9B-A75C-09E88D885DD6}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{26AED914-1F70-4A93-8DB1-9F3D25AD5382}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2080DF58-428F-4017-8E20-C595CC5ECF61}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{147494DD-7901-4EBB-89A0-60109EA95031}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{CF7FA0AB-5BD0-49EB-998C-4E1D73DAE7E3}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{9FDB0174-775A-4D21-B862-85109EF78A3E}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{32C6096F-4AB6-4F09-9935-93ED61D3488E}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{D8387652-DEE7-446E-B6F6-B5536F5D8C7F}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe [7/12/2008 8:41 PM 79360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
- c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-25 04:17]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
- c:\users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-25 04:17]

2009-08-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 04:26]

2009-08-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-20 04:26]

2009-08-31 c:\windows\Tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job
- c:\windows\system32\msfeedssync.exe [2009-08-13 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kaijuphile.com/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: {015F60B8-2D39-41CB-A64B-CBD93D5A3157} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Brandon.Rodan242\AppData\Roaming\Mozilla\Firefox\Profiles\m6uiopqu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.kaijuphile.com/
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Brandon.Rodan242\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Brandon.Rodan242\AppData\Roaming\Mozilla\Firefox\Profiles\m6uiopqu.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 16:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\System32\rundll32.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7Debug\mdm.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\Zune\ZuneNss.exe
.
**************************************************************************
.
Completion time: 2009-08-31 16:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 23:58
ComboFix2.txt 2009-08-31 06:35

Pre-Run: 33,444,622,336 bytes free
Post-Run: 33,416,081,408 bytes free

278 --- E O F --- 2009-08-13 16:47

OTL Log:

OTL logfile created on: 9/1/2009 4:02:39 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\Brandon.Rodan242\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.46 Mb Total Physical Memory | 491.36 Mb Available Physical Memory | 48.06% Memory free
2.24 Gb Paging File | 1.59 Gb Available in Paging File | 70.79% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 31.09 Gb Free Space | 41.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 74.53 Gb Total Space | 34.73 Gb Free Space | 46.61% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RODAN242
Current User Name: Brandon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
PRC - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\Windows\System32\CtHelper.exe (Creative Technology Ltd)
PRC - C:\Windows\System32\Ctxfihlp.exe (Creative Technology Ltd)
PRC - C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
PRC - C:\Users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Windows\System32\CTXFISPI.EXE (Creative Technology Ltd)
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Users\Brandon.Rodan242\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Creative ALchemy AL1 Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe (Creative Labs)
SRV - (CTAudSvcService [Auto | Running]) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (Eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FastUserSwitchingCompatibility [Auto | Running]) -- C:\Windows\System32\FastUv32.dll ()
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [Disabled | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (nvsvc [Auto | Running]) -- C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\Windows\System32\HPZipm12.dll (Hewlett-Packard)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WinDefend [Auto | Stopped]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc [Auto | Running]) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc [On_Demand | Stopped]) -- C:\Windows\System32\ZuneWlanCfgSvc.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (adp94xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (adpu160m [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (adpu320 [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (aic78xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [Disabled | Stopped]) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Alpham1 [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\Alpham1.sys (Ideazon Corporation)
DRV - (Alpham2 [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\Alpham2.sys (Ideazon Corporation)
DRV - (arc [Disabled | Stopped]) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (arcsas [Disabled | Stopped]) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (atikmdag [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (Brserid [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (cmdide [Disabled | Stopped]) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (COMMONFX.DLL [On_Demand | Stopped]) -- C:\Windows\System32\COMMONFX.DLL (Creative Technology Ltd)
DRV - (CT20XUT.DLL [On_Demand | Running]) -- C:\Windows\System32\CT20XUT.DLL (Creative Technology Ltd.)
DRV - (ctac32k [On_Demand | Stopped]) -- C:\Windows\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\Windows\System32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (CTAUDFX.DLL [On_Demand | Stopped]) -- C:\Windows\System32\CTAUDFX.DLL (Creative Technology Ltd)
DRV - (ctdvda2k [On_Demand | Stopped]) -- C:\Windows\System32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (CTEAPSFX.DLL [On_Demand | Stopped]) -- C:\Windows\System32\CTEAPSFX.DLL (Creative Technology Ltd)
DRV - (CTEDSPFX.DLL [On_Demand | Stopped]) -- C:\Windows\System32\CTEDSPFX.DLL (Creative Technology Ltd)
DRV - (CTEDSPIO.DLL [On_Demand | Stopped]) -- C:\Windows\System32\CTEDSPIO.DLL (Creative Technology Ltd)
DRV - (CTEDSPSY.DLL [On_Demand | Stopped]) -- C:\Windows\System32\CTEDSPSY.DLL (Creative Technology Ltd)
DRV - (CTERFXFX.DLL [On_Demand | Stopped]) -- C:\Windows\System32\CTERFXFX.DLL (Creative Technology Ltd)
DRV - (CTEXFIFX.DLL [On_Demand | Running]) -- C:\Windows\System32\CTEXFIFX.DLL (Creative Technology Ltd.)
DRV - (CTHWIUT.DLL [On_Demand | Running]) -- C:\Windows\System32\CTHWIUT.DLL (Creative Technology Ltd.)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\Windows\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (CTSBLFX.DLL [On_Demand | Stopped]) -- C:\Windows\System32\CTSBLFX.DLL (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\Windows\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (E1G60 [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\E1G60I32.sys (Intel Corporation)
DRV - (elxstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (emupia [On_Demand | Running]) -- C:\Windows\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ha10kx2k [On_Demand | Stopped]) -- C:\Windows\System32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (ha20x2k [On_Demand | Running]) -- C:\Windows\System32\drivers\ha20x2k.sys (Creative Technology Ltd)
DRV - (HpCISSs [Disabled | Stopped]) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (iaStorV [Disabled | Stopped]) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (iirsp [Disabled | Stopped]) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (iteatapi [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (iteraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (LSI_FC [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (LSI_SAS [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (LSI_SCSI [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (megasas [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (mfeavfk [On_Demand | Running]) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [System | Running]) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [On_Demand | Stopped]) -- C:\Windows\System32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfesmfk [On_Demand | Stopped]) -- C:\Windows\System32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (MPFP [System | Running]) -- C:\Windows\System32\Drivers\Mpfp.sys (McAfee, Inc.)
DRV - (Mraid35x [Disabled | Stopped]) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (nfrd960 [Disabled | Stopped]) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (ntrigdigi [Disabled | Stopped]) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (nvlddmkm [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\nvlddmkm.sys (NVIDIA Corporation)
DRV - (nvraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\Windows\System32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ql2300 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (R300 [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV - (RTL8023xp [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (SiSRaid4 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (Symc8xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_hi [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Sym_u3 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (uliahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (UlSata [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (ulsata2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (UMPass [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\Windows\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (usbbus [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\lgusbbus.sys (LG Electronics Inc.)
DRV - (UsbDiag [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\lgusbdiag.sys (LG Electronics Inc.)
DRV - (USBModem [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\lgusbmodem.sys (LG Electronics Inc.)
DRV - (viaide [Disabled | Stopped]) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (vsmraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kaijuphile.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.kaijuphile.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.4.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/13 21:48:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/15 22:33:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/31 15:48:18 | 00,000,000 | ---D | M]

[2008/09/13 13:04:52 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Extensions
[2008/09/13 13:04:52 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/30 23:47:03 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions
[2009/07/14 16:48:56 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/04 23:54:51 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions\[email protected]
[2009/03/31 17:56:04 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions\[email protected]
[2009/08/30 23:47:03 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/14 20:23:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/01/19 15:29:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/03/09 17:42:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/13 02:19:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/08/14 20:23:28 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/14 20:23:28 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/04/10 17:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2008/03/19 19:23:20 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/02/06 12:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/08/14 20:23:30 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/01/06 11:10:08 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/04/16 10:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2009/07/15 11:10:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/15 11:10:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/15 11:10:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/15 11:10:00 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/15 11:10:00 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/15 11:10:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/15 11:10:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTHelper] C:\Windows\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [UpdReg] C:\Windows\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader2.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/31 16:58:13 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Local\temp
[2009/08/31 16:57:03 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/08/31 16:54:54 | 00,041,631 | ---- | C] () -- C:\Windows\System32\certstore.dat
[2009/08/30 22:49:39 | 00,229,376 | ---- | C] () -- C:\Windows\PEV.exe
[2009/08/30 22:49:39 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/08/30 22:49:39 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/08/30 22:49:39 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/08/30 22:49:39 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/08/30 22:49:39 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/08/30 22:49:39 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/08/30 22:49:39 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/08/30 22:48:41 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/30 22:46:50 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\Desktop\SysProt
[2009/08/26 18:17:20 | 00,000,000 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\settings.dat
[2009/08/26 17:39:15 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Local\MigWiz
[2009/08/25 15:55:10 | 10,727,79264 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/24 12:23:06 | 01,471,377 | -H-- | C] () -- C:\Users\Brandon.Rodan242\AppData\Local\IconCache.db
[2009/08/24 11:05:34 | 00,000,000 | ---D | C] -- C:\Toolbox
[2009/08/24 10:44:11 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\OTL.exe
[2009/08/24 10:41:21 | 00,472,064 | ---- | C] ( ) -- C:\Users\Brandon.Rodan242\Desktop\RootRepeal.exe
[2009/08/24 10:38:41 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/08/24 10:38:17 | 00,000,733 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\NTREGOPT.lnk
[2009/08/24 10:38:17 | 00,000,714 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\ERUNT.lnk
[2009/08/24 10:38:17 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/24 10:35:03 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Users\Brandon.Rodan242\Desktop\SysRestorePoint.exe
[2009/08/24 10:05:53 | 00,272,384 | ---- | C] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\TFC.exe
[2009/08/20 23:22:57 | 19,240,7705 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2009/08/20 16:56:43 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Malwarebytes
[2009/08/20 16:56:30 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/08/20 16:56:27 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/08/20 16:56:27 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/08/20 16:56:26 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/20 16:50:51 | 00,000,109 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\fixtm.reg
[2009/08/20 16:45:12 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2009/08/20 16:45:12 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfesmfk.sys
[2009/08/20 16:45:12 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2009/08/20 16:45:01 | 00,130,424 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\Mpfp.sys
[2009/08/20 16:44:26 | 00,000,344 | ---- | C] () -- C:\Windows\tasks\McDefragTask.job
[2009/08/20 16:44:23 | 00,000,322 | ---- | C] () -- C:\Windows\tasks\McQcTask.job
[2009/08/20 16:43:57 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/08/20 16:43:48 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/08/20 16:43:29 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/08/20 16:21:32 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdk.sys
[2009/08/20 16:10:53 | 00,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2009/08/18 23:45:13 | 00,000,000 | ---D | C] -- C:\ProgramData\GameHouse
[2009/08/18 23:36:46 | 00,000,000 | ---D | C] -- C:\Program Files\RarZilla
[2009/08/13 09:35:56 | 00,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2009/08/13 09:35:55 | 00,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2009/08/13 09:35:55 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2009/08/13 09:35:55 | 00,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2009/08/13 09:35:55 | 00,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lpk.dll
[2009/08/13 09:35:55 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dciman32.dll
[2009/08/13 09:35:42 | 00,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wkssvc.dll
[2009/08/13 09:35:34 | 05,937,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/08/13 09:35:32 | 11,067,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/08/13 09:35:30 | 01,985,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/08/13 09:35:30 | 01,208,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/08/13 09:35:29 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2009/08/13 09:35:29 | 00,915,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/08/13 09:35:29 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/08/13 09:35:29 | 00,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/08/13 09:35:29 | 00,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/08/13 09:35:28 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/08/13 09:35:28 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2009/08/13 09:35:28 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2009/08/13 09:35:28 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2009/08/13 09:35:28 | 00,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/08/13 09:35:28 | 00,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2009/08/13 09:35:28 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2009/08/13 09:35:28 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2009/08/13 09:35:28 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2009/08/13 09:35:28 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/08/13 09:35:28 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2009/08/13 09:35:27 | 00,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2009/08/13 09:35:21 | 00,494,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\kerberos.dll
[2009/08/13 09:35:21 | 00,216,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msv1_0.dll
[2009/08/13 09:35:21 | 00,175,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wdigest.dll
[2009/08/13 09:35:20 | 01,233,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2009/08/13 09:35:20 | 00,408,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecdd.sys
[2009/08/13 09:35:20 | 00,272,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel.dll
[2009/08/13 09:35:19 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secur32.dll
[2009/08/13 09:35:19 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsass.exe
[2009/08/13 09:35:14 | 01,871,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstscax.dll
[2009/08/13 09:35:14 | 00,116,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\aaclient.dll
[2009/08/13 09:35:14 | 00,036,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tsgqec.dll
[2009/08/13 09:35:09 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\atl.dll
[2009/08/13 09:34:55 | 10,621,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/08/13 09:34:51 | 00,313,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpdxm.dll
[2009/08/13 09:34:48 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll
[2009/08/13 09:34:47 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx
[2009/08/13 09:34:47 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll
[2009/08/13 09:34:45 | 08,147,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2009/08/13 09:34:43 | 00,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.tlb
[2009/08/13 09:34:43 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\amcompat.tlb
[2009/08/13 09:34:38 | 00,123,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvfw32.dll
[2009/08/13 09:34:38 | 00,088,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2009/08/13 09:34:38 | 00,082,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll
[2009/08/13 09:34:38 | 00,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avicap32.dll
[2009/08/13 09:34:38 | 00,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvidc32.dll
[2009/08/13 09:34:38 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrle32.dll
[2008/11/02 10:05:29 | 00,000,061 | ---- | C] () -- C:\Windows\sbwin.ini
[2008/07/12 20:39:41 | 00,006,123 | ---- | C] () -- C:\Windows\System32\AudioDrv.ini
[2008/07/12 20:34:36 | 00,000,054 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini
[2008/07/12 20:33:03 | 00,003,072 | ---- | C] () -- C:\Windows\CTXFIRES.DLL
[2008/07/12 20:32:04 | 00,108,544 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2008/07/12 20:32:04 | 00,069,120 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2008/07/11 16:59:46 | 00,012,288 | ---- | C] () -- C:\Windows\impborl.dll
[2008/02/25 14:55:32 | 00,101,603 | ---- | C] () -- C:\Windows\System32\instwdm.ini
[2008/02/20 21:00:12 | 00,043,520 | ---- | C] () -- C:\Windows\System32\CTBURST.DLL
[2008/02/20 20:59:14 | 00,034,816 | ---- | C] ( ) -- C:\Windows\System32\a3d.dll
[2008/01/27 13:48:07 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2007/12/21 20:55:55 | 00,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2007/12/19 20:50:15 | 00,000,010 | ---- | C] () -- C:\Windows\WININIT.INI
[2007/11/23 16:06:54 | 00,000,041 | ---- | C] () -- C:\Windows\winampa.ini
[2007/11/23 15:38:09 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/11/23 12:59:25 | 00,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2007/08/13 20:45:02 | 00,077,824 | ---- | C] () -- C:\Windows\System32\CTMMACTL.DLL
[2007/04/12 08:10:28 | 00,105,728 | ---- | C] () -- C:\Windows\System32\APOMgrH.dll
[2006/11/02 05:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:23:31 | 00,000,215 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 03:23:31 | 00,000,144 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 02:14:14 | 00,061,440 | ---- | C] () -- C:\Windows\System32\FastUv32.dll
[2006/11/02 00:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/10/02 17:25:18 | 00,000,307 | ---- | C] () -- C:\Windows\System32\KILL.INI

========== Files - Modified Within 30 Days ==========

[2009/09/01 15:54:26 | 00,000,396 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job
[2009/09/01 15:49:45 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/09/01 15:49:45 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/09/01 15:49:39 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/09/01 15:49:32 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/09/01 15:49:24 | 10,727,79264 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/31 22:48:43 | 00,054,400 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/08/31 22:48:43 | 00,054,400 | ---- | M] () -- C:\Windows\System32\BMXState-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/08/31 22:48:43 | 00,000,788 | ---- | M] () -- C:\Windows\System32\DVCState-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/08/31 22:38:35 | 01,471,377 | -H-- | M] () -- C:\Users\Brandon.Rodan242\AppData\Local\IconCache.db
[2009/08/31 22:22:00 | 00,000,934 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
[2009/08/31 21:53:28 | 00,054,156 | -H-- | M] () -- C:\Windows\QTFont.qfn
[2009/08/31 21:22:02 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
[2009/08/31 16:54:54 | 00,041,631 | ---- | M] () -- C:\Windows\System32\certstore.dat
[2009/08/31 16:47:11 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/08/31 16:46:41 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/08/31 16:10:35 | 19,240,7705 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/08/26 18:17:20 | 00,000,000 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\settings.dat
[2009/08/24 10:44:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\OTL.exe
[2009/08/24 10:41:22 | 00,472,064 | ---- | M] ( ) -- C:\Users\Brandon.Rodan242\Desktop\RootRepeal.exe
[2009/08/24 10:38:17 | 00,000,733 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\NTREGOPT.lnk
[2009/08/24 10:38:17 | 00,000,714 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\ERUNT.lnk
[2009/08/24 10:35:07 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Users\Brandon.Rodan242\Desktop\SysRestorePoint.exe
[2009/08/24 10:05:54 | 00,272,384 | ---- | M] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\TFC.exe
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\Windows\PEV.exe
[2009/08/20 17:15:52 | 00,000,344 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2009/08/20 17:15:52 | 00,000,322 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2009/08/20 16:53:18 | 00,000,109 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\fixtm.reg
[2009/08/18 23:45:34 | 00,618,410 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/08/18 23:45:34 | 00,103,818 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/08/18 23:45:33 | 00,716,948 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/08/13 16:03:45 | 00,001,070 | -H-- | M] () -- C:\IPH.PH
[2009/08/13 09:51:41 | 00,311,800 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
< End of report >
OTL Extras Log:

OTL Extras logfile created on: 9/1/2009 4:02:39 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\Brandon.Rodan242\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.46 Mb Total Physical Memory | 491.36 Mb Available Physical Memory | 48.06% Memory free
2.24 Gb Paging File | 1.59 Gb Available in Paging File | 70.79% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 31.09 Gb Free Space | 41.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 74.53 Gb Total Space | 34.73 Gb Free Space | 46.61% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RODAN242
Current User Name: Brandon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2979632154-2472622693-673311761-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03B36467-6150-46F9-8432-C1FB2B2125EE}" = lport=138 | protocol=17 | dir=in | app=system |
"{0C0164A1-BBD5-4DD0-B0F3-C105582A504C}" = lport=137 | protocol=17 | dir=in | app=system |
"{1A0A986E-CE4D-45BF-9C73-40FC1D8CC6C2}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1FDFED5A-CD0F-4B47-B6D3-E91C772FA1BC}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{220A0573-D87E-4CF3-9D83-2E64591FF5D8}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2471BAC5-D32D-4556-BA19-5F750C9D6174}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{27C751D9-59FD-43A3-95DC-8E32D6915DAF}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2ADE8C37-D274-48D2-9379-BE31CFC44A63}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{2CB33569-8C1B-4F69-A35D-508C58D5632E}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{45CE1B9E-2855-4ECC-95F0-02349885EAB5}" = lport=10243 | protocol=6 | dir=in | app=system |
"{482F901E-8F27-4745-87F7-A643EC3F7E8E}" = lport=2869 | protocol=6 | dir=in | app=system |
"{4B84E4D6-E958-42D7-A09B-99A63EEFB639}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4DDEB78B-CC41-4A3B-9A2D-8C265F632E49}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{4F1D1887-82FF-4449-A32C-4259BA501082}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{60985C8D-3E58-4BF7-B911-535DF6D19946}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{65287F63-41D0-4C0B-9751-D57B85F8B30C}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{662FC5F1-0B13-4CD9-93E4-E01032B267F6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{66D8FF28-B2AC-4004-845A-81128B47CDCC}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{680DC512-F5BF-4BFA-9F10-958794878582}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{6D2627E6-4422-4DD6-960E-C93315409F03}" = rport=138 | protocol=17 | dir=out | app=system |
"{6D57F5E6-C0B4-44D9-AEE4-D69F40B3EBB4}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6F65055A-D6FB-4B14-8700-7F94CC8170F9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{73D762F0-2518-42BE-96D1-2B461209B442}" = lport=2869 | protocol=6 | dir=in | app=system |
"{77A32DDD-D20C-46C7-A152-894138D51299}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{790FD14E-EC26-4A86-B40C-31BCB8015A40}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{811F974F-9D10-4308-AD20-78FBAF06EBA8}" = lport=3390 | protocol=6 | dir=in | app=system |
"{864C1C2D-5977-4BAC-B815-9879471B5F8F}" = lport=3390 | protocol=6 | dir=in | app=system |
"{87169361-08BA-4A83-B4D1-CCCA9DBDA946}" = rport=445 | protocol=6 | dir=out | app=system |
"{88AF11AD-23A7-44F2-9D84-976E9F8D5629}" = lport=10243 | protocol=6 | dir=in | app=system |
"{88FEDE0D-D67F-4054-AFBF-4490DA11B28A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{91DE6D12-F965-4261-B49D-F06BC87982CA}" = rport=10243 | protocol=6 | dir=out | app=system |
"{93A79AC0-68EF-4852-A1C3-57F76B670FA8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9CF82142-0C1D-44AB-8DAF-64F3F340EA7A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{A24FDCCA-6B54-4784-AB6F-160576E878E1}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A339041D-AECC-40C1-9EB7-26811AEDC600}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{A4B9E0FB-36FE-4852-A69B-0DA449D7C325}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A726A60A-1338-4468-9094-D3674D381482}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{AA4E527D-56E9-4CDA-A182-65174F23A0BA}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{AC5B32D0-0685-4181-94C0-6A4AF838BF44}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{AE570E4D-E7AF-4D68-8DDB-E9E07845E3D6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{AF7F7ADA-985E-4D32-AA3F-6CDF12B67AC1}" = lport=445 | protocol=6 | dir=in | app=system |
"{B0E9388D-69B2-4974-B098-58CA31719F81}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BDB543CF-7822-452F-8DBF-5D85B84D6999}" = rport=10244 | protocol=6 | dir=out | app=system |
"{C2B88D07-77FC-4F4E-8B56-6F3C7725B6AD}" = lport=10244 | protocol=6 | dir=in | app=system |
"{C587CABC-ECE1-4440-9B57-F2041F5267CA}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C8FB28BD-1FD5-4411-8752-A033FD3A1DA6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CBD684CC-C5BE-42E8-9189-AD3C7269D45B}" = lport=10244 | protocol=6 | dir=in | app=system |
"{D18C17B9-5F73-4F18-9429-2F5E85E1F31D}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D57FA5ED-F1C8-49DA-ADE0-9540D88E9100}" = rport=10243 | protocol=6 | dir=out | app=system |
"{E3630B8E-C508-4926-A06C-1993150C9A92}" = rport=10244 | protocol=6 | dir=out | app=system |
"{E4C4CEB9-337D-4B72-8D96-DED02C2CB87D}" = rport=139 | protocol=6 | dir=out | app=system |
"{F1B0ABDB-A057-4627-8185-0D90886CAE04}" = lport=139 | protocol=6 | dir=in | app=system |
"{F44725D1-A9B3-4E1F-AC6F-CD00A1FAC403}" = rport=137 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00F307D8-89D9-4534-B1FF-6417B32B7CB7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{02845587-2EEF-4E27-BD15-C4CDD0412EDB}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{04BC7DF3-BBDC-447C-B130-9F9DDE483DF0}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{06C2560D-C034-4D41-AB4E-C22CE2397C8F}" = protocol=6 | dir=in | app=%programfiles%\zune\zunenss.exe |
"{0DED102C-110E-4681-BD70-A9D766390DE9}" = protocol=17 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{13A1A0E7-149B-449C-AEE3-084870A3D6EC}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{147494DD-7901-4EBB-89A0-60109EA95031}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"{16642E16-EF4C-4F30-9921-3D397A23437C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{2080DF58-428F-4017-8E20-C595CC5ECF61}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{26453132-050C-4135-900E-0474291EF3D4}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{26AED914-1F70-4A93-8DB1-9F3D25AD5382}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{29973C79-E787-48A5-9C40-F111AFE3D8D8}" = protocol=1 | dir=in | [email protected],-28543 |
"{32C6096F-4AB6-4F09-9935-93ED61D3488E}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{355AD689-9714-4782-BABB-312BB66149AA}" = protocol=58 | dir=in | [email protected],-28545 |
"{380D7E10-D806-4693-9D5B-AD8FED06750F}" = protocol=6 | dir=in | app=%programfiles%\zune\zunenss.exe |
"{3D38E612-03BF-4350-9E65-3E11252E4D5C}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{44184C55-4D12-4160-9AB7-19AD79A9F299}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{4478F015-3051-4B98-9E93-38A71270B45D}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{4E8F4711-784E-4874-8653-46D70F2D72B3}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{5BA0746C-2900-4687-9E12-9B1FC6A8E1D8}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{7100C564-68A5-404C-8B7C-D5809069AB39}" = protocol=17 | dir=out | app=%programfiles%\zune\zunenss.exe |
"{74DF458E-DC85-4DCE-AFA2-08226202FC34}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{7A840A6B-7C05-437B-BDD4-6BDE35FB3EDE}" = protocol=1 | dir=out | [email protected],-28544 |
"{803DEC9E-6BF1-4130-927B-5C71727A6F7A}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{87A50525-032C-4FB2-8A92-19E37659D15D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{88358A6C-6C31-4387-AA2C-F84FD232637C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8A29EF27-E9F7-47F6-9B79-10B26C84D365}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{90FF6D2A-3F90-4226-AABD-7ED0AEBB0C17}" = protocol=6 | dir=in | app=c:\program files\google\google talk\googletalk.exe |
"{9170E7C1-447B-42B9-A93D-26BD5A68FE3E}" = protocol=6 | dir=out | app=%programfiles%\zune\zunenss.exe |
"{9FDB0174-775A-4D21-B862-85109EF78A3E}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{B20C61F8-14B7-49C3-8906-B2774C4296D3}" = protocol=6 | dir=out | app=%programfiles%\zune\zunenss.exe |
"{B9596D3E-44D2-47CE-BDB9-1086A1EF6040}" = protocol=58 | dir=out | [email protected],-28546 |
"{BB2372DC-61C9-4633-B5B9-C74EFF83A3C1}" = protocol=17 | dir=in | app=%programfiles%\zune\zunenss.exe |
"{C109EFDB-8157-454B-8BB3-BE53970A26D7}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{C6FC6DBF-FEE3-41AD-AEDF-910495C8305B}" = protocol=6 | dir=out | app=system |
"{CF7FA0AB-5BD0-49EB-998C-4E1D73DAE7E3}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
"{D027A6EF-BE22-48E6-BAF0-446F59D8D0D4}" = protocol=6 | dir=out | app=%systemroot%\system32\wudfhost.exe |
"{D30E5EE2-1D62-4EE9-93A4-C39273DB0174}" = protocol=17 | dir=in | app=%programfiles%\zune\zunenss.exe |
"{D8387652-DEE7-446E-B6F6-B5536F5D8C7F}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{DAD5296B-01EA-403A-8398-D0F3AC92AF7C}" = protocol=6 | dir=out | app=system |
"{DDA09D6B-B02C-4A9B-A75C-09E88D885DD6}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{E46537BF-A0EF-47C2-8003-3C7A8171CB69}" = protocol=6 | dir=out | app=system |
"{EAB3D2D6-9D81-4AF4-9BAA-3DD88C371D7B}" = protocol=17 | dir=out | app=%programfiles%\zune\zunenss.exe |
"{EFC52076-88CA-40C6-8CF4-036E7FDD8C7F}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"TCP Query User{3C64B300-38D7-4091-B236-4BE46F00E4CF}C:\games\soldier of fortune\sof.exe" = protocol=6 | dir=in | app=c:\games\soldier of fortune\sof.exe |
"TCP Query User{4F8B0E8B-D4FE-4215-A220-A1A4625CDD12}C:\program files\pieautoupdater\winmx.exe" = protocol=6 | dir=in | app=c:\program files\pieautoupdater\winmx.exe |
"TCP Query User{97BD8DDA-7CE5-43DC-AE35-C0FE1DC10AC6}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{D3128A9C-F202-4211-90FA-5DA372C74F1D}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{D3EBEC4C-DEEC-4B37-B357-FD29FE9CD675}C:\program files\aim6\aim6.exe" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"UDP Query User{297A9DB2-C2C8-4F65-8F3D-19214DCFB004}C:\program files\aim6\aim6.exe" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"UDP Query User{91FE160A-72C5-42C5-ACB6-3442AA48AD8E}C:\games\soldier of fortune\sof.exe" = protocol=17 | dir=in | app=c:\games\soldier of fortune\sof.exe |
"UDP Query User{9872F371-0414-460D-AF2C-FAFAA6F1AD60}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{AC2B0356-3165-4B29-A454-F31365736F93}C:\program files\pieautoupdater\winmx.exe" = protocol=17 | dir=in | app=c:\program files\pieautoupdater\winmx.exe |
"UDP Query User{AE0F6843-513F-4568-BE78-2F568B057E19}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{16913489-B5E3-403E-AFD3-2B19BBE464D4}" = Opera 9.24
"{16D9439B-DF3D-43D1-A727-4B335300D07A}" = OverDrive Media Console
"{18DF995F-2ACC-47E4-A33B-A703F4D39E92}" = CuteFTP 5.0 XP
"{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{2758691A-2CDE-4942-A4AC-0E8F61FE2067}" = USB Video/Audio Device Driver
"{2A38B5AA-EA84-4F87-9937-2FB23982243A}" = Sonic Foundry ACID 4.0
"{2D6ED011-055B-4041-B198-BB903827EBFB}" = Safari
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FC3B4FF-B033-809F-D74C-927E0408A01F}" = Catalyst Control Center InstallProxy
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{BAB0A0F0-44A4-0EA1-8405-1F3F13093A22}" = ATI Catalyst Install Manager
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{E0D51394-1D45-460A-B62D-383BC4F8B335}" = QuickTime
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{FCC3BD6A-F118-475D-8748-7EE08EA0AF56}" = HDView for Internet Explorer
"{FF70513F-E3A7-402F-84FB-B7810A064BE2}" = Zune
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AIM_6" = AIM 6
"ALchemy X-Fi" = Creative ALchemy (X-Fi Edition)
"AudioCS" = Creative Audio Console
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"Easy CD-DA Extractor 11" = Easy CD-DA Extractor 11
"ERUNT_is1" = ERUNT 1.1j
"Escape Rosecliff Island 1.00" = Escape Rosecliff Island 1.00
"ID3-TagIT 3_is1" = ID3-TagIT 3
"ieSpell" = ieSpell
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"MSC" = McAfee SecurityCenter
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"RarZilla Free Unrar 2.53" = RarZilla Free Unrar 2.53
"Smart Recorder" = Creative Smart Recorder
"SQLyog Community" = SQLyog Community 6.15 RC1
"SysInfo" = Creative System Information
"V CAST Music with Rhapsody" = V CAST Music with Rhapsody
"ViewpointMediaPlayer" = Viewpoint Media Player
"WaveStudio 7" = Creative WaveStudio 7
"Winamp3" = Winamp3 (remove only)
"Works2002Setup" = Microsoft Works 2002 Setup Launcher
"Yahoo! Messenger" = Yahoo! Messenger
"Zune" = Zune

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/1/2009 12:46:01 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x1690, application
start time 0x01ca2abf1a38f03f.

Error - 9/1/2009 12:48:23 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x5a0, application
start time 0x01ca2abf6ef51b8a.

Error - 9/1/2009 12:57:20 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x1674, application
start time 0x01ca2ac0ae5e5d71.

Error - 9/1/2009 1:15:25 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0xab8, application
start time 0x01ca2ac33405ce4d.

Error - 9/1/2009 1:19:42 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0xe6c, application
start time 0x01ca2ac3ce6f9b35.

Error - 9/1/2009 1:24:00 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x8d0, application
start time 0x01ca2ac468cb1a01.

Error - 9/1/2009 1:33:15 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0xf48, application
start time 0x01ca2ac5b39bea00.

Error - 9/1/2009 1:35:40 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0xb18, application
start time 0x01ca2ac609b353d8.

Error - 9/1/2009 1:38:10 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x4a4, application
start time 0x01ca2ac662aad50c.

Error - 9/1/2009 1:46:08 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x5a0, application
start time 0x01ca2ac77f3da7bf.

[ Media Center Events ]
Error - 12/22/2007 2:50:08 PM | Computer Name = Rodan242 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 3/3/2008 5:01:57 AM | Computer Name = Rodan242 | Source = McrMgr | ID = 100
Description =

Error - 5/22/2008 7:43:25 PM | Computer Name = Rodan242 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 5/25/2008 3:35:43 PM | Computer Name = Rodan242 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 6/1/2008 4:44:45 PM | Computer Name = Rodan242 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 6/8/2008 1:40:05 AM | Computer Name = Rodan242 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 1/6/2009 7:05:51 PM | Computer Name = Rodan242 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 2/27/2009 6:35:47 PM | Computer Name = Rodan242 | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 8/31/2009 7:48:39 PM | Computer Name = Rodan242 | Source = DCOM | ID = 10005
Description =

Error - 8/31/2009 7:48:55 PM | Computer Name = Rodan242 | Source = Service Control Manager | ID = 7009
Description =

Error - 8/31/2009 7:48:55 PM | Computer Name = Rodan242 | Source = Service Control Manager | ID = 7000
Description =

Error - 8/31/2009 7:49:30 PM | Computer Name = Rodan242 | Source = DCOM | ID = 10010
Description =

Error - 8/31/2009 7:49:38 PM | Computer Name = Rodan242 | Source = DCOM | ID = 10010
Description =

Error - 8/31/2009 7:52:47 PM | Computer Name = Rodan242 | Source = Service Control Manager | ID = 7022
Description =

Error - 8/31/2009 11:23:44 PM | Computer Name = Rodan242 | Source = Service Control Manager | ID = 7000
Description =

Error - 9/1/2009 1:10:51 AM | Computer Name = Rodan242 | Source = Service Control Manager | ID = 7000
Description =

Error - 9/1/2009 1:41:47 AM | Computer Name = Rodan242 | Source = Service Control Manager | ID = 7000
Description =

Error - 9/1/2009 6:51:06 PM | Computer Name = Rodan242 | Source = Service Control Manager | ID = 7000
Description =


< End of report >
  • 0
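The Application Events in the report above are ten svchost.exe crashes with the same faulting module, the same exception code (0xc0000005) and the same fault offset (0x000019f8) over about an hour. Grouping OTL's event-log section by crash signature makes that pattern visible without reading every entry. The script below is an added example for this thread, not OTL's code; its sample input is the first two Application Events from the report above plus one constructed entry with a different module and one System event with an empty description, so both cases are exercised.

```python
"""Triage the 'Last 10 Event Log Errors' section that OTL prints.
Event ID 1000 entries are grouped by (application, module, exception code,
fault offset): one host process dying repeatedly at the same offset points at
a single bad module every instance loads, not at random instability."""
import re
from collections import defaultdict
from datetime import datetime

HEADER_RE = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<event_id>\d+)$"
)
# Vista's event 1000 text; OTL wraps it over several lines, so it is re-joined first.
CRASH_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<app_ver>[^,]+), "
    r"time stamp (?P<app_ts>0x[0-9a-f]+), faulting module (?P<module>[^,]+), "
    r"version (?P<mod_ver>[^,]+), time stamp (?P<mod_ts>0x[0-9a-f]+), "
    r"exception code (?P<exc>0x[0-9a-f]+), fault offset (?P<offset>0x[0-9a-f]+), "
    r"process id (?P<pid>0x[0-9a-f]+)"
)

# Sample input: two entries copied from the report above, one constructed entry
# (example.exe / constructed.dll) and one System event with no description.
SAMPLE_LOG = """\
[ Application Events ]
Error - 9/1/2009 12:46:01 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x1690, application
start time 0x01ca2abf1a38f03f.

Error - 9/1/2009 12:48:23 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6000.16386, time stamp
0x4a481bab, faulting module svchost.exe, version 6.0.6000.16386, time stamp 0x4a481bab,
exception code 0xc0000005, fault offset 0x000019f8, process id 0x5a0, application
start time 0x01ca2abf6ef51b8a.

Error - 9/1/2009 1:15:25 AM | Computer Name = Rodan242 | Source = Application Error | ID = 1000
Description = Faulting application example.exe, version 1.0.0.0, time stamp
0x00000000, faulting module constructed.dll, version 1.0.0.0, time stamp 0x00000000,
exception code 0xc0000005, fault offset 0x00001234, process id 0x111, application
start time 0x01ca2ac33405ce4d.

[ System Events ]
Error - 8/31/2009 7:48:39 PM | Computer Name = Rodan242 | Source = DCOM | ID = 10005
Description =
"""


def parse_entries(text):
    """Return one dict per 'Error - ...' entry, description re-joined on one line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["description"] = ""
            entries.append(current)
        elif not line:
            current = None  # a blank line ends the entry
        elif current is not None and not line.startswith("["):
            if line.startswith("Description ="):
                line = line[len("Description ="):].strip()
            current["description"] = (current["description"] + " " + line).strip()
    return entries


def parse_when(s):
    return datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p")


def crash_signatures(entries):
    """Group Application Error / ID 1000 entries by crash signature."""
    groups = defaultdict(list)
    for e in entries:
        if e["source"] != "Application Error" or e["event_id"] != "1000":
            continue
        m = CRASH_RE.search(e["description"])
        if m:
            sig = (m["app"], m["module"], m["exc"], m["offset"])
            groups[sig].append((parse_when(e["when"]), m["pid"]))
    return groups


def triage(text, min_repeats=2):
    """[(signature, count, minutes spanned)] for signatures seen at least
    min_repeats times, most frequent first."""
    out = []
    for sig, hits in crash_signatures(parse_entries(text)).items():
        if len(hits) >= min_repeats:
            times = sorted(t for t, _ in hits)
            span = round((times[-1] - times[0]).total_seconds() / 60, 1)
            out.append((sig, len(hits), span))
    return sorted(out, key=lambda r: -r[1])


if __name__ == "__main__":
    for (app, mod, exc, off), n, span in triage(SAMPLE_LOG):
        print(f"{n} crashes in {span} min: {app} faulting in {mod} ({exc} at {off})")
```

Run it against the full ten-entry section above and the svchost.exe signature comes out with a count of 10; any signature that appears once is hidden by the default `min_repeats=2` and can be shown with `triage(text, min_repeats=1)`.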

#8
hammerman

    Member 4k

  • Member
  • 4,183 posts
Hello,

Can you please confirm that the SysProt log was empty?

Please follow these steps and give me an update on how your computer's running.

-- Step 1 --
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Windows\System32\FastUv32.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

-- Step 2 --

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

-- Step 3 --

Delete your copy of MalwareBytes and then .....

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 4 --

Run OTL and select Minimal Output. Use the Quick Scan button to start a scan.
Please post the OTL report in your reply.
  • 0
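Step 1 sends one service binary to a multi-engine scanner. OTL prints the company name from a binary's version information in parentheses after its path, and a service binary under the Windows directory that shows an empty "()" is exactly the kind of entry a helper singles out for such a scan, since legitimate system files almost always carry a publisher. The script below is an added example, not hammerman's procedure or OTL's code: it parses OTL SRV lines, flags binaries with no company name (ranking running, auto-start services first), and computes the MD5 and SHA1 that a VirSCAN report prints, so the report can be tied back to the exact file that was uploaded. The sample SRV lines are constructed in OTL's format; one reuses the FastUv32.dll path from Step 1, while ExampleSvc and NoNameSvc are invented.

```python
"""Pick OTL 'Win32 Services' entries worth a multi-engine scan and record the
digests of the file before uploading it."""
import hashlib
import re

SRV_RE = re.compile(
    r"^SRV - \((?P<name>.+?) \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]\) -- "
    r"(?P<path>.+) \((?P<company>[^()]*)\)$"
)
# Binaries under these directories are expected to carry publisher information.
SYSTEM_DIRS = ("c:\\windows\\",)

# Constructed sample in OTL's SRV format (raw string, so backslashes are literal).
SAMPLE_SRV = r"""
SRV - (Eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FastUserSwitchingCompatibility [Auto | Running]) -- C:\Windows\System32\FastUv32.dll ()
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\Windows\System32\HPZipm12.dll (Hewlett-Packard)
SRV - (ExampleSvc [On_Demand | Stopped]) -- C:\Program Files (x86)\Example\svc.exe (Example Corp)
SRV - (NoNameSvc [On_Demand | Stopped]) -- C:\Users\Public\tool.exe ()
"""


def parse_srv(text):
    """One dict (name, start, state, path, company) per SRV line; other lines are skipped."""
    parsed = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def triage_services(text):
    """Return [(service name, path, [reasons])] for binaries without a company
    name, running/auto-start services first."""
    flagged = []
    for s in parse_srv(text):
        reasons = []
        if s["company"] == "":
            reasons.append("no company name in the file's version information")
            if s["path"].lower().startswith(SYSTEM_DIRS):
                reasons.append("binary without publisher info under the Windows directory")
        if reasons:
            flagged.append((s["name"], s["path"], reasons, s["start"], s["state"]))
    flagged.sort(key=lambda f: (f[4] != "Running", f[3] != "Auto"))
    return [(name, path, reasons) for name, path, reasons, _, _ in flagged]


def digests(data: bytes):
    """MD5 and SHA1 hex digests, the two values a VirSCAN report lists for the file."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def file_digests(path):
    """Digests of a file on disk; run this before uploading so the report can be
    matched against the local copy."""
    with open(path, "rb") as fh:
        return digests(fh.read())


if __name__ == "__main__":
    for name, path, reasons in triage_services(SAMPLE_SRV):
        print(f"{name}: {path}")
        for r in reasons:
            print(f"    - {r}")
```

An empty company name is a prompt to look closer, not a verdict: small vendors ship unsigned binaries without version resources too, which is why the scan in Step 1 is the next step rather than deletion.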

#9
Sauron2029

    Member

  • Topic Starter
  • Member
  • 12 posts
The computer is running fine, but there are still occasional svchost.exe crashes.

I'm not sure how I posted the combo fix log twice and neglected the SysProt log, sorry! Here is the SysProt log and I'll get to work on your next steps!

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 89189000
Module End: 89194000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: 89350000
Module End: 89358000
Hidden: Yes
  • 0
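The SysProt log above lists two kernel modules as hidden, and both are dump_*.sys files. The script below is an added example, not SysProt's code or anything from this thread: it parses the Kernel Modules section, computes each module's size from its base and end addresses, and separates hidden crash-dump driver copies from any other hidden module. The treatment of dump_*.sys is my assumption rather than something the thread states: Windows loads private copies of the storage drivers under those names for writing crash dumps, without a service entry, and anti-rootkit tools commonly report them as hidden for that reason. The script sets them apart for that reason; it does not declare them clean. The sample reuses the two entries above and adds two constructed ones (example.sys, atapi.sys).

```python
"""Parse the 'Kernel Modules' section of a SysProt AntiRootkit log."""
import re

# Kernel's crash-dump copies of storage drivers (assumption, see lead-in).
DUMP_DRIVER_RE = re.compile(r"\\dump_[^\\]+\.sys$", re.IGNORECASE)

# Constructed sample: the two entries from the log above plus two invented ones.
SAMPLE_SYSPROT = """\
SysProt AntiRootkit v1.0.1.0
by swatkat

Kernel Modules:
Module Name: \\SystemRoot\\System32\\Drivers\\dump_dumpata.sys
Service Name: ---
Module Base: 89189000
Module End: 89194000
Hidden: Yes

Module Name: \\SystemRoot\\System32\\Drivers\\dump_atapi.sys
Service Name: ---
Module Base: 89350000
Module End: 89358000
Hidden: Yes

Module Name: \\SystemRoot\\System32\\Drivers\\example.sys
Service Name: ---
Module Base: 8a000000
Module End: 8a010000
Hidden: Yes

Module Name: \\SystemRoot\\System32\\Drivers\\atapi.sys
Service Name: atapi
Module Base: 8a100000
Module End: 8a120000
Hidden: No
"""


def parse_kernel_modules(text):
    """Return one dict per module block; addresses become ints, Hidden a bool."""
    modules, current, in_section = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if sep and not value.strip():  # a section header such as "Kernel Modules:"
            if current:
                modules.append(current)
                current = {}
            in_section = key.strip() == "Kernel Modules"
            continue
        if not in_section:
            continue
        if not line:  # blank line closes the current module block
            if current:
                modules.append(current)
                current = {}
            continue
        current[key.strip().lower().replace(" ", "_")] = value.strip()
    if current:
        modules.append(current)
    for m in modules:
        m["module_base"] = int(m["module_base"], 16)
        m["module_end"] = int(m["module_end"], 16)
        m["size"] = m["module_end"] - m["module_base"]
        m["hidden"] = m["hidden"].lower() == "yes"
    return modules


def classify_hidden(modules):
    """Split hidden modules into (crash-dump driver copies, modules to review)."""
    dump_copies, needs_review = [], []
    for m in modules:
        if m["hidden"]:
            bucket = dump_copies if DUMP_DRIVER_RE.search(m["module_name"]) else needs_review
            bucket.append(m)
    return dump_copies, needs_review


def summarize(text):
    """Human-readable lines: a headline count, then each hidden module with size and service."""
    dump_copies, needs_review = classify_hidden(parse_kernel_modules(text))
    lines = [f"hidden modules: {len(dump_copies) + len(needs_review)} "
             f"({len(dump_copies)} crash-dump driver copies, {len(needs_review)} to review)"]
    for label, group in (("dump copy", dump_copies), ("REVIEW", needs_review)):
        for m in group:
            lines.append(f"  [{label}] {m['module_name']} size=0x{m['size']:x} "
                         f"service={m['service_name']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_SYSPROT)))
```

On the log above, `summarize` reports two hidden modules, both in the crash-dump group and none to review, which is the result a helper would expect to see before moving on to the other steps.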

#10
Sauron2029

    Member

  • Topic Starter
  • Member
  • 12 posts
VirSCAN Log:

VirSCAN.org Scanned Report :
Scanned time : 2009/09/02 15:59:49 (MST)
Scanner results: 32% Scanner(12/37) found malware!
File Name : FastUv32.dll
File Size : 61440 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 460fa825f6113e93c297b9d175b5ceeb
SHA1 : d7ecb7b64e8c7a74f4548a9dc588921483b7da0a
Online report : http://virscan.org/r...b8ca86b487.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20090902223429 2009-09-02 4.19 Trojan.Inject!IK
AhnLab V3 2009.09.03.00 2009.09.03 2009-09-03 0.79 -
AntiVir 8.2.1.7 7.1.5.198 2009-09-02 0.25 BDS/Agent.akgj
Antiy 2.0.18 20090902.2756267 2009-09-02 0.12 Backdoor/Win32.Agent.akgj
Arcavir 2009 200909021713 2009-09-02 0.03 -
Authentium 5.1.1 200909021229 2009-09-02 1.17 -
AVAST! 4.7.4 090902-0 2009-09-02 0.01 -
AVG 8.5.288 270.13.76/2342 2009-09-03 0.33 -
BitDefender 7.81008.3922495 7.27500 2009-09-03 3.34 -
CA (VET) 9.0.0.143 31.6.6716 2009-09-03 7.46 Win32/Wimpixo.A trojan.
ClamAV 0.95.2 9765 2009-09-02 0.02 -
Comodo 3.11 2187 2009-09-02 0.91 -
CP Secure 1.3.0.5 2009.09.02 2009-09-02 0.06 -
Dr.Web 4.44.0.9170 2009.09.02 2009-09-02 5.22 -
F-Prot 4.4.4.56 20090902 2009-09-02 1.16 -
F-Secure 7.02.73807 2009.09.02.11 2009-09-02 8.02 Backdoor.Win32.Agent.akgj [AVP]
Fortinet 2.81-3.120 10.788 2009-09-02 0.20 W32/Agent.AKGJ!tr.bdr
GData 19.7570/19.461 20090902 2009-09-02 4.73 Backdoor.Win32.Agent.akgj [Engine:A]
ViRobot 20090902 2009.09.02 2009-09-02 0.41 -
Ikarus T3.1.01.68 2009.09.02.73458 2009-09-02 3.85 Trojan.Inject
JiangMin 11.0.800 2009.09.02 2009-09-02 3.48 -
Kaspersky 5.5.10 2009.09.02 2009-09-02 0.09 Backdoor.Win32.Agent.akgj
KingSoft 2009.2.5.15 2009.9.2.21 2009-09-02 0.50 Win32.Hack.PcClient.al.61440
McAfee 5.3.00 5728 2009-09-02 3.19 -
Microsoft 1.5005 2009.09.02 2009-09-02 5.20 -
Norman 6.01.09 6.01.00 2009-09-02 4.01 -
Panda 9.05.01 2009.09.02 2009-09-02 1.65 -
Trend Micro 8.700-1004 6.414.04 2009-09-02 0.03 -
Quick Heal 10.00 2009.09.02 2009-09-02 1.08 Backdoor.Agent.akgj
Rising 20.0 21.45.24.00 2009-09-02 0.80 -
Sophos 2.89.1 4.44 2009-09-03 3.34 -
Sunbelt 5370 5370 2009-09-02 1.31 -
Symantec 1.3.0.24 20090902.005 2009-09-02 0.05 -
nProtect 20090902.01 5169944 2009-09-02 6.09 -
The Hacker 6.3.4.3 v00396 2009-09-02 0.68 -
VBA32 3.12.10.10 20090901.1841 2009-09-01 1.91 Backdoor.Win32.Agent.akgj
VirusBuster 4.5.11.10 10.112.25/1842559 2009-09-02 2.26 -

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.40
Database version: 2733
Windows 6.0.6000

9/2/2009 4:31:15 PM
mbam-log-2009-09-02 (16-31-15).txt

Scan type: Quick Scan
Objects scanned: 99745
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

OTL Log:

OTL logfile created on: 9/2/2009 4:37:30 PM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\Brandon.Rodan242\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.46 Mb Total Physical Memory | 451.88 Mb Available Physical Memory | 44.19% Memory free
2.24 Gb Paging File | 1.54 Gb Available in Paging File | 68.67% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 30.58 Gb Free Space | 41.05% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 74.53 Gb Total Space | 34.72 Gb Free Space | 46.59% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RODAN242
Current User Name: Brandon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
PRC - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
PRC - C:\Windows\System32\CtHelper.exe (Creative Technology Ltd)
PRC - C:\Windows\System32\Ctxfihlp.exe (Creative Technology Ltd)
PRC - C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Windows\System32\CTXFISPI.EXE (Creative Technology Ltd)
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\System32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Users\Brandon.Rodan242\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Creative ALchemy AL1 Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe (Creative Labs)
SRV - (CTAudSvcService [Auto | Running]) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (Eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FastUserSwitchingCompatibility [Auto | Running]) -- C:\Windows\System32\FastUv32.dll ()
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [Disabled | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (nvsvc [Auto | Running]) -- C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\Windows\System32\HPZipm12.dll (Hewlett-Packard)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WinDefend [Auto | Stopped]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc [Auto | Running]) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc [On_Demand | Stopped]) -- C:\Windows\System32\ZuneWlanCfgSvc.exe (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kaijuphile.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.kaijuphile.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.4.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/13 21:48:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/15 22:33:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/02 16:18:39 | 00,000,000 | ---D | M]

[2008/09/13 13:04:52 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Extensions
[2008/09/13 13:04:52 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/02 16:36:19 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions
[2009/07/14 16:48:56 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/04 23:54:51 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions\[email protected]
[2009/09/02 16:35:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/14 20:23:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/01/19 15:29:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/03/09 17:42:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/13 02:19:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/09/02 16:18:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/08/14 20:23:28 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/14 20:23:28 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/04/10 17:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2008/03/19 19:23:20 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/09/02 16:17:57 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/02/06 12:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/08/14 20:23:30 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/01/06 11:10:08 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/04/16 10:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2009/07/15 11:10:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/15 11:10:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/15 11:10:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/15 11:10:00 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/15 11:10:00 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/15 11:10:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/15 11:10:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTHelper] C:\Windows\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\Windows\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader2.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/09/02 16:21:26 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/02 16:21:24 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/09/02 16:21:22 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/09/02 16:21:22 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/02 16:16:11 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Brandon.Rodan242\Desktop\mbam-setup.exe
[2009/08/31 16:58:13 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Local\temp
[2009/08/31 16:57:03 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/08/30 22:49:39 | 00,229,376 | ---- | C] () -- C:\Windows\PEV.exe
[2009/08/30 22:49:39 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/08/30 22:49:39 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/08/30 22:49:39 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/08/30 22:49:39 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/08/30 22:49:39 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/08/30 22:49:39 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/08/30 22:49:39 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/08/30 22:48:41 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/30 22:46:50 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\Desktop\SysProt
[2009/08/26 18:17:20 | 00,000,000 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\settings.dat
[2009/08/26 17:39:15 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Local\MigWiz
[2009/08/25 15:55:10 | 10,727,79264 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/24 12:23:06 | 06,291,456 | -H-- | C] () -- C:\Users\Brandon.Rodan242\AppData\Local\IconCache.db
[2009/08/24 11:05:34 | 00,000,000 | ---D | C] -- C:\Toolbox
[2009/08/24 10:44:11 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\OTL.exe
[2009/08/24 10:41:21 | 00,472,064 | ---- | C] ( ) -- C:\Users\Brandon.Rodan242\Desktop\RootRepeal.exe
[2009/08/24 10:38:41 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/08/24 10:38:17 | 00,000,733 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\NTREGOPT.lnk
[2009/08/24 10:38:17 | 00,000,714 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\ERUNT.lnk
[2009/08/24 10:38:17 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/24 10:35:03 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Users\Brandon.Rodan242\Desktop\SysRestorePoint.exe
[2009/08/24 10:05:53 | 00,272,384 | ---- | C] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\TFC.exe
[2009/08/20 23:22:57 | 19,240,7705 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2009/08/20 16:56:43 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Malwarebytes
[2009/08/20 16:56:27 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/08/20 16:50:51 | 00,000,109 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\fixtm.reg
[2009/08/20 16:45:12 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2009/08/20 16:45:12 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfesmfk.sys
[2009/08/20 16:45:12 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2009/08/20 16:45:01 | 00,130,424 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\Mpfp.sys
[2009/08/20 16:44:26 | 00,000,344 | ---- | C] () -- C:\Windows\tasks\McDefragTask.job
[2009/08/20 16:44:23 | 00,000,322 | ---- | C] () -- C:\Windows\tasks\McQcTask.job
[2009/08/20 16:43:57 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/08/20 16:43:48 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/08/20 16:43:29 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/08/20 16:21:32 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdk.sys
[2009/08/20 16:10:53 | 00,000,000 | ---D | C] -- C:\ProgramData\McAfee

========== Files - Modified Within 14 Days ==========

[2009/09/02 16:35:21 | 00,000,396 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job
[2009/09/02 16:33:14 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/09/02 16:33:14 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/09/02 16:33:07 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/09/02 16:33:00 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/09/02 16:32:53 | 10,727,79264 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/02 16:32:14 | 00,054,400 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/09/02 16:32:14 | 00,054,400 | ---- | M] () -- C:\Windows\System32\BMXState-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/09/02 16:32:14 | 00,000,788 | ---- | M] () -- C:\Windows\System32\DVCState-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/09/02 16:31:37 | 06,291,456 | -H-- | M] () -- C:\Users\Brandon.Rodan242\AppData\Local\IconCache.db
[2009/09/02 16:22:05 | 00,000,934 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
[2009/09/02 16:21:26 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/02 16:16:26 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Brandon.Rodan242\Desktop\mbam-setup.exe
[2009/08/31 21:53:28 | 00,054,156 | -H-- | M] () -- C:\Windows\QTFont.qfn
[2009/08/31 21:22:02 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
[2009/08/31 16:47:11 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/08/31 16:46:41 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/08/31 16:10:35 | 19,240,7705 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/08/26 18:17:20 | 00,000,000 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\settings.dat
[2009/08/24 10:44:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\OTL.exe
[2009/08/24 10:41:22 | 00,472,064 | ---- | M] ( ) -- C:\Users\Brandon.Rodan242\Desktop\RootRepeal.exe
[2009/08/24 10:38:17 | 00,000,733 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\NTREGOPT.lnk
[2009/08/24 10:38:17 | 00,000,714 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\ERUNT.lnk
[2009/08/24 10:35:07 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Users\Brandon.Rodan242\Desktop\SysRestorePoint.exe
[2009/08/24 10:05:54 | 00,272,384 | ---- | M] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\TFC.exe
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\Windows\PEV.exe
[2009/08/20 17:15:52 | 00,000,344 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2009/08/20 17:15:52 | 00,000,322 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2009/08/20 16:53:18 | 00,000,109 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\fixtm.reg

========== LOP Check ==========

[2009/09/01 16:14:39 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming
[2007/11/19 21:29:04 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\acccore
[2007/12/21 20:55:59 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Atari
[2008/01/27 14:01:11 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\ATI
[2009/08/03 15:57:09 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Canon
[2007/11/23 16:27:54 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\GlobalSCAPE
[2007/12/02 15:01:47 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\ID3-TagIT 3
[2008/07/09 19:35:29 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Ideazon
[2007/11/25 13:11:18 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\ieSpell
[2006/11/02 05:37:34 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Media Center Programs
[2008/07/09 20:29:18 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Move Networks
[2009/04/22 16:52:38 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\NetMedia Providers
[2007/11/23 16:57:03 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Opera
[2007/12/28 17:19:26 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\OverDrive
[2009/04/22 16:52:37 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Publish Providers
[2009/02/24 10:36:24 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Smart Recorder
[2009/06/23 16:33:16 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\SpinTop Games
[2008/05/18 08:20:16 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\SQLyog
[2009/08/31 21:22:02 | 00,000,882 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
[2009/09/02 16:22:05 | 00,000,934 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
[2009/08/20 17:15:52 | 00,000,344 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job
[2009/08/20 17:15:52 | 00,000,322 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job
[2009/09/02 16:33:07 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/09/02 16:31:51 | 00,032,604 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/09/02 16:35:21 | 00,000,396 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job

========== Purity Check ==========


< End of report >
  • 0

#11
hammerman

    Member 4k

  • Member
  • 4,183 posts
Hello,

WARNING:
You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Can you please follow these steps.

-- Step 1 --

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - (FastUserSwitchingCompatibility [Auto | Running]) -- C:\Windows\System32\FastUv32.dll ()
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.
-- Step 2 --

Could you please run JavaRa again and select Remove Older Versions.

-- Step 3 --

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0
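
As an added illustration, not part of this thread and not OTL's own code, of how the "Win32 Services (SafeList)" section above gets triaged: a small Python parser for OTL "SRV -" lines that flags entries carrying no company name, the property of the FastUv32.dll entry that hammerman lists in the fix above, and renders the flagged entries into the :OTL fix layout used in this thread. The sample log lines are constructed from the format shown above; the two triage rules and the ServiceEntry/triage_reasons/build_otl_fix names are this example's own assumptions, not OTL's.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of OTL's "Win32 Services (SafeList)" section.
# The FastUv32.dll line reproduces the entry the helper in this thread removed;
# the other three are ordinary entries of the same shape.
SAMPLE_LOG = r"""========== Win32 Services (SafeList) ==========

SRV - (Eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FastUserSwitchingCompatibility [Auto | Running]) -- C:\Windows\System32\FastUv32.dll ()
SRV - (nvsvc [Auto | Running]) -- C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
"""

# One SRV line: "SRV - (<name> [<start> | <state>]) -- <path> (<company>)".
# The trailing "$" forces the last parenthesised group to be the company, so a
# path such as "C:\Program Files (x86)\..." is not split at its own parentheses.
SRV_RE = re.compile(
    r"^SRV - \((?P<name>.+?) \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]\) -- "
    r"(?P<path>.+?) \((?P<company>[^()]*)\)$"
)

# Lower-cased fragment used to recognise binaries living under %SystemRoot%\System32.
SYSTEM32 = "\\windows\\system32\\"


@dataclass
class ServiceEntry:
    name: str
    start: str
    state: str
    path: str
    company: str


def parse_services(log_text):
    """Return every SRV entry of an OTL log as a ServiceEntry, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(**m.groupdict()))
    return entries


def triage_reasons(entry):
    """Reasons a helper would look twice at this service; an empty list means nothing odd.

    Rule 1 is the one acted on in this thread: OTL prints "()" when the file has no
    company name in its version resource, which legitimate Windows services always have.
    Rule 2 is only a review prompt, not a verdict: hardware vendors (NVIDIA, HP, ...)
    legitimately place service binaries in System32, so confirm with the vendor or a
    signature check before acting on it alone.
    """
    reasons = []
    if not entry.company.strip():
        reasons.append("no company name")
    if SYSTEM32 in entry.path.lower() and "microsoft" not in entry.company.lower():
        reasons.append("non-Microsoft binary under System32")
    return reasons


def build_otl_fix(entries):
    """Render an OTL custom fix in the section layout used in this thread.

    Only entries matching rule 1 (no company name) are listed under :OTL, so the
    output mirrors what the helper pasted for FastUv32.dll; the remaining sections
    are emitted empty and the :Commands block is the standard purity/emptytemp/reboot set.
    """
    targets = [e for e in entries if "no company name" in triage_reasons(e)]
    lines = [":OTL"]
    for e in targets:
        # Re-emit the line exactly as OTL printed it; OTL matches it back to the service.
        lines.append(f"SRV - ({e.name} [{e.start} | {e.state}]) -- {e.path} ({e.company})")
    lines.append("")
    for section in (":Services", ":Reg", ":Files"):
        lines.extend([section, ""])
    lines.extend([":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"])
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    for entry in parsed:
        flags = triage_reasons(entry)
        print(f"{entry.name:32} {entry.path:50} {', '.join(flags) or 'ok'}")
    print()
    print(build_otl_fix(parsed))
```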

#12
Sauron2029

    Member

  • Topic Starter
  • Member
  • 12 posts
Here are the requested logs:

OTL Log:

All processes killed
========== OTL ==========
Service\Driver FastUserSwitchingCompatibility stopped successfully.
Service\Driver FastUserSwitchingCompatibility deleted successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\FastUv32.dll
C:\Windows\System32\FastUv32.dll NOT unregistered.
C:\Windows\System32\FastUv32.dll moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Brandon
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Brandon.Rodan242
->Temp folder emptied: 379284 bytes
->Temporary Internet Files folder emptied: 5576121 bytes
->Java cache emptied: 13699548 bytes
->FireFox cache emptied: 146981799 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 24526 bytes

User: BRANDO~1~ROD
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 170500 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 159.10 mb


OTL by OldTimer - Version 3.0.10.7 log created on 09032009_154621

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Kaspersky Online Scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 3, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 04, 2009 00:23:21
Records in database: 2744041
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 172323
Threats found: 2
Infected objects found: 1
Suspicious objects found: 1
Scan duration: 02:54:58


File name / Threat / Threats count
C:\Users\Brandon.Rodan242\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\73C65A36-000000AE.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\_OTL\MovedFiles\09032009_154621\Windows\System32\FastUv32.dll Infected: Backdoor.Win32.Agent.akgj 1

Selected area has been scanned.
  • 0

#13
hammerman
    Member 4k
  • Member
  • 4,183 posts
Hello,

You have a suspicious e-mail in your Sent Items folder. After we remove that, can you give me an update on your svchost.exe problem? Do you have a Windows Vista CD/DVD?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Users\Brandon.Rodan242\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\73C65A36-000000AE.eml 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.

THEN..

Run OTL and select Minimal Output. Use the Quick Scan button to start a scan.
Please post the OTL report in your reply.
  • 0

#14
Sauron2029
    Member
  • Topic Starter
  • Member
  • 12 posts
Svchost has not crashed since running OTL the first time. I do indeed have the original Vista disc.

Here is the log from OTL after running the custom script:

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Users\Brandon.Rodan242\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\73C65A36-000000AE.eml moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Brandon
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Brandon.Rodan242
->Temp folder emptied: 81637313 bytes
->Temporary Internet Files folder emptied: 433669 bytes
->Java cache emptied: 128020 bytes
->FireFox cache emptied: 41135736 bytes
->Google Chrome cache emptied: 6993165 bytes
->Apple Safari cache emptied: 0 bytes

User: BRANDO~1~ROD
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\Windows\temp\mcmsc_8TZ3jA5LuyJf95f scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mcmsc_I6PnbbxoD2yqBZS scheduled to be deleted on reboot.
Windows Temp folder emptied: 25634 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.31 mb


OTL by OldTimer - Version 3.0.10.7 log created on 09042009_170215

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\mcmsc_8TZ3jA5LuyJf95f not found!
File\Folder C:\Windows\temp\mcmsc_I6PnbbxoD2yqBZS not found!

Registry entries deleted on Reboot...

Here is the log from the OTL Quick Scan:

OTL logfile created on: 9/4/2009 5:15:05 PM - Run 3
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\Brandon.Rodan242\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.46 Mb Total Physical Memory | 488.38 Mb Available Physical Memory | 47.77% Memory free
2.24 Gb Paging File | 1.66 Gb Available in Paging File | 74.01% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 29.40 Gb Free Space | 39.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 74.53 Gb Total Space | 34.72 Gb Free Space | 46.59% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RODAN242
Current User Name: Brandon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
PRC - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\Windows\System32\CtHelper.exe (Creative Technology Ltd)
PRC - C:\Windows\System32\Ctxfihlp.exe (Creative Technology Ltd)
PRC - C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Windows\System32\CTXFISPI.EXE (Creative Technology Ltd)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Users\Brandon.Rodan242\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Creative ALchemy AL1 Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe (Creative Labs)
SRV - (CTAudSvcService [Auto | Running]) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (Eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Stopped]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [Disabled | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (nvsvc [Auto | Running]) -- C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\Windows\System32\HPZipm12.dll (Hewlett-Packard)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WinDefend [Auto | Stopped]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc [Auto | Stopped]) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc [On_Demand | Stopped]) -- C:\Windows\System32\ZuneWlanCfgSvc.exe (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kaijuphile.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.kaijuphile.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.4.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/13 21:48:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/15 22:33:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/02 16:18:39 | 00,000,000 | ---D | M]

[2008/09/13 13:04:52 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Extensions
[2008/09/13 13:04:52 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/03 16:21:37 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions
[2009/07/14 16:48:56 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/04 23:54:51 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\mozilla\Firefox\Profiles\m6uiopqu.default\extensions\[email protected]
[2009/09/03 16:21:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/14 20:23:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/01/19 15:29:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/03/09 17:42:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/07/13 02:19:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/09/02 16:18:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/08/14 20:23:28 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/14 20:23:28 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/04/10 17:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2008/03/19 19:23:20 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/09/02 16:17:57 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/02/06 12:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/08/14 20:23:30 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/01/06 11:10:08 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/01/06 11:10:09 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/04/16 10:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2009/07/15 11:10:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/15 11:10:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/15 11:10:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/15 11:10:00 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/15 11:10:00 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/15 11:10:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/15 11:10:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTHelper] C:\Windows\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\Windows\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\Windows\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] C:\Users\Brandon.Rodan242\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader2.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/09/03 15:46:21 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/02 16:42:40 | 00,041,631 | ---- | C] () -- C:\Windows\System32\certstore.dat
[2009/09/02 16:21:26 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/02 16:21:24 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/09/02 16:21:22 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/09/02 16:21:22 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/02 16:16:11 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Brandon.Rodan242\Desktop\mbam-setup.exe
[2009/08/31 16:58:13 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Local\temp
[2009/08/31 16:57:03 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/08/30 22:49:39 | 00,229,376 | ---- | C] () -- C:\Windows\PEV.exe
[2009/08/30 22:49:39 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/08/30 22:49:39 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/08/30 22:49:39 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/08/30 22:49:39 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/08/30 22:49:39 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/08/30 22:49:39 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/08/30 22:49:39 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/08/30 22:48:41 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/30 22:46:50 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\Desktop\SysProt
[2009/08/26 18:17:20 | 00,000,000 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\settings.dat
[2009/08/26 17:39:15 | 00,000,000 | ---D | C] -- C:\Users\Brandon.Rodan242\AppData\Local\MigWiz
[2009/08/25 15:55:10 | 10,727,79264 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/24 12:23:06 | 01,468,245 | -H-- | C] () -- C:\Users\Brandon.Rodan242\AppData\Local\IconCache.db
[2009/08/24 11:05:34 | 00,000,000 | ---D | C] -- C:\Toolbox
[2009/08/24 10:44:11 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\OTL.exe
[2009/08/24 10:41:21 | 00,472,064 | ---- | C] ( ) -- C:\Users\Brandon.Rodan242\Desktop\RootRepeal.exe
[2009/08/24 10:38:41 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/08/24 10:38:17 | 00,000,733 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\NTREGOPT.lnk
[2009/08/24 10:38:17 | 00,000,714 | ---- | C] () -- C:\Users\Brandon.Rodan242\Desktop\ERUNT.lnk
[2009/08/24 10:38:17 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/24 10:35:03 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Users\Brandon.Rodan242\Desktop\SysRestorePoint.exe
[2009/08/24 10:05:53 | 00,272,384 | ---- | C] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\TFC.exe

========== Files - Modified Within 14 Days ==========

[2009/09/04 17:13:14 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/09/04 17:13:14 | 00,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/09/04 17:13:07 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/09/04 17:13:00 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/09/04 17:12:52 | 10,727,79264 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/04 17:12:09 | 00,054,400 | ---- | M] () -- C:\Windows\System32\BMXStateBkp-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/09/04 17:12:09 | 00,054,400 | ---- | M] () -- C:\Windows\System32\BMXState-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/09/04 17:12:09 | 00,000,788 | ---- | M] () -- C:\Windows\System32\DVCState-{00000002-00000000-00000008-00001102-00000005-00311102}.rfx
[2009/09/03 20:23:51 | 01,468,245 | -H-- | M] () -- C:\Users\Brandon.Rodan242\AppData\Local\IconCache.db
[2009/09/03 20:22:04 | 00,000,934 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
[2009/09/03 17:16:58 | 00,000,396 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job
[2009/09/02 16:42:40 | 00,041,631 | ---- | M] () -- C:\Windows\System32\certstore.dat
[2009/09/02 16:21:26 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/02 16:16:26 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Brandon.Rodan242\Desktop\mbam-setup.exe
[2009/08/31 21:53:28 | 00,054,156 | -H-- | M] () -- C:\Windows\QTFont.qfn
[2009/08/31 21:22:02 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
[2009/08/31 16:47:11 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/08/31 16:46:41 | 00,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/08/31 16:10:35 | 19,240,7705 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/08/26 18:17:20 | 00,000,000 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\settings.dat
[2009/08/24 10:44:11 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\OTL.exe
[2009/08/24 10:41:22 | 00,472,064 | ---- | M] ( ) -- C:\Users\Brandon.Rodan242\Desktop\RootRepeal.exe
[2009/08/24 10:38:17 | 00,000,733 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\NTREGOPT.lnk
[2009/08/24 10:38:17 | 00,000,714 | ---- | M] () -- C:\Users\Brandon.Rodan242\Desktop\ERUNT.lnk
[2009/08/24 10:35:07 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Users\Brandon.Rodan242\Desktop\SysRestorePoint.exe
[2009/08/24 10:05:54 | 00,272,384 | ---- | M] (OldTimer Tools) -- C:\Users\Brandon.Rodan242\Desktop\TFC.exe
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\Windows\PEV.exe

========== LOP Check ==========

[2009/09/01 16:14:39 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming
[2007/11/19 21:29:04 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\acccore
[2007/12/21 20:55:59 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Atari
[2008/01/27 14:01:11 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\ATI
[2009/08/03 15:57:09 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Canon
[2007/11/23 16:27:54 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\GlobalSCAPE
[2007/12/02 15:01:47 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\ID3-TagIT 3
[2008/07/09 19:35:29 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Ideazon
[2007/11/25 13:11:18 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\ieSpell
[2006/11/02 05:37:34 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Media Center Programs
[2008/07/09 20:29:18 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Move Networks
[2009/04/22 16:52:38 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\NetMedia Providers
[2007/11/23 16:57:03 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Opera
[2007/12/28 17:19:26 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\OverDrive
[2009/04/22 16:52:37 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Publish Providers
[2009/02/24 10:36:24 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\Smart Recorder
[2009/06/23 16:33:16 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\SpinTop Games
[2008/05/18 08:20:16 | 00,000,000 | ---D | M] -- C:\Users\Brandon.Rodan242\AppData\Roaming\SQLyog
[2009/08/31 21:22:02 | 00,000,882 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000Core.job
[2009/09/03 20:22:04 | 00,000,934 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2979632154-2472622693-673311761-1000UA.job
[2009/08/20 17:15:52 | 00,000,344 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job
[2009/08/20 17:15:52 | 00,000,322 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job
[2009/09/04 17:13:07 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/09/04 17:11:57 | 00,032,604 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/09/03 17:16:58 | 00,000,396 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{9F67757F-5FC7-4EE1-AFA1-2F404C3EEA2B}.job

========== Purity Check ==========


< End of report >
  • 0

#15
hammerman
    Member 4k
  • Member
  • 4,183 posts
Hello,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2009/09/02 16:42:40 | 00,041,631 | ---- | C] () -- C:\Windows\System32\certstore.dat
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.

  • 0
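Hammerman's fix above singles out certstore.dat from the "Created Within 14 Days" list: a file under System32 whose OTL entry shows no company name in the parentheses. The Python below is an added example, not OTL's code and not anything posted in this thread: it parses OTL file entries in that format and applies the same triage filter. The sample lines are copied from the Quick Scan log above; the filter rule itself (newly created file under C:\Windows with an empty company field) is an assumption about how a helper triages such a list, not OTL's own logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One OTL file/folder entry looks like:
#   [2009/09/02 16:42:40 | 00,041,631 | ---- | C] () -- C:\Windows\System32\certstore.dat
# fields: timestamp | size (comma-grouped) | attribute flags (D = directory, H, S, ...)
#         | C (created within the scan window) or M (modified) ], then an optional
#         "(Company Name)" taken from the file's version info, then " -- " and the path.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    kind: str      # "C" or "M"
    company: str   # "" when OTL printed "()", "( )" or no parentheses at all (directories)
    path: str

    @property
    def is_directory(self) -> bool:
        return "D" in self.attrs


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL entry line; return None for section headers, blanks and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=(m.group("company") or "").strip(),
        path=m.group("path"),
    )


def parse_log(text: str) -> List[OtlEntry]:
    """Collect every entry line from a pasted OTL report, skipping everything else."""
    parsed = (parse_entry(line) for line in text.splitlines())
    return [e for e in parsed if e is not None]


# Assumed triage rule, not OTL's own logic: a newly created *file* under %SystemRoot%
# whose entry carries no company name is worth a human look, because legitimate
# system binaries almost always ship version info with a company field.
SYSTEM_ROOT = "c:\\windows\\"


def review_candidates(entries: List[OtlEntry]) -> List[str]:
    """Return the paths matching the triage rule, in log order."""
    return [
        e.path
        for e in entries
        if e.kind == "C"
        and not e.is_directory
        and not e.company
        and e.path.lower().startswith(SYSTEM_ROOT)
    ]


# Sample input: lines copied from the "Created Within 14 Days" section of the log above.
SAMPLE_LOG = r"""
========== Files/Folders - Created Within 14 Days ==========

[2009/09/03 15:46:21 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/02 16:42:40 | 00,041,631 | ---- | C] () -- C:\Windows\System32\certstore.dat
[2009/09/02 16:21:22 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/09/02 16:16:11 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Brandon.Rodan242\Desktop\mbam-setup.exe
[2009/08/30 22:49:39 | 00,229,376 | ---- | C] () -- C:\Windows\PEV.exe
[2009/08/25 15:55:10 | 10,727,79264 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/24 10:41:21 | 00,472,064 | ---- | C] ( ) -- C:\Users\Brandon.Rodan242\Desktop\RootRepeal.exe
"""

if __name__ == "__main__":
    for path in review_candidates(parse_log(SAMPLE_LOG)):
        print("review:", path)
```

A hit is a candidate for the helper to look at, not a verdict: PEV.exe in the sample is listed purely because its entry has no company name, the same reason certstore.dat was picked for the fix.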





