Redirect Virus? Malwarebytes won't run. Unable to execute file err


This topic is locked

#16
heir
    Trusted Helper
  • Malware Removal
  • 5,427 posts
Let's have a look with another scanner.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#17
Boboli3
    Member
  • Topic Starter
  • 39 posts
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-27 08:44:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BOBTAN~1\LOCALS~1\Temp\fgldqpob.sys


---- System - GMER 1.0.15 ----

SSDT 8A672B68 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA45A3DC0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA45A4020]

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4168] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 010126D2 C:\WINDOWS\system32\wopoliro.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01012DD0 C:\WINDOWS\system32\wopoliro.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[4168] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [02462070] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4168] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [024620B0] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4168] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [02462030] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4168] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [02462000] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4168] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [02464C50] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SGEFLT.SYS (PnP Disk Filter Driver/Utimaco Safeware AG)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\DefWatch.exe [176] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\ehome\mcrdsvc.exe [316] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [648] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [680] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [772] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [812] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [952] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1000] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1012] 0x10000000
Library C:\WINDOWS\system32\fapilizu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1012] 0x00D90000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1068] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [1228] 0x005F0000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1292] 0x10000000
Library C:\WINDOWS\System32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1440] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [1508] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [1544] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1648] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1772] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [1824] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1900] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [1960] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe [2060] 0x00DB0000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [2160] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe [2468] 0x00D50000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Toshiba\Tvs\TvsTray.exe [2732] 0x00BA0000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\TPSODDCtl.exe [2744] 0x003A0000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\TPSMain.exe [2756] 0x003B0000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe [2788] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\thpsrv.exe [2796] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\SgLogPlayer.exe [2812] 0x005D0000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2888] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2976] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\ltmoh\Ltmoh.exe [3004] 0x00860000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\Apoint.exe [3016] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\TPSBattM.exe [3020] 0x00A30000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [3060] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [3072] 0x00B30000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\Rtvscan.exe [3092] 0x00A10000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe [3328] 0x00B20000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [3340] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [3352] 0x10000000
Library C:\WINDOWS\System32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3628] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\ThpSrv.exe [3632] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\Apntex.exe [3848] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\RAMASST.exe [3892] 0x00B90000

---- Services - GMER 1.0.15 ----

Service system32\drivers\SKYNETvwwgklcl.sys (*** hidden *** ) [SYSTEM] SKYNETjcjsieah <-- ROOTKIT !!!
Service system32\drivers\UACkxoufdtinm.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah@imagepath \systemroot\system32\drivers\SKYNETvwwgklcl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\drivers\SKYNETvwwgklcl.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETwpjpsaho.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETqcdltepy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETkienorpt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETqguxpult.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkxoufdtinm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACkxoufdtinm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcmptttnpax.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah@imagepath \systemroot\system32\drivers\SKYNETvwwgklcl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\drivers\SKYNETvwwgklcl.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETwpjpsaho.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETqcdltepy.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETkienorpt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjcjsieah\[email protected] \systemroot\system32\SKYNETqguxpult.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkxoufdtinm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACkxoufdtinm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcmptttnpax.dll

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
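An added example (not part of the thread and not GMER's own code): a Python triage script for the GMER log format pasted above. It groups the entries a helper reads first: SSDT hooks with no module behind them, inline JMP hooks landing in a module GMER could not label with a vendor, DLLs marked hidden inside processes, hidden services flagged ROOTKIT, and disk-sector warnings. The sample log embedded in it is constructed from a few of the lines above.

```python
"""Triage helper for GMER rootkit-scanner logs (added example, not GMER code).

Parses the plain-text sections GMER prints and sorts the entries a helper
reads first into buckets; the report is data, so it can be asserted on.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# "SSDT <owner> Zw<Func> [0x..]"; owner is a bare address when GMER found no module.
SSDT_RE = re.compile(r"^SSDT (?P<owner>.+?) (?P<func>Zw\w+)(?: \[(?P<addr>0x[0-9A-F]+)\])?$")
# ".text <proc>[pid] dll!Func <addr> N Bytes JMP <target> <module> [(desc/vendor)]"
HOOK_RE = re.compile(r"^\.text (?P<proc>.+?\[\d+\]) (?P<func>\S+) (?P<addr>[0-9A-F]+) "
                     r"(?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]+) (?P<module>.+)$")
HIDDEN_LIB_RE = re.compile(r"^Library (?P<dll>.+?) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) "
                           r"\[(?P<pid>\d+)\] (?P<base>0x[0-9A-F]+)$")
HIDDEN_SVC_RE = re.compile(r"^Service (?P<image>.+?) \(\*\*\* hidden \*\*\* \) \[(?P<state>\w+)\] "
                           r"(?P<name>\S+)(?P<flag> <-- ROOTKIT !!!)?$")
DISK_RE = re.compile(r"^Disk (?P<device>\S+) sector (?P<sector>\d+): (?P<desc>[^;]+);?$")
VENDOR_RE = re.compile(r"\((?P<desc>[^()/]*)/(?P<vendor>[^()]*)\)\s*$")  # "(Description/Vendor)"

PARSERS = {
    "System": SSDT_RE,
    "User code sections": HOOK_RE,
    "Processes": HIDDEN_LIB_RE,
    "Services": HIDDEN_SVC_RE,
    "Disk sectors": DISK_RE,
}

# Constructed sample: a few lines in the shape of the log in the post above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT 8A672B68 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA45A3DC0]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 010126D2 C:\WINDOWS\system32\wopoliro.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4168] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 01012DD0 C:\WINDOWS\system32\wopoliro.dll
---- Processes - GMER 1.0.15 ----
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [952] 0x10000000
Library C:\WINDOWS\system32\dezudesu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1012] 0x10000000
Library C:\WINDOWS\system32\fapilizu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1012] 0x00D90000
---- Services - GMER 1.0.15 ----
Service system32\drivers\SKYNETvwwgklcl.sys (*** hidden *** ) [SYSTEM] SKYNETjcjsieah <-- ROOTKIT !!!
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
"""


def vendor_of(text):
    """Vendor from GMER's trailing '(Description/Vendor)' label, or None."""
    m = VENDOR_RE.search(text)
    return m.group("vendor") if m else None


def parse_gmer_log(text):
    """Map each known section name to the entries (dicts) parsed from it."""
    entries = defaultdict(list)
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("name")
            continue
        rx = PARSERS.get(section)
        m = rx.match(line) if rx and line else None
        if m:
            entries[section].append(m.groupdict())
    return entries


def triage(entries):
    """Sort parsed entries into the buckets a helper acts on."""
    report = defaultdict(list)
    for e in entries["System"]:
        if vendor_of(e["owner"]) is None:  # hook with no identifiable module behind it
            report["ssdt_unattributed"].append(e["func"])
    for e in entries["User code sections"]:
        bucket = "inline_hook_labelled" if vendor_of(e["module"]) else "inline_hook_unlabelled"
        report[bucket].append((e["func"], e["module"]))
    for e in entries["Processes"]:
        report["hidden_dll"].append((e["dll"], e["proc"], int(e["pid"])))
    for e in entries["Services"]:
        if e["flag"]:
            report["hidden_service"].append((e["name"], e["image"]))
    for e in entries["Disk sectors"]:
        report["disk_sector"].append((e["device"], e["sector"], e["desc"]))
    return report


def injected_processes(report, dll_name):
    """Distinct process images in which a hidden DLL (by file name) was found."""
    return sorted({proc for dll, proc, _ in report["hidden_dll"]
                   if dll.lower().endswith("\\" + dll_name.lower())})


if __name__ == "__main__":
    rep = triage(parse_gmer_log(SAMPLE_LOG))
    for bucket, items in rep.items():
        print(bucket, *items, sep="\n    ")
    print("dezudesu.dll seen in:", injected_processes(rep, "dezudesu.dll"))
```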

#18
heir
    Trusted Helper
  • Malware Removal
  • 5,427 posts
We'll get back to that MBR Rootkit.

Let's take care of the other rootkits.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 2
Link 3

--------------------------------------------------------------------

Double click on Gotya.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.


#19
Boboli3
    Member
  • Topic Starter
  • 39 posts
ComboFix 09-10-26.06 - Bob Tan 10/27/2009 10:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1368 [GMT -7:00]
Running from: c:\documents and settings\Bob Tan\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
ADS - WINDOWS: deleted 72 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bob Tan\Application Data\inst.exe
c:\program files\Shared
c:\program files\Shared\lib.sig
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\balayoyu.dll
c:\windows\system32\dezudesu.dll.tmp
c:\windows\system32\duhofele.dll
c:\windows\system32\duzibofa.dll
c:\windows\system32\fapilizu.dll.tmp
c:\windows\system32\jaguvonu.dll
c:\windows\system32\jahomayo.dll
c:\windows\system32\levukote.dll
c:\windows\system32\mabagasu.dll
c:\windows\system32\puyepidu.dll.tmp
c:\windows\system32\ruvubeye.dll
c:\windows\system32\sekanawo.dll
c:\windows\system32\tapubanu.dll
c:\windows\system32\tevuyupu.dll
c:\windows\system32\tuduriro.dll
c:\windows\system32\UACidetvknkuj.db
c:\windows\system32\vENXFfhk.ini
c:\windows\system32\vENXFfhk.ini2
c:\windows\system32\wopoliro.dll
c:\windows\system32\ziwupume.dll
c:\windows\Tasks\ihnlenxj.job
c:\windows\wiaservv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETjcjsieah
-------\Legacy_UACd.sys
-------\Service_SKYNETjcjsieah
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-26 14:33 . 2009-10-26 14:33 77312 ----a-w- C:\mbr.exe
2009-10-26 05:13 . 2009-02-11 17:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 05:13 . 2009-02-11 17:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 05:13 . 2009-10-27 01:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 16:13 . 2009-10-25 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1
2009-10-16 04:14 . 2009-10-16 04:14 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\Verizon Wireless
2009-10-15 17:42 . 2009-10-15 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2009-10-15 17:41 . 2009-10-15 17:41 -------- d-----w- c:\program files\Verizon Wireless
2009-10-01 02:48 . 2009-10-01 02:48 -------- d-----w- c:\program files\Microsoft
2009-10-01 02:48 . 2009-10-01 02:48 -------- d-----w- c:\program files\Windows Live SkyDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 17:11 . 2009-08-13 19:22 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-26 19:27 . 2006-08-19 03:02 -------- d-----w- c:\program files\Common Files\AOL
2009-10-26 03:27 . 2007-09-15 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-10-19 16:13 . 2009-09-12 06:27 -------- d-----w- c:\program files\The Greek Poker
2009-10-15 02:05 . 2006-08-19 01:16 -------- d-----w- c:\program files\Microsoft Works
2009-09-30 16:49 . 2009-07-23 00:46 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\Vso
2009-09-30 16:49 . 2009-07-23 00:46 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-09-30 16:49 . 2009-07-23 00:46 47360 ----a-w- c:\documents and settings\Bob Tan\Application Data\pcouffin.sys
2009-09-30 16:49 . 2009-07-23 03:55 -------- d-----w- c:\program files\DVDFab 6
2009-09-16 23:08 . 2006-08-19 02:16 59168 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 05:51 . 2008-02-18 01:07 -------- d-----w- c:\documents and settings\Bob Tan\Application Data\U3
2009-09-16 05:13 . 2009-09-11 06:08 137568 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-16 04:50 . 2009-09-11 05:00 -------- d-----w- c:\program files\Linksys
2009-09-16 03:38 . 2009-09-11 06:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:18 . 2006-08-18 23:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 06:06 . 2009-09-11 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Linksys
2009-09-11 05:04 . 2009-09-11 05:04 -------- d-----w- c:\program files\WebEx
2009-09-11 05:03 . 2006-08-19 02:20 -------- d-----w- c:\program files\Java
2009-09-09 18:27 . 2006-08-19 01:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 06:31 . 2009-09-08 05:46 1376 ----a-w- c:\windows\checkip.dat
2009-09-04 21:03 . 2006-08-18 23:47 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-08-18 23:48 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-08-18 23:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-08-18 23:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-08-18 23:49 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 22:09 . 2009-08-20 22:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-11 17:02 . 2009-08-11 17:02 61224 ----a-w- c:\documents and settings\Bob Tan\GoToAssistDownloadHelper.exe
2009-08-05 09:01 . 2006-08-18 23:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2006-08-18 23:48 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-27 04:04 . 2009-07-27 04:04 51200 --sha-w- c:\windows\system32\lerajune.dll
2009-07-27 04:03 . 2009-07-27 04:03 51200 --sha-w- c:\windows\system32\tomavita.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bebbed3-2118-400f-b8e5-378910ec78bc}]
2009-07-27 04:04 51200 --sha-w- c:\windows\system32\lerajune.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
@="{ba930330-a721-11d3-a7b9-00500464ee16}"
[HKEY_CLASSES_ROOT\CLSID\{ba930330-a721-11d3-a7b9-00500464ee16}]
2006-04-13 00:31 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
@="{2030D939-54A7-4fea-9B06-49EA77EFC87F}"
[HKEY_CLASSES_ROOT\CLSID\{2030D939-54A7-4fea-9B06-49EA77EFC87F}]
2006-04-13 00:31 77824 ----a-w- c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="thpsrv" [X]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-04-13 24576]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2006-04-13 245760]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"TPSODDCtl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2006-04-25 110592]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2006-04-25 315392]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 23:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 19:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Principia Online Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk
backup=c:\windows\pss\Principia Online Update.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\WINDOWS\\system32\\SgLogPlayer.exe"=
"c:\\WINDOWS\\system32\\ThpSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [4/12/2006 5:32 PM 18464]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [4/12/2006 5:34 PM 61466]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [12/27/2004 11:31 PM 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [8/18/2006 7:17 PM 6144]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 6:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 5:59 PM 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 5:33 PM 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 11:50 AM 98816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/30/2008 12:37 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:02 PM 102448]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\DRIVERS\PTDCWWAN.sys --> c:\windows\system32\DRIVERS\PTDCWWAN.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 7:03 PM 32408]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [12/2/2007 6:55 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [12/2/2007 6:55 PM 44928]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://desktop.google.com/uninstall-feedback.html?hl=en
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageservr.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: turbotax.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: imageservr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Handler: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - c:\progra~1\NETEXC~1.0\FlowHook.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{4AED1C2F-9ACE-4FDB-8493-ED1C9F4CD6F6} - c:\windows\system32\khfFXNEv.dll
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-hopidajuj - c:\windows\system32\mabagasu.dll
HKLM-Run-kutigoraha - tevuyupu.dll
SharedTaskScheduler-{ffe847bf-de1a-4e35-843d-a8cf328da22b} - c:\windows\system32\mabagasu.dll
SSODL-nerokoduk-{ffe847bf-de1a-4e35-843d-a8cf328da22b} - c:\windows\system32\mabagasu.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 10:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\SGGINA.DLL
c:\windows\system32\vrlogon.dll
c:\windows\system32\SGEGINA.DLL
c:\program files\Utimaco\SafeGuard Easy\CMFCAPI.DLL
c:\program files\Utimaco\SafeGuard Easy\FLTAPI.dll
c:\program files\Utimaco\SafeGuard Easy\SGE_INFO0409.DLL
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\LogMsgApp.Dll
c:\windows\system32\LogData.dll
c:\windows\system32\SGLogEx.dll
c:\windows\system32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'Explorer.exe'(356)
c:\windows\system32\WININET.dll
c:\program files\Utimaco\SafeGuard Easy\SgMsgBhk.dll
c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system32\lerajune.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Utimaco\SafeGuard Easy\SGEDRV.dll
c:\program files\Utimaco\SafeGuard Easy\FLTAPI.DLL
c:\program files\Utimaco\SafeGuard Easy\SGEAPI.dll
c:\program files\Utimaco\SafeGuard Easy\CfgApi.dll
c:\program files\Utimaco\SafeGuard Easy\SgeRmd.dll
c:\program files\Utimaco\SafeGuard Easy\RandSeed.dll
c:\program files\Utimaco\SafeGuard Easy\CmfcApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Utimaco\SafeGuard Easy\SgeClient.exe
c:\program files\Utimaco\SafeGuard Easy\SgeCtl.exe
c:\windows\system32\SgLogPlayer.exe
c:\combofix\CF19142.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\thpsrv.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\dllhost.exe
c:\program files\Apoint2K\Apntex.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 10:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 17:24

Pre-Run: 55,894,368,256 bytes free
Post-Run: 55,747,907,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /forceresetreg

- - End Of File - - 95E32991B4F937AB78D00EA7529ACEA5

#20
Boboli3 (Member, Topic Starter, 39 posts)
Heir,

I have noticed since I ran the combofix that my machine is running quite a bit faster. It will still not allow me to run malwarebytes though. Thanks for all the help!! I really appreciate it.

#21
heir (Trusted Helper, Malware Removal, 5,427 posts)
Looking a bit better.
That indication of an MBR rootkit needs to be investigated though.

Step 1.
mbr:

Goto Start -> Run...

Copy this line:

C:\mbr.exe

into the run box and click OK. A log, C:\mbr.log, will be created; post its content.

Step 2.
RootRepeal:

Download RootRepeal from one of the following locations and save it to your desktop:
  • Link 1
  • Link 2
  • Link 3
  • Double click the RootRepeal icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Step 3.
GMER:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Step 4.
OTL:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window with OTL.Txt that's saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of that file and post it with your next reply.

Step 5.
Things I would like to see in your reply:

  • The content of C:\mbr.log from step 1.
  • The content of RootRepeal.txt from step 2.
  • The content of GMER.txt from step 3.
  • The content of OTL.txt from step 4.
  • Information on how your computer is running now


#22
heir (Trusted Helper, Malware Removal, 5,427 posts)
Comment on my previous post.
There is no need to download RootRepeal, GMER and OTL again.
Use the ones already downloaded. (my mistake :) )
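Once the GMER and RootRepeal logs asked for in the steps above come back, the first reading pass can be automated. The following is an added example (not part of this thread and not code from GMER or RootRepeal) that parses the SSDT, disk-sector and MBR lines of both log formats, flags hooks that neither tool can attribute to a named module, and checks whether both tools report the same unattributed hook address; the sample log lines are constructed, modelled on the formats these tools print.

```python
"""Triage helper for GMER and RootRepeal text logs (added example, not the tools' code).
It only reads log text and lists what deserves a closer look; it changes nothing on the
machine, in keeping with the caution above not to act on entries unless advised."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# GMER SSDT line attributed to a module, e.g.
#   SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA4B07020]
GMER_SSDT_KNOWN = re.compile(
    r"^SSDT\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
# GMER SSDT line with only an address: the hook points outside any module GMER could name, e.g.
#   SSDT 8A662570 ZwConnectPort
GMER_SSDT_UNKNOWN = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")
# GMER disk-sector verdict, e.g.  Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
GMER_DISK = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<verdict>[^;]+)")
# RootRepeal prints the function on one line and the hook status on the next, e.g.
#   #: 031 Function Name: NtConnectPort
#   Status: Hooked by "<unknown>" at address 0x8a662570
RR_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s+(?P<func>\w+)")
RR_HOOK = re.compile(r'^Status:\s+Hooked by "(?P<module>[^"]+)" at address 0x(?P<addr>[0-9A-Fa-f]+)')
RR_MBR = re.compile(r"^Status:\s+MBR Rootkit Detected!")

@dataclass
class Finding:
    source: str                 # "gmer" or "rootrepeal"
    kind: str                   # "ssdt_hook", "ssdt_unknown", "disk" or "mbr"
    severity: str               # "info" (hook attributed to a named module) or "investigate"
    detail: str
    addr: Optional[str] = None  # hook address as upper-case hex, when the line carries one

def triage(log_text: str) -> List[Finding]:
    """Parse one log in either GMER or RootRepeal format into a list of Findings."""
    findings: List[Finding] = []
    pending_func = "?"  # carries RootRepeal's function name over to the Status line after it
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := GMER_SSDT_KNOWN.match(line):
            findings.append(Finding("gmer", "ssdt_hook", "info",
                                    f"{m['func']} hooked by {m['module']} ({m['vendor']})", m["addr"].upper()))
        elif m := GMER_SSDT_UNKNOWN.match(line):
            findings.append(Finding("gmer", "ssdt_unknown", "investigate",
                                    f"{m['func']} hooked at 0x{m['addr']} by no identifiable module", m["addr"].upper()))
        elif m := GMER_DISK.match(line):
            verdict = m["verdict"].strip()
            severity = "investigate" if "rootkit" in verdict.lower() else "info"
            findings.append(Finding("gmer", "disk", severity, f"{m['device']} sector {m['sector']}: {verdict}"))
        elif m := RR_FUNC.match(line):
            pending_func = m["func"]
        elif m := RR_HOOK.match(line):
            unknown = m["module"] == "<unknown>"
            findings.append(Finding("rootrepeal", "ssdt_unknown" if unknown else "ssdt_hook",
                                    "investigate" if unknown else "info",
                                    f"{pending_func} hooked by {m['module']} at 0x{m['addr']}", m["addr"].upper()))
            pending_func = "?"
        elif RR_MBR.match(line):
            findings.append(Finding("rootrepeal", "mbr", "investigate", "MBR rootkit reported on a volume"))
    return findings

def needs_investigation(log_text: str) -> List[Finding]:
    return [f for f in triage(log_text) if f.severity == "investigate"]

def corroborated_unknown_hooks(gmer_text: str, rootrepeal_text: str) -> Set[str]:
    """Addresses of unattributed SSDT hooks that BOTH tools report; agreement between two
    independent scanners makes a single tool's false positive a weaker explanation."""
    gmer = {f.addr for f in triage(gmer_text) if f.kind == "ssdt_unknown"}
    rr = {f.addr for f in triage(rootrepeal_text) if f.kind == "ssdt_unknown"}
    return gmer & rr

# Constructed sample logs, modelled on the line formats the two tools print.
SAMPLE_GMER = r"""---- System - GMER 1.0.15 ----
SSDT 8A662570 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA4B06DC0]
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
"""
SAMPLE_ROOTREPEAL = r"""Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a662570

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa4b06dc0
"""

if __name__ == "__main__":
    for name, text in (("GMER", SAMPLE_GMER), ("RootRepeal", SAMPLE_ROOTREPEAL)):
        for f in needs_investigation(text):
            print(f"[{name}] {f.kind}: {f.detail}")
    print("unattributed hooks reported by both tools:", corroborated_unknown_hooks(SAMPLE_GMER, SAMPLE_ROOTREPEAL))
```

Hooks attributed to a named, recognisable vendor module (the Symantec lines here) are reported as informational, while a hook with no module behind it or a disk-sector verdict mentioning a rootkit is queued for a human to look at.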

#23
Boboli3 (Member, Topic Starter, 39 posts)
Step 1:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully

Step 2: Same problem; it gave me the same errors.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/27 11:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA46C7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A01000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\BOBTAN~1\LOCALS~1\Temp\mbr.sys
Address: 0xB765C000 Size: 20864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA390E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a662570

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa4b06dc0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa4b07020

==EOF==

Step 3:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-27 11:11:23
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BOBTAN~1\LOCALS~1\Temp\fgldqpob.sys


---- System - GMER 1.0.15 ----

SSDT 8A662570 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA4B06DC0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA4B07020]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\BOBTAN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2080] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\internet explorer\iexplore.exe[2080] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [02132070] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\internet explorer\iexplore.exe[2080] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [021320B0] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\internet explorer\iexplore.exe[2080] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [02132030] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\internet explorer\iexplore.exe[2080] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [02132000] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\internet explorer\iexplore.exe[2080] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [02134C50] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [021A2070] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [021A20B0] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [021A2030] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [021A2000] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2196] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [021A4C50] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SGEFLT.SYS (PnP Disk Filter Driver/Utimaco Safeware AG)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\32F36B64A4B252548A72860862EBE504\Usage@SAVUI 995819840

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Step 4:

OTL logfile created on: 10/27/2009 11:13:44 AM - Run 2
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\Bob Tan\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.81% Memory free
3.84 Gb Paging File | 3.32 Gb Available in Paging File | 86.46% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.60 Gb Total Space | 51.95 Gb Free Space | 46.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOB
Current User Name: Bob Tan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/27 11:12:37 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
PRC - [2009/08/26 22:18:44 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\internet explorer\iexplore.exe
PRC - [2009/07/26 16:44:34 | 03,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/06 17:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/06/14 19:57:42 | 00,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\bgsvcgen.exe
PRC - [2007/01/04 14:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/05/25 18:30:16 | 00,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TODDSrv.exe
PRC - [2006/04/24 19:54:14 | 00,110,592 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TPSODDCtl.exe
PRC - [2006/04/24 19:54:12 | 00,315,392 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TPSMain.exe
PRC - [2006/04/24 19:54:04 | 00,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TPSBattM.exe
PRC - [2006/04/12 17:34:24 | 00,024,576 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
PRC - [2006/04/12 17:33:08 | 00,090,112 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
PRC - [2006/04/12 17:30:40 | 00,131,072 | ---- | M] () -- C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
PRC - [2006/04/12 17:26:54 | 00,147,456 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
PRC - [2006/04/09 21:24:28 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2006/02/02 12:11:38 | 00,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Tvs\TvsTray.exe
PRC - [2005/12/20 12:46:20 | 00,176,128 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\ThpSrv.exe
PRC - [2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/11/15 13:28:04 | 00,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/11/15 13:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/11/15 13:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/11/02 16:41:04 | 00,978,944 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2005/10/04 12:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/10/04 12:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/10/04 12:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2005/07/12 17:14:42 | 00,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2005/05/17 11:42:02 | 00,049,152 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
PRC - [2005/03/31 12:27:00 | 00,061,440 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\System32\SgLogPlayer.exe
PRC - [2005/01/17 16:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/12/30 00:32:20 | 00,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
PRC - [2004/08/28 00:37:00 | 00,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\RAMASST.exe
PRC - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\DVDRAMSV.exe
PRC - [2004/08/18 03:37:44 | 00,184,320 | ---- | M] (Agere Systems) -- C:\Program Files\ltmoh\Ltmoh.exe
PRC - [2004/03/23 22:40:42 | 00,196,608 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apoint.exe
PRC - [2003/02/26 11:08:42 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apntex.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/08/16 08:56:16 | 00,309,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [Auto | Stopped])
SRV - [2007/08/16 08:56:14 | 00,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
SRV - [2007/08/16 08:56:10 | 01,092,080 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2007/07/24 05:14:08 | 00,088,560 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [On_Demand | Stopped])
SRV - [2007/07/24 05:14:06 | 00,358,896 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Auto | Stopped])
SRV - [2007/06/14 19:57:42 | 00,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen [Auto | Running])
SRV - [2007/01/04 14:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2006/05/25 18:30:16 | 00,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TODDSrv.exe -- (TODDSrv [Auto | Running])
SRV - [2006/04/12 17:33:08 | 00,090,112 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe -- (SgeCtl [Auto | Running])
SRV - [2006/04/12 17:30:40 | 00,131,072 | ---- | M] () -- C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe -- (SgeClient [Auto | Running])
SRV - [2006/04/12 17:26:54 | 00,147,456 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe -- (WksCfgSrv [Auto | Running])
SRV - [2006/04/09 21:24:28 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005/12/20 12:46:20 | 00,176,128 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\ThpSrv.exe -- (Thpsrv [Auto | Running])
SRV - [2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2005/11/15 13:27:56 | 00,169,200 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2005/11/15 13:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2005/11/15 13:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2005/10/19 17:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2005/10/04 12:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2005/10/04 12:42:48 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2005/10/04 12:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2005/08/03 18:29:52 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
SRV - [2005/07/12 17:14:42 | 00,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr [Auto | Running])
SRV - [2005/03/31 12:27:00 | 00,061,440 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\System32\SgLogPlayer.exe -- (SgLogPlayer [Auto | Running])
SRV - [2005/03/30 21:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
SRV - [2005/01/17 16:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\DVDRAMSV.exe -- (DVD-RAM_Service [Auto | Running])
SRV - [2004/08/10 04:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2003/03/09 22:31:02 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/09/30 09:49:36 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2009/08/27 01:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091026.007\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2009/08/27 01:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/08/27 01:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2009/08/27 01:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091026.007\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/06/05 11:42:38 | 00,039,424 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2009/05/13 23:25:06 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Stopped])
DRV - [2009/05/13 23:24:34 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2009/03/20 19:03:36 | 00,032,408 | ---- | M] (Smith Micro Inc.) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5 [On_Demand | Stopped])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2009/01/09 17:18:02 | 00,027,136 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\System32\DRIVERS\RimSerial.sys -- (RimVSerPort [On_Demand | Running])
DRV - [2008/05/21 09:26:40 | 00,049,904 | R--- | M] (Avanquest Software) -- C:\WINDOWS\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5 [On_Demand | Stopped])
DRV - [2008/05/20 19:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/09/07 20:42:46 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2007/05/01 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2006/06/30 13:21:30 | 01,169,980 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2006/06/28 11:50:00 | 00,098,816 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\tdudf.sys -- (tdudf [Auto | Running])
DRV - [2006/05/30 16:42:52 | 00,045,696 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\Tvs.sys -- (Tvs [On_Demand | Running])
DRV - [2006/05/05 18:00:02 | 00,013,568 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys -- (FdRedir [Auto | Running])
DRV - [2006/05/05 17:59:52 | 00,033,024 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys -- (FileDisk2 [Auto | Running])
DRV - [2006/05/05 17:43:38 | 00,028,800 | ---- | M] (UPEK Inc.) -- C:\WINDOWS\System32\Drivers\tcusb.sys -- (TcUsb [On_Demand | Running])
DRV - [2006/05/05 17:33:04 | 00,003,456 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\smihlp.sys -- (smihlp [Auto | Running])
DRV - [2006/04/12 17:34:42 | 00,061,466 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\SYSTEM32\DRIVERS\SGEFLT.SYS -- (SgeFlt [Boot | Running])
DRV - [2006/04/12 17:32:24 | 00,018,464 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\SYSTEM32\DRIVERS\AES256.SYS -- (AES-256 [Boot | Running])
DRV - [2006/04/01 17:46:28 | 00,471,264 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\DRIVERS\ar5211.sys -- (AR5211 [On_Demand | Stopped])
DRV - [2006/03/21 17:18:58 | 00,179,200 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Stopped])
DRV - [2006/03/02 18:49:00 | 00,015,360 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\System32\DRIVERS\tdcmdpst.sys -- (tdcmdpst [On_Demand | Running])
DRV - [2006/02/28 13:36:20 | 00,176,128 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
DRV - [2006/02/20 02:17:40 | 00,033,408 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv [System | Running])
DRV - [2005/12/26 14:33:26 | 00,016,768 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\TVALZ.SYS -- (TVALZ [Boot | Running])
DRV - [2005/12/13 09:08:44 | 01,124,097 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2005/12/05 01:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w39n51.sys -- (w39n51 [On_Demand | Running])
DRV - [2005/11/30 10:12:36 | 00,162,560 | ---- | M] (Texas Instruments) -- C:\WINDOWS\System32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
DRV - [2005/11/28 12:09:26 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
DRV - [2005/10/19 17:39:04 | 00,195,728 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2005/10/19 17:38:58 | 00,024,720 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2005/10/10 16:31:42 | 00,163,328 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2005/09/17 00:20:06 | 00,108,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2005/09/09 14:47:10 | 00,009,344 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\tosrfec.sys -- (tosrfec [On_Demand | Stopped])
DRV - [2005/08/26 14:22:50 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
DRV - [2005/08/26 14:22:48 | 00,334,984 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2005/08/24 15:20:28 | 00,009,472 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\tbiosdrv.sys -- (tbiosdrv [On_Demand | Running])
DRV - [2005/06/02 03:33:00 | 00,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\System32\Drivers\meiudf.sys -- (meiudf [System | Running])
DRV - [2005/05/27 02:46:22 | 00,913,280 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\LV302AV.SYS -- (PID_08A0 [On_Demand | Stopped])
DRV - [2005/05/27 02:38:00 | 00,007,136 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\lv302af.sys -- (pepifilter [On_Demand | Stopped])
DRV - [2005/05/27 02:31:28 | 00,022,016 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\lvusbsta.sys -- (LVUSBSta [On_Demand | Stopped])
DRV - [2005/03/30 21:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
DRV - [2005/03/04 19:53:00 | 00,127,872 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\AEAudio.sys -- (AEAudioService [On_Demand | Running])
DRV - [2004/12/27 23:31:50 | 00,016,384 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\thpdrv.sys -- (Thpdrv [Boot | Running])
DRV - [2004/11/13 12:24:52 | 00,006,144 | R--- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\Thpevm.SYS -- (Thpevm [Boot | Running])
DRV - [2004/08/10 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/08/10 05:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2004/05/08 20:38:06 | 00,101,833 | ---- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2003/09/19 01:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (Pfc [On_Demand | Running])
DRV - [2003/09/10 23:36:54 | 00,021,060 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\System32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
DRV - [2003/06/24 21:30:18 | 00,727,908 | ---- | M] (Keyspan) -- C:\WINDOWS\System32\DRIVERS\USA19H2k.sys -- (USA19H [On_Demand | Stopped])
DRV - [2003/06/24 21:21:20 | 00,044,928 | ---- | M] (Keyspan) -- C:\WINDOWS\System32\DRIVERS\USA19H2kp.SYS -- (USA19H2KP [On_Demand | Stopped])
DRV - [2003/03/09 22:31:02 | 00,021,456 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2003/03/09 22:31:02 | 00,016,080 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2003/03/09 22:31:00 | 00,051,024 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2003/01/29 14:35:00 | 00,012,032 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys -- (Netdevio [Auto | Running])
DRV - [2003/01/10 13:13:04 | 00,033,588 | R--- | M] (America Online, Inc.) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Stopped])
DRV - [2001/08/17 14:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])

========== Modules (SafeList) ==========

MOD - [2009/10/27 11:12:37 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
MOD - [2009/07/26 21:04:07 | 00,051,200 | -HS- | M] () -- C:\WINDOWS\System32\lerajune.dll
MOD - [2008/04/13 17:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2006/04/12 17:33:06 | 00,024,576 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\SgMsgBhk.dll

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/07 22:42:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/23 18:27:22 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {0bebbed3-2118-400f-b8e5-378910ec78bc} - C:\WINDOWS\System32\lerajune.dll ()
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [EdWizard] C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (Agere Systems)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [ThpSrv] C:\WINDOWS\System32\thpsrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPSODDCtl] C:\WINDOWS\System32\TPSODDCtl.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\System32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: imageservr.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: onerateld.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: imageservr.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: onerateld.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://supportcente...oad/tgctlcm.cab (Reg Error: Key error.)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} http://dl.tvunetworks.com/TVUAx.cab (CTVUAxCtrl Object)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zon...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6662.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} http://upload.facebo...Uploader4_5.cab (Facebook Photo Uploader 4)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: CabBuilder http://kiw.imgag.com...llerControl.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\flowto {C7101FB0-28FB-11D5-883A-204C4F4F5021} - C:\Program Files\NetExchange Pro3.0\FlowHook.dll ()
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (tapubanu.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (SGGINA.DLL) - C:\WINDOWS\System32\SGGINA.DLL (Utimaco Safeware AG)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\NotLog: DllName - SGLogEx.dll - C:\WINDOWS\System32\SGLogEx.dll (Utimaco Safeware AG)
O20 - Winlogon\Notify\psfus: DllName - psqlpwd.dll - C:\WINDOWS\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\SGLogNotification: DllName - SGLogNotification.dll - C:\WINDOWS\System32\SGLogNotification.dll (Utimaco Safeware AG)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/18 17:34:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2009/10/15 10:42:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Verizon Wireless
[2009/10/15 21:14:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bob Tan\Application Data\Verizon Wireless
[2009/10/25 09:13:42 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware1
[2009/09/30 19:48:55 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/10/15 10:41:59 | 00,000,000 | ---D | C] -- C:\Program Files\Verizon Wireless
[2009/09/30 19:48:41 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/10/27 11:12:34 | 00,521,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
[2009/10/27 11:02:12 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Bob Tan\Desktop\RootRepeal.exe
[2009/10/27 10:10:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/10/27 10:03:55 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/27 10:02:04 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/27 10:02:04 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/27 10:02:04 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/27 10:02:04 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/27 10:01:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/27 10:00:09 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/27 07:36:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bob Tan\Desktop\gmer
[2009/10/25 21:26:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bob Tan\Desktop\RootRepeal
[2009/10/25 08:58:52 | 02,876,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bob Tan\Desktop\mbam-setup.exe
[2009/10/14 19:12:23 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/07/22 17:46:02 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/10/27 11:15:27 | 00,004,100 | -H-- | M] () -- C:\WINDOWS\System32\royiteze
[2009/10/27 11:12:37 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
[2009/10/27 11:05:56 | 00,282,833 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\gmer.zip
[2009/10/27 11:02:30 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\settings.dat
[2009/10/27 11:02:15 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Bob Tan\Desktop\RootRepeal.exe
[2009/10/27 10:56:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/27 10:56:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/27 10:56:25 | 21,382,92224 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/27 10:13:34 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/27 10:12:51 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/27 10:04:03 | 00,000,294 | RHS- | M] () -- C:\boot.ini
[2009/10/27 09:59:36 | 03,436,782 | R--- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\ComboFix.exe
[2009/10/26 07:33:58 | 00,077,312 | ---- | M] () -- C:\mbr.exe
[2009/10/25 21:41:45 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\dds.scr
[2009/10/25 08:58:52 | 02,876,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bob Tan\Desktop\mbam-setup.exe
[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2009/10/21 19:47:00 | 00,129,258 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\D_North_South_2009.pdf
[2009/10/21 13:34:04 | 00,057,344 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\Kit Order Form_Janet1.doc
[2009/10/21 12:07:03 | 00,544,084 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\Supplemental Fee Disclosure.pdf
[2009/10/21 12:05:58 | 00,080,949 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\PLAN_LEVEL_PERF.pdf
[2009/10/21 12:04:11 | 00,427,923 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\Ontario Enrollment Form.pdf
[2009/10/18 18:23:30 | 00,258,993 | ---- | M] () -- C:\Documents and Settings\Bob Tan\My Documents\scan0002.jpg
[2009/10/15 10:42:13 | 00,001,024 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/10/14 19:14:17 | 00,504,314 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/14 19:14:17 | 00,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/14 19:14:17 | 00,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/14 19:08:36 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/14 19:04:23 | 00,000,663 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/12 12:37:36 | 00,553,174 | ---- | M] () -- C:\Documents and Settings\Bob Tan\My Documents\wallace 1099.pdf
[2009/10/11 08:10:09 | 00,236,544 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/30 09:49:36 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
[2009/09/30 09:49:36 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.sys
[2009/09/30 09:49:36 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.cat
[2009/09/30 09:49:36 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.inf
[2009/09/29 14:09:54 | 00,059,168 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Application Data\GDIPFONTCACHEV1.DAT

========== Files - No Company Name ==========
[2009/10/27 11:05:50 | 00,282,833 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\gmer.zip
[2009/10/27 11:02:30 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\settings.dat
[2009/10/27 10:04:03 | 00,000,224 | ---- | C] () -- C:\Boot.bak
[2009/10/27 10:03:58 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/27 10:02:04 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/27 10:02:04 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/27 10:02:04 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/27 10:02:04 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/10/27 10:02:04 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/27 09:59:36 | 03,436,782 | R--- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\ComboFix.exe
[2009/10/26 07:33:58 | 00,077,312 | ---- | C] () -- C:\mbr.exe
[2009/10/25 21:41:42 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\dds.scr
[2009/10/21 19:46:59 | 00,129,258 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\D_North_South_2009.pdf
[2009/10/21 12:07:03 | 00,544,084 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\Supplemental Fee Disclosure.pdf
[2009/10/21 12:05:58 | 00,080,949 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\PLAN_LEVEL_PERF.pdf
[2009/10/21 12:04:10 | 00,427,923 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\Ontario Enrollment Form.pdf
[2009/10/21 11:48:14 | 00,057,344 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\Kit Order Form_Janet1.doc
[2009/10/18 18:23:28 | 00,258,993 | ---- | C] () -- C:\Documents and Settings\Bob Tan\My Documents\scan0002.jpg
[2009/10/15 10:42:13 | 00,001,024 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/10/12 12:37:36 | 00,553,174 | ---- | C] () -- C:\Documents and Settings\Bob Tan\My Documents\wallace 1099.pdf
[2009/09/09 11:20:52 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[2009/08/13 15:08:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/07/26 21:04:07 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\lerajune.dll
[2009/07/26 21:03:33 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\tomavita.dll
[2009/07/22 17:46:02 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.cat
[2009/07/22 17:46:02 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.inf
[2009/07/22 17:46:02 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.log
[2009/04/01 18:05:34 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\BHARegister.dll
[2009/01/26 23:23:04 | 00,000,240 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\wklnhst.dat
[2008/12/17 15:26:17 | 00,000,125 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2008/10/12 16:06:19 | 00,000,143 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/08/15 15:23:26 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS71.DLL
[2008/07/24 20:08:38 | 00,000,560 | ---- | C] () -- C:\WINDOWS\stbce.INI
[2008/05/27 16:50:18 | 00,009,255 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/05/27 16:37:32 | 00,000,770 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Installer.log
[2008/02/25 09:30:12 | 00,059,168 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\GDIPFONTCACHEV1.DAT
[2008/01/30 17:10:46 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2007/12/02 18:55:05 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\USA19HPropPage.dll
[2007/12/02 18:55:02 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\k19hinst.dll
[2007/11/26 16:15:40 | 00,000,228 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/11/21 17:01:23 | 00,007,680 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/07 10:54:05 | 00,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2007/10/31 10:39:54 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/09/17 13:15:09 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2007/09/17 13:15:09 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2007/09/07 20:50:27 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/09/07 20:44:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\desktop.ini
[2007/09/07 20:44:10 | 00,035,536 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2007/09/07 20:44:10 | 00,000,130 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Local Settings\Application Data\fusioncache.dat
[2007/05/17 14:58:10 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2006/08/20 15:41:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/18 19:45:49 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/08/18 19:45:49 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/08/18 19:45:49 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/08/18 19:45:49 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/08/18 19:45:49 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/08/18 19:45:49 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/08/18 19:40:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/08/18 19:38:00 | 00,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006/08/18 19:38:00 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006/08/18 19:05:13 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/08/18 19:05:13 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/08/18 19:05:13 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/08/18 19:05:13 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/08/18 17:44:41 | 00,000,594 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/18 17:28:48 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/08/18 16:53:12 | 00,000,330 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/08/18 16:48:33 | 00,000,663 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/08/18 16:48:25 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/08/18 10:24:16 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/04/12 17:34:50 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\Sgegina040C.Dll
[2006/04/12 17:34:46 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\SgeGina0407.Dll
[2006/02/15 15:32:36 | 00,024,576 | R--- | C] () -- C:\WINDOWS\System32\loaddlln.dll
[2005/09/02 14:44:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/08/24 15:20:28 | 00,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/08/05 14:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/22 21:30:20 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2005/03/31 12:27:18 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\SGCleanLocalGPO.dll
[2004/07/20 17:04:02 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2004/01/13 17:46:34 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/09 22:31:04 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
< End of report >

Step 5:

Machine is running a lot quicker. I haven't been getting any more popups. Still am unable to run my Malwarebytes software.

#24
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's remove some of what's found.

Step 1.
Uninstall unwanted software:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Viewpoint Media Player


Step 2.
OTL-fix:

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - [2007/01/04 14:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
    SRV - [2007/01/04 14:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
    MOD - [2009/07/26 21:04:07 | 00,051,200 | -HS- | M] () -- C:\WINDOWS\System32\lerajune.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {0bebbed3-2118-400f-b8e5-378910ec78bc} - C:\WINDOWS\System32\lerajune.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O15 - HKLM\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: imageservr.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: onerateld.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: imageservr.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
    O15 - HKCU\..Trusted Domains: onerateld.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O15 - HKCU\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
    O20 - AppInit_DLLs: (tapubanu.dll) - File not found
    [2009/07/26 21:04:07 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\lerajune.dll
    [2009/07/26 21:03:33 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\tomavita.dll
    :Files
    C:\Program Files\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Documents and Settings\Bob Tan\Application Data\Viewpoint
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog

Step 3.
OTL-scan:

Scan your computer with OTL again and post the content of OTL.txt in your reply.

Step 4.
Things I would like to see in your reply:

  • The content of the fixlog from OTL in step 2.
  • The content of OTL.txt from step 3.
  • Any change in the behavior of the computer?

I'll need to investigate the info on the MBR rootkit a bit more - I'll get back to you about that.
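A defender-side triage script for the kind of OTL entries heir singles out above, added here as an example (it is not OTL's code and not part of heir's post). It parses OTL's entry format from a constructed sample assembled from log lines on this page and flags the same indicators: hidden+system files with no publisher under \WINDOWS, unnamed BHOs whose CLSID is unregistered or whose module has no company name, any AppInit_DLLs entry, and Trusted Zone domains for human review. The rule names and the `Finding` type are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One OTL entry for a file, process (PRC), service (SRV) or loaded module (MOD):
#   [date time | size | attrs | C or M] (Company) -- path [-- (service name [start | state])]
# The attrs column is OTL's four-character attribute field; this thread's log shows
# "-HS-" (hidden + system) and "R---" (read-only).
FILE_RE = re.compile(
    r"^(?:(?P<kind>PRC|SRV|MOD|DRV) - )?"
    r"\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<cm>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)(?: -- \(.*\))?$"
)
# O2 (Browser Helper Object), O20 (AppInit_DLLs) and O15 (IE Trusted Zone) lines.
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<dll>[^)]*)\) - (?P<status>.*)$")
TRUSTED_RE = re.compile(
    r"^O15 - (?P<hive>HKLM|HKCU)\\\.\.Trusted Domains: (?P<domain>\S+) \((?P<detail>.*)\)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str   # which triage rule fired
    item: str   # path, CLSID, DLL name or domain
    why: str    # evidence copied from the log line


def parse_file_entry(line: str) -> Optional[dict]:
    """Return the fields of an OTL file/PRC/SRV/MOD entry, or None if the line is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry


def is_hidden_system_without_publisher(entry: dict) -> bool:
    """Hidden + system attributes, empty company name, and located under \\WINDOWS.

    desktop.ini inside a user profile is also -HS-, so the Windows-directory test
    keeps ordinary shell metadata out of the findings.
    """
    attrs = entry["attrs"]
    return ("H" in attrs and "S" in attrs
            and entry["company"].strip() == ""
            and "\\windows\\" in entry["path"].lower())


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over a sequence of OTL log lines and collect the findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        entry = parse_file_entry(line)
        if entry:
            if is_hidden_system_without_publisher(entry):
                findings.append(Finding("hidden-system-dll", entry["path"],
                                        f"attrs {entry['attrs']}, no company name"))
            continue
        m = BHO_RE.match(line)
        if m:
            rest = m["rest"]
            # Unnamed BHO whose CLSID is unregistered, or whose module has no publisher "()".
            if rest.startswith("No CLSID value found") or rest.endswith("()"):
                findings.append(Finding("orphan-bho", m["clsid"], rest))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that uses user32; always review them.
            findings.append(Finding("appinit-dll", m["dll"], m["status"]))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            # Trusted Zone entries relax IE's security settings for that site; list all for review.
            findings.append(Finding("trusted-domain", f"{m['hive']} {m['domain']}", m["detail"]))
    return findings


# Constructed sample: a subset of the lines from heir's OTL fix script plus three benign entries.
SAMPLE_OTL_LINES = r"""
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
SRV - [2007/01/04 14:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
MOD - [2009/07/26 21:04:07 | 00,051,200 | -HS- | M] () -- C:\WINDOWS\System32\lerajune.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {0bebbed3-2118-400f-b8e5-378910ec78bc} - C:\WINDOWS\System32\lerajune.dll ()
O15 - HKLM\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O20 - AppInit_DLLs: (tapubanu.dll) - File not found
[2009/07/26 21:04:07 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\lerajune.dll
[2009/07/26 21:03:33 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\tomavita.dll
[2006/02/15 15:32:36 | 00,024,576 | R--- | C] () -- C:\WINDOWS\System32\loaddlln.dll
[2007/09/07 20:44:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\desktop.ini
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LINES):
        print(f"{f.rule:18} {f.item}  [{f.why}]")
```

Feed it a full OTL.txt with `triage(open("OTL.txt", errors="replace"))`; the findings are a review list, not a removal list.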

#25
Boboli3

    Member

  • Topic Starter
  • Member
  • 39 posts
Step 1: Deleted

Step 2:

All processes killed
========== OTL ==========
Process explorer.exe killed successfully!
No active process named ViewpointService.exe was found!
Service\Driver Viewpoint Manager Service not found.
Service\Driver Viewpoint Manager Service not found.
File C:\Program Files\Viewpoint\Common\ViewpointService.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\lerajune.dll
C:\WINDOWS\System32\lerajune.dll NOT unregistered.
C:\WINDOWS\System32\lerajune.dll moved successfully.
Releasing module C:\WINDOWS\system32\lerajune.dll
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0bebbed3-2118-400f-b8e5-378910ec78bc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bebbed3-2118-400f-b8e5-378910ec78bc}\ deleted successfully.
File C:\WINDOWS\System32\lerajune.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\avsystemcare.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onerateld.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyguardpro.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\storageguardsoft.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusremover2008.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\avsystemcare.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onerateld.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyguardpro.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\storageguardsoft.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusremover2008.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:tapubanu.dll deleted successfully.
File C:\WINDOWS\System32\lerajune.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tomavita.dll
C:\WINDOWS\System32\tomavita.dll NOT unregistered.
C:\WINDOWS\System32\tomavita.dll moved successfully.
========== FILES ==========
File\Folder C:\Program Files\Viewpoint not found.
C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint moved successfully.
File\Folder C:\Documents and Settings\Bob Tan\Application Data\Viewpoint not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Bob Tan
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temp\~DFDEA3.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temp\~WRD0000.doc scheduled to be deleted on reboot.
->Temp folder emptied: 807067 bytes
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\Q64TX1MQ\iframe[4].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\Q64TX1MQ\o[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\Q64TX1MQ\snap_keylinks[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\GPDE11AG\afr[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\GPDE11AG\Redirect-Virus-Malwarebytes-won-t-run-Unable-to-execute-file-err-t256620[3].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\GPDE11AG\watch-wta-championships-doha[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\aba[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\iframe3[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\pub[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\st[1] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 21527172 bytes
->Java cache emptied: 83522440 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\LMI1B.tmp folder deleted successfully.
%systemroot% .tmp files removed: 1844236 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_608.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 1952735 bytes
RecycleBin emptied: 650748 bytes

Total Files Cleaned = 105.23 mb


OTL by OldTimer - Version 3.0.22.1 log created on 10272009_120524

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Bob Tan\Local Settings\Temp\~DFDEA3.tmp not found!
File\Folder C:\Documents and Settings\Bob Tan\Local Settings\Temp\~WRD0000.doc not found!
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\Q64TX1MQ\iframe[4].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\Q64TX1MQ\o[1].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\Q64TX1MQ\snap_keylinks[1].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\GPDE11AG\afr[1].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\GPDE11AG\Redirect-Virus-Malwarebytes-won-t-run-Unable-to-execute-file-err-t256620[3].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\GPDE11AG\watch-wta-championships-doha[1].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\aba[1].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\iframe3[1].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\pub[1].htm moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\Content.IE5\F5EXK37E\st[1] moved successfully.
C:\Documents and Settings\Bob Tan\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_608.dat not found!

Registry entries deleted on Reboot...

Step 3:

OTL logfile created on: 10/27/2009 12:16:17 PM - Run 3
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\Bob Tan\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 69.40% Memory free
3.84 Gb Paging File | 3.38 Gb Available in Paging File | 88.03% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.60 Gb Total Space | 52.04 Gb Free Space | 46.63% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOB
Current User Name: Bob Tan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/27 11:12:37 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
PRC - [2009/08/26 22:18:44 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\internet explorer\iexplore.exe
PRC - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 17:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe
PRC - [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/06/14 19:57:42 | 00,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\bgsvcgen.exe
PRC - [2006/05/25 18:30:16 | 00,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TODDSrv.exe
PRC - [2006/04/24 19:54:14 | 00,110,592 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TPSODDCtl.exe
PRC - [2006/04/24 19:54:12 | 00,315,392 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TPSMain.exe
PRC - [2006/04/24 19:54:04 | 00,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TPSBattM.exe
PRC - [2006/04/12 17:34:24 | 00,024,576 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
PRC - [2006/04/12 17:33:08 | 00,090,112 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
PRC - [2006/04/12 17:30:40 | 00,131,072 | ---- | M] () -- C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
PRC - [2006/04/12 17:26:54 | 00,147,456 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
PRC - [2006/04/09 21:24:28 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2006/02/02 12:11:38 | 00,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Tvs\TvsTray.exe
PRC - [2005/12/20 12:46:20 | 00,176,128 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\ThpSrv.exe
PRC - [2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/11/15 13:28:04 | 00,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/11/15 13:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/11/15 13:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/11/02 16:41:04 | 00,978,944 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2005/10/04 12:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/10/04 12:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/10/04 12:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2005/07/12 17:14:42 | 00,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2005/05/17 11:42:02 | 00,049,152 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
PRC - [2005/03/31 12:27:00 | 00,061,440 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\System32\SgLogPlayer.exe
PRC - [2005/01/17 16:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2004/12/30 00:32:20 | 00,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
PRC - [2004/08/28 00:37:00 | 00,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\RAMASST.exe
PRC - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\DVDRAMSV.exe
PRC - [2004/08/18 03:37:44 | 00,184,320 | ---- | M] (Agere Systems) -- C:\Program Files\ltmoh\Ltmoh.exe
PRC - [2004/03/23 22:40:42 | 00,196,608 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apoint.exe
PRC - [2003/02/26 11:08:42 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Apntex.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2009/07/13 14:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/06/05 11:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2009/03/09 05:19:15 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/11/09 13:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/08/16 08:56:16 | 00,309,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [Auto | Stopped])
SRV - [2007/08/16 08:56:14 | 00,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Auto | Stopped])
SRV - [2007/08/16 08:56:10 | 01,092,080 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2007/07/24 05:14:08 | 00,088,560 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [On_Demand | Stopped])
SRV - [2007/07/24 05:14:06 | 00,358,896 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Auto | Stopped])
SRV - [2007/06/14 19:57:42 | 00,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen [Auto | Running])
SRV - [2006/05/25 18:30:16 | 00,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\TODDSrv.exe -- (TODDSrv [Auto | Running])
SRV - [2006/04/12 17:33:08 | 00,090,112 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe -- (SgeCtl [Auto | Running])
SRV - [2006/04/12 17:30:40 | 00,131,072 | ---- | M] () -- C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe -- (SgeClient [Auto | Running])
SRV - [2006/04/12 17:26:54 | 00,147,456 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe -- (WksCfgSrv [Auto | Running])
SRV - [2006/04/09 21:24:28 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005/12/20 12:46:20 | 00,176,128 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\ThpSrv.exe -- (Thpsrv [Auto | Running])
SRV - [2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2005/11/15 13:27:56 | 00,169,200 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2005/11/15 13:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2005/11/15 13:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2005/10/19 17:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2005/10/04 12:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2005/10/04 12:42:48 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2005/10/04 12:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2005/08/03 18:29:52 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
SRV - [2005/07/12 17:14:42 | 00,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr [Auto | Running])
SRV - [2005/03/31 12:27:00 | 00,061,440 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\System32\SgLogPlayer.exe -- (SgLogPlayer [Auto | Running])
SRV - [2005/03/30 21:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
SRV - [2005/01/17 16:38:38 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2004/08/28 00:33:00 | 00,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\System32\DVDRAMSV.exe -- (DVD-RAM_Service [Auto | Running])
SRV - [2004/08/10 04:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2003/03/09 22:31:02 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/09/30 09:49:36 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2009/08/27 01:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091026.007\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2009/08/27 01:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/08/27 01:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2009/08/27 01:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091026.007\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/06/05 11:42:38 | 00,039,424 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2009/05/13 23:25:06 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Stopped])
DRV - [2009/05/13 23:25:06 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Stopped])
DRV - [2009/05/13 23:24:34 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2009/03/20 19:03:36 | 00,032,408 | ---- | M] (Smith Micro Inc.) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5 [On_Demand | Stopped])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2009/01/09 17:18:02 | 00,027,136 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\System32\DRIVERS\RimSerial.sys -- (RimVSerPort [On_Demand | Running])
DRV - [2008/05/21 09:26:40 | 00,049,904 | R--- | M] (Avanquest Software) -- C:\WINDOWS\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5 [On_Demand | Stopped])
DRV - [2008/05/20 19:33:50 | 00,022,784 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/09/07 20:42:46 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\System32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2007/05/01 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2006/06/30 13:21:30 | 01,169,980 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2006/06/28 11:50:00 | 00,098,816 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\tdudf.sys -- (tdudf [Auto | Running])
DRV - [2006/05/30 16:42:52 | 00,045,696 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\Tvs.sys -- (Tvs [On_Demand | Running])
DRV - [2006/05/05 18:00:02 | 00,013,568 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys -- (FdRedir [Auto | Running])
DRV - [2006/05/05 17:59:52 | 00,033,024 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys -- (FileDisk2 [Auto | Running])
DRV - [2006/05/05 17:43:38 | 00,028,800 | ---- | M] (UPEK Inc.) -- C:\WINDOWS\System32\Drivers\tcusb.sys -- (TcUsb [On_Demand | Running])
DRV - [2006/05/05 17:33:04 | 00,003,456 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\smihlp.sys -- (smihlp [Auto | Running])
DRV - [2006/04/12 17:34:42 | 00,061,466 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\SYSTEM32\DRIVERS\SGEFLT.SYS -- (SgeFlt [Boot | Running])
DRV - [2006/04/12 17:32:24 | 00,018,464 | ---- | M] (Utimaco Safeware AG) -- C:\WINDOWS\SYSTEM32\DRIVERS\AES256.SYS -- (AES-256 [Boot | Running])
DRV - [2006/04/01 17:46:28 | 00,471,264 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\DRIVERS\ar5211.sys -- (AR5211 [On_Demand | Stopped])
DRV - [2006/03/21 17:18:58 | 00,179,200 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e1e5132.sys -- (e1express [On_Demand | Stopped])
DRV - [2006/03/02 18:49:00 | 00,015,360 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\System32\DRIVERS\tdcmdpst.sys -- (tdcmdpst [On_Demand | Running])
DRV - [2006/02/28 13:36:20 | 00,176,128 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
DRV - [2006/02/20 02:17:40 | 00,033,408 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv [System | Running])
DRV - [2005/12/26 14:33:26 | 00,016,768 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\TVALZ.SYS -- (TVALZ [Boot | Running])
DRV - [2005/12/13 09:08:44 | 01,124,097 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2005/12/05 01:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w39n51.sys -- (w39n51 [On_Demand | Running])
DRV - [2005/11/30 10:12:36 | 00,162,560 | ---- | M] (Texas Instruments) -- C:\WINDOWS\System32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
DRV - [2005/11/28 12:09:26 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
DRV - [2005/10/19 17:39:04 | 00,195,728 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2005/10/19 17:38:58 | 00,024,720 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2005/10/10 16:31:42 | 00,163,328 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2005/09/17 00:20:06 | 00,108,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2005/09/09 14:47:10 | 00,009,344 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\System32\DRIVERS\tosrfec.sys -- (tosrfec [On_Demand | Stopped])
DRV - [2005/08/26 14:22:50 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
DRV - [2005/08/26 14:22:48 | 00,334,984 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2005/08/24 15:20:28 | 00,009,472 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\tbiosdrv.sys -- (tbiosdrv [On_Demand | Running])
DRV - [2005/06/02 03:33:00 | 00,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\System32\Drivers\meiudf.sys -- (meiudf [System | Running])
DRV - [2005/05/27 02:46:22 | 00,913,280 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\LV302AV.SYS -- (PID_08A0 [On_Demand | Stopped])
DRV - [2005/05/27 02:38:00 | 00,007,136 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\DRIVERS\lv302af.sys -- (pepifilter [On_Demand | Stopped])
DRV - [2005/05/27 02:31:28 | 00,022,016 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\System32\drivers\lvusbsta.sys -- (LVUSBSta [On_Demand | Stopped])
DRV - [2005/03/30 21:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
DRV - [2005/03/04 19:53:00 | 00,127,872 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\AEAudio.sys -- (AEAudioService [On_Demand | Running])
DRV - [2004/12/27 23:31:50 | 00,016,384 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\thpdrv.sys -- (Thpdrv [Boot | Running])
DRV - [2004/11/13 12:24:52 | 00,006,144 | R--- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\DRIVERS\Thpevm.SYS -- (Thpevm [Boot | Running])
DRV - [2004/08/10 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/08/10 05:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Running])
DRV - [2004/05/08 20:38:06 | 00,101,833 | ---- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2003/09/19 01:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (Pfc [On_Demand | Running])
DRV - [2003/09/10 23:36:54 | 00,021,060 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\System32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
DRV - [2003/06/24 21:30:18 | 00,727,908 | ---- | M] (Keyspan) -- C:\WINDOWS\System32\DRIVERS\USA19H2k.sys -- (USA19H [On_Demand | Stopped])
DRV - [2003/06/24 21:21:20 | 00,044,928 | ---- | M] (Keyspan) -- C:\WINDOWS\System32\DRIVERS\USA19H2kp.SYS -- (USA19H2KP [On_Demand | Stopped])
DRV - [2003/03/09 22:31:02 | 00,021,456 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2003/03/09 22:31:02 | 00,016,080 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2003/03/09 22:31:00 | 00,051,024 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2003/01/29 14:35:00 | 00,012,032 | ---- | M] (TOSHIBA Corporation.) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys -- (Netdevio [Auto | Running])
DRV - [2003/01/10 13:13:04 | 00,033,588 | R--- | M] (America Online, Inc.) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Stopped])
DRV - [2001/08/17 14:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])

========== Modules (SafeList) ==========

MOD - [2009/10/27 11:12:37 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
MOD - [2008/04/13 17:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2006/04/12 17:33:06 | 00,024,576 | ---- | M] (Utimaco Safeware AG) -- C:\Program Files\Utimaco\SafeGuard Easy\SgMsgBhk.dll

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/07 22:42:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/23 18:27:22 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [EdWizard] C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (Agere Systems)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [ThpSrv] C:\WINDOWS\System32\thpsrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPSODDCtl] C:\WINDOWS\System32\TPSODDCtl.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\System32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://supportcente...oad/tgctlcm.cab (Reg Error: Key error.)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} http://dl.tvunetworks.com/TVUAx.cab (CTVUAxCtrl Object)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zon...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6662.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} http://upload.facebo...Uploader4_5.cab (Facebook Photo Uploader 4)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: CabBuilder http://kiw.imgag.com...llerControl.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\flowto {C7101FB0-28FB-11D5-883A-204C4F4F5021} - C:\Program Files\NetExchange Pro3.0\FlowHook.dll ()
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (SGGINA.DLL) - C:\WINDOWS\System32\SGGINA.DLL (Utimaco Safeware AG)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\NotLog: DllName - SGLogEx.dll - C:\WINDOWS\System32\SGLogEx.dll (Utimaco Safeware AG)
O20 - Winlogon\Notify\psfus: DllName - psqlpwd.dll - C:\WINDOWS\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\SGLogNotification: DllName - SGLogNotification.dll - C:\WINDOWS\System32\SGLogNotification.dll (Utimaco Safeware AG)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/18 17:34:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/10/15 10:42:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Verizon Wireless
[2009/10/15 21:14:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bob Tan\Application Data\Verizon Wireless
[2009/10/25 09:13:42 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware1
[2009/09/30 19:48:55 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/10/15 10:41:59 | 00,000,000 | ---D | C] -- C:\Program Files\Verizon Wireless
[2009/09/30 19:48:41 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/10/27 12:05:24 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/10/27 11:12:34 | 00,521,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
[2009/10/27 11:02:12 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Bob Tan\Desktop\RootRepeal.exe
[2009/10/27 10:10:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/10/27 10:03:55 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/27 10:02:04 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/27 10:02:04 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/27 10:02:04 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/27 10:02:04 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/27 10:01:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/27 10:00:09 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/27 07:36:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bob Tan\Desktop\gmer
[2009/10/25 21:26:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bob Tan\Desktop\RootRepeal
[2009/10/25 08:58:52 | 02,876,720 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bob Tan\Desktop\mbam-setup.exe
[2009/10/14 19:12:23 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/07/22 17:46:02 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2009/10/27 12:10:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/27 12:10:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/27 12:10:38 | 21,382,92224 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/27 12:07:07 | 00,004,100 | -H-- | M] () -- C:\WINDOWS\System32\royiteze
[2009/10/27 11:12:37 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob Tan\Desktop\OTL.exe
[2009/10/27 11:05:56 | 00,282,833 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\gmer.zip
[2009/10/27 11:02:30 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\settings.dat
[2009/10/27 11:02:15 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Bob Tan\Desktop\RootRepeal.exe
[2009/10/27 10:13:34 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/27 10:12:51 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/27 10:04:03 | 00,000,294 | RHS- | M] () -- C:\boot.ini
[2009/10/27 09:59:36 | 03,436,782 | R--- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\ComboFix.exe
[2009/10/26 07:33:58 | 00,077,312 | ---- | M] () -- C:\mbr.exe
[2009/10/25 21:41:45 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\dds.scr
[2009/10/25 08:58:52 | 02,876,720 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Bob Tan\Desktop\mbam-setup.exe
[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2009/10/21 19:47:00 | 00,129,258 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\D_North_South_2009.pdf
[2009/10/21 13:34:04 | 00,057,344 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\Kit Order Form_Janet1.doc
[2009/10/21 12:07:03 | 00,544,084 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\Supplemental Fee Disclosure.pdf
[2009/10/21 12:05:58 | 00,080,949 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\PLAN_LEVEL_PERF.pdf
[2009/10/21 12:04:11 | 00,427,923 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Desktop\Ontario Enrollment Form.pdf
[2009/10/18 18:23:30 | 00,258,993 | ---- | M] () -- C:\Documents and Settings\Bob Tan\My Documents\scan0002.jpg
[2009/10/15 10:42:13 | 00,001,024 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/10/14 19:14:17 | 00,504,314 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/14 19:14:17 | 00,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/14 19:14:17 | 00,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/14 19:08:36 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/14 19:04:23 | 00,000,663 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/12 12:37:36 | 00,553,174 | ---- | M] () -- C:\Documents and Settings\Bob Tan\My Documents\wallace 1099.pdf
[2009/10/11 08:10:09 | 00,236,544 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/30 09:49:36 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
[2009/09/30 09:49:36 | 00,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.sys
[2009/09/30 09:49:36 | 00,007,887 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.cat
[2009/09/30 09:49:36 | 00,001,144 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.inf
[2009/09/29 14:09:54 | 00,059,168 | ---- | M] () -- C:\Documents and Settings\Bob Tan\Application Data\GDIPFONTCACHEV1.DAT

========== Files - No Company Name ==========
[2009/10/27 11:05:50 | 00,282,833 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\gmer.zip
[2009/10/27 11:02:30 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\settings.dat
[2009/10/27 10:04:03 | 00,000,224 | ---- | C] () -- C:\Boot.bak
[2009/10/27 10:03:58 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/27 10:02:04 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/27 10:02:04 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/27 10:02:04 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/27 10:02:04 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/10/27 10:02:04 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/27 09:59:36 | 03,436,782 | R--- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\ComboFix.exe
[2009/10/26 07:33:58 | 00,077,312 | ---- | C] () -- C:\mbr.exe
[2009/10/25 21:41:42 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\dds.scr
[2009/10/21 19:46:59 | 00,129,258 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\D_North_South_2009.pdf
[2009/10/21 12:07:03 | 00,544,084 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\Supplemental Fee Disclosure.pdf
[2009/10/21 12:05:58 | 00,080,949 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\PLAN_LEVEL_PERF.pdf
[2009/10/21 12:04:10 | 00,427,923 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\Ontario Enrollment Form.pdf
[2009/10/21 11:48:14 | 00,057,344 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Desktop\Kit Order Form_Janet1.doc
[2009/10/18 18:23:28 | 00,258,993 | ---- | C] () -- C:\Documents and Settings\Bob Tan\My Documents\scan0002.jpg
[2009/10/15 10:42:13 | 00,001,024 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2009/10/12 12:37:36 | 00,553,174 | ---- | C] () -- C:\Documents and Settings\Bob Tan\My Documents\wallace 1099.pdf
[2009/09/09 11:20:52 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[2009/08/13 15:08:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/07/22 17:46:02 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.cat
[2009/07/22 17:46:02 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.inf
[2009/07/22 17:46:02 | 00,000,034 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\pcouffin.log
[2009/04/01 18:05:34 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\BHARegister.dll
[2009/01/26 23:23:04 | 00,000,240 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\wklnhst.dat
[2008/12/17 15:26:17 | 00,000,125 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2008/10/12 16:06:19 | 00,000,143 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/08/15 15:23:26 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS71.DLL
[2008/07/24 20:08:38 | 00,000,560 | ---- | C] () -- C:\WINDOWS\stbce.INI
[2008/05/27 16:50:18 | 00,009,255 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/05/27 16:37:32 | 00,000,770 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Installer.log
[2008/02/25 09:30:12 | 00,059,168 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\GDIPFONTCACHEV1.DAT
[2008/01/30 17:10:46 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2007/12/02 18:55:05 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\USA19HPropPage.dll
[2007/12/02 18:55:02 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\k19hinst.dll
[2007/11/26 16:15:40 | 00,000,228 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/11/21 17:01:23 | 00,007,680 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/07 10:54:05 | 00,032,397 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2007/10/31 10:39:54 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/09/17 13:15:09 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2007/09/17 13:15:09 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2007/09/07 20:50:27 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/09/07 20:44:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Bob Tan\Application Data\desktop.ini
[2007/09/07 20:44:10 | 00,035,536 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2007/09/07 20:44:10 | 00,000,130 | ---- | C] () -- C:\Documents and Settings\Bob Tan\Local Settings\Application Data\fusioncache.dat
[2007/05/17 14:58:10 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2006/08/20 15:41:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/18 19:45:49 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/08/18 19:45:49 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/08/18 19:45:49 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/08/18 19:45:49 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/08/18 19:45:49 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/08/18 19:45:49 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/08/18 19:40:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/08/18 19:38:00 | 00,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006/08/18 19:38:00 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006/08/18 19:05:13 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/08/18 19:05:13 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/08/18 19:05:13 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/08/18 19:05:13 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/08/18 17:44:41 | 00,000,594 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/18 17:28:48 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/08/18 16:53:12 | 00,000,330 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/08/18 16:48:33 | 00,000,663 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/08/18 16:48:25 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/08/18 10:24:16 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/04/12 17:34:50 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\Sgegina040C.Dll
[2006/04/12 17:34:46 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\SgeGina0407.Dll
[2006/02/15 15:32:36 | 00,024,576 | R--- | C] () -- C:\WINDOWS\System32\loaddlln.dll
[2005/09/02 14:44:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/08/24 15:20:28 | 00,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/08/05 14:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/22 21:30:20 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2005/03/31 12:27:18 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\SGCleanLocalGPO.dll
[2004/07/20 17:04:02 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2004/01/13 17:46:34 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/03/09 22:31:04 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
< End of report >

Step 4:

Machine seems to be running fine now. No pop-ups. Haven't tried running the Malwarebytes software again.
  • 0
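The helper's next step singles out C:\WINDOWS\System32\royiteze from the OTL report above. As an added example (not part of the original thread, and not OTL's or the helper's own code), this Python snippet parses OTL "Files Created/Modified" entries in the format shown above and applies a constructed triage heuristic; the sample lines are copied from the report, and the heuristic itself is an assumption for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One OTL file entry: [date time | size | attrs | C(reated)/M(odified)] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Constructed sample: a few entries copied from the report above, not a full log.
SAMPLE_LOG = r"""
[2009/10/27 12:10:38 | 21,382,92224 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/27 12:07:07 | 00,004,100 | -H-- | M] () -- C:\WINDOWS\System32\royiteze
[2009/10/14 19:14:17 | 00,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/30 09:49:36 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\drivers\pcouffin.sys
"""

@dataclass
class OtlEntry:
    timestamp: datetime
    size: int          # bytes; OTL prints it zero-padded with thousands separators
    attrs: str         # R/H/S/D flags, '-' where unset
    kind: str          # C = created, M = modified
    company: str       # empty when the file carries no company name
    path: str

def parse_otl_line(line):
    """Return an OtlEntry for one report line, or None for headers and blank lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=m.group("company").strip(),
        path=m.group("path"),
    )

def is_suspicious(entry):
    """Constructed heuristic: System32 file, no company name, and hidden or extension-less."""
    name = entry.path.rsplit("\\", 1)[-1]
    in_system32 = "\\windows\\system32\\" in entry.path.lower()
    return in_system32 and not entry.company and ("H" in entry.attrs or "." not in name)

def triage(report_text):
    """Paths from the report that match the heuristic, in report order."""
    entries = (parse_otl_line(l) for l in report_text.splitlines())
    return [e.path for e in entries if e and is_suspicious(e)]
```

Files the heuristic flags are candidates for the multi-engine upload the helper requests, not verdicts; perfh009.dat in the sample is also in System32 without a company name but is neither hidden nor extension-less, so it is not flagged.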



#26
Boboli3

    Member

  • Topic Starter
  • Member
  • 39 posts
Heir,

I am able to run malwarebytes now. It is scanning my machine as we speak. You have saved me a lot of work on this and I appreciate it.
  • 0

#27
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Good!

Please post the report from it in your next reply. (It can be found under the Logs tab.)

There is still that MBR rootkit that needs to be addressed. I will get back to you about that.
  • 0

#28
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Can you also please scan a file:

  • Using Internet Explorer please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • C:\WINDOWS\System32\royiteze
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

  • 0

#29
Boboli3

    Member

  • Topic Starter
  • Member
  • 39 posts
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/27/2009 3:08:51 PM
mbam-log-2009-10-27 (15-08-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 205910
Time elapsed: 1 hour(s), 55 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Step 2

Scanner results : Scanners did not find malware!
Time : 2009/10/28 11:05:15 (PDT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.8 20091028200248 2009-10-28 - 4.092
AhnLab V3 2009.10.29.00 2009.10.29 2009-10-29 - 0.932
AntiVir 8.2.1.50 7.1.6.162 2009-10-28 - 0.544
Antiy 2.0.18 20091028.3102810 2009-10-28 - 0.121
Arcavir 2009 200910280915 2009-10-28 - 0.022
Authentium 5.1.1 200910281538 2009-10-28 - 1.343
AVAST! 4.7.4 091028-0 2009-10-28 - 0.003
AVG 8.5.288 270.14.36/2465 2009-10-28 - 0.331
BitDefender 7.81008.4468070 7.28621 2009-10-29 - 3.913
CA (VET) 35.1.0 7086 2009-10-27 - 8.005
ClamAV 0.95.2 9955 2009-10-28 - 0.006
Comodo 3.12 2757 2009-10-28 - 0.901
CP Secure 1.3.0.5 2009.10.28 2009-10-28 - 0.002
Dr.Web 4.44.0.9170 2009.10.28 2009-10-28 - 6.025
F-Prot 4.4.4.56 20091028 2009-10-28 - 1.183
F-Secure 7.02.73807 2009.10.28.18 2009-10-28 - 0.046
Fortinet 2.81-3.120 10.995 2009-10-28 - 0.190
GData 19.8620/19.526 20091028 2009-10-28 - 5.938
Ikarus T3.1.01.72 2009.10.28.74305 2009-10-28 - 4.296
JiangMin 11.0.800 2009.10.26 2009-10-26 - 4.017
Kaspersky 5.5.10 2009.10.28 2009-10-28 - 0.023
KingSoft 2009.2.5.15 2009.10.28.21 2009-10-28 - 1.729
McAfee 5.3.00 5784 2009-10-27 - 3.352
Microsoft 1.5202 2009.10.28 2009-10-28 - 6.276
Norman 6.01.09 6.01.00 2009-10-27 - 4.006
nProtect 20091028.01 6034135 2009-10-28 - 7.861
Panda 9.05.01 2009.10.28 2009-10-28 - 2.903
Quick Heal 10.00 2009.10.28 2009-10-28 - 1.365
Rising 20.0 21.53.24.00 2009-10-28 - 0.283
Sophos 3.00.1 4.46 2009-10-29 - 2.911
Sunbelt 5472 5472 2009-10-27 - 2.670
Symantec 1.3.0.24 20091028.006 2009-10-28 - 0.216
The Hacker 6.5.0.2 v00056 2009-10-28 - 0.682
Trend Micro 8.700-1004 6.582.02 2009-10-28 - 0.024
VBA32 3.12.10.11 20091027.1255 2009-10-27 - 2.001
ViRobot 20091028 2009.10.28 2009-10-28 - 0.567
VirusBuster 4.5.11.10 10.112.82/2011851 2009-10-28 - 2.385
  • 0

#30
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

When you ran ComboFix your antivirus software was not disabled.

Please disable your antivirus software; here is how to disable some security programs.

Delete ComboFix.exe from your desktop.

Download a new copy of ComboFix from one of these locations:

Link 2
Link 3

Double click on ComboFix.exe

Please post the content of C:\ComboFix.txt in your reply.

Edited by heir, 28 October 2009 - 01:06 PM.

  • 0
