
Search Engine Redirect Virus [Solved]

  • This topic is locked

#1
knichols05

    Member

  • 36 posts
I've recently gotten a virus that has caused random pages to open up when I click Google links. I think the virus has also caused a slew of other problems too, such as disabling picture settings in my browser. There are probably many more problems like this, but it's difficult for me to tell. I've run ComboFix and HijackThis.
ComboFix log:

ComboFix 10-05-13.03 - Owner 05/13/2010 23:54:44.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.81 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\Tasks.\dqycwnhb.job
D:\Autorun.inf
c:\windows\Tasks.\dqycwnhb.job . . . . failed to delete

Infected copy of c:\windows\system32\drivers\mraid35x.sys was found and disinfected
Restored copy from - Kitty had a snack :)
c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-14 04:44 . 2010-05-14 05:04 -------- d-----w- \ComboFix
2010-05-14 04:10 . 2010-05-14 04:10 -------- d-sha-r- \cmdcons
2010-05-14 04:04 . 2010-05-14 05:00 -------- d---a-w- \Qoobox
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 20:49 . 2010-05-13 20:49 -------- d-----w- c:\program files\Trend Micro
2010-05-13 20:31 . 2010-05-13 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-13 20:31 . 2010-05-13 20:31 -------- d-----w- c:\program files\Security Task Manager
2010-05-13 00:07 . 2010-05-13 00:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-12 03:31 . 2010-05-12 03:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\nkiwgvihw
2010-05-12 03:24 . 2010-05-12 03:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\qsmwqxdqd
2010-05-12 02:01 . 2010-05-12 02:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-11 23:46 . 2010-05-12 05:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\rhrwcdwpx
2010-05-05 23:35 . 2010-05-05 23:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\bfwujhoqr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 04:05 . 2010-01-17 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-05-13 21:45 . 2010-05-13 21:45 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_62766A54CB96B6647A4A21CFAB84387D.dll
2010-05-13 20:49 . 2010-05-13 20:49 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 20:31 . 2010-05-13 20:31 6926 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C.dll
2010-05-13 04:22 . 2010-01-31 03:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 07:57 . 2010-01-16 00:34 -------- d-----w- c:\program files\McAfee
2010-03-24 20:47 . 2010-01-17 03:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-03-24 02:10 . 2010-01-17 03:19 -------- d-----w- c:\program files\Trillian
2010-03-04 21:43 . 2010-01-19 21:37 232 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
.

------- Sigcheck -------

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\user32.dll
[7] 2005-03-03 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-03 . 86EAE2E27368E0199B948A32124FC4CD . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ws2_32.dll
[-] 2004-08-04 . 2D34087CD4A677F0B288086C5B94D94C . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-13 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-26 18789408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-13 5937984]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/19/2010 5:20 PM 1691480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/15/2010 6:59 PM 69692]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/13/2010 3:30 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VirusScan Online - \mcvsshld.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 00:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84EF6EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7764fc3
\Driver\ACPI -> ACPI.sys @ 0xf7557cb8
\Driver\atapi -> atapi.sys @ 0xf74037b4
\Driver\iaStor -> IASTOR.SYS @ 0xf7427b58
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577918
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577918
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf72debc3
PacketIndicateHandler -> NDIS.sys @ 0xf72eab21
SendHandler -> NDIS.sys @ 0xf72ded33
user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\System32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\svchost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\RTHDCPL.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\System32\svchost.exe
c:\windows\System32\svchost.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\svchost.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\taskmgr.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\wbem\wmiprvse.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\alg.exe
c:\windows\system32\wuauclt.exe
.
**************************************************************************
.
Completion time: 2010-05-14 00:10:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-14 05:09

Pre-Run: 127,459,074,048 bytes free
Post-Run: 127,988,023,296 bytes free

- - End Of File - - 1547F3F8B94813ADADCC63369C3879E8

Thank you for your help. This has been a major problem for the last few days and I've been having no luck in solving it.
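The Sigcheck block and the "is infected!!" verdict in the ComboFix log above are the evidence a helper reads first. As an added example (not part of this thread, and not ComboFix's own code), the following Python script turns those lines into records and applies two checks a reviewer would do by hand: it flags a basename that appears with the same version string and size under more than one MD5 (here the live user32.dll against its $hf_mig$ backup), and it lists live system32 copies that have no same-version sibling in the log and therefore cannot be judged from the log alone (here ws2_32.dll, which ComboFix itself calls infected). The sample text is constructed verbatim from the log lines above; the meaning of the [-] and [7] flags is carried through but not interpreted, because the page does not define them.

```python
"""Triage the Sigcheck block of a ComboFix log.

ComboFix prints one line per copy of a system file it found:
    [flag] date . MD5 . size . . [version] . . path
and a separate verdict line for a copy it considers patched:
    <path> . . . is infected!!
"""
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)
INFECTED_RE = re.compile(r"^(?P<path>\S.*?)\s+\.\s+\.\s+\.\s+is infected!!\s*$")

# Constructed sample: the Sigcheck lines and the ws2_32.dll verdict copied
# from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\ws2_32.dll . . . is infected!!

------- Sigcheck -------

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\user32.dll
[7] 2005-03-03 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-03 . 86EAE2E27368E0199B948A32124FC4CD . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ws2_32.dll
[-] 2004-08-04 . 2D34087CD4A677F0B288086C5B94D94C . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
"""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_live_copy(path):
    """The copy Windows actually loads lives under system32; caches and
    hotfix backups ($hf_mig$, SoftwareDistribution) do not."""
    return "\\system32\\" in path.lower()


def parse_sigcheck(text):
    """Return (records, infected_paths) parsed from ComboFix log text."""
    records, infected = [], []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["name"] = basename(rec["path"])
            records.append(rec)
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected.append(m.group("path"))
    return records, infected


def triage(text):
    """Summarise the Sigcheck evidence.

    conflicts:    (name, version, size) -> {md5: [paths]} where one version
                  string and size appear under more than one MD5.  Caveat: a
                  GDR and a QFE build can share a version number and still
                  differ, so this is a lead to verify, not proof of tampering.
    no_reference: live system32 copies with no other same-version copy in
                  the log; the log alone cannot vouch for these.
    infected:     ComboFix's own explicit verdicts.
    """
    records, infected = parse_sigcheck(text)
    groups = defaultdict(lambda: defaultdict(list))
    for r in records:
        groups[(r["name"], r["version"], r["size"])][r["md5"]].append(r["path"])
    conflicts = {k: dict(v) for k, v in groups.items() if len(v) > 1}

    no_reference = []
    for r in records:
        if not is_live_copy(r["path"]):
            continue
        siblings = [o for o in records
                    if o["name"] == r["name"] and o["version"] == r["version"]
                    and o["path"] != r["path"]]
        if not siblings:
            no_reference.append(r["path"])
    return {"conflicts": conflicts, "no_reference": no_reference, "infected": infected}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, by_md5 in result["conflicts"].items():
        print("same version, different hash:", key)
        for md5, paths in by_md5.items():
            print("   ", md5, paths)
    print("live copies without a same-version reference:", result["no_reference"])
    print("ComboFix verdicts:", result["infected"])
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents. A hash conflict is only the starting point: confirm the live file by checking it against a known-good copy from the same service pack and hotfix branch, or by extracting it from the installation media, before trusting either side.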
#2
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello knichols05 and welcome to G2G!

My nick is maliprog and I'll be your technical support on this issue. Before we start cleaning your PC you must print or save to Desktop (in a .txt file) these instructions so you can access them in Safe Mode with no internet connection.

NOTE:
  • Be advised that I am still in training, so there may be a delay between replies. Each reply must be approved by a resident expert before I will be allowed to post them to you.
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


Step 1

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
ws2_32.dll
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 3

Please make sure you include the following items:
  • OTL log
  • OTL Extras log
  • GMER log
It would be helpful if you could post each log in a separate post.
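One thing the OTL log requested above will expose (and in fact does, in the reply that follows) is the Firefox prefs.js proxy configuration: every network.proxy.* entry pointed at one remote IP on port 80, which is the mechanism behind a search-redirect that survives browser restarts. As an added example (not part of the helper's instructions and not OTL's code), the following Python script parses user_pref lines from a prefs.js and reports proxy hosts that are not loopback or on an allowlist. It distinguishes settings that are active (network.proxy.type equal to 1, manual configuration) from ones merely stored, including the network.proxy.backup.* copies Firefox keeps when share_proxy_settings is on. The sample prefs are constructed from the values in the OTL log later in this thread; the network.proxy.type line is an assumption, since OTL does not print it.

```python
"""Check a Firefox prefs.js for proxy settings that route traffic off-host."""
import ipaddress
import re

USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')
PROXY_PROTOCOLS = ("http", "ssl", "ftp", "socks", "gopher")
MANUAL_PROXY = 1  # network.proxy.type value for "manual proxy configuration"

# Constructed sample from the prefs.js values in the OTL log in this thread.
# The network.proxy.type line is assumed; OTL does not report it.
HIJACKED_PREFS = """\
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("network.proxy.backup.ftp", "41.234.203.183");
user_pref("network.proxy.backup.ftp_port", 80);
user_pref("network.proxy.backup.gopher", "41.234.203.183");
user_pref("network.proxy.backup.gopher_port", 80);
user_pref("network.proxy.backup.socks", "41.234.203.183");
user_pref("network.proxy.backup.socks_port", 80);
user_pref("network.proxy.backup.ssl", "41.234.203.183");
user_pref("network.proxy.backup.ssl_port", 80);
user_pref("network.proxy.ftp", "41.234.203.183");
user_pref("network.proxy.ftp_port", 80);
user_pref("network.proxy.gopher", "41.234.203.183");
user_pref("network.proxy.gopher_port", 80);
user_pref("network.proxy.http", "41.234.203.183");
user_pref("network.proxy.http_port", 80);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "41.234.203.183");
user_pref("network.proxy.socks_port", 80);
user_pref("network.proxy.ssl", "41.234.203.183");
user_pref("network.proxy.ssl_port", 80);
user_pref("network.proxy.type", 1);
"""

# Constructed benign sample: a local debugging proxy, which must not be flagged.
CLEAN_PREFS = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
"""


def parse_prefs(text):
    """Map pref name -> value (str, int or bool) from user_pref(...) lines."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def is_local_host(host, allowlist=()):
    """True for localhost, loopback addresses, or an explicitly allowed host."""
    if host in allowlist or host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname we do not know; treat as remote


def proxy_findings(prefs, allowlist=()):
    """Return (severity, pref, host, port) for every remote proxy host.

    ACTIVE: a network.proxy.<proto> host while type == 1, so traffic really
            goes through it.  STORED: a backup.* copy, or any host when the
            proxy type is not manual; harmless now, but it is restored if
            the user or malware flips the type or sharing back on.
    """
    findings = []
    manual = prefs.get("network.proxy.type") == MANUAL_PROXY
    for prefix in ("network.proxy.", "network.proxy.backup."):
        for proto in PROXY_PROTOCOLS:
            host = prefs.get(prefix + proto)
            if not isinstance(host, str) or not host or is_local_host(host, allowlist):
                continue
            port = prefs.get(prefix + proto + "_port")
            active = manual and prefix == "network.proxy."
            findings.append(("ACTIVE" if active else "STORED", prefix + proto, host, port))
    return findings


if __name__ == "__main__":
    for sev, pref, host, port in proxy_findings(parse_prefs(HIJACKED_PREFS)):
        print(f"{sev:6} {pref} -> {host}:{port}")
    print("clean sample:", proxy_findings(parse_prefs(CLEAN_PREFS)))
```

To check a real profile, read prefs.js from the profile folder (the OTL log names it) with Firefox closed, since Firefox rewrites the file on exit. Every protocol, SOCKS included, aimed at the same host on port 80 is not a configuration a person makes by hand, so treat it as an indicator even when the proxy type is not manual.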

#3
knichols05

    Member

  • Topic Starter
  • 36 posts
Thank you so much for your help, I really needed this.
I've done everything you said to, so I'll post the results.
The OTL log:

OTL logfile created on: 5/17/2010 12:56:07 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 222.00 Mb Available Physical Memory | 50.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.93 Gb Total Space | 119.02 Gb Free Space | 79.92% Space Free | Partition Type: NTFS
Drive D: | 4.44 Gb Total Space | 1.92 Gb Free Space | 43.30% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOROOM
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/17 00:54:00 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 07:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2004/08/04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/05/17 00:54:00 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2004/08/04 14:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 14:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/01/15 19:19:27 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2009/11/04 17:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 16:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 07:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 12:50:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/07/08 21:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2005/07/12 21:10:18 | 000,963,072 | ---- | M] (McAfee Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe -- (MskService)


========== Driver Services (SafeList) ==========

DRV - [2010/02/13 15:30:36 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/12/25 19:26:30 | 006,039,584 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/11/18 08:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 08:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/11/04 17:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 17:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 13:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2006/01/18 06:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/01/15 02:48:08 | 001,477,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/10/12 15:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2005/09/23 00:26:40 | 001,094,751 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/01/07 20:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 14:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 14:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 14:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 14:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 14:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 14:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 14:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 14:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 14:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 14:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 14:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 14:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 14:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 14:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 14:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/04 00:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 18:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 18:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 07:10:58 | 000,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..network.proxy.backup.ftp: "41.234.203.183"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "41.234.203.183"
FF - prefs.js..network.proxy.backup.gopher_port: 80
FF - prefs.js..network.proxy.backup.socks: "41.234.203.183"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "41.234.203.183"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "41.234.203.183"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "41.234.203.183"
FF - prefs.js..network.proxy.gopher_port: 80
FF - prefs.js..network.proxy.http: "41.234.203.183"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "41.234.203.183"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "41.234.203.183"
FF - prefs.js..network.proxy.ssl_port: 80

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/08 17:44:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 11:57:29 | 000,000,000 | ---D | M]

[2010/01/16 21:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/05/16 04:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\extensions
[2010/01/30 17:37:46 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/16 21:16:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/14 00:03:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Anti-Phishing Filter) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\Program Files\McAfee\SpamKiller\McApfBHO.dll (McAfee, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKAGENTEXE] c:\Program Files\McAfee\SpamKiller\MSKAgent.exe (McAfee Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Power2GoExpress] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\Program Files\McAfee\SpamKiller\McApfBHO.dll (McAfee, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 19:38:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2010/01/15 18:59:58 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
Unable to start service SrService!

========== Files/Folders - Created Within 90 Days ==========

[2010/05/17 00:53:59 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/16 23:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/16 23:03:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Help
[2010/05/16 23:03:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Help
[2010/05/16 05:43:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/14 19:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2010/05/14 19:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/05/14 00:10:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/13 23:10:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/13 23:07:47 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/13 23:07:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/13 23:07:40 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/13 23:07:40 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/13 23:06:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/13 23:04:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/13 16:11:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/13 16:11:18 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/13 15:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/13 15:31:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/05/13 15:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/05/13 15:23:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/05/12 19:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/11 22:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\nkiwgvihw
[2010/05/11 22:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\qsmwqxdqd
[2010/05/11 19:12:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/11 19:11:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/11 18:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\rhrwcdwpx
[2010/05/05 21:18:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\New Folder
[2010/05/05 18:35:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\bfwujhoqr
[2010/03/25 19:30:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\chem
[2010/03/11 22:43:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2010/03/11 22:42:53 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/03/11 21:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\STDUViewer
[2010/03/11 21:58:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\STDUtility
[2010/03/11 21:58:55 | 000,000,000 | ---D | C] -- C:\Program Files\STDU Viewer
[2010/03/11 13:19:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\znes
[2010/03/07 20:42:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Identities
[2010/03/01 21:29:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
[2010/02/17 17:07:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Scans
[2010/02/16 16:56:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/17 00:54:50 | 000,293,376 | ---- | M] () -- C:\b5ke6xil.exe
[2010/05/17 00:54:00 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/16 23:40:32 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2010/05/16 22:58:52 | 000,016,387 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/05/16 22:58:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/16 22:57:28 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/05/16 22:57:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/05/16 22:57:19 | 004,240,656 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/05/16 22:00:01 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\dqycwnhb.job
[2010/05/16 20:50:11 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\brinnneeerrrr.doc
[2010/05/15 17:46:40 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/15 17:35:35 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/15 17:29:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/15 01:20:41 | 000,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/05/14 00:03:51 | 000,000,282 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/14 00:03:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/13 23:10:34 | 000,000,270 | RHS- | M] () -- C:\boot.ini
[2010/05/13 17:47:24 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\resume.3.doc
[2010/05/13 16:13:37 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/13 15:49:03 | 000,001,984 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/05/12 03:03:48 | 000,000,176 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/11 17:07:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/09 20:13:04 | 005,420,032 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\A BRINNER WITH HISTORY.ppt
[2010/05/05 16:21:59 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/05/04 16:05:50 | 000,000,674 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/01 12:40:41 | 000,121,465 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\indianapolis.jpg
[2010/05/01 01:00:13 | 000,000,318 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/04/30 06:30:25 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 15:00:51 | 000,045,056 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\The Jen Zarate and Kevin Nichols Story.doc
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/24 22:50:04 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$e Jen Zarate and Kevin Nichols Story.doc
[2010/04/23 18:08:10 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$ifer 5.doc
[2010/04/23 15:07:57 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\nifer 5.doc
[2010/04/18 17:45:20 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/14 07:02:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/11 18:39:12 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\nifer.doc
[2010/04/10 22:14:38 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$nifer.doc
[2010/04/10 00:30:19 | 000,024,850 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\n626410056_6457816_4957072.jpg
[2010/04/06 21:12:44 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Mother to Son Related Song Parallels.doc
[2010/04/06 16:08:22 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$ther to Son Related Song Parallels.doc
[2010/04/05 22:38:43 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gov president thing.doc
[2010/04/04 17:12:44 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Mother T o Son Explication.doc
[2010/04/04 17:12:44 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$ther T o Son Explication.doc
[2010/04/04 16:42:56 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Word Document (3).doc
[2010/03/29 19:55:47 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Attractive forces_types WS_ALL (Completed).xls
[2010/03/29 17:45:04 | 000,389,632 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\THIS MAN.doc
[2010/03/22 00:31:06 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/22 00:31:06 | 000,441,454 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/22 00:31:06 | 000,071,264 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/21 14:16:22 | 000,251,392 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\DOG FOUND.doc
[2010/03/18 23:54:59 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\inhalants paper.doc
[2010/03/17 21:11:51 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\inhalants poster.doc
[2010/03/16 23:47:37 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Inhalants work book.doc
[2010/03/16 17:38:30 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Inhalants Outline.doc
[2010/03/11 21:59:04 | 000,000,002 | ---- | M] () -- C:\WINDOWS\System32\C
[2010/03/09 20:55:25 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\anthem essay.doc
[2010/03/08 21:37:39 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\nazis and [bleep].doc
[2010/03/06 19:41:24 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Word Document (2).doc
[2010/03/04 16:43:08 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2010/03/01 21:30:06 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/01 21:27:17 | 106,414,110 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\236-1-Showtime12-11-09.wmv
[2010/02/25 20:52:51 | 000,432,963 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Richard O'Brien - Science Fiction Double Feature.pdf
[2010/02/20 01:51:08 | 001,481,382 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ronny y giorgia.bmp
[2010/02/18 07:31:17 | 015,195,136 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\family.doc
[2010/02/17 21:43:33 | 000,832,291 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\4114746_794.jpg
[2010/02/16 23:01:33 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\countries [bleep].doc
[2 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\lemipuro
[2010/05/17 00:54:49 | 000,293,376 | ---- | C] () -- C:\b5ke6xil.exe
[2010/05/16 23:40:29 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2010/05/13 23:10:33 | 000,000,201 | ---- | C] () -- C:\Boot.bak
[2010/05/13 23:10:29 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/13 23:07:48 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/13 23:07:44 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/13 23:07:40 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/13 23:07:40 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/13 23:07:40 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/13 17:47:24 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\resume.3.doc
[2010/05/13 16:13:42 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/13 16:11:20 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/13 15:49:03 | 000,001,984 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/05/12 22:09:58 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\brinnneeerrrr.doc
[2010/05/12 03:03:48 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/09 20:13:03 | 005,420,032 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\A BRINNER WITH HISTORY.ppt
[2010/05/05 16:21:57 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/05/01 12:40:38 | 000,121,465 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\indianapolis.jpg
[2010/04/30 06:30:22 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/04/24 22:50:04 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$e Jen Zarate and Kevin Nichols Story.doc
[2010/04/24 22:50:03 | 000,045,056 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\The Jen Zarate and Kevin Nichols Story.doc
[2010/04/23 18:08:10 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$ifer 5.doc
[2010/04/19 21:56:57 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\nifer 5.doc
[2010/04/10 22:14:38 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$nifer.doc
[2010/04/10 15:07:43 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\nifer.doc
[2010/04/10 00:30:16 | 000,024,850 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\n626410056_6457816_4957072.jpg
[2010/04/06 16:08:22 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$ther to Son Related Song Parallels.doc
[2010/04/05 22:29:43 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gov president thing.doc
[2010/04/05 17:36:58 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Mother to Son Related Song Parallels.doc
[2010/04/04 17:12:44 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$ther T o Son Explication.doc
[2010/04/04 17:12:43 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Mother T o Son Explication.doc
[2010/04/04 16:42:56 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Word Document (3).doc
[2010/03/29 19:55:47 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Attractive forces_types WS_ALL (Completed).xls
[2010/03/29 17:45:03 | 000,389,632 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\THIS MAN.doc
[2010/03/21 14:16:20 | 000,251,392 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\DOG FOUND.doc
[2010/03/18 23:18:45 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\inhalants paper.doc
[2010/03/17 21:11:50 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\inhalants poster.doc
[2010/03/16 23:47:36 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Inhalants work book.doc
[2010/03/16 17:38:26 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Inhalants Outline.doc
[2010/03/11 21:59:04 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\C
[2010/03/08 21:37:38 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\nazis and [bleep].doc
[2010/03/06 19:41:24 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Word Document (2).doc
[2010/03/06 16:49:28 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\anthem essay.doc
[2010/03/01 21:27:05 | 106,414,110 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\236-1-Showtime12-11-09.wmv
[2010/02/25 20:52:46 | 000,432,963 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Richard O'Brien - Science Fiction Double Feature.pdf
[2010/02/20 01:51:07 | 001,481,382 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ronny y giorgia.bmp
[2010/02/17 21:43:29 | 000,832,291 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\4114746_794.jpg
[2010/02/16 23:01:33 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\countries [bleep].doc
[2010/02/13 22:45:58 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010/01/19 21:58:04 | 000,819,200 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/01/19 21:58:04 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/01/19 16:56:59 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/01/15 20:09:25 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2010/01/15 19:23:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/15 18:46:55 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/07/31 00:59:36 | 000,000,338 | ---- | C] () -- C:\WINDOWS\scrub2k.ini
[2006/07/01 01:01:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/06 19:24:27 | 000,001,422 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/06 19:24:27 | 000,000,486 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/02/13 15:29:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2010/05/13 16:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/01/16 21:45:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2010/05/16 23:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/01/16 21:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010/01/16 22:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/02/13 23:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Atari
[2010/02/13 22:33:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Lite
[2010/02/13 22:40:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2010/01/15 19:39:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2010/01/19 16:37:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2010/01/16 22:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Trillian
[2010/05/16 19:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2010/05/16 22:00:01 | 000,000,294 | ---- | M] () -- C:\WINDOWS\Tasks\dqycwnhb.job
[2010/05/15 01:20:41 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2010/05/01 01:00:13 | 000,000,318 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%.exe >

< md5start >

< eventlog.dll >

< scecli.dll >

< netlogon.dll >

< cngaudit.dll >

< sceclt.dll >

< ntelogon.dll >

< logevent.dll >

< iaStor.sys >

< nvstor.sys >

< atapi.sys >

< IdeChnDr.sys >

< viasraid.sys >

< AGP440.sys >

< vaxscsi.sys >

< nvatabus.sys >

< viamraid.sys >

< nvata.sys >

< nvgts.sys >

< iastorv.sys >

< ViPrt.sys >

< eNetHook.dll >

< ahcix86.sys >

< KR10N.sys >

< nvstor32.sys >

< ahcix86s.sys >

< nvrd32.sys >

< symmpi.sys >

< adp3132.sys >

< ws2_32.dll >

< md5stop >

< %systemroot%. mp s >

< %systemroot%system32.dll lockedfiles >

< %systemroot%Tasks.job lockedfiles >

< %systemroot%system32drivers.sys lockedfiles >

< %systemroot%System32config.sav >
< End of report >
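The Files/Folders sections of the log above are where a helper's eye goes first: several nine-letter, vowel-poor directory names under Local Settings\Application Data (nkiwgvihw, qsmwqxdqd, rhrwcdwpx, bfwujhoqr), a scheduled task named the same way (dqycwnhb.job, the one ComboFix reported it failed to delete), and a hidden, extensionless file in System32 whose creation time reads 2099/01/01 (lemipuro), a date that no ordinary file operation on that machine would have produced. As an added example, not part of this thread and not OTL's own code, here is a Python script that parses OTL's file-listing lines and ranks them by those observations. The sample lines are copied from the log above and labelled as such in the code; the scoring weights, the "random name" test and the choice of which extensions it applies to are my own assumptions, not anything OTL does.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: lines copied from the OTL log posted in this thread, mixing
# entries a helper would wave through with the ones they would ask about.
SAMPLE_LOG = r"""
[2010/05/17 00:53:59 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/11 22:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\nkiwgvihw
[2010/05/05 18:35:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\bfwujhoqr
[2010/05/17 00:54:49 | 000,293,376 | ---- | C] () -- C:\b5ke6xil.exe
[2010/05/16 22:00:01 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\dqycwnhb.job
[2010/05/16 20:50:11 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\brinnneeerrrr.doc
[2010/05/15 17:35:35 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\lemipuro
[2010/03/11 21:59:04 | 000,000,002 | ---- | M] () -- C:\WINDOWS\System32\C
"""
SCAN_TIME = datetime(2010, 5, 17, 0, 56, 7)  # Extras log header: "created on: 5/17/2010 12:56:07 AM"

# OTL line shape: [date time | size | attrs | C/M] (company) -- path; directories have no (company).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| [CM]\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
INTERESTING_EXT = {"", "exe", "dll", "sys", "job", "tmp"}  # where a random name matters
SYSTEM32 = "c:\\windows\\system32\\"

@dataclass
class Entry:
    timestamp: datetime
    attrs: str    # R=read-only, H=hidden, S=system, D=directory, '-' = unset
    company: str  # empty when the file carries no version-info company name
    path: str

    @property
    def is_dir(self):
        return "D" in self.attrs

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    def stem_ext(self):
        stem, dot, ext = self.name.rpartition(".")
        return (stem, ext.lower()) if dot else (self.name, "")

def parse_log(text):
    """Parse every OTL file/folder line in text; lines in other formats are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                                 m["attrs"], m["company"] or "", m["path"]))
    return entries

def looks_random(stem):
    """My heuristic, not OTL's: all-lowercase alphanumeric, 7+ chars, and either vowel-poor
    (nkiwgvihw, dqycwnhb) or with digits wedged between letters (b5ke6xil). Vendor-prefixed
    driver names can trip it, so treat a hit as a question, not a verdict."""
    if len(stem) < 7 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.3 or re.search(r"[a-z]\d[a-z]", stem) is not None

def score_entry(e, scan_time):
    """Return (score, reasons); the weights are my own, higher = look at this first."""
    reasons = []
    stem, ext = e.stem_ext()
    in_system32 = e.path.lower().startswith(SYSTEM32)
    if e.timestamp > scan_time:
        reasons.append(("timestamp later than the scan itself", 3))
    if not e.company and (e.is_dir or ext in INTERESTING_EXT) and looks_random(stem):
        reasons.append(("random-looking name with no company name", 2))
    if not e.is_dir and in_system32 and not e.company and ("H" in e.attrs or "S" in e.attrs):
        reasons.append(("hidden/system file in System32 with no company name", 2))
    if not e.is_dir and in_system32 and ext == "":
        reasons.append(("extensionless file in System32", 1))
    return sum(pts for _, pts in reasons), reasons

def triage(text, scan_time):
    """[(score, entry, reasons)] sorted so the most suspicious entries come first."""
    ranked = []
    for e in parse_log(text):
        score, reasons = score_entry(e, scan_time)
        ranked.append((score, e, reasons))
    ranked.sort(key=lambda r: (-r[0], r[1].path))
    return ranked

def score_table(text, scan_time):
    """{file or directory name: score}, for quick lookups."""
    return {e.name: score for score, e, _ in triage(text, scan_time)}

if __name__ == "__main__":
    for score, e, reasons in triage(SAMPLE_LOG, SCAN_TIME):
        if score:
            print(f"{score:2d}  {e.path}  <- " + "; ".join(why for why, _ in reasons))
```

Run against the sample, lemipuro comes out on top with a score of 6, the random directories, the .job and b5ke6xil.exe score 2, and OTL.exe, the Malwarebytes driver and the poster's .doc files score 0. A hit is a question for the poster, not a verdict: vendor-prefixed driver names such as hpzids01.dll are vowel-poor too and would also score, and a freshly downloaded tool saved under a randomised filename looks exactly like b5ke6xil.exe. The future-timestamp rule is the one to trust most; a creation time later than the scan means either the clock was wrong when the file appeared or something set the timestamp deliberately, and both are worth asking about.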

#4
knichols05 (Member, Topic Starter, 36 posts)
OTL Extras Log:

I'm having trouble posting the full log, so I'll split it in half:

OTL Extras logfile created on: 5/17/2010 12:56:07 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 222.00 Mb Available Physical Memory | 50.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.93 Gb Total Space | 119.02 Gb Free Space | 79.92% Space Free | Partition Type: NTFS
Drive D: | 4.44 Gb Total Space | 1.92 Gb Free Space | 43.30% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOROOM
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Documents and Settings\Owner\Desktop\utorrent.exe" = C:\Documents and Settings\Owner\Desktop\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02C91E12-74A4-45E1-9D3F-C3DD7D6FECAE}" = 5700_Help
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0A55CDBB-0566-4AA2-A15B-24C7F27C6FF4}" = BPD_Scan
"{0E92A5AC-05AB-48c2-9227-9AD504EAF4EA}" = J5700
"{11655C91-EF58-4aab-BF09-E8F205324FBF}" = BPDSoftware
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D30BAC1-C250-4F10-9C78-C379D05A445E}" = BPDSoftware_Ini
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B929776E-7527-4F98-AE4D-BEBCF0BEA669}" = BPD_HPSU
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = BPDfax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2CA5A0D-5F2F-4d99-89F0-2D1358218A7A}" = ProductContext
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems PCI-SV92PP Soft Modem
"ATI Display Driver" = ATI Display Driver
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESET Online Scanner" = ESET Online Scanner v3
"Guitar Pro 5_is1" = Guitar Pro 5.0
"HitmanPro35" = Hitman Pro 3.5
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Officejet All-In-One Series" = HP Officejet All-In-One Series
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Uninstall Utility" = McAfee Uninstall Wizard
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2006b" = Microsoft Money 2006
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"MSC" = McAfee SecurityCenter
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"STDU Viewer_is1" = STDU Viewer version 1.5.382.0
"Trillian" = Trillian
"uTorrent" = µTorrent
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.2.2 final uninstall

Edited by knichols05, 17 May 2010 - 01:39 AM.


#5 knichols05 (Member, Topic Starter, 36 posts)
I don't know why, but whenever I try to post the second half of the extras log the site keeps screwing up. How can I fix this?

Edited by knichols05, 17 May 2010 - 02:39 AM.


#6 knichols05 (Member, Topic Starter, 36 posts)
Well, the extras weren't working right, but here's the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-17 02:17:16
Windows 5.1.2600 Service Pack 2
Running: b5ke6xil.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\ugtdqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\mraid35x.sys entry point in ".rsrc" section [0xF7856D94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007B000C
.text C:\WINDOWS\system32\svchost.exe[520] USER32.dll!GetCursorPos 77D4BD76 5 Bytes JMP 01C0000A
.text C:\WINDOWS\system32\svchost.exe[520] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 01BF000A
.text C:\WINDOWS\Explorer.EXE[712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A9000A
.text C:\WINDOWS\Explorer.EXE[712] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A7000C

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 84EE6EE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xED 0x84 0xE4 0xE4 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2A 0x5F 0x06 0x6E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDE 0xB4 0x3F 0x56 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x8C 0xA6 0x93 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x38 0xC7 0x2A 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2A 0x5F 0x06 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDE 0xB4 0x3F 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x8C 0xA6 0x93 0x35 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x38 0xC7 0x2A 0xD3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2A 0x5F 0x06 0x6E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDE 0xB4 0x3F 0x56 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x8C 0xA6 0x93 0x35 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\mraid35x.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by knichols05, 17 May 2010 - 01:52 AM.


#7 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi knichols05

Can you please try to attach the Extras log if you can't post it?

#8 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi knichols05,

Let's start with the fix. Please follow the steps in the order they are posted.

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2010/05/11 22:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\nkiwgvihw
    [2010/05/11 22:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\qsmwqxdqd
    [2010/05/11 18:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\rhrwcdwpx
    [2010/05/05 18:35:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\bfwujhoqr
    [2010/05/16 22:00:01 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\dqycwnhb.job
    [2010/03/04 16:43:08 | 000,000,232 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    [2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\lemipuro
    
    
    :Files
    c:\windows\system32\user32.dll|c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\user32.dll /replace
    c:\windows\system32\ws2_32.dll|c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ws2_32.dll /replace
    
    :Commands
    [purity]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

Step 2

First you need to delete your version of ComboFix. Download a new copy of ComboFix from here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Step 3

Rerun OTL. Paste this in the custom scan box:

/md5start
mraid35x.sys
/md5stop

Click Run Scan button and post that log.

Step 4

Run GMER Rootkit Scanner.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
    [screenshot]
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      [screenshot]
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

Step 5

Please make sure you include the following items:
  • OTL log from Step 1
  • Combofix log
  • OTL log from Step 3
  • GMER log
It would be helpful if you could post each log in a separate post.
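As an added example (not code from this thread, nor from GMER, ComboFix or OTL), the following Python script applies the two checks that Steps 3 and 4 rely on to the log lines posted in this thread: it flags GMER inline hooks whose JMP target cannot lie inside the hooked module, and ComboFix Sigcheck entries where the system32 copy of a DLL hashes differently from a same-size, same-version copy elsewhere on disk. The 4 MiB distance threshold is an assumption of the example, not a published rule.

```python
"""Sift GMER "User code sections" and ComboFix "Sigcheck" lines for two signs of a
patching rootkit: inline JMPs that leave the hooked module, and a system32 file
whose MD5 differs from a same-size, same-version copy elsewhere on disk."""
import re
from collections import defaultdict, namedtuple

# Constructed sample: three of the hook lines the GMER log in this thread reported.
GMER_SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\svchost.exe[520] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007B000C
.text C:\WINDOWS\Explorer.EXE[712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A9000A
"""

# Constructed sample: the Sigcheck entries from the ComboFix log in this thread.
SIGCHECK_SAMPLE = r"""
[7] 2005-03-03 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-03 . 86EAE2E27368E0199B948A32124FC4CD . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll
[-] 2004-08-04 . 2D34087CD4A677F0B288086C5B94D94C . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<func>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$")
SIG_RE = re.compile(
    r"^\[[^\]]*\]\s+\d{4}-\d{2}-\d{2}\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$")

# Assumption (a heuristic, not a published rule): no XP system DLL image spans
# 4 MiB, so a JMP whose target is further than that from the patched export
# cannot stay inside the module; it lands in injected code.
MAX_IN_MODULE_SPAN = 4 * 1024 * 1024

Hook = namedtuple("Hook", "image pid module func addr target")
SigEntry = namedtuple("SigEntry", "md5 size version path")


def leaves_module(hook, span=MAX_IN_MODULE_SPAN):
    """True when the 5-byte JMP cannot land inside the hooked module."""
    return abs(hook.target - hook.addr) > span


def parse_gmer_hooks(text):
    """Parse '.text <image>[pid] module!export addr N Bytes JMP target' lines."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["func"],
                              int(m["addr"], 16), int(m["target"], 16)))
    return hooks


def suspicious_hooks(hooks):
    """Map (image, pid) -> hooked exports whose JMP leaves the module."""
    by_proc = defaultdict(list)
    for h in hooks:
        if leaves_module(h):
            by_proc[(h.image, h.pid)].append(f"{h.module}!{h.func}")
    return dict(by_proc)


def parse_sigcheck(text):
    """Parse ComboFix Sigcheck rows into (md5, size, version, path) tuples."""
    entries = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["md5"].upper(), int(m["size"]), m["ver"], m["path"]))
    return entries


def size_preserving_mismatches(entries):
    """Map basename -> (system32 MD5, reference MD5) where another copy of the same
    file with identical size and version hashes differently: an in-place patch."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)
    found = {}
    for name, group in by_name.items():
        live = [e for e in group if "\\system32\\" in e.path.lower()]
        refs = [e for e in group if "\\system32\\" not in e.path.lower()]
        for cur in live:
            for ref in refs:
                if (cur.size, cur.version) == (ref.size, ref.version) and cur.md5 != ref.md5:
                    found[name] = (cur.md5, ref.md5)
    return found


if __name__ == "__main__":
    for (image, pid), funcs in suspicious_hooks(parse_gmer_hooks(GMER_SAMPLE)).items():
        print(f"{image}[{pid}] hooks leaving module: {', '.join(funcs)}")
    for name, (live, ref) in size_preserving_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{name}: system32 copy {live} != reference {ref} at equal size/version")
```

A file that appears only once in the Sigcheck block (ws2_32.dll above) cannot be judged this way; that is why the fix in Step 1 replaces it from a separate known copy.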

#9 knichols05 (Member, Topic Starter, 36 posts)

Hi knichols05

Can you please try to attach the Extras log if you can't post it?


It still won't post, so here's the file.


#10 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
OK. Please continue with steps in my last post...


#11 knichols05 (Member, Topic Starter, 36 posts)
I'm about to start your instructions, but before I do, could you tell me the best way to get rid of ComboFix so I don't screw anything up?

#12 knichols05 (Member, Topic Starter, 36 posts)
Here's the first OTL log; let me know if it's the wrong thing:

All processes killed
========== OTL ==========
C:\Documents and Settings\Owner\Local Settings\Application Data\nkiwgvihw folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\qsmwqxdqd folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\rhrwcdwpx folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\bfwujhoqr folder moved successfully.
C:\WINDOWS\tasks\dqycwnhb.job moved successfully.
C:\Documents and Settings\Owner\Application Data\wklnhst.dat moved successfully.
C:\WINDOWS\system32\lemipuro moved successfully.
========== FILES ==========
Unable to replace file: c:\windows\system32\user32.dll with c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\user32.dll without a reboot.
Unable to replace file: c:\windows\system32\ws2_32.dll with c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ws2_32.dll without a reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.BOROOM
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 44995765 bytes
->Flash cache emptied: 23267 bytes

User: Owner
->Temp folder emptied: 3219135 bytes
->Temporary Internet Files folder emptied: 2705084 bytes
->Java cache emptied: 3275959 bytes
->FireFox cache emptied: 40110909 bytes
->Flash cache emptied: 101309 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7168 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 90.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05172010_192425

#13 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
You did a good job. Follow these steps to uninstall ComboFix and the tools used in the removal of malware:
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

    [screenshot]
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

After you uninstall it, please continue with the steps...

#14 knichols05 (Member, Topic Starter, 36 posts)
OK, I ran ComboFix, OTL and GMER.
However, while running ComboFix my computer restarted and McAfee antivirus turned on.
It didn't seem to do any damage, but during step three of the scanning process McAfee popped up saying it had blocked something like "test.exe" or something similar. The rest of the scan went smoothly until I restarted the computer. Then I got a message saying "One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful." When I logged on, some of the files on my desktop were switched around, but everything else seemed OK.
After that, I completed the remaining steps and saved the logs.

The combofix log:

ComboFix 10-05-16.02 - Owner 05/17/2010 21:50:39.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.52 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\feed.txt

Infected copy of c:\windows\system32\drivers\mraid35x.sys was found and disinfected
Restored copy from - Kitty had a snack :)
c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-18 00:24 . 2010-05-18 00:24 -------- d-----w- C:\_OTL
2010-05-17 05:54 . 2010-05-17 05:54 293376 ----a-w- C:\b5ke6xil.exe
2010-05-17 04:40 . 2010-05-17 04:40 -------- d-----w- c:\program files\ESET
2010-05-17 04:03 . 2010-05-17 04:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Help
2010-05-15 00:09 . 2010-05-15 00:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-05-13 21:45 . 2010-05-13 21:45 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_62766A54CB96B6647A4A21CFAB84387D.dll
2010-05-13 21:13 . 2010-05-17 19:46 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-13 20:49 . 2010-05-13 20:49 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 20:49 . 2010-05-13 20:49 -------- d-----w- c:\program files\Trend Micro
2010-05-13 20:31 . 2010-05-13 20:31 6926 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C.dll
2010-05-13 00:07 . 2010-05-13 00:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-12 02:01 . 2010-05-12 02:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 04:35 . 2010-05-13 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-05-17 04:03 . 2010-05-13 20:31 -------- d-----w- c:\program files\Security Task Manager
2010-05-17 00:08 . 2010-01-17 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-05-15 22:29 . 2010-01-16 00:34 -------- d-----w- c:\program files\McAfee
2010-05-13 20:31 . 2010-05-13 20:31 42 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510002.dll
2010-05-13 04:22 . 2010-01-31 03:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2010-01-31 03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-01-31 03:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 20:47 . 2010-01-17 03:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-03-24 02:10 . 2010-01-17 03:19 -------- d-----w- c:\program files\Trillian
2010-03-10 08:02 . 2010-01-15 23:47 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05 . 2006-05-07 00:24 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 2010-01-15 23:42 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2006-05-07 00:24 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:57 . 2004-08-04 05:59 2063744 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

------- Sigcheck -------

[7] 2005-03-03 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-03 . 86EAE2E27368E0199B948A32124FC4CD . 577024 . . [5.1.2600.2622] . . c:\windows\system32\user32.dll

[-] 2004-08-04 . 2D34087CD4A677F0B288086C5B94D94C . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-13 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-26 18789408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-13 5937984]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/19/2010 5:20 PM 1691480]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/15/2010 6:59 PM 69692]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [5/13/2010 4:13 PM 15944]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/30/2010 10:26 PM 38224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/13/2010 3:30 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-16 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 22:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84EF8EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7764fc3
\Driver\ACPI -> ACPI.sys @ 0xf7557cb8
\Driver\atapi -> atapi.sys @ 0xf74037b4
\Driver\iaStor -> IASTOR.SYS @ 0xf7427b58
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577918
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577918
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf72ccbc3
PacketIndicateHandler -> NDIS.sys @ 0xf72d8b21
SendHandler -> NDIS.sys @ 0xf72ccd33
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-17 22:08:41
ComboFix-quarantined-files.txt 2010-05-18 03:08
ComboFix2.txt 2010-05-14 05:10

Pre-Run: 127,601,471,488 bytes free
Post-Run: 127,599,833,088 bytes free

- - End Of File - - F50C93EFA7E610E44B1A933D71340775

#15 knichols05 (Member, Topic Starter, 36 posts)
The OTL log from step 3:

OTL logfile created on: 5/17/2010 10:17:24 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 271.00 Mb Available Physical Memory | 61.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.93 Gb Total Space | 118.86 Gb Free Space | 79.81% Space Free | Partition Type: NTFS
Drive D: | 4.44 Gb Total Space | 1.92 Gb Free Space | 43.30% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOROOM
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/17 00:54:00 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 07:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2004/08/04 14:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/05/17 00:54:00 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2004/08/04 14:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 14:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/01/15 19:19:27 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2009/11/04 17:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 16:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 07:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 12:50:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/07/08 21:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2005/07/12 21:10:18 | 000,963,072 | ---- | M] (McAfee Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe -- (MskService)


========== Driver Services (SafeList) ==========

DRV - [2010/05/17 14:46:41 | 000,015,944 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/13 15:30:36 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/12/25 19:26:30 | 006,039,584 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/11/18 08:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 08:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/11/04 17:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 17:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 13:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2006/01/18 06:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/01/15 02:48:08 | 001,477,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/10/12 15:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2005/09/23 00:26:40 | 001,094,751 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/01/07 20:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 14:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 14:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 14:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 14:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 14:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 14:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 14:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 14:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 14:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 14:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 14:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 14:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 14:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 14:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 14:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/04 00:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 18:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 18:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 07:10:58 | 000,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..network.proxy.backup.ftp: "41.234.203.183"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.gopher: "41.234.203.183"
FF - prefs.js..network.proxy.backup.gopher_port: 80
FF - prefs.js..network.proxy.backup.socks: "41.234.203.183"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "41.234.203.183"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "41.234.203.183"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "41.234.203.183"
FF - prefs.js..network.proxy.gopher_port: 80
FF - prefs.js..network.proxy.http: "41.234.203.183"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "41.234.203.183"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "41.234.203.183"
FF - prefs.js..network.proxy.ssl_port: 80

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/08 17:44:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 11:57:29 | 000,000,000 | ---D | M]

[2010/01/16 21:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/05/16 04:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\extensions
[2010/01/30 17:37:46 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0job8ssk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/16 21:16:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/14 00:03:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Anti-Phishing Filter) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\Program Files\McAfee\SpamKiller\McApfBHO.dll (McAfee, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKAGENTEXE] C:\Program Files\McAfee\SpamKiller\MSKAgent.exe (McAfee Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Power2GoExpress] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\Program Files\McAfee\SpamKiller\McApfBHO.dll (McAfee, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 19:38:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/17 21:45:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/17 21:45:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/17 21:45:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/17 21:45:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/17 21:45:18 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/17 19:24:25 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/17 00:53:59 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/16 23:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/16 23:03:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Help
[2010/05/16 23:03:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Help
[2010/05/14 19:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2010/05/14 19:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/05/14 00:10:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/13 23:10:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/13 23:06:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/13 16:11:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/13 16:11:18 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/13 15:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/13 15:31:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/05/13 15:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/05/13 15:23:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/05/12 19:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/11 19:12:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/11 19:11:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 21:18:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\New Folder
[2 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/17 22:11:07 | 000,016,387 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/05/17 22:10:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/17 22:08:45 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/17 22:03:47 | 000,000,282 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/17 21:47:51 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/05/17 21:47:51 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/05/17 21:43:46 | 003,690,041 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/05/17 14:46:41 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/17 01:05:12 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/05/17 00:54:50 | 000,293,376 | ---- | M] () -- C:\b5ke6xil.exe
[2010/05/17 00:54:00 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/05/16 23:40:32 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2010/05/16 20:50:11 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\brinnneeerrrr.doc
[2010/05/15 17:46:40 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/15 01:20:41 | 000,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/05/14 00:03:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/13 23:10:34 | 000,000,270 | RHS- | M] () -- C:\boot.ini
[2010/05/13 17:47:24 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\resume.3.doc
[2010/05/13 16:13:37 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/13 15:49:03 | 000,001,984 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/05/12 03:03:48 | 000,000,176 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/11 17:07:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/09 20:13:04 | 005,420,032 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\A BRINNER WITH HISTORY.ppt
[2010/05/05 16:21:59 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/05/04 16:05:50 | 000,000,674 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/01 12:40:41 | 000,121,465 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\indianapolis.jpg
[2010/05/01 01:00:13 | 000,000,318 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/04/30 06:30:25 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 15:00:51 | 000,045,056 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\The Jen Zarate and Kevin Nichols Story.doc
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/24 22:50:04 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$e Jen Zarate and Kevin Nichols Story.doc
[2010/04/23 18:08:10 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\~$ifer 5.doc
[2010/04/23 15:07:57 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\nifer 5.doc
[2010/04/18 17:45:20 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/17 21:45:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/17 21:45:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/17 21:45:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/17 21:45:39 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/17 21:45:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/17 21:43:46 | 003,690,041 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/05/17 00:54:49 | 000,293,376 | ---- | C] () -- C:\b5ke6xil.exe
[2010/05/16 23:40:29 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
[2010/05/13 23:10:33 | 000,000,201 | ---- | C] () -- C:\Boot.bak
[2010/05/13 23:10:29 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/13 17:47:24 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\resume.3.doc
[2010/05/13 16:13:42 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/13 16:11:20 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/13 15:49:03 | 000,001,984 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/05/12 22:09:58 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\brinnneeerrrr.doc
[2010/05/12 03:03:48 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/09 20:13:03 | 005,420,032 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\A BRINNER WITH HISTORY.ppt
[2010/05/05 16:21:57 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/05/01 12:40:38 | 000,121,465 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\indianapolis.jpg
[2010/04/30 06:30:22 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kevin NicholsDolphin Boy Part 2 Script.doc
[2010/04/24 22:50:04 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$e Jen Zarate and Kevin Nichols Story.doc
[2010/04/24 22:50:03 | 000,045,056 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\The Jen Zarate and Kevin Nichols Story.doc
[2010/04/23 18:08:10 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\~$ifer 5.doc
[2010/04/19 21:56:57 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\nifer 5.doc
[2010/02/13 22:45:58 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010/01/19 21:58:04 | 000,819,200 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/01/19 21:58:04 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/01/19 16:56:59 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/01/15 20:09:25 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2010/01/15 19:23:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/15 18:46:55 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/07/31 00:59:36 | 000,000,338 | ---- | C] () -- C:\WINDOWS\scrub2k.ini
[2006/07/01 01:01:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/06 19:24:27 | 000,001,422 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/06 19:24:27 | 000,000,486 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========



< MD5 for: MRAID35X.SYS >
[2004/08/04 14:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) MD5=3F4BB95E5A44F3BE34824E8E7CAF0737 -- C:\WINDOWS\system32\drivers\mraid35x.sys
< End of report >
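The Firefox section of the log above is the part that explains the "search engine redirect": every network.proxy.* key (http, ssl, ftp, socks, gopher, and their backup.* copies) points at 41.234.203.183 on port 80, while IE's ProxyEnable is 0, so only Firefox traffic was being routed through the injected proxy. The following is an added example, not code from the thread, from OTL or from any of the tools named in the log: a small parser that reads OTL's "FF - prefs.js..network.proxy.*" lines and flags a proxy host that is a literal public IP address. The sample lines are copied from the log above; the function names (parse_proxy_settings, find_proxy_hijack, ie_proxy_enabled) and the choice to treat any globally routable literal IP as suspicious are this example's own assumptions.

```python
"""Flag a browser proxy hijack from the Firefox prefs.js lines of an OTL log.

Added example; not part of the OTL tool or of the forum thread.
"""
import ipaddress
import re

# Sample input constructed from lines of the OTL log above (verbatim), so the
# script runs offline. A real run would read the saved OTL.txt instead.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..network.proxy.backup.ssl: "41.234.203.183"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.http: "41.234.203.183"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "41.234.203.183"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "41.234.203.183"
FF - prefs.js..network.proxy.ssl_port: 80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
"""

# Matches "FF - prefs.js..network.proxy.<[backup.]proto>[_port]: <value>".
# share_proxy_settings and other keys do not match the proto alternation.
PROXY_LINE = re.compile(
    r'^FF - prefs\.js\.\.network\.proxy\.(?P<backup>backup\.)?'
    r'(?P<proto>http|ssl|ftp|socks|gopher)(?P<port>_port)?: (?P<val>.+)$'
)
IE_PROXY_LINE = re.compile(r'Internet Settings: "ProxyEnable" = (?P<v>\d+)')


def parse_proxy_settings(log_text):
    """Return {'http': {'host': ..., 'port': ...}, 'backup.ssl': {...}, ...}."""
    settings = {}
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        name = (m.group('backup') or '') + m.group('proto')
        entry = settings.setdefault(name, {'host': None, 'port': None})
        value = m.group('val').strip()
        if m.group('port'):
            entry['port'] = int(value)
        else:
            entry['host'] = value.strip('"')  # OTL prints string prefs quoted
    return settings


def is_external_ip(host):
    """True when host is a literal IP outside private, loopback and link-local space.

    Hostnames are not judged here (that would need a resolver); a legitimate
    corporate proxy is normally a hostname or a private-range address.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_global


def find_proxy_hijack(log_text):
    """Return one finding per external proxy host; an empty list means none seen."""
    by_host = {}
    for name, entry in parse_proxy_settings(log_text).items():
        if entry['host'] and is_external_ip(entry['host']):
            by_host.setdefault(entry['host'], []).append(name)
    return [
        f"Firefox proxy for {', '.join(sorted(protos))} points at external IP {host}"
        for host, protos in sorted(by_host.items())
    ]


def ie_proxy_enabled(log_text):
    """True when the IE ProxyEnable line in the log is non-zero."""
    m = IE_PROXY_LINE.search(log_text)
    return bool(m and int(m.group('v')))


if __name__ == '__main__':
    for finding in find_proxy_hijack(SAMPLE_LOG):
        print(finding)
    print('IE proxy enabled:', ie_proxy_enabled(SAMPLE_LOG))
```

Run it against the saved OTL.txt instead of SAMPLE_LOG to check a fresh scan after cleanup: the expected state is no findings and, as in the log above, ProxyEnable = 0. The check deliberately ignores hostnames, so a proxy set to a DNS name still needs to be reviewed by hand.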