Win32.TDSS.rtk [Solved]


  • This topic is locked

#1
fireflypdp

  • Member
  • 23 posts
Hi all, I'm having some trouble getting rid of this nasty Win32.TDSS.rtk trojan. I got it over the weekend and I can't seem to get rid of it. Spybot S&D will remove it, only to have it come back the next time I use my web browser. Malwarebytes doesn't detect it. Any help would be appreciated! :)

Malwarebytes' Anti-Malware 1.36
Database version: 2067
Windows 5.1.2600 Service Pack 3

5/4/2009 9:25:26 AM
mbam-log-2009-05-04 (09-25-26).txt

Scan type: Quick Scan
Objects scanned: 86457
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here's my Rooter log:

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:76308 Mo/Free:1166 Mo)
D:\ [CD-Rom] (Total:620 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Fixed] - NTFS - (Total:305242 Mo/Free:2250 Mo)
H:\ [CD-Rom] (Total:604 Mo/Free:0 Mo)

Mon 05/04/2009| 8:28

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Windows Defender\MsMpEng.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashServ.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\msdtc.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
---------- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
---------- C:\WINDOWS\system32\cisvc.exe
---------- C:\WINDOWS\system32\CTsvcCDA.exe
---------- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
---------- C:\WINDOWS\system32\inetsrv\inetinfo.exe
---------- C:\WINDOWS\system32\lxdccoms.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\system32\tcpsvcs.exe
---------- C:\WINDOWS\System32\snmp.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\MsPMSPSv.exe
---------- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
---------- C:\WINDOWS\system32\cidaemon.exe
---------- C:\WINDOWS\system32\mqsvc.exe
---------- C:\WINDOWS\system32\RunDll32.exe
---------- C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
---------- C:\WINDOWS\system32\cidaemon.exe
---------- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
---------- C:\Program Files\Windows Defender\MSASCui.exe
---------- C:\WINDOWS\system32\mqtgsvc.exe
---------- C:\Program Files\QuickTime\qttask.exe
---------- F:\iTunes\iTunesHelper.exe
---------- C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
---------- C:\WINDOWS\system32\CTHELPER.EXE
---------- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
---------- C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe
---------- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
---------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
---------- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
---------- C:\Program Files\Messenger\msmsgs.exe
---------- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
---------- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Mon 05/04/2009| 3:23
2 - "C:\Rooter$\Rooter_2.txt" - Mon 05/04/2009| 3:27
3 - "C:\Rooter$\Rooter_3.txt" - Mon 05/04/2009| 8:28


Here are the two OTLI logs I got:

OTListIt logfile created on: 5/4/2009 9:11:31 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.3 Folder = C:\Documents and Settings\Peter\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 56.16% Memory free
3.85 Gb Paging File | 2.94 Gb Available in Paging File | 76.26% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 21.12 Gb Free Space | 28.34% Space Free | Partition Type: NTFS
Drive D: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 298.09 Gb Total Space | 178.20 Gb Free Space | 59.78% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 605.84 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: PETER-FIREFLY
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\TortoiseSVN\bin\TSVNCache.exe (http://tortoisesvn.net)
PRC - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\CTsvcCDA.exe (Creative Technology Ltd)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\lxdccoms.exe ( )
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\snmp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\system32\cidaemon.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\cidaemon.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
PRC - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
PRC - F:\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
PRC - C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe (D-Link)
PRC - C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (Safer Networking Limited)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Peter\Desktop\RootkitRevealer\RootkitRevealer.exe (Sysinternals - www.sysinternals.com)
PRC - C:\Documents and Settings\Peter\Local Settings\Temp\A.exe (Sysinternals - www.sysinternals.com)
PRC - C:\Documents and Settings\Peter\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (6to4 [Auto | Running]) -- C:\WINDOWS\System32\6to4svc.dll (Microsoft Corporation)
SRV - (Adobe LM Service [Disabled | Stopped]) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe ()
SRV - (ANIWZCSdService [Auto | Stopped]) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (Automatic LiveUpdate Scheduler [Auto | Running]) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Creative Service for CDROM Access [Auto | Running]) -- C:\WINDOWS\system32\CTsvcCDA.exe (Creative Technology Ltd)
SRV - (CVPND [Auto | Running]) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (DXDebug [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe (Microsoft Corporation)
SRV - (GoogleDesktopManager-061008-081103 [On_Demand | Stopped]) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- File not found
SRV - (IISADMIN [Auto | Running]) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Iprip [Auto | Running]) -- C:\WINDOWS\System32\iprip.dll (Microsoft Corporation)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (LPDSVC [On_Demand | Stopped]) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
SRV - (lxdc_device [Auto | Running]) -- C:\WINDOWS\system32\lxdccoms.exe ( )
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (MSMQ [Auto | Running]) -- C:\WINDOWS\system32\mqsvc.exe (Microsoft Corporation)
SRV - (MSMQTriggers [Auto | Running]) -- C:\WINDOWS\system32\mqtgsvc.exe (Microsoft Corporation)
SRV - (MSSQL$SQLEXPRESS [Disabled | Stopped]) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper [Disabled | Stopped]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ose [Disabled | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (p2pgasvc [On_Demand | Stopped]) -- C:\WINDOWS\system32\p2pgasvc.dll (Microsoft Corporation)
SRV - (PnkBstrA [Disabled | Stopped]) -- C:\WINDOWS\system32\PnkBstrA.exe ()
SRV - (PnkBstrB [Disabled | Stopped]) -- C:\WINDOWS\system32\PnkBstrB.exe ()
SRV - (SimpTcp [Auto | Running]) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)
SRV - (SMTPSVC [Auto | Running]) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (SNDSrvc [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (SNMP [Auto | Running]) -- C:\WINDOWS\System32\snmp.exe (Microsoft Corporation)
SRV - (SQLBrowser [Disabled | Stopped]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (SQLWriter [Disabled | Stopped]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (W3SVC [Auto | Running]) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (WinDefend [Auto | Running]) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (WMDM PMSP Service [Auto | Running]) -- C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (YahooAUService [Auto | Running]) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (A [On_Demand | Running]) -- C:\Documents and Settings\Peter\Local Settings\Temp\A.exe (Sysinternals - www.sysinternals.com)

========== Driver Services (SafeList) ==========

DRV - (A3AB [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\A3AB.sys (D-Link Corporation)
DRV - (Aavmker4 [System | Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (ANIO [Auto | Running]) -- C:\WINDOWS\system32\ANIO.SYS (Alpha Networks Inc.)
DRV - (aswFsBlk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMon2 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (cmudax [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\cmudax.sys (C-Media Inc.)
DRV - (COMMONFX [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\COMMONFX.SYS (Creative Technology Ltd)
DRV - (COMMONFX.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\COMMONFX.DLL (Creative Technology Ltd)
DRV - (CT20XUT.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CT20XUT.DLL (Creative Technology Ltd.)
DRV - (ctac32k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (CTAUDFX [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\CTAUDFX.SYS (Creative Technology Ltd)
DRV - (CTAUDFX.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTAUDFX.DLL (Creative Technology Ltd)
DRV - (ctdvda2k [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (CTEAPSFX.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTEAPSFX.DLL (Creative Technology Ltd)
DRV - (CTEDSPFX.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTEDSPFX.DLL (Creative Technology Ltd)
DRV - (CTEDSPIO.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTEDSPIO.DLL (Creative Technology Ltd)
DRV - (CTEDSPSY.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTEDSPSY.DLL (Creative Technology Ltd)
DRV - (CTERFXFX [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\CTERFXFX.SYS (Creative Technology Ltd)
DRV - (CTERFXFX.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTERFXFX.DLL (Creative Technology Ltd)
DRV - (CTEXFIFX.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTEXFIFX.DLL (Creative Technology Ltd.)
DRV - (CTHWIUT.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTHWIUT.DLL (Creative Technology Ltd.)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (CTSBLFX [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\CTSBLFX.SYS (Creative Technology Ltd)
DRV - (CTSBLFX.DLL [On_Demand | Stopped]) -- C:\WINDOWS\system32\CTSBLFX.DLL (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (CVirtA [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CVirtA.sys (Cisco Systems, Inc.)
DRV - (CVPNDRVA [Auto | Running]) -- C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (d347bus [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\d347bus.sys ( )
DRV - (d347prt [Boot | Running]) -- C:\WINDOWS\System32\Drivers\d347prt.sys ( )
DRV - (DNE [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys (Deterministic Networks, Inc.)
DRV - (emupia [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (giveio [Boot | Running]) -- C:\WINDOWS\system32\giveio.sys ()
DRV - (GoProto [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\goprot51.sys (Gteko Ltd.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\hap16v2k.sys (Creative Technology Ltd)
DRV - (hap17v2k [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\hap17v2k.sys (Creative Technology Ltd)
DRV - (HdAudAddService [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\HdAudio.sys (Windows ® Server 2003 DDK provider)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (iteraid [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (LVUSBSta [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\lvusbsta.sys (Logitech Inc.)
DRV - (MQAC [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (MTsensor [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ASACPI.sys ()
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (PID_0928 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\LV561AV.SYS (Logitech Inc.)
DRV - (PQNTDrv [System | Running]) -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS ()
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RMCAST [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RMCast.sys (Microsoft Corporation)
DRV - (SASDIFSV [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Running]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SDDMI2 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DDMI2.sys (Gteko Ltd.)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (sfsync02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (speedfan [Boot | Running]) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMREDRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SYMTDI [System | Running]) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (Tcpip6 [System | Running]) -- C:\WINDOWS\system32\DRIVERS\tcpip6.sys (Microsoft Corporation)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (vmm [System | Running]) -- C:\WINDOWS\system32\Drivers\vmm.sys (Microsoft Corporation)
DRV - (VPCAppSv [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\VPCAppSv.sys (Connectix Corporation)
DRV - (VPCNetS2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys (Microsoft Corporation)
DRV - (vsdatant [On_Demand | Stopped]) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs LLC)
DRV - (yukonwxp [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\yk51x86.sys (Marvell)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - HKLM\software\mozilla\Mozilla Firefox 1.0.7\Extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2008/10/03 01:17:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 1.0.7\Extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2008/10/03 01:18:46 | 00,000,000 | ---D | M]

[2007/06/15 00:30:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\mozilla\Firefox\Profiles\jrk2fc1e.default\extensions
[2007/06/15 00:30:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\mozilla\Firefox\Profiles\jrk2fc1e.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/02 15:43:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2007/06/16 00:05:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/02 15:43:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{9C027F37-1888-4286-8361-8260C10C9AA6}
[2008/01/05 17:23:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/04/02 21:17:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2007/06/15 00:30:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\defaults\profile\extensions
[2007/06/15 00:30:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\defaults\profile\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2005/09/15 20:26:00 | 00,041,573 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2005/09/15 20:26:00 | 00,048,223 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2005/09/15 20:26:00 | 00,160,871 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2005/09/15 20:26:00 | 00,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png
[2005/09/15 20:26:00 | 00,000,735 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src
[2005/09/15 20:26:00 | 00,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png
[2005/09/15 20:26:00 | 00,000,976 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src
[2005/09/15 20:26:00 | 00,000,557 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\dictionary.png
[2005/09/15 20:26:00 | 00,000,692 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\dictionary.src
[2005/09/15 20:26:00 | 00,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif
[2005/09/15 20:26:00 | 00,001,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src
[2005/09/15 20:26:00 | 00,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif
[2009/05/03 21:16:21 | 00,000,750 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src
[2008/09/09 01:27:31 | 00,000,686 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.png
[2008/09/09 01:27:31 | 00,000,531 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.src
[2005/09/15 20:26:00 | 00,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif
[2005/09/15 20:26:00 | 00,001,098 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

O1 HOSTS File: (305826 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10530 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (UberButton Class) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [D-Link AirPlus XtremeG DWL-G520] C:\Program Files\D-Link\AirPlus XtremeG DWL-G520\AirPlusCFG.exe (D-Link)
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup (Google)
O4 - HKLM..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16 (Lexmark International, Inc.)
O4 - HKLM..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r (Creative Technology Ltd)
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm File not found
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm File not found
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O9 - Extra Button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe File not found
O9 - Extra 'Tools' menuitem : EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [PNRP Cloud Namespace Provider] - C:\WINDOWS\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [PNRP Name Namespace Provider] - C:\WINDOWS\system32\pnrpnsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 93 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.srtest.co...sreqlab_srl.cab (System Requirements Lab Class)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} http://inst.c-wss.co...ll/gtdownlr.cab (Automatic Driver Installation Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} http://www.freerealm...onInstaller.cab (SonyOnlineInstallerX)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1127503630281 (WUWebControl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemreq.../sysreqlab2.cab (Reg Error: Key error.)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://www.creative....101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1127503621609 (MUWebControl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://www.shockwave...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {84B93AC6-A7F2-4420-9FED-EE6735EA9C8D} http://www.bigad.com.../vivid_ocx.jpeg (VPlayer Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative....15106/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.aka...vex-2.2.2.1.cab (DownloadManager Control)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - AppInit_DLLs: (MsgPlusLoader) - C:\WINDOWS\System32\MsgPlusLoader.dll (Patchou)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\yagerumu.dll) - C:\WINDOWS\system32\yagerumu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\vinabino.dll) - c:\windows\system32\vinabino.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/10 14:17:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1998/12/13 02:43:32 | 00,000,040 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2003/02/04 15:14:13 | 00,000,183 | R--- | M] () - H:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{c8cb70a8-fb83-11db-aa3a-ae28752133a0}\Shell\AutoRun\command - "" = G:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[10 C:\WINDOWS\*.tmp files]
[2009/05/04 09:11:07 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTListIt2.exe
[2009/05/04 08:53:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Desktop\RootkitRevealer
[2009/05/04 08:53:45 | 00,231,390 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\RootkitRevealer.zip
[2009/05/04 06:12:08 | 00,000,007 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2009/05/04 04:20:02 | 04,958,588 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20021102}.BAK
[2009/05/04 04:18:39 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/05/04 04:18:39 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/05/04 04:18:39 | 00,001,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/05/04 04:18:38 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/05/04 04:18:36 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/05/04 04:18:35 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/05/04 04:18:35 | 00,094,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/05/04 04:18:35 | 00,093,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/05/04 04:18:35 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/05/04 04:18:19 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/05/04 04:18:19 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/05/04 04:18:17 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/05/04 04:15:59 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/05/04 04:11:40 | 32,793,088 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\setupeng.exe
[2009/05/04 03:49:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/05/04 03:49:10 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\NTREGOPT.lnk
[2009/05/04 03:49:10 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\ERUNT.lnk
[2009/05/04 03:49:09 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/04 03:48:31 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Peter\Desktop\erunt_setup.exe
[2009/05/04 03:47:45 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Peter\Desktop\SysRestorePoint.exe
[2009/05/04 03:26:54 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\Rooter.exe
[2009/05/04 03:22:56 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/04 02:54:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Local Settings\Apps
[2009/05/04 01:55:35 | 00,001,731 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\D-Link AirPlus XtremeG DWL-G520 Utility.lnk
[2009/05/04 01:55:19 | 00,000,006 | ---- | C] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{448E7590-AB46-411C-8970-E250B238A399}
[2009/05/04 01:55:08 | 01,327,189 | ---- | C] (Funk Software, Inc.) -- C:\WINDOWS\System32\odSupp_M.dll
[2009/05/04 01:55:08 | 00,667,648 | ---- | C] (Wireless Service) -- C:\WINDOWS\System32\ANIWZCS2.dll
[2009/05/04 01:55:08 | 00,249,856 | ---- | C] (Wireless Service) -- C:\WINDOWS\System32\wnicapi.dll
[2009/05/04 01:55:08 | 00,225,280 | ---- | C] (ANI ) -- C:\WINDOWS\System32\WlanApp.dll
[2009/05/04 01:55:08 | 00,204,800 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\aIPH.dll
[2009/05/04 01:55:08 | 00,049,152 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\AQCKGen.dll
[2009/05/04 01:55:08 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009/05/04 01:55:08 | 00,045,115 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANICtl.dll
[2009/05/04 01:54:51 | 00,048,128 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIO64.sys
[2009/05/04 01:54:51 | 00,036,864 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIOApi.dll
[2009/05/04 01:54:51 | 00,028,195 | ---- | C] (Alpha Networks Inc.) -- C:\WINDOWS\System32\ANIO.sys
[2009/05/04 01:54:51 | 00,016,997 | ---- | C] () -- C:\WINDOWS\System32\ANIO.VXD
[2009/05/04 01:54:51 | 00,011,904 | ---- | C] (ANI ) -- C:\WINDOWS\System32\anio4.sys
[2009/05/04 01:54:51 | 00,000,000 | ---D | C] -- C:\Program Files\ANI
[2009/05/04 01:54:41 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2009/05/04 01:54:10 | 00,000,000 | ---D | C] -- C:\Program Files\D-Link
[2009/05/04 01:53:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Desktop\dwlg520_revB_Drivers_450
[2009/05/04 01:53:23 | 15,338,940 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\dwlg520_revB_Drivers_450.zip
[2009/05/04 01:47:58 | 06,325,280 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\SUPERAntiSpyware.exe
[2009/05/04 01:18:06 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/05/04 00:27:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/05/04 00:26:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Application Data\Yahoo!
[2009/05/04 00:16:10 | 24,921,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/04 00:15:50 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/05/03 23:25:28 | 20,098,288 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Peter\Desktop\ie8-setup-full.exe
[2009/05/03 21:50:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/05/03 21:50:43 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/03 21:50:42 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/05/03 21:50:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Application Data\SUPERAntiSpyware.com
[2009/05/03 21:11:02 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/05/03 21:03:58 | 00,054,214 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_210356.reg
[2009/05/03 20:50:15 | 00,000,164 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_205013.reg
[2009/05/03 20:48:36 | 00,062,082 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_204832.reg
[2009/05/03 20:47:21 | 01,514,956 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_204713.reg
[2009/05/03 20:44:02 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/05/03 20:43:05 | 03,227,536 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Peter\Desktop\ccsetup219.exe
[2009/05/02 17:41:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Application Data\Malwarebytes
[2009/05/02 17:40:58 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/02 17:40:58 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/02 17:40:56 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/02 17:40:55 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/02 17:40:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/02 16:22:03 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\userinit.exe
[2009/05/02 15:58:27 | 00,104,960 | ---- | C] () -- C:\WINDOWS\System32\dllcache\userinit.exe
[2009/04/29 23:33:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Application Data\SystemRequirementsLab
[2009/04/24 00:26:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Desktop\megamek
[2009/04/24 00:26:00 | 11,134,134 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\MegaMek-v0.32.2.zip
[2009/04/21 01:49:56 | 00,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2009/04/19 17:43:41 | 00,001,582 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\LimeWire 4.14.10.lnk
[2009/04/15 22:24:51 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 22:24:51 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 22:24:50 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 22:24:49 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 22:24:49 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 22:24:48 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 22:24:48 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 22:24:47 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 22:24:47 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 22:23:27 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 22:23:26 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 22:23:26 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/11 05:28:46 | 00,000,268 | -H-- | C] () -- C:\sqmdata05.sqm
[2009/04/11 05:28:46 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt05.sqm
[2009/03/05 01:32:39 | 00,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2009/03/05 01:32:39 | 00,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/03/05 00:27:21 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/10/07 10:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/09/13 22:26:38 | 00,001,025 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/08/10 15:15:37 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/07/20 00:20:26 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/06/05 09:58:26 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2007/11/09 19:55:07 | 00,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/07/16 12:58:10 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/07/16 12:58:00 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/07/01 12:47:05 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdcvs.dll
[2007/07/01 12:47:04 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxdccoin.dll
[2007/07/01 12:46:01 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdcrwrd.ini
[2007/07/01 12:45:45 | 00,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcusb1.dll
[2007/07/01 12:45:45 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcinpa.dll
[2007/07/01 12:45:45 | 00,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdciesc.dll
[2007/07/01 12:45:45 | 00,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDChcp.dll
[2007/07/01 12:45:45 | 00,278,528 | ---- | C] () -- C:\WINDOWS\System32\LXDCinst.dll
[2007/07/01 12:45:44 | 01,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcserv.dll
[2007/07/01 12:45:44 | 00,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcpmui.dll
[2007/07/01 12:45:44 | 00,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdclmpm.dll
[2007/07/01 12:45:44 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcprox.dll
[2007/07/01 12:45:44 | 00,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdcpplc.dll
[2007/07/01 12:45:43 | 00,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdchbn3.dll
[2007/07/01 12:45:43 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdcgrd.dll
[2007/07/01 12:45:42 | 00,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdccomc.dll
[2007/07/01 12:45:42 | 00,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdccomm.dll
[2007/06/28 11:43:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/06/28 11:43:00 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/06/28 11:43:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/06/28 11:43:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/06/28 11:43:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/12 09:10:28 | 00,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
[2007/02/13 22:49:09 | 03,423,744 | ---- | C] () -- C:\WINDOWS\System32\libfilefmt-1.1.0.dll
[2007/02/13 22:49:09 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\libavi-dd-1.2.0.dll
[2007/01/20 22:09:30 | 00,000,106 | ---- | C] () -- C:\WINDOWS\glview.INI
[2006/10/15 01:00:36 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/10/15 01:00:36 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/10/15 01:00:36 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/08/14 19:25:10 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2006/08/11 15:57:18 | 00,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/06/17 04:15:22 | 00,006,812 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/05/23 13:40:34 | 00,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2006/04/12 04:18:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2006/04/06 15:23:22 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2006/02/13 00:21:33 | 00,000,044 | ---- | C] () -- C:\WINDOWS\liveup.ini
[2006/01/24 13:08:29 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/01/22 02:40:35 | 00,026,335 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/01/20 01:38:40 | 00,922,745 | ---- | C] () -- C:\WINDOWS\System32\alleg40.dll
[2005/11/14 22:38:57 | 00,000,252 | ---- | C] () -- C:\WINDOWS\scummvm.ini
[2005/09/24 14:01:37 | 00,000,070 | ---- | C] () -- C:\WINDOWS\dbinside.ini
[2005/09/23 14:35:45 | 00,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2005/09/23 14:34:55 | 00,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2005/09/23 14:34:55 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2005/09/23 14:34:27 | 00,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2005/09/23 14:34:26 | 00,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2005/09/23 14:34:24 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2005/09/19 14:27:09 | 00,000,162 | ---- | C] () -- C:\WINDOWS\W2W.ini
[2005/09/19 03:16:34 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/09/18 21:01:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\WIN.INI
[2005/09/18 21:01:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\SYSTEM.INI
[2005/09/12 17:51:47 | 00,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2005/09/12 17:51:47 | 00,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2005/09/12 16:16:34 | 00,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/11 19:37:52 | 00,000,484 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/09/11 14:37:13 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/09/10 15:21:15 | 00,000,032 | ---- | C] () -- C:\WINDOWS\CD-Start.INI
[2005/09/10 15:03:25 | 00,003,252 | ---- | C] () -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS
[2005/09/10 14:50:06 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2005/09/10 14:49:24 | 00,043,517 | ---- | C] () -- C:\WINDOWS\System32\e10kxwdm.ini
[2005/09/10 14:49:13 | 00,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
[2005/09/10 14:49:07 | 00,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2005/09/10 14:47:33 | 00,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2005/09/10 14:27:58 | 00,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2005/09/10 14:23:55 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2005/09/10 14:23:43 | 00,006,085 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2005/09/10 14:23:40 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2005/08/12 16:57:09 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/06/16 19:17:16 | 00,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL
[2004/08/22 19:04:56 | 00,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2003/01/07 17:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 07:00:00 | 00,000,906 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/27 15:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1996/04/03 14:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[10 C:\WINDOWS\*.tmp files]
[2 C:\Documents and Settings\Peter\My Documents\*.tmp files]
[2009/05/04 09:11:15 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTListIt2.exe
[2009/05/04 09:11:00 | 00,000,366 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2009/05/04 08:53:49 | 00,231,390 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\RootkitRevealer.zip
[2009/05/04 06:15:37 | 00,697,764 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/04 06:15:37 | 00,565,234 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/04 06:15:37 | 00,116,566 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/04 06:13:56 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/05/04 06:12:41 | 00,013,668 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/04 06:12:36 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/05/04 06:12:30 | 04,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20021102}.CDF
[2009/05/04 06:12:29 | 00,000,006 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{448E7590-AB46-411C-8970-E250B238A399}
[2009/05/04 06:12:08 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2009/05/04 06:11:59 | 00,204,626 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/05/04 06:10:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/04 06:10:34 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\desktop.ini
[2009/05/04 06:10:21 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/04 04:20:46 | 00,030,888 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-0000000A-00001102-00000004-20021102}.rfx
[2009/05/04 04:20:46 | 00,030,888 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-0000000A-00001102-00000004-20021102}.rfx
[2009/05/04 04:20:46 | 00,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-0000000A-00001102-00000004-20021102}.rfx
[2009/05/04 04:20:46 | 00,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-0000000A-00001102-00000004-20021102}.rfx
[2009/05/04 04:20:46 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-0000000A-00001102-00000004-20021102}.rfx
[2009/05/04 04:20:46 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/05/04 04:20:46 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/05/04 04:20:02 | 04,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20021102}.BAK
[2009/05/04 04:18:39 | 00,001,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/05/04 04:18:35 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/05/04 04:14:14 | 32,793,088 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\setupeng.exe
[2009/05/04 03:49:10 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\NTREGOPT.lnk
[2009/05/04 03:49:10 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\ERUNT.lnk
[2009/05/04 03:48:47 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Peter\Desktop\erunt_setup.exe
[2009/05/04 03:47:49 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Peter\Desktop\SysRestorePoint.exe
[2009/05/04 03:27:00 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\Rooter.exe
[2009/05/04 02:48:35 | 00,001,025 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2009/05/04 01:55:35 | 00,001,731 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\D-Link AirPlus XtremeG DWL-G520 Utility.lnk
[2009/05/04 01:53:29 | 15,338,940 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\dwlg520_revB_Drivers_450.zip
[2009/05/04 01:48:02 | 06,325,280 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\SUPERAntiSpyware.exe
[2009/05/04 01:22:18 | 00,000,076 | -HS- | M] () -- C:\Documents and Settings\Peter\My Documents\desktop.ini
[2009/05/03 23:52:28 | 20,098,288 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Peter\Desktop\ie8-setup-full.exe
[2009/05/03 21:50:43 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/03 21:11:33 | 00,254,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/03 21:04:02 | 00,054,214 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_210356.reg
[2009/05/03 20:50:18 | 00,000,164 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_205013.reg
[2009/05/03 20:49:45 | 00,062,082 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_204832.reg
[2009/05/03 20:47:45 | 01,514,956 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\cc_20090503_204713.reg
[2009/05/03 20:43:34 | 03,227,536 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Peter\Desktop\ccsetup219.exe
[2009/05/02 20:26:50 | 00,305,826 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/02 17:40:58 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/02 16:35:49 | 00,305,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090502-202650.backup
[2009/05/02 16:23:05 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\favalomo
[2009/05/02 15:58:22 | 00,104,960 | ---- | M] () -- C:\WINDOWS\System32\dllcache\userinit.exe
[2009/05/02 15:49:27 | 00,050,688 | -HS- | M] () -- C:\WINDOWS\System32\nobupize.exe
[2009/04/26 14:11:41 | 00,305,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090502-163549.backup
[2009/04/26 14:11:13 | 00,305,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090426-141141.backup
[2009/04/24 00:26:22 | 11,134,134 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\MegaMek-v0.32.2.zip
[2009/04/22 20:35:40 | 00,000,580 | ---- | M] () -- C:\Documents and Settings\Peter\My Documents\My Sharing Folders.lnk
[2009/04/21 01:49:56 | 00,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2009/04/19 17:43:41 | 00,001,582 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\LimeWire 4.14.10.lnk
[2009/04/11 05:28:46 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/04/11 05:28:46 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 07:57:26 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >

OTListIt Extras logfile created on: 5/4/2009 9:11:31 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.3 Folder = C:\Documents and Settings\Peter\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 56.16% Memory free
3.85 Gb Paging File | 2.94 Gb Available in Paging File | 76.26% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 21.12 Gb Free Space | 28.34% Space Free | Partition Type: NTFS
Drive D: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
Drive F: | 298.09 Gb Total Space | 178.20 Gb Free Space | 59.78% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 605.84 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: PETER-FIREFLY
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:NetBIOS Session Service
"445:TCP" = 445:TCP:*:Enabled:SMB over TCP
"137:UDP" = 137:UDP:*:Enabled:NetBIOS Name Service
"138:UDP" = 138:UDP:*:Enabled:NetBIOS Datagram Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:SSDP
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:UPnP framework over TCP
"139:TCP" = 139:TCP:LocalSubNet:Enabled:NetBIOS Session Service
"445:TCP" = 445:TCP:LocalSubNet:Enabled:SMB over TCP
"137:UDP" = 137:UDP:LocalSubNet:Enabled:NetBIOS Name Service
"138:UDP" = 138:UDP:LocalSubNet:Enabled:NetBIOS Datagram Service
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"135:TCP" = 135:TCP:*:Enabled:TCP Port 135
"5000:TCP" = 5000:TCP:*:Enabled:TCP Port 5000
"5001:TCP" = 5001:TCP:*:Enabled:TCP Port 5001
"5002:TCP" = 5002:TCP:*:Enabled:TCP Port 5002
"5003:TCP" = 5003:TCP:*:Enabled:TCP Port 5003
"5004:TCP" = 5004:TCP:*:Enabled:TCP Port 5004
"5005:TCP" = 5005:TCP:*:Enabled:TCP Port 5005
"5006:TCP" = 5006:TCP:*:Enabled:TCP Port 5006
"5007:TCP" = 5007:TCP:*:Enabled:TCP Port 5007
"5008:TCP" = 5008:TCP:*:Enabled:TCP Port 5008
"5009:TCP" = 5009:TCP:*:Enabled:TCP Port 5009
"5010:TCP" = 5010:TCP:*:Enabled:TCP Port 5010
"5011:TCP" = 5011:TCP:*:Enabled:TCP Port 5011
"5012:TCP" = 5012:TCP:*:Enabled:TCP Port 5012
"5013:TCP" = 5013:TCP:*:Enabled:TCP Port 5013
"5014:TCP" = 5014:TCP:*:Enabled:TCP Port 5014
"5015:TCP" = 5015:TCP:*:Enabled:TCP Port 5015
"5016:TCP" = 5016:TCP:*:Enabled:TCP Port 5016
"5017:TCP" = 5017:TCP:*:Enabled:TCP Port 5017
"5018:TCP" = 5018:TCP:*:Enabled:TCP Port 5018
"5019:TCP" = 5019:TCP:*:Enabled:TCP Port 5019
"5020:TCP" = 5020:TCP:*:Enabled:TCP Port 5020
"3724:TCP" = 3724:TCP:*:Enabled:WoW

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing (Microsoft Corporation)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger (America Online, Inc.)
C:\Program Files\Lexmark 1300 Series\app4r.exe:*:Enabled:BorgListener ()
C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 (Microsoft Corporation)
C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
F:\Program Files\Tom Clancy's Splinter Cell Chaos Theory\System\SPLINTERCELL3.EXE:*:Enabled:SPLINTERCELL3 File not found
F:\Program Files\Steam\Steam.exe:*:Enabled:Steam File not found
C:\Program Files\messenger\msmsgs.exe:*:Enabled:Windows Messenger (Microsoft Corporation)
C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer (Microsoft Corporation)
F:\Program Files\Microsoft Games\Freelancer\EXE\Freelancer.exe:*:Enabled:Freelancer File not found
F:\Program Files\Microsoft Games\Freelancer\EXE\flserver.exe:*:Enabled:Freelancer File not found
C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server (Microsoft Corporation)
C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test (Microsoft Corporation)
C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer (LimeWire)
C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire (Lime Wire, LLC)
F:\Program Files\Steam\SteamApps\firefly_pdp\day of defeat source\hl2.exe:*:Enabled:hl2 File not found
F:\Program Files\UT2k4\System\UT2004.exe:*:Enabled:UT2004 File not found
C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger ()
C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server (Yahoo! Inc.)
F:\Program Files\Steam\SteamApps\firefly_pdp\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2 File not found
F:\Program Files\Steam\SteamApps\firefly_pdp\half-life 2\hl2.exe:*:Enabled:hl2 File not found
F:\Program Files\Steam\SteamApps\firefly_pdp\lostcoast\hl2.exe:*:Enabled:hl2 File not found
F:\Program Files\Starcraft\StarCraft.exe:*:Enabled:Starcraft File not found
F:\Program Files\KotOR\swupdate.exe:*:Enabled:Star Wars: Knights of the old Republic Update Program File not found
F:\Program Files\KotOR 2\swupdate.exe:*:Enabled:Star Wars: Knights of the Old Republic II: The Sith Lords Update Program File not found
C:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza (Shareaza Development Team)
F:\Program Files\World of Warcraft\WoW-1.5.1.4449-to-1.8.4.4878-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
C:\Borland\JBuilder2005\bin\JBuilderw.exe:*:Enabled:JBuilderw ()
F:\Program Files\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s File not found
F:\Program Files\Jedi Academy\GameData\jamp.exe:*:Enabled:Jedi Academy MultiPlayer File not found
F:\Program Files\World of Warcraft\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW.exe:*:Enabled:World of Warcraft File not found
F:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader File not found
C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing (Microsoft Corporation)
F:\Program Files\World of Warcraft\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes File not found
F:\Program Files\World of Warcraft\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
C:\SIERRA\Lords2\LORDS2.EXE:*:Enabled:LORDS2 File not found
C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper (Microsoft Corporation)
F:\Program Files\World of Warcraft\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
C:\Program Files\Microsoft XNA\XNA Game Studio Express\v1.0\Bin\XnaTrans.exe:LocalSubNet:Enabled:XNA Game Studio Transport (Microsoft Corporation)
F:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader File not found
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger (America Online, Inc.)
F:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0 (SmartSoft Ltd.)
F:\Program Files\Supreme Commander\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander File not found
F:\Program Files\World of Warcraft\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\World of Warcraft\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe:*:Enabled:Blizzard Downloader File not found
F:\Program Files\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI) File not found
F:\Program Files\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV) File not found
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe:*:Enabled:Lexmark Device Monitor (Lexmark)
C:\Program Files\Lexmark 1300 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio ()
C:\WINDOWS\system32\lxdccoms.exe:*:Enabled:Lexmark Communications System ( )
F:\Starcraft\StarCraft.exe:*:Enabled:Starcraft (Blizzard Entertainment)
C:\Program Files\TightVNC\WinVNC.exe:*:Enabled:TightVNC Win32 Server (TightVNC Group)
C:\Program Files\Turbine\The Lord of the Rings Online\lotroclient.exe:*:Enabled:lotroclient File not found
F:\Call of Duty 4\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ ()
F:\Freelancer\EXE\flserver.exe:*:Enabled:Freelancer (Microsoft Corporation)
F:\Dungeon Siege\dungeonsiege.exe:*:Enabled:Dungeon Siege Game Executable File not found
F:\Dungeon Siege\DSLOA.exe:*:Enabled:Dungeon Siege: Legends of Aranna Game Executable File not found
C:\eclipse\eclipse.exe:*:Enabled:eclipse ()
F:\Diablo II\Diablo II.exe:*:Enabled:Diablo II (Tsinghua Unversity)
C:\Program Files\Java\jre1.6.0_03\bin\java.exe:*:Enabled:Java™ Platform SE binary (Sun Microsystems, Inc.)
C:\Program Files\Java\jdk1.5.0_06\bin\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary (Sun Microsystems, Inc.)
C:\Program Files\Java\jdk1.5.0_06\jre\bin\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary (Sun Microsystems, Inc.)
F:\Battle for Middle Earth\game.dat:*:Enabled:The Battle for Middle-earth ™ ()
F:\Microsoft Games\Freelancer\EXE\Freelancer.exe:*:Enabled:Freelancer (Microsoft Corporation)
F:\Microsoft Games\Freelancer\EXE\flserver.exe:*:Enabled:Freelancer (Microsoft Corporation)
C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb (Orb Networks, Inc.)
C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray (Orb Networks)
C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client (Orb Networks)
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice (Microsoft Corporation)
F:\World of Warcraft\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader (Blizzard Entertainment)
F:\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Documents and Settings\Peter\Local Settings\Temp\Blizzard Launcher Temporary - 6a2fc2f8\Launcher.exe:*:Enabled:Blizzard Launcher File not found
C:\Documents and Settings\Peter\Local Settings\Temp\Blizzard Launcher Temporary - 1b216fb0\Launcher.exe:*:Enabled:Blizzard Launcher File not found
F:\Call of Duty World at War\CoDWaWmp.exe:*:Enabled:Call of Duty® - World at War™ (Activision Blizzard, Inc.)
F:\Call of Duty World at War\CoDWaW.exe:*:Enabled:Call of Duty® - World at War™ (Activision Blizzard, Inc.)
F:\World of Warcraft\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher (Blizzard Entertainment)
F:\World of Warcraft\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:*:Enabled:Blizzard Downloader (Blizzard Entertainment)
C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 (Microsoft Corporation)
C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) (Microsoft Corporation)
F:\Steam\SteamApps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{12FFD00F-4D56-11D7-AE1F-005056400DC0}" = Elementary Linear Algebra 5th Edition Learning Tools
"{1485ABFA-12D7-4107-9148-54EE30CDBA67}" = Samsung USB Driver (MCCI 4.16)
"{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}" = Cisco Systems VPN Client 5.0.01.0600
"{17B66E83-1BC9-11D5-A54A-0090278A1BB8}" = Microsoft FrontPage Client - English
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1CBE3804-20DF-48DA-B048-895C206E80A5}" = Microsoft SQL Server VSS Writer
"{20610409-CA18-41A6-9E21-A93AE82EE7C5}" = Visual Studio .NET Professional 2003 - English
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23E5C72C-CC08-4EE0-9CC2-D925B232B331}" = Microsoft MSDN 2005 Express Edition - ENU
"{26DBF096-6283-43E2-B7A3-4C36785C635C}" = Microsoft XNA Game Studio Express (Beta)
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{32A3A4F4-B792-11D6-A78A-00B0D0150060}" = J2SE Development Kit 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{41EBA469-1E70-4ACE-AD30-1186F06D8BC5}" = Microsoft DirectX SDK (August 2006)
"{47C9D713-25E9-4262-9358-7763BCE67F33}" = eMbedded Visual C++ 4.0 SP4
"{49389932-51FA-4D26-8B4F-CE86B24302C2}" = TortoiseSVN 1.5.5.14361 (32 bit)
"{4BA6C9AC-B6BA-4B0D-AB8D-71B2B19D4AA3}" = Microsoft Pocket PC 2003 SDK
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{5757AE1A-1DB4-4898-9806-09F77FBD5E57}" = MSDN Library for Visual Studio .NET 2003
"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = PlayNC Launcher
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}" = Microsoft Visual C# 2005 Express Edition - ENU
"{8795CBED-55E2-4693-9F14-84EC446935BE}" = SpeechRedist
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{962E05CF-3394-496D-0091-850CF1762F6B}" = The Battle for Middle-earth ™
"{966A491F-8970-44E0-AC4E-9C845D9013EC}" = Microsoft DirectX 9.0 SDK Update (August 2005)
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{9A3EABC0-CA06-11D4-BF77-00104B130C19}" = EPSON TWAIN 5
"{9E2514D9-DC24-4634-B348-61F3EF0F1628}" = Sound Blaster Audigy 2 ZS
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B9426885-7EAB-4d29-9324-F9F9FBD5D2C2}" = Microsoft Windows CE Platform Manager 4.0
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{BF251EAF-8697-4E89-BF09-C998F97BBC40}" = Microsoft SQL Server Native Client
"{C169D3BB-9A27-43F5-9979-09A0D65FE95C}" = SmartFTP Client 2.0
"{C194D333-B84A-4BB7-B35E-060732D98DC4}" = GPGNet
"{C43048A9-742C-4DAD-90D2-E3B53C9DB825}" = Logitech QuickCam Software
"{C77900DE-73B8-47F3-804A-F07A90C1589D}" = Station Launcher
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}" = Safari
"{CA0A1E54-CE0F-4366-B09C-A87B61DC5633}" = Symantec Network Drivers Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE7CB214-DB11-4B5D-A6AF-3B4ED47C68B7}" = Microsoft Game Studios Common Redistributables Pack 1
"{D4D24FE5-FAB3-4FE2-AFFC-623955F4DF3A}" = Visual Studio.NET Baseline - English
"{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry
"{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}" = Command & Conquer 3
"{E144A786-D2DD-428B-9C1A-0EE3FA3515EA}" = Rappelz_USA
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E39C74DF-58FD-4E52-9888-2CC59DFB0B34}" = PowerQuest PartitionMagic Pro 7.0
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{EE3A1D30-B97D-4EC0-BA65-EEE4131ECA9A}" = AirPlus XtremeG DWL-G520
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F7963BA0-EE1C-11D4-9FA5-00A0C9E6A342}" = Commandos 2: Men of Courage
"{FC6AAE10-A081-42C7-9CD3-ED1D80C30941}" = ITE IT8212 ATA RAID Controller
"ACF7324C-8AB9-4b4c-A761-D22EBD9D1A7B_is1" = Digg's Top Stories Plugin 1.2
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"AOL Instant Messenger" = AOL Instant Messenger
"AudioConSole" = Creative Audio Console
"avast!" = avast! Antivirus
"AVI to MPEG Converter" = AVI to MPEG Converter
"BitTorrent" = BitTorrent 4.0.4
"Borland JBuilder 2005 Foundation" = Borland JBuilder 2005 Foundation
"CCleaner" = CCleaner (remove only)
"C-Media Audio Driver" = C-Media High Definition Audio Driver
"Creative MediaSource DVD-Audio Player" = Creative MediaSource DVD-Audio Player
"Diablo II" = Diablo II
"DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5_is1" = DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.9.8 Be
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.5 (1044)
"ERUNT_is1" = ERUNT 1.1j
"Fraps" = Fraps
"Freelancer 1.0" = Freelancer
"Google Desktop" = Google Desktop
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{1485ABFA-12D7-4107-9148-54EE30CDBA67}" = Samsung USB Driver (MCCI 4.16)
"InstallShield_{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty® - World at War™
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"Lexmark 1300 Series" = Lexmark 1300 Series
"LimeWire" = LimeWire 4.14.10
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Logitech Print Service" = Logitech Print Service
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Max Media Creator_is1" = Max Media Creator
"MaxDrive PS2" = MaxDrive PS2
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft eMbedded Visual C++ 4.0" = Microsoft eMbedded Visual C++ 4.0
"Microsoft MSDN 2005 Express Edition - ENU" = Microsoft MSDN 2005 Express Edition - ENU
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual C# 2005 Express Edition - ENU" = Microsoft Visual C# 2005 Express Edition - ENU
"Mozilla Firefox (1.0.7)" = Mozilla Firefox (1.0.7)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MsgPlus! Plugin" = Messenger Plus! 3
"MSN Music Assistant" = MSN Music Assistant
"nbi-nb-base-6.0.0.0.200711261600" = NetBeans IDE 6.0
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Orb" = Winamp Remote
"PuTTY_is1" = PuTTY version 0.60
"QcDrv" = Logitech® Camera Driver
"RealPlayer 6.0" = RealPlayer
"Shareaza_is1" = Shareaza version 2.2.1.0
"Shockwave" = Shockwave
"Sierra Utilities" = Sierra Utilities
"SmartFTP Client 2.0 Setup Files" = SmartFTP Client 2.0 Setup Files (remove only)
"SpeedFan" = SpeedFan (remove only)
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Starcraft" = Starcraft
"Station Installer" = Station Installer 1.0.3.43
"Steam App 220" = Half-Life 2
"Steam App 340" = Half-Life 2: Lost Coast
"Steam App 380" = Half-Life 2: Episode One
"Steam App 400" = Portal
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"Steam App 500" = Left 4 Dead
"Steam App 530" = Left 4 Dead Demo
"SysInfo" = Creative System Information
"SystemRequirementsLab" = System Requirements Lab
"The Game Of Life" = The Game Of Life
"TightVNC_is1" = TightVNC 1.3.9
"VDMSound" = VDMSound
"Visual Studio .NET Professional 2003 - English" = Microsoft Visual Studio .NET Professional 2003 - English
"VLC media player" = VideoLAN VLC media player 0.8.6a
"WaveStudio 7" = Creative WaveStudio 7
"Winamp" = Winamp
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinMerge_is1" = WinMerge 2.10.2.0
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager
"You Don't Know Jack The Ride" = You Don't Know Jack The Ride

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ButtonDemo" = ButtonDemo
"Combo Box" = Combo Box
"GridLayoutDemo" = GridLayoutDemo
"Popup Menu Demo" = Popup Menu Demo
"Radio Button Demo" = Radio Button Demo

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/4/2009 1:48:32 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/4/2009 1:48:32 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/4/2009 1:48:32 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/4/2009 1:53:34 AM | Computer Name = PETER-FIREFLY | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 5/4/2009 2:14:47 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/4/2009 2:14:48 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/4/2009 2:14:48 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/4/2009 2:14:48 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 5/4/2009 2:19:49 AM | Computer Name = PETER-FIREFLY | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 5/4/2009 5:14:11 AM | Computer Name = PETER-FIREFLY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

[ System Events ]
Error - 5/2/2009 4:43:10 PM | Computer Name = PETER-FIREFLY | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 5/2/2009 5:13:34 PM | Computer Name = PETER-FIREFLY | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gusvc with
arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

Error - 5/2/2009 5:13:35 PM | Computer Name = PETER-FIREFLY | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gusvc with
arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}

Error - 5/2/2009 7:45:11 PM | Computer Name = PETER-FIREFLY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 5/2/2009 9:31:58 PM | Computer Name = PETER-FIREFLY | Source = WinDefend | ID = 3006
Description = %%827 Real-Time Protection agent has encountered an error when taking
action on spyware or other potentially unwanted software. For more information please
see the following: http://go.microsoft....threatid=132837
Scan ID: {C7C7D338-E5BB-49AE-B209-AA8B64221E39} User: PETER-FIREFLY\Peter Name: Trojan:Win32/Fakeinit
ID: 132837 Severity: Severe Category: Trojan Path: Alert Type: %%805 Action: %%811
Error Code: 0x80508022 Error description: To finish removing spyware and other potentially
unwanted software, restart the computer.

Error - 5/3/2009 8:19:36 PM | Computer Name = PETER-FIREFLY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 5/3/2009 10:11:56 PM | Computer Name = PETER-FIREFLY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 5/3/2009 11:55:45 PM | Computer Name = PETER-FIREFLY | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 5/4/2009 2:22:19 AM | Computer Name = PETER-FIREFLY | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Lexmark 1300 Series share name
OurLexmark.

Error - 5/4/2009 7:12:24 AM | Computer Name = PETER-FIREFLY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

[ WinCe Log Events ]
Error - 5/4/2009 1:48:32 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description =

Error - 5/4/2009 1:48:32 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description =

Error - 5/4/2009 1:48:32 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description =

Error - 5/4/2009 1:53:34 AM | Computer Name = PETER-FIREFLY | Source = Automatic LiveUpdate Scheduler | ID = 101
Description =

Error - 5/4/2009 2:14:47 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description =

Error - 5/4/2009 2:14:48 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description =

Error - 5/4/2009 2:14:48 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description =

Error - 5/4/2009 2:14:48 AM | Computer Name = PETER-FIREFLY | Source = Userenv | ID = 1041
Description =

Error - 5/4/2009 2:19:49 AM | Computer Name = PETER-FIREFLY | Source = Automatic LiveUpdate Scheduler | ID = 101
Description =

Error - 5/4/2009 5:14:11 AM | Computer Name = PETER-FIREFLY | Source = crypt32 | ID = 131080
Description =


< End of report >

#2 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.


#3 fireflypdp (Topic Starter, Member, 23 posts)
I downloaded ComboFix.exe but when I double-clicked it, I got the following prompt:

\Utilities\Bin\x86";C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\P
rogram Files\Microsoft DirectX 9.0 SDK (August 2005)\Utilities\Bin\x86;c:\Progra
m Files\Microsoft SQL Server\90\Tools\binn\;;F:\VDMSound;F:\VDMSound;F:\VDMSound
;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTim
e\QTSystem\;C:\Program Files\TortoiseSVN\bin" was unexpected at this time.

It won't do anything after that.

#4 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Delete the copy of Combofix that is already on your desk top.

I am going to have you down load a fresh copy, but rename it as instructed:

Please download ComboFix from Here or Here to your Desktop.
**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

#5 fireflypdp (Topic Starter, Member, 23 posts)
I get the same result as before. :)

\Utilities\Bin\x86";C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\P
rogram Files\Microsoft DirectX 9.0 SDK (August 2005)\Utilities\Bin\x86;c:\Progra
m Files\Microsoft SQL Server\90\Tools\binn\;;F:\VDMSound;F:\VDMSound;F:\VDMSound
;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTim
e\QTSystem\;C:\Program Files\TortoiseSVN\bin" was unexpected at this time.

Am I doing something wrong? I tried going through all my anti-virus/anti-spyware programs and closing/disabling them. Even closed my Windows Firewall just in case.

Please help!

#6 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
I'm not sure why that is happening...the infection must be interfering

try this tool instead:

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#7 fireflypdp (Topic Starter, Member, 23 posts)
Okay here's my log... thanks for your help so far!

Attached file: OTScanIt.Txt (280.28 KB)

#8 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Please do the following:

Start OTScanIt2. Copy/Paste the information inside the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1659004503-492894223-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1659004503-492894223-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{44226DFF-747E-4edc-B30C-78752E50CD0C}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{44226DFF-747E-4edc-B30C-78752E50CD0C}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1659004503-492894223-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1659004503-492894223-725345543-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{44226DFF-747E-4edc-B30C-78752E50CD0C}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> ovfsthqtkcpuwnmuydenkdylkfhblyaboyxdje.dat -> %SystemRoot%\System32\ovfsthqtkcpuwnmuydenkdylkfhblyaboyxdje.dat
NY -> JJAKEn.dll -> %SystemRoot%\System32\JJAKEn.dll
NY -> ovfsthlog.dat -> %SystemRoot%\System32\ovfsthlog.dat
NY -> ovfsthobibojhtekqiparbxtbyvqmweivsehaj.dat -> %SystemRoot%\System32\ovfsthobibojhtekqiparbxtbyvqmweivsehaj.dat
NY -> ovfsthltlebpenvituiofnkmdfabuallyxiraj.dat -> %SystemRoot%\System32\ovfsthltlebpenvituiofnkmdfabuallyxiraj.dat
[Files/Folders - Modified Within 30 Days]
NY -> 8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 2 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp
NY -> 2 C:\Documents and Settings\Peter\My Documents\*.tmp files -> C:\Documents and Settings\Peter\My Documents\*.tmp
NY -> 22 C:\Documents and Settings\Peter\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Peter\Local Settings\Temp\*.tmp
NY -> 22 C:\Documents and Settings\Peter\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Peter\Local Settings\Temp\*.tmp
NY -> ovfsthqtkcpuwnmuydenkdylkfhblyaboyxdje.dat -> %SystemRoot%\System32\ovfsthqtkcpuwnmuydenkdylkfhblyaboyxdje.dat
NY -> ovfsthltlebpenvituiofnkmdfabuallyxiraj.dat -> %SystemRoot%\System32\ovfsthltlebpenvituiofnkmdfabuallyxiraj.dat
NY -> ovfsthobibojhtekqiparbxtbyvqmweivsehaj.dat -> %SystemRoot%\System32\ovfsthobibojhtekqiparbxtbyvqmweivsehaj.dat
NY -> ovfsthlog.dat -> %SystemRoot%\System32\ovfsthlog.dat
NY -> favalomo -> %SystemRoot%\System32\favalomo
[Purity]
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.


NEXT


Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#9 fireflypdp (Topic Starter, Member, 23 posts)
Okay, I finished both just now (the second scan took quite a while)!

Here's the OTScanIt2 output:

[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1659004503-492894223-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1659004503-492894223-725345543-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{44226DFF-747E-4edc-B30C-78752E50CD0C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44226DFF-747E-4edc-B30C-78752E50CD0C}\ not found.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\NV18683244.TMP folder deleted successfully.
C:\WINDOWS\NV3456988.TMP folder deleted successfully.
C:\WINDOWS\NV39323652.TMP folder deleted successfully.
C:\WINDOWS\System32\ovfsthqtkcpuwnmuydenkdylkfhblyaboyxdje.dat moved successfully.
C:\WINDOWS\System32\JJAKEn.dll moved successfully.
C:\WINDOWS\System32\ovfsthlog.dat moved successfully.
C:\WINDOWS\System32\ovfsthobibojhtekqiparbxtbyvqmweivsehaj.dat moved successfully.
C:\WINDOWS\System32\ovfsthltlebpenvituiofnkmdfabuallyxiraj.dat moved successfully.
[Files/Folders - Modified Within 30 Days]
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF1930.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF2875.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF7E9A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DFA8D0.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF1930.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF2875.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF7E9A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DFA8D0.tmp scheduled to be deleted on reboot.
File C:\WINDOWS\System32\ovfsthqtkcpuwnmuydenkdylkfhblyaboyxdje.dat not found!
File C:\WINDOWS\System32\ovfsthltlebpenvituiofnkmdfabuallyxiraj.dat not found!
File C:\WINDOWS\System32\ovfsthobibojhtekqiparbxtbyvqmweivsehaj.dat not found!
File C:\WINDOWS\System32\ovfsthlog.dat not found!
C:\WINDOWS\System32\favalomo moved successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF1930.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF2875.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DF7E9A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temp\~DFA8D0.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7f0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.14.0 fix logfile created on 05082009_192809

Files moved on Reboot...
C:\Documents and Settings\Peter\Local Settings\Temp\~DF1930.tmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temp\~DF2875.tmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temp\~DF7E9A.tmp moved successfully.
File C:\Documents and Settings\Peter\Local Settings\Temp\~DFA8D0.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7f0.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_d0.dat moved successfully.

Registry entries deleted on Reboot...

And here's the GMer.txt output

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-08 23:20:49
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6DC06B8]
SSDT 898F9D60 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6DC0574]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF7583A20]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6DC0A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6DC014C]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF75842A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF758F910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6DC064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6DC008C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6DC00F0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF75842C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6DC076E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6DC072E]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF758F0B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6DC08AE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6E7CDF0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 19A 804E49D4 2 Bytes [10, F9] {ADC CL, BH}

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2728] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2728] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2728] USER32.dll!MessageBoxW 7E466534 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1112] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1112] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AA389F0

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device \Driver\Cdrom \Device\CdRom0 8A5F5F00
Device \FileSystem\Rdbss \Device\FsWrap 8926AE70
Device \Driver\Cdrom \Device\CdRom1 8A5F5F00
Device \Driver\atapi \Device\Ide\IdePort0 8A6B6BD8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8A6B6BD8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-22 8A6B6BD8
Device \Driver\atapi \Device\Ide\IdePort1 8A6B6BD8
Device \Driver\atapi \Device\Ide\IdePort2 8A6B6BD8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8A6B6BD8
Device \Driver\atapi \Device\Ide\IdePort3 8A6B6BD8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 8A6B6BD8
Device \Driver\Cdrom \Device\CdRom2 8A5F5F00
Device \FileSystem\Srv \Device\LanmanServer 8A8F5030

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88DAA2B8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88DAA2B8
Device \FileSystem\Npfs \Device\NamedPipe 8A5A6D08
Device \FileSystem\Msfs \Device\Mailslot 8981FB30
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 8A391848
Device \Driver\d347prt \Device\Scsi\d347prt1 8A391848
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A237D20
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A237D20
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A237D20
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A237D20
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A237D20
Device \FileSystem\Cdfs \Cdfs 88DB5FB0

---- Modules - GMER 1.0.15 ----

Module _________ F7474000-F748C000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xA1 0xE9 0x79 0x26 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs MsgPlusLoader C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\yagerumu.dll c:\windows\system32\vinabino.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

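An added triage example for the GMER log above (this is not GMER's code and was not part of the original thread): it reads a GMER text log and pulls out the entries GMER could not tie to a known module, which is where an analyst starts when the caution about false positives applies. The sample log is a subset of the lines posted above; the finding categories, and the rule that every AppInit_DLLs entry is listed for review whatever its vendor, are this example's own choices.

```python
"""Triage a GMER log: pull out the entries GMER could not tie to a known module.

Added example for this thread, not part of GMER or of the original posts. The
sample below is copied from the GMER output posted above; the scoring rules are
this example's own heuristics, and every hit still needs a human look.
"""
import re
from dataclasses import dataclass

# Constructed from the GMER log in this thread (a representative subset of lines).
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6DC06B8]
SSDT 898F9D60 ZwConnectPort
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF7583A20]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 19A 804E49D4 2 Bytes [10, F9] {ADC CL, BH}
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2728] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[1112] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
---- Modules - GMER 1.0.15 ----
Module _________ F7474000-F748C000 (98304 bytes)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs MsgPlusLoader C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\yagerumu.dll c:\windows\system32\vinabino.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Finding:
    kind: str      # short tag used for counting
    detail: str    # one-line explanation for the analyst
    line: str      # the raw GMER line it came from


def triage_gmer(log_text: str) -> list:
    """Return the findings worth a second look, in log order."""
    findings = []
    section = ""
    appinit_dlls = []
    load_appinit = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        tokens = line.split()
        tag = tokens[0]
        if tag == "SSDT" and HEX_ADDR_RE.match(tokens[1]):
            # A hook whose handler GMER could not map to any driver file.
            findings.append(Finding("ssdt-unattributed",
                                    f"{tokens[-1]} hooked at {tokens[1]} by no known module", line))
        elif tag == "Module" and re.fullmatch(r"_+", tokens[1]):
            # A loaded kernel module whose name has been blanked out.
            findings.append(Finding("module-unnamed",
                                    f"nameless kernel module at {tokens[2]}", line))
        elif tag == ".text" and section.startswith("Kernel code"):
            # In-memory change to kernel code; user-mode .text lines are not flagged here.
            findings.append(Finding("kernel-patch", f"{tokens[1]} modified in memory", line))
        elif tag == "IAT" and HEX_ADDR_RE.match(tokens[-1]):
            # Import redirected to a bare address with no module path after it.
            imported = line.split("[")[-1].split("]")[0]
            findings.append(Finding("iat-unattributed",
                                    f"{tokens[1]} {imported} -> {tokens[-1]}", line))
        elif tag == "Reg":
            # "Reg <key>@<value> <data...>"; the key may contain spaces, so split on '@'.
            _key, _, rest = line[4:].partition("@")
            parts = rest.split()
            if parts and parts[0] == "AppInit_DLLs":
                appinit_dlls = parts[1:]   # space separated here (8.3 names on XP)
            elif parts and parts[0] == "LoadAppInit_DLLs":
                load_appinit = parts[1] if len(parts) > 1 else None
    # AppInit_DLLs are loaded into every process that maps user32.dll, so each entry
    # is listed for review regardless of whether its vendor is recognised.
    for dll in appinit_dlls:
        findings.append(Finding("appinit-dll",
                                f"{dll} (LoadAppInit_DLLs={load_appinit})", dll))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, e.g. {'ssdt-unattributed': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts
```

Call triage_gmer() on the text of a saved GMER.txt. On this thread's log the hits are the ZwConnectPort SSDT hook at a bare address, the nameless module at F7474000, the services.exe import redirected to 00380002, the 2-byte change in ntoskrnl, and the four AppInit_DLLs entries (two of which are the DLLs targeted in the next post); the avast!, Symantec and d347bus entries, which carry a module path, are left alone.
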
#10 CatByte (GeekU Teacher, GeekU Moderator, MVP, 2,705 posts)
Hi,

Please do the following:

Please download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Services

:Reg

:Files
C:\WINDOWS\system32\yagerumu.dll 
c:\windows\system32\vinabino.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please advise how your computer is running now.
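The script above tells OTMoveIt3 to kill explorer.exe, delete two DLLs from system32, empty the temp folders and reboot. As an added example for this thread (not OTMoveIt3's own code, and not posted by CatByte or fireflypdp), the following Python parses that same script syntax and does what a responder usually prefers at this step: it records each listed file's size and SHA-1 and moves it into a quarantine folder under a non-executable name instead of deleting it, so a mis-identified file can be put back and a real one can be submitted to a scanner later. Only the section headers visible in the post are handled; the quarantine folder and the treatment of anything else in the tool's format are assumptions.

```python
"""Parse an OTMoveIt3-style cleanup script and quarantine, not delete, its files.

Added example for this thread; not OTMoveIt3's own code. Only the section
headers that appear in the post (:Processes, :Services, :Reg, :Files,
:Commands) and the [command] form are handled; everything else about the
tool's format is an assumption. Process kills, registry edits and the
reboot are returned as a plan, not performed.
"""
import hashlib
import os
import shutil

# The script from the post above, embedded as sample input (the trailing
# space after yagerumu.dll is copied from the post as well).
SCRIPT = r""":Processes
explorer.exe

:Services

:Reg

:Files
C:\WINDOWS\system32\yagerumu.dll 
c:\windows\system32\vinabino.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""


def parse_script(text):
    """Return {section: [entries]} for text that uses ':Section' headers.

    Section names are lower-cased, blank lines skipped, surrounding
    whitespace stripped (so a path pasted with a trailing space still
    matches on disk), and [bracketed] commands lose their brackets.
    An entry before any header is malformed and raises.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        if current == "commands" and line[0] == "[" and line[-1] == "]":
            line = line[1:-1]
        sections[current].append(line)
    return sections


def quarantine(paths, qdir):
    """Move each existing file into qdir under a name that no longer ends in
    an executable extension, and return one record per path with the size
    and SHA-1 taken before the move. A path that does not exist yields
    status 'not found' rather than an exception: by cleanup time the file a
    scanner listed is often already gone, or hidden by the rootkit.
    """
    os.makedirs(qdir, exist_ok=True)
    records = []
    for p in paths:
        if not os.path.isfile(p):
            records.append({"path": p, "status": "not found"})
            continue
        with open(p, "rb") as fh:          # DLLs of this kind are small
            data = fh.read()
        sha1 = hashlib.sha1(data).hexdigest()
        dest = os.path.join(qdir, "%s_%s.quarantined" % (sha1[:12], os.path.basename(p)))
        shutil.move(p, dest)
        records.append({"path": p, "status": "moved", "dest": dest,
                        "size": len(data), "sha1": sha1})
    return records


def plan(script_text, qdir):
    """Parse the script, quarantine only the :Files entries, and list the
    rest (process kills, commands) as what the tool would be asked to do."""
    s = parse_script(script_text)
    return {
        "kill_processes": s.get("processes", []),
        "commands": s.get("commands", []),
        "files": quarantine(s.get("files", []), qdir),
    }


if __name__ == "__main__":
    # Hypothetical quarantine folder; on the box in the thread the two paths
    # will report 'not found', exactly as the OTMoveIt3 log style does.
    print(plan(SCRIPT, r"C:\_quarantine"))
```

Keeping the pre-move hash in the record is what lets the file be matched later against a multi-engine report such as VirSCAN's, which lists MD5/SHA-1 for the sample it scanned.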

#11
fireflypdp

    Member

  • Topic Starter
  • Member
  • 23 posts
Well for a second there I got scared, because I had turned off my computer yesterday and when I turned it on today I couldn't connect to the Internet! My girlfriend's computer is also hooked up to the same network, so I was able to download OTMoveIt3 through her machine and run it. After I did that and rebooted, my connection was back. Maybe it was a fluke? Seemed strange, though, because I tried restarting beforehand and that didn't work.

As for how my computer is running, it has always run fine even with the infection, but I think that's because I noticed it early and kept trying to clean up what it was trying to add. The only real problems I've had lately are occasional crappy Internet connections, so that's why my connection issues had me worried. I ran Spybot S&D and Malwarebytes after all of this just to see if it detected anything after OTMoveIt3, and nothing was found! Thanks so much! :)

Anyway, here's the OTMoveIt3 log.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\WINDOWS\system32\yagerumu.dll not found.
File/Folder c:\windows\system32\vinabino.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Peter\LOCALS~1\Temp\~DF3369.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Peter\LOCALS~1\Temp\~DFFB66.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7f8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_c90.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_121320

Files moved on Reboot...
File C:\DOCUME~1\Peter\LOCALS~1\Temp\~DF3369.tmp not found!
C:\DOCUME~1\Peter\LOCALS~1\Temp\~DFFB66.tmp moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_7f8.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_c90.dat moved successfully.

#12
CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

Please do the following:

Run an on-line scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Open the Kaspersky WebScanner page.
  • Click on the [image] button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [image] button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [image] button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

#13
fireflypdp

    Member

  • Topic Starter
  • Member
  • 23 posts
Looks like there are still a couple of infected files... although it's listing userinit.exe as one. Isn't that the file that contains user login info or something like that?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 10, 2009 02:57:13
Records in database: 2153049
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 246754
Threat name: 3
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 04:12:36


File name / Threat name / Threats count
C:\Dev-Cpp\bin\addr2line.exe Infected: not-a-virus:NetTool.Win32.Scan.k 1
C:\Dev-Cpp\bin\ar.exe Infected: not-a-virus:NetTool.Win32.Scan.j 1
C:\Dev-Cpp\mingw32\bin\ar.exe Infected: not-a-virus:NetTool.Win32.Scan.j 1
C:\GAM327\devcpp4980\devcpp4980.exe Infected: not-a-virus:NetTool.Win32.Scan.j 1
C:\GAM327\devcpp4980\devcpp4980.exe Infected: not-a-virus:NetTool.Win32.Scan.k 1
C:\GAM327\devcpp4980.zip Infected: not-a-virus:NetTool.Win32.Scan.j 1
C:\GAM327\devcpp4980.zip Infected: not-a-virus:NetTool.Win32.Scan.k 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PUNGLAZ\lsp[1].exe Infected: Trojan.Win32.Agent.cemi 1
C:\WINDOWS\system32\dllcache\userinit.exe Infected: Trojan.Win32.Agent.cemi 1

#14
CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

Please do the following:

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
It's normal after running ATF Cleaner that the PC will be slower to boot the first time.

Next:

I would like you to upload a file to be scanned
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\system32\dllcache\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Next

Delete the copy of ComboFix you have from your desktop. Re-download from the link I gave you previously to RENAME ComboFix - make sure you rename it before saving it.

Then run ComboFix in SAFE MODE -


(to get into safe mode reboot - tap F8 repeatedly as it boots up - arrow up to 'safe mode' > enter - use your usual account to run the tool)

Paste the virscan results and the combofix log in your next reply

Edited by CatByte, 10 May 2009 - 12:47 PM.


#15
fireflypdp

    Member

  • Topic Starter
  • Member
  • 23 posts
Here you go!

VirSCAN.org Scanned Report :
Scanned time : 2009/05/10 11:40:44 (CDT)
Scanner results: 74% Scanner(28/38) found malware!
File Name : userinit.exe
File Size : 104960 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 377d30af393874b63e4c9029f304e693
SHA1 : 4eb36aacbdedd78d4d283a9b8e872c15975cf541
Online report : http://virscan.org/r...a7fc6048c0.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared | 4.0.0.32 | 20090510154251 | 2009-05-10 | 9.26 | Trojan.Crypt!IK
AhnLab V3 | 2009.05.10.00 | 2009.05.10 | 2009-05-10 | 13.26 | Win-Trojan/Agent.104960.CM
AntiVir | 8.2.0.166 | 7.1.3.179 | 2009-05-10 | 0.15 | TR/Crypt.XPACK.Gen
Antiy | 2.0.18 | 20090510.2386484 | 2009-05-10 | 0.12 | Trojan/Win32.Agent.cedh
Arcavir | 2009 | 200905101202 | 2009-05-10 | 0.04 | Trojan.Agent.Cemi
Authentium | 5.1.1 | 200905091542 | 2009-05-09 | 1.11 | -
AVAST! | 4.7.4 | 090505-0 | 2009-05-05 | 0.01 | Win32:Trojan-gen {Other}
AVG | 8.5.286 | 270.12.24/2107 | 2009-05-10 | 3.22 | Win32/Cryptor
BitDefender | 7.81008.2902590 | 7.25315 | 2009-05-10 | 2.71 | -
CA (VET) | 9.0.0.143 | 31.6.6496 | 2009-05-09 | 16.18 | Win32/FakeAlert.AHZ trojan.
ClamAV | 0.95 | 9349 | 2009-05-09 | 0.02 | -
Comodo | 3.8 | 1157 | 2009-05-08 | 1.90 | TrojWare.Win32.Agent.cemi
CP Secure | 1.1.0.715 | 2009.05.10 | 2009-05-10 | 8.97 | -
Dr.Web | 4.44.0.9170 | 2009.05.10 | 2009-05-10 | 4.49 | Trojan.DownLoad.33511
F-Prot | 4.4.4.56 | 20090509 | 2009-05-09 | 1.11 | -
F-Secure | 5.51.6100 | 2009.05.09.02 | 2009-05-09 | 0.07 | Trojan.Win32.Agent.cemi [AVP]
Fortinet | 2.81-3.117 | 10.373 | 2009-05-10 | 0.95 | PossibleThreat
GData | 19.5135/19.325 | 20090510 | 2009-05-10 | 15.88 | Trojan.Win32.Agent.cemi [Engine:A]
ViRobot | 20090509 | 2009.05.09 | 2009-05-09 | 1.67 | -
Ikarus | T3.1.01.49 | 2009.05.10.72694 | 2009-05-10 | 2.84 | Trojan.Crypt
JiangMin | 11.0.706 | 2009.05.10 | 2009-05-10 | 6.41 | Trojan/Agent.cikw
Kaspersky | 5.5.10 | 2009.05.10 | 2009-05-10 | 0.04 | Trojan.Win32.Agent.cemi
KingSoft | 2009.2.5.15 | 2009.5.10.21 | 2009-05-10 | 12.72 | Win32.Troj.Agent.104960
McAfee | 5.3.00 | 5610 | 2009-05-09 | 2.89 | FakeAlert-CK
Microsoft | 1.4602 | 2009.05.10 | 2009-05-10 | 19.31 | Trojan:Win32/Fakeinit
mks_vir | 2.01 | 2009.05.10 | 2009-05-10 | 2.76 | -
Norman | 6.01.05 | 6.01.00 | 2009-05-08 | 4.01 | W32/Smalltroj.dam
Panda | 9.05.01 | 2009.05.10 | 2009-05-10 | 6.29 | Adware/AntivirusXPPro
Trend Micro | 8.700-1004 | 6.120.28 | 2009-05-10 | 0.02 | TROJ_FAKEINIT.U
Quick Heal | 10.00 | 2009.05.09 | 2009-05-09 | 8.23 | Trojan.Agent.cemi
Rising | 20.0 | 21.28.62.00 | 2009-05-10 | 5.77 | Trojan.Win32.FakeInit.a
Sophos | 2.86.0 | 4.41 | 2009-05-10 | 2.34 | Mal/FakeVirPk-A
Sunbelt | 5128 | 5128 | 2009-05-08 | 11.21 | -
Symantec | 1.3.0.24 | 20090509.003 | 2009-05-09 | 0.05 | Trojan.Fakeavalert
nProtect | 20090510.01 | 3595619 | 2009-05-10 | 30.04 | -
The Hacker | 6.3.4.1 | v00324 | 2009-05-09 | 11.13 | Trojan/Agent.cehk
VBA32 | 3.12.10.4 | 20090509.1027 | 2009-05-09 | 2.02 | Trojan.Win32.Agent.cemi
VirusBuster | 4.5.11.10 | 10.105.22/1344615 | 2009-05-10 | 1.68 | -
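The report above pins down one exact file: 104960 bytes, MD5 377d30af393874b63e4c9029f304e693, SHA-1 4eb36aacbdedd78d4d283a9b8e872c15975cf541. userinit.exe is the program Winlogon runs at logon to start the user's shell, and C:\WINDOWS\system32\dllcache is the Windows File Protection cache from which Windows puts a changed system32 file back, so a trojaned dllcache copy undoes a clean-up of the live copy. As an added example for this thread (not code from VirSCAN, Kaspersky or the forum), the following Python checks both copies against those reported values and against each other, and says what the result means for the clean-up. The default paths are Windows XP's; because a TDSS-family rootkit can filter reads of the file on the running system, pass paths on a disk mounted from a clean boot environment for a result you can trust.

```python
"""Check the live and WFP-cache copies of userinit.exe against a scanner report.

Added example for this thread; not code from VirSCAN, Kaspersky or the
forum. The known-bad size, MD5 and SHA-1 are the values in the VirSCAN
report above; the default paths are Windows XP's. A rootkit of the TDSS
family can filter file reads on the running system, so for a trustworthy
answer point the paths at the disk mounted from a clean boot environment.
"""
import hashlib
import os

KNOWN_BAD = {  # from the VirSCAN report in this thread
    "size": 104960,
    "md5": "377d30af393874b63e4c9029f304e693",
    "sha1": "4eb36aacbdedd78d4d283a9b8e872c15975cf541",
}

DEFAULT_PATHS = {  # Windows XP defaults; override for an offline-mounted disk
    "system32": r"C:\WINDOWS\system32\userinit.exe",
    "dllcache": r"C:\WINDOWS\system32\dllcache\userinit.exe",
}


def digests(path):
    """Size, MD5 and SHA-1 of one file, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def classify(info, known_bad):
    """'known bad' only when both digests match the report; a matching size
    on its own proves nothing, and a missing file is reported as such."""
    if info is None:
        return "missing"
    if info["md5"] == known_bad["md5"] and info["sha1"] == known_bad["sha1"]:
        return "known bad"
    return "unknown"


def check_userinit(paths=DEFAULT_PATHS, known_bad=KNOWN_BAD):
    """Verdict per copy, whether the copies are byte-identical, and the action.

    Windows File Protection refills system32\\userinit.exe from dllcache,
    so a clean live copy beside a bad cache copy stays clean only until the
    next repair: the two must be replaced together, never one alone.
    """
    info = {name: (digests(p) if os.path.isfile(p) else None) for name, p in paths.items()}
    verdicts = {name: classify(i, known_bad) for name, i in info.items()}
    present = [i for i in info.values() if i is not None]
    identical = len(present) == len(info) and len({i["sha1"] for i in present}) == 1
    if len(present) < len(info):
        action = "a copy is missing: restore both from trusted install media"
    elif all(v == "known bad" for v in verdicts.values()):
        action = "both copies are the reported trojan: replace both"
    elif any(v == "known bad" for v in verdicts.values()):
        action = ("one copy is the reported trojan: replace both; if the dllcache copy "
                  "is the bad one, WFP would otherwise copy it back into system32")
    elif identical:
        action = "copies match each other but not the report: compare against a trusted copy"
    else:
        action = "copies differ and neither is the reported sample: compare each against a trusted copy"
    return {"verdicts": verdicts, "copies_identical": identical, "action": action}


if __name__ == "__main__":
    print(check_userinit())
```

A "known bad" on either copy is the only result this settles; "unknown" means only that the file is not this sample, so the remaining step is a byte-for-byte comparison with userinit.exe from trusted XP SP3 install media or a known-clean machine at the same patch level.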





