No internet - Self inflicted wound



nenotgmb
2009-04-26, 06:40
Greeting,

Spy-bot warned me but I clicked "Yes" instead of "No", now no internet.
The trojan disabled Spybot, so I downloaded the manual updates on my laptop and installed them on the infected desktop. It found the trojan but had no info on it. I fixed that, but now there is no internet, and System Restore does not work; it just sits idle.

You can add this to the "How did I get infected in the first place" sticky.

"When you're really tired and surfing the net, shut down your computer and go to bed."

I need your help on this one.
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:49 PM, on 4/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\123 hjthis exe folder\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209407146265
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 3942 bytes

peku006
2009-04-27, 21:53
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something, please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as it is and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.



After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

2 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware log

Thanks peku006

nenotgmb
2009-04-27, 23:09
Peku006,

First off thanks for helping me.

When I started the infected desktop, this message came up:

"Windows could not start because the following file is missing or corrupt:
\windows\system32\config\system

You can attempt to repair this file by starting windows setup using the
original setup -cd-rom.
Select 'r' at the first screen to start repair."

I assume I should use my setup cd to try to boot up.
Then follow your instructions.......is this correct?

Thanks
nenotgmb

peku006
2009-04-28, 10:17
Hi nenotgmb

Have you tried the "Last Known Good Configuration" bootup option?

To load the last known good configuration:

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears.
(If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.)
Use your arrow keys to move to "Last Known Good Configuration" and press your Enter key.



Thanks peku006

nenotgmb
2009-04-28, 18:31
Peku006

After 3 attempts with same error message your method worked, thanks.

However, after installing Malwarebytes, Malwarebytes will not run.

I also tried reinstalling it in its own new folder along with the manual update; the installation seemed to work, but it still did not run.

Is there a work-around?

Thanks

nenotgmb

PS The computer has been powered on 24/7 since the good boot up.
At this point I am hesitant to shut it down.

peku006
2009-04-28, 19:48
Hi nenotgmb

If MBAM does not start, go to C:\Program Files\Malwarebytes' Anti-Malware and find the file mbam.exe, right-click on the file and select Rename. Rename the file to nenotgmb.exe and double-click on it to see if it will run.

Thanks peku006

nenotgmb
2009-04-29, 00:45
Peku006

I changed the name of mbam.exe, clicked on it and nothing happened, but then the message "Malwarebytes is already running" came up.
Then the main Mbam screen came up and I ran the scan.
(This desktop must be running in super slowmo!)

Anyway, I got another little problem I think.
In the scan results page malware was found, however there is information for
the "C:\System Volume Information" folder.

I have NOT clicked "Remove Selected" yet.

What next?

Thanks

nenotgmb

nenotgmb
2009-04-29, 00:54
Sorry

Correction:

I meant to say there is NO System Volume Information in the item list.

Thanks

nenotgmb

peku006
2009-04-29, 08:40
Hi nenotgmb
Good, if System Restore is clean. :D

Be sure that everything else is checked, and click Remove Selected.


Thanks peku006

nenotgmb
2009-04-29, 19:19
Peku006

Malwarebytes instructed me to reboot to remove "uacinit.dll" and I got the "Windows could not start because the following file is missing or corrupt: \windows\system32\config\system. You can attempt to repair this file by starting windows setup using the original setup-cd-rom." message again.

I tried rebooting using LAST KNOWN GOOD CONFIGURATION 6 times, but the same error message came up.
I then used the setup CD; it loaded the set-up files and asked "Do you want to install windows set-up?" I exited the install with F3 at that point.

Removed the set-up CD and tried rebooting again and this time Windows rebooted.
I then opened Malwarebytes log which is posted.

I saw "uacinit.dll: delete on reboot." in the log.
I looked in system32 and did a search for "uacinit" and it appears to be gone.
Do you now want the RSIT logs or did I screw something up by using the Set-up CD to reboot?

Thanks for your patience.

nenotgmb

nenotgmb
2009-04-29, 19:24
Here's the log:
Malwarebytes' Anti-Malware 1.36
Database version: 2043
Windows 5.1.2600 Service Pack 3

4/29/2009 10:31:09 AM
mbam-log-2009-04-29 (10-31-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167355
Time elapsed: 22 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACpinevsaksecfetc.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wininetapp.wininet.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACpinevsaksecfetc.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Art\My Documents\key generator xp\XP Key Gen\XPKey.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Art\My Documents\My Documents\key generator xp\XP Key Gen\XPKey.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-842739394-13865410-688336352-1006\Dc67.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\ieocx.doc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
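Both logs in this thread point at the same component: the HijackThis O2 entry whose DLL is listed as "(file missing)" carries the CLSID that Malwarebytes later flags as Trojan.BHO, and the log's "Delete on reboot" items are exactly what had to be checked by hand after the restart. The script below is an added example, not a tool used in the thread; the two log excerpts are constructed from the lines posted above, and the regexes and function names are my own.

```python
"""Cross-check HijackThis O2 (BHO) entries against a Malwarebytes log.
Added example for this thread, not a tool the posters used: both log excerpts
are constructed from lines posted in the thread; parsing and triage are mine.
"""
import re
from dataclasses import dataclass

# Constructed: the O2 lines from the HijackThis log in the first post.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# Constructed: a subset of the Malwarebytes log posted later in the thread.
MBAM_LOG = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACpinevsaksecfetc.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\ieocx.doc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# HijackThis O2 line: name - {CLSID} - path, with an optional "(file missing)" tail.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>" + CLSID
                   + r") - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Malwarebytes result line: item (Threat.Name) -> action.
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[\w.]+)\) -> (?P<action>.+?)\.?$")
CLSID_RE = re.compile(CLSID)

@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    file_missing: bool

@dataclass
class Detection:
    item: str
    threat: str
    action: str

def parse_hjt_bhos(text: str) -> list[Bho]:
    """Return the Browser Helper Object (O2) entries of a HijackThis log."""
    bhos = []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append(Bho(m["name"], m["clsid"].lower(), m["path"],
                            m["missing"] is not None))
    return bhos

def parse_mbam(text: str) -> list[Detection]:
    """Return every '<item> (<threat>) -> <action>' result line of a Malwarebytes log."""
    found = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            found.append(Detection(m["item"], m["threat"], m["action"]))
    return found

def triage_bhos(bhos: list[Bho], detections: list[Detection]) -> dict[str, list[str]]:
    """Map each suspicious BHO CLSID to the reasons it stands out."""
    # CLSIDs that Malwarebytes named in a registry-key detection, with the threat names.
    flagged = {}
    for d in detections:
        for c in CLSID_RE.findall(d.item):
            flagged.setdefault(c.lower(), set()).add(d.threat)
    report = {}
    for b in bhos:
        reasons = []
        if b.file_missing:  # registration survives although its DLL is gone
            reasons.append("registered DLL not on disk: " + b.path)
        for threat in sorted(flagged.get(b.clsid, ())):
            reasons.append("CLSID detected by Malwarebytes as " + threat)
        if reasons:
            report[b.clsid] = reasons
    return report

def reboot_checklist(detections: list[Detection]) -> list[str]:
    """Items Malwarebytes could only schedule for removal at the next boot."""
    return [d.item for d in detections if d.action.lower() == "delete on reboot"]

if __name__ == "__main__":
    dets = parse_mbam(MBAM_LOG)
    for clsid, reasons in triage_bhos(parse_hjt_bhos(HJT_LOG), dets).items():
        print(clsid, *("  - " + r for r in reasons), sep="\n")
    print("Verify gone after reboot:", *("  - " + i for i in reboot_checklist(dets)), sep="\n")
```

The reboot checklist is the list to confirm by hand after the restart, as was done for uacinit.dll in this thread.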

peku006
2009-04-29, 19:36
Hi nenotgmb

Send the RSIT logs also.
Does the computer start without any problems?

Thanks peku006

nenotgmb
2009-04-29, 23:57
Peku006

The message "can't find C\ programs" came up, but after about 20 seconds it was fine.

Here are the RSIT logs:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Art at 2009-04-29 16:32:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 104 GB (68%) free of 153 GB
Total RAM: 1014 MB (64% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-01-15 13680640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-19 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\setup\HPZnui01.exe"="D:\setup\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe"="C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\setup\HPZnui01.exe"="D:\setup\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe"="C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8c8529d-b4a9-11dd-a5d6-001cc08f36a6}]
shell\AutoRun\command - E:\Programs\nu2menu\nu2menu.exe


======List of files/folders created in the last 1 months======

2009-04-29 16:32:46 ----D---- C:\Program Files\trend micro
2009-04-29 16:32:45 ----D---- C:\rsit
2009-04-28 16:55:01 ----D---- C:\Documents and Settings\Art\Application Data\Malwarebytes
2009-04-28 10:57:48 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-28 10:47:45 ----D---- C:\Program Files\123 Malb
2009-04-25 21:30:03 ----D---- C:\WINDOWS\ERDNT
2009-04-25 21:26:33 ----D---- C:\Program Files\ERUNT
2009-04-25 00:49:27 ----D---- C:\Avenger
2009-04-24 13:21:08 ----D---- C:\Program Files\mySafer Networking
2009-04-23 21:05:19 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-23 00:42:32 ----D---- C:\Documents and Settings\Art\Application Data\VSRevoGroup
2009-04-23 00:33:58 ----D---- C:\Program Files\VS Revo Group
2009-04-22 21:18:05 ----A---- C:\WINDOWS\av_affiliate.ini
2009-04-22 21:18:04 ----A---- C:\WINDOWS\as_affiliate.ini
2009-04-05 00:38:42 ----A---- C:\WINDOWS\NeroDigital.ini

======List of files/folders modified in the last 1 months======

2009-04-29 16:32:46 ----RD---- C:\Program Files
2009-04-29 12:58:03 ----D---- C:\WINDOWS\Temp
2009-04-29 12:56:58 ----D---- C:\WINDOWS\Prefetch
2009-04-29 10:52:12 ----D---- C:\WINDOWS\system32\drivers
2009-04-29 10:52:12 ----D---- C:\WINDOWS\system32
2009-04-29 10:33:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-29 10:31:09 ----D---- C:\WINDOWS
2009-04-29 00:44:03 ----D---- C:\Program Files\Mozilla Firefox
2009-04-26 13:26:46 ----D---- C:\Program Files\Mozilla Thunderbird
2009-04-25 08:28:28 ----D---- C:\WINDOWS\Network Diagnostic
2009-04-25 00:50:07 ----D---- C:\Documents and Settings
2009-04-24 16:52:22 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-04-24 16:52:17 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-24 16:30:26 ----HD---- C:\WINDOWS\inf
2009-04-23 23:08:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-23 23:02:39 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 22:59:20 ----D---- C:\WINDOWS\security
2009-04-23 21:27:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-22 23:56:02 ----A---- C:\WINDOWS\imsins.BAK
2009-04-22 21:18:01 ----A---- C:\WINDOWS\win.ini
2009-04-22 21:15:46 ----RSD---- C:\WINDOWS\assembly
2009-04-22 20:35:46 ----D---- C:\Program Files\Online Services
2009-04-22 18:21:59 ----D---- C:\WINDOWS\system32\ReinstallBackups

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2008-04-14 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2008-04-14 55936]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-09-18 4816896]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-01-15 6301248]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-07-01 108800]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-14 12288]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2008-04-14 37760]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\AN983.sys [2008-04-14 36224]
S3 CDAVFS;CDAVFS; C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2009-04-22 67424]
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-14 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
S3 MXOPSWD;Maxtor OneTouch Security Driver; C:\WINDOWS\system32\DRIVERS\mxopswd.sys [2007-05-03 22152]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-14 40320]
S3 S3SavageNB;S3SavageNB; C:\WINDOWS\system32\DRIVERS\s3gnbm.sys [2008-04-14 166912]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-14 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-14 44928]
S4 ahcix86;ahcix86; C:\WINDOWS\system32\DRIVERS\ahcix86.sys [2006-10-27 120832]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-14 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-14 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 iaStor;Intel RAID Controller; C:\WINDOWS\system32\DRIVERS\iaStor.sys [2007-09-30 308248]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 nvgts;nvgts; C:\WINDOWS\system32\DRIVERS\nvgts.sys [2008-01-17 102400]
S4 nvrd32;NVIDIA nForce RAID Driver; C:\WINDOWS\system32\DRIVERS\nvrd32.sys [2008-01-17 128000]
S4 RxFilter;RxFilter; C:\WINDOWS\system32\DRIVERS\RxFilter.sys [2008-07-18 57328]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-14 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-14 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service; c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2008-02-12 76272]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 HPSLPSVC;HP Network Devices Support; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-04-24 73728]
R2 Maxtor Sync Service;Maxtor Service; C:\Program Files\Maxtor\Sync\SyncServices.exe [2007-09-28 156976]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service; C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2008-12-11 3575808]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-01-15 163908]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 RoxLiveShare10;LiveShare P2P Server 10; c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-07-18 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10; c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-07-18 166384]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RoxMediaDB10;RoxMediaDB10; c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-07-18 1120752]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2008-03-24 74384]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-04-29 16:32:50

======Uninstall list======

-->"C:\Program Files\Ubi Soft\Cyan Worlds\Uru - Ages Beyond Myst\UninstUru.exe"
-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNNMP.exe /UNINSTALL
-->MsiExec /X{8AAB4176-A747-493A-A42C-B63CFADFD8E3}
-->MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
-->MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
FileAlyzer-->"C:\Program Files\Safer Networking\FileAlyzer\unins000.exe"
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2-->"E:\123 hjthis exe folder\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Imaging Device Functions 11.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart C6300 All-In-One Driver Software 11.0 Rel .4-->C:\Program Files\HP\Digital Imaging\{C8732DC3-1736-44b2-B741-2D636DE58605}\setup\hpzscr01.exe -datfile hposcr31.dat -onestop
HP Photosmart Essential 3.0-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat -forcereboot
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Malwarebytes' Anti-Malware-->"C:\Program Files\123 Malb\Malwarebytes' Anti-Malware\unins000.exe"
Maxtor Manager-->"C:\Program Files\InstallShield Installation Information\{B8281D46-D846-4BB9-BC84-F1115A7BF820}\setup.exe" -runfromtemp -l0x0409 -removeonly
Maxtor Manager-->MsiExec.exe /I{B8281D46-D846-4BB9-BC84-F1115A7BF820}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft English TTS Engine-->MsiExec.exe /I{94824ADD-8F26-43D2-84DB-22E11F377E5E}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Streets & Trips 2007-->MsiExec.exe /I{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.8)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.21)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Myst Uru - The Path of the Shell-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{69BA7792-853B-45A3-A29F-539C0D7A2A62}\setup.exe" -l0x9
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA Performance Drivers-->MsiExec.exe /I{4C0A8D65-4286-4B58-87FE-18AD24289285}
NVIDIA PhysX-->MsiExec.exe /X{8AAB4176-A747-493A-A42C-B63CFADFD8E3}
OCR Software by I.R.I.S. 11.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Revo Uninstaller 1.80-->C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Roxio Activation Module-->MsiExec.exe /I{EC877639-07AB-495C-BFD1-D63AF9140810}
Roxio BackOnTrack-->MsiExec.exe /I{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}
Roxio Central Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Central Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Central Core-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Central Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Central Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio CinePlayer-->MsiExec.exe /I{1B683082-8791-4D00-8ADE-6C8986FCCC68}
Roxio Creator XE-->C:\Documents and Settings\All Users\Application Data\Uninstall\{537BF16E-7412-448C-95D8-846E85A1D817}\setup.exe /x {537BF16E-7412-448C-95D8-846E85A1D817}
Roxio Creator XE-->MsiExec.exe /I{67CA389E-E759-4181-99FA-CD8B63853FB1}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio File Backup-->MsiExec.exe /I{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sonic CinePlayer Decoder Pack-->MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TeleChart 2007-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8F899627-1EA1-484D-91EA-7B22C05358DB}\setup.exe" -l0x9 -removeonly
TTS Wrapper-->MsiExec.exe /I{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: CyberDefender Internet Security

======System event log======


Computer Name: YOUR-5EE06FCAA0
Event Code: 7000
Message: The TCP/IP Protocol Driver service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 33321
Source Name: Service Control Manager
Time Written: 20090427112600.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 7001
Message: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
The system cannot find the file specified.


Record Number: 33320
Source Name: Service Control Manager
Time Written: 20090427112030.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 7000
Message: The TCP/IP Protocol Driver service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 33319
Source Name: Service Control Manager
Time Written: 20090427112030.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 7001
Message: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
The system cannot find the file specified.


Record Number: 33318
Source Name: Service Control Manager
Time Written: 20090427111920.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 7000
Message: The TCP/IP Protocol Driver service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 33317
Source Name: Service Control Manager
Time Written: 20090427111920.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-5EE06FCAA0
Event Code: 485
Message: wuauclt (1628) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Record Number: 4056
Source Name: ESENT
Time Written: 20090424192928.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 439
Message: wuauclt (1584) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1022.

Record Number: 4055
Source Name: ESENT
Time Written: 20090424192927.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 490
Message: wuauclt (1584) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" for read / write access failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The open file operation will fail with error -1022 (0xfffffc02).

Record Number: 4054
Source Name: ESENT
Time Written: 20090424192927.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 485
Message: wuauclt (1584) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Record Number: 4053
Source Name: ESENT
Time Written: 20090424192927.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 439
Message: wuauclt (1968) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb. Error -1022.

Record Number: 4052
Source Name: ESENT
Time Written: 20090424192927.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"EMC_AUTOPLAY"=c:\Program Files\Common Files\Roxio Shared\
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 28 Stepping 2, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=1c02
"RoxioCentral"=c:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------
Thanks
nenotgmb

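Added example (my own code, not part of the thread and not from RSIT): a small Python triage script that parses the "System event log" records in the report above, in the Key: value block layout RSIT prints, and counts the Service Control Manager 7000/7001 events for the TCP/IP Protocol Driver. That pair of events, repeated on each boot, is what the "no internet" symptom looks like in the log. The sample records are copied from the report above; the field names and the WMI timestamp format are the ones RSIT shows there.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: three records copied from the RSIT "System event log" and
# "Application event log" sections, in the "Key: value" block layout RSIT emits.
SAMPLE_LOG = r"""
Computer Name: YOUR-5EE06FCAA0
Event Code: 7000
Message: The TCP/IP Protocol Driver service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 33321
Source Name: Service Control Manager
Time Written: 20090427112600.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 7001
Message: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
The system cannot find the file specified.


Record Number: 33320
Source Name: Service Control Manager
Time Written: 20090427112030.000000-300
Event Type: error
User:

Computer Name: YOUR-5EE06FCAA0
Event Code: 485
Message: wuauclt (1628) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The delete file operation will fail with error -1022 (0xfffffc02).

Record Number: 4056
Source Name: ESENT
Time Written: 20090424192928.000000-300
Event Type: error
User:
"""

FIELD_RE = re.compile(
    r"^(Event Code|Record Number|Source Name|Time Written|Event Type|User): ?(.*)$", re.M)
# The message may span several lines; it ends where the "Record Number:" field begins.
MESSAGE_RE = re.compile(r"^Message: (.*?)\n\s*Record Number:", re.M | re.S)


def parse_wmi_time(stamp):
    """Convert a WMI CIM_DATETIME string (yyyymmddHHMMSS.ffffff+/-minutes) to an aware datetime."""
    m = re.fullmatch(r"(\d{14})\.(\d{6})([+-])(\d{3})", stamp)
    if not m:
        raise ValueError("unexpected timestamp: %r" % stamp)
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    minutes = int(m.group(4)) * (1 if m.group(3) == "+" else -1)
    return naive.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def parse_records(text):
    """Split an RSIT event-log section into one dict per record."""
    records = []
    for chunk in text.split("Computer Name:")[1:]:
        rec = {"Computer Name": chunk.split("\n", 1)[0].strip()}
        for key, value in FIELD_RE.findall(chunk):
            rec[key] = value.strip()
        m = MESSAGE_RE.search(chunk)
        rec["Message"] = " ".join(m.group(1).split()) if m else ""
        rec["Event Code"] = int(rec["Event Code"])
        rec["Time"] = parse_wmi_time(rec["Time Written"])
        records.append(rec)
    return records


# Service Control Manager: 7000 = service failed to start, 7001 = dependency failed to start.
SCM_START_FAILURES = {7000, 7001}


def tcpip_failures(records):
    """Records in which the SCM reports the TCP/IP Protocol Driver failing to load."""
    return [r for r in records
            if r["Source Name"] == "Service Control Manager"
            and r["Event Code"] in SCM_START_FAILURES
            and "TCP/IP Protocol Driver" in r["Message"]]


def summarize(records):
    """Triage summary: how often, and over what period, the TCP/IP driver failed to load."""
    hits = tcpip_failures(records)
    times = [r["Time"] for r in hits]
    return {
        "records": len(records),
        "tcpip_failures": len(hits),
        "by_code": dict(Counter(r["Event Code"] for r in hits)),
        "first": min(times).isoformat() if times else None,
        "last": max(times).isoformat() if times else None,
    }


if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LOG)))
```

To run it against a full RSIT log, pass the text of the event-log section to parse_records(). A run of 7000/7001 pairs for the TCP/IP driver across several boots, as in this report, means the network stack never loaded at all, so the place to look is the driver file the SCM cannot find rather than browser or DNS settings.
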
peku006
2009-04-30, 08:46
Hi nenotgmb

1 - Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html#)

Double click on ComboFix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

nenotgmb
2009-05-03, 20:40
Peku006,

Here are the logs:

ComboFix 09-05-02.4 - Art 05/03/2009 12:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.750 [GMT -5:00]
Running from: c:\documents and settings\Art\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\UACdkpamtusrnvspma.sys
c:\windows\system32\UACdkfcmwelruyvalt.log
c:\windows\system32\UACdudqxekxmybyuwe.log
c:\windows\system32\UACjotxxvhosrmmbpf.dll
c:\windows\system32\UACmlixttsesivsonm.dll
c:\windows\system32\UACnbpcbxiquxwbwfm.dll
c:\windows\system32\UACnkievnfovpexart.log
c:\windows\system32\UACpinevsaksecfetc.dll
c:\windows\system32\UACspaulqeexubrflo.dll
c:\windows\system32\UACyqxjgyfrqoqipay.dat
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://litetubevideoz.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-04-29 21:32 . 2009-04-29 21:32 -------- d-----w c:\program files\trend micro
2009-04-29 21:32 . 2009-04-29 21:32 -------- d-----w C:\rsit
2009-04-28 21:55 . 2009-04-28 21:55 -------- d-----w c:\documents and settings\Art\Application Data\Malwarebytes
2009-04-28 15:57 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 15:57 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 15:57 . 2009-04-28 15:57 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-28 15:47 . 2009-04-28 15:57 -------- d-----w c:\program files\123 Malb
2009-04-26 02:26 . 2009-04-26 02:27 -------- d-----w c:\program files\ERUNT
2009-04-25 06:12 . 2009-04-25 06:12 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-25 06:10 . 2009-04-25 06:10 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-24 18:21 . 2009-04-24 18:21 -------- d-----w c:\program files\mySafer Networking
2009-04-23 05:42 . 2009-04-23 05:42 -------- d-----w c:\documents and settings\Art\Application Data\VSRevoGroup
2009-04-23 05:33 . 2009-04-23 05:33 -------- d-----w c:\program files\VS Revo Group
2009-04-23 02:15 . 2009-04-23 02:14 67424 ----a-w c:\windows\system32\drivers\CDAVFS.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 17:37 . 2008-04-28 22:05 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-26 18:26 . 2009-01-10 02:58 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-24 21:52 . 2008-04-28 21:23 361600 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-04-24 02:27 . 2009-01-08 04:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-20 15:26 . 2009-03-01 00:58 629 ----a-w C:\TempVer.tmp
2009-02-16 04:50 . 2009-01-06 05:53 83824 ----a-w c:\documents and settings\Art\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-14 02:04 . 2009-02-14 01:23 165728 ----a-w c:\windows\hpoins31.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0"
"UpdatesDisableNotify"="0"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-07-18 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-07-18 166384]
R3 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2009-04-23 67424]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-07-18 1120752]
R4 ahcix86;ahcix86;c:\windows\system32\DRIVERS\ahcix86.sys [2006-10-27 120832]
S2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;c:\program files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2008-02-13 76272]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2008-12-11 3575808]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8c8529d-b4a9-11dd-a5d6-001cc08f36a6}]
\Shell\AutoRun\command - e:\programs\nu2menu\nu2menu.exe
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 12:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-03 12:43
ComboFix-quarantined-files.txt 2009-05-03 17:43

Pre-Run: 100,090,351,616 bytes free
Post-Run: 117,699,399,680 bytes free

117


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:51 PM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\remame firefox.exe
C:\Documents and Settings\Art\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209407146265
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 4251 bytes

Thanks

nenotgmb

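Added example (my own code, not ComboFix's and not from the thread): a Python triage script for the ComboFix report layout shown above. It splits the report into its parenthesised sections, groups the "Other Deletions" entries into families of random-looking names that share a short prefix (the UAC* files above), and lists kernel drivers in the Find3M report whose last-write date falls inside a suspected incident window. The excerpt is copied from the log above. Two assumptions of mine: the incident window 2009-04-24 to 2009-04-26 is taken from the date of the first post and the tcpip.sys row, and the field order in file rows (last-write, then creation) is read off the report layout rather than from any ComboFix documentation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: an excerpt of the ComboFix report above (a few lines from the
# "Other Deletions", "Drivers/Services" and "Find3M Report" sections, same layout).
COMBOFIX_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\windows\system32\drivers\UACdkpamtusrnvspma.sys
c:\windows\system32\UACdkfcmwelruyvalt.log
c:\windows\system32\UACjotxxvhosrmmbpf.dll
c:\windows\system32\UACmlixttsesivsonm.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 17:37 . 2008-04-28 22:05 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-24 21:52 . 2008-04-28 21:23 361600 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-04-24 02:27 . 2009-01-08 04:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-14 02:04 . 2009-02-14 01:23 165728 ----a-w c:\windows\hpoins31.dat
"""

# Section titles sit between runs of parentheses.
SECTION_RE = re.compile(r"^\(+ (.+?) \)+\s*$")
# ComboFix file rows: "<last write> . <creation> <size|--------> <attrs> <path>".
# Field order is an assumption read off the report layout (SA.DAT and tcpip.sys rows).
FILE_ROW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$")


def parse_sections(text):
    """Map each ComboFix section title to its non-empty content lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def random_name_families(paths, min_members=3):
    """Group files whose names are a 3-character prefix plus a long run of lowercase letters.

    Heuristic taken from the naming seen in this report (UAC + random letters); it is
    not a general malware test, only a way to surface such a family for review.
    """
    families = defaultdict(list)
    for path in paths:
        stem = path.rsplit("\\", 1)[-1].split(".")[0]
        if len(stem) >= 13 and re.fullmatch(r"[a-z]{10,}", stem[3:]):
            families[stem[:3]].append(path)
    return {prefix: sorted(members) for prefix, members in families.items()
            if len(members) >= min_members}


def drivers_modified_in_window(rows, start, end):
    """Kernel drivers whose last-write date falls inside the suspected incident window."""
    start_d = datetime.strptime(start, "%Y-%m-%d").date()
    end_d = datetime.strptime(end, "%Y-%m-%d").date()
    hits = []
    for row in rows:
        m = FILE_ROW_RE.match(row)
        if not m:
            continue
        modified = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").date()
        path = m.group(5)
        if "\\drivers\\" in path.lower() and start_d <= modified <= end_d:
            hits.append(path)
    return hits


if __name__ == "__main__":
    secs = parse_sections(COMBOFIX_EXCERPT)
    print(random_name_families(secs["Other Deletions"]))
    print(drivers_modified_in_window(secs["Find3M Report"], "2009-04-24", "2009-04-26"))
```

On this report the two checks agree with what the log shows directly: a family of UAC-prefixed files in system32 (including one kernel driver) that ComboFix removed, and tcpip.sys, created with the 2008 Windows install, rewritten on 2009-04-24. That second finding is the one worth carrying forward, because the event log in the earlier post shows the TCP/IP driver failing to load from that date on.
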
peku006
2009-05-03, 20:57
Hi nenotgmb

The Recovery Console has not been installed on your machine. We will manually install it now in case something gets broken. With tools as powerful as ComboFix around you wouldn't want to risk it. Installing the Recovery Console only takes a few minutes of your time.
Please click here (http://support.microsoft.com/kb/310994)

Now please download the correct Setup Disks for your version of Windows XP. Please put the file on your desktop.

http://i51.photobucket.com/albums/f387/Katana_1970/KB310994.gif

Disconnect from the internet and disable ALL protection software! ComboFix is about to modify some critical system files and no protection software will ever allow that to happen.
Next, drag the Microsoft executable into ComboFix.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Please follow the instructions ComboFix gives you. When asked whether to continue scanning for malware, click Yes

When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt

Thanks peku006

nenotgmb
2009-05-04, 08:05
Peku006

Combofix detected a realtime scanner:
*Cyberdefender Internet Security

Before I contacted you for help I thought I uninstalled this piece of junk but it appears to be in two places:

1) In the System Configuration Utility "WIN.INI" tab.
I unchecked the box [CybDefKeepSafe] and restarted, but same Combofix warning.

2) In the windows Registry Editor.

How should I disable or delete this so I can run Combofix safely?

Thanks,

nenotgmb

peku006
2009-05-04, 08:39
Hi nenotgmb

it's not visible in your Uninstall list.........:scratch:
it is not necessary to disable it

nenotgmb
2009-05-04, 17:34
Peku006

That's what I thought as well.....just wanted to check with you first.
Here's the Combofix log:
ComboFix 09-05-02.4 - Art 05/04/2009 10:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.739 [GMT -5:00]
Running from: c:\documents and settings\Art\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Art\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-26 02:26 . 2009-04-26 02:27 -------- d-----w c:\program files\ERUNT
2009-04-25 06:12 . 2009-04-25 06:12 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-25 06:10 . 2009-04-25 06:10 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-24 18:21 . 2009-04-24 18:21 -------- d-----w c:\program files\mySafer Networking
2009-04-23 05:42 . 2009-04-23 05:42 -------- d-----w c:\documents and settings\Art\Application Data\VSRevoGroup
2009-04-23 05:33 . 2009-04-23 05:33 -------- d-----w c:\program files\VS Revo Group
2009-04-23 02:15 . 2009-04-23 02:14 67424 ----a-w c:\windows\system32\drivers\CDAVFS.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 15:11 . 2008-04-28 22:05 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-29 21:32 . 2009-04-29 21:32 -------- d-----w c:\program files\trend micro
2009-04-28 15:57 . 2009-04-28 15:47 -------- d-----w c:\program files\123 Malb
2009-04-26 18:26 . 2009-01-10 02:58 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-24 21:52 . 2008-04-28 21:23 361600 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-04-24 02:27 . 2009-01-08 04:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 20:32 . 2009-04-28 15:57 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-04-28 15:57 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-20 15:26 . 2009-03-01 00:58 629 ----a-w C:\TempVer.tmp
2009-02-16 04:50 . 2009-01-06 05:53 83824 ----a-w c:\documents and settings\Art\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-14 02:04 . 2009-02-14 01:23 165728 ----a-w c:\windows\hpoins31.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-05-03_17.41.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-28 21:23 . 2009-05-04 04:43 63528 c:\windows\system32\perfc009.dat
- 2008-04-28 21:23 . 2009-05-03 17:39 63528 c:\windows\system32\perfc009.dat
+ 2008-04-28 21:23 . 2009-05-04 04:43 406328 c:\windows\system32\perfh009.dat
- 2008-04-28 21:23 . 2009-05-03 17:39 406328 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-07-18 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-07-18 166384]
R3 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2009-04-23 67424]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-07-18 1120752]
R4 ahcix86;ahcix86;c:\windows\system32\DRIVERS\ahcix86.sys [2006-10-27 120832]
S2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;c:\program files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2008-02-13 76272]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2008-12-11 3575808]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8c8529d-b4a9-11dd-a5d6-001cc08f36a6}]
\Shell\AutoRun\command - e:\programs\nu2menu\nu2menu.exe
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 10:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-04 10:16
ComboFix-quarantined-files.txt 2009-05-04 15:16
ComboFix2.txt 2009-05-03 17:43

Pre-Run: 117,650,063,360 bytes free
Post-Run: 117,645,803,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

113
Nenotgmb

peku006
2009-05-04, 17:45
Hi nenotgmb

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - F-Secure Online Scan

F-Secure Online Scan


Note: You will need to use Internet explorer for this scan
Go here (http://support.f-secure.com/enu/home/ols.shtml) to run an online scan from F-Secure
Click on Start scanning
This will open a new internet explorer window
It will require an activex control, please install it
Click Accept
Click Full System Scan
It will now download the scanner, this may take a while, please be patient
It will then start scanning, wait for the scan to finish
Click Automatic cleaning (recommended)
Wait for it finish the cleaning process
Click show report
This will open up a window with the results of the scan, copy and paste those results as a reply to this topic


3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the F-Secure online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

nenotgmb
2009-05-04, 19:38
Peku006

So far so good. I have not restarted the computer yet, but I do now have internet access with IE and Mozilla.

A small glitch though... safer-networking.org is blocked when I use Mozilla's browser.
IE, however, goes to safer-networking with no problem.

Here's the logs:

Scanning Report
Monday, May 04, 2009 11:14:31 - 12:08:37

Computer name: YOUR-5EE06FCAA0
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 4 malware found
TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Questionmarket (spyware)

* System

Trojan.Win32.Genome.ite (virus)

* C:\DOCUMENTS AND SETTINGS\ART\MY DOCUMENTS\MY DOCUMENTS\DSS\WINEXP50\WINEXPLORER.EXE (Renamed & Submitted)
* C:\DOCUMENTS AND SETTINGS\ART\MY DOCUMENTS\DSS\WINEXP50\WINEXPLORER.EXE (Renamed & Submitted)

Statistics
Scanned:

* Files: 19504
* System: 3097
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 2
* Deleted: 0
* None: 2
* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ART\LOCAL SETTINGS\TEMP\ETILQS_PPRMYVIMDTHBTGAABT4J
* C:\DOCUMENTS AND SETTINGS\ART\APPLICATION DATA\THUNDERBIRD\PROFILES\Y24S0YSE.DEFAULT\MAIL\MAIL.COMCAST.NET\INBOX

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.8.9080, 2009-05-04
* F-Secure AVP: 7.0.171, 2009-05-04
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:16 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Art\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209407146265
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 4323 bytes

Thanks,
nenotgmb
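To triage a HijackThis log like the one above without reading it entry by entry, here is an added example (written for this thread; it is not HijackThis code and not part of any post). It splits the "Onn - ..." lines into sections, breaks O23 service lines into display name, short name, vendor and path, and flags the entries a helper looks at first: "(file missing)" registrations, services whose binary carries no CompanyName ("Unknown owner"), Winsock LSP entries, ActiveX (DPF) downloads, and Run entries that start from user-writable folders. The sample input is constructed: most lines are copied from the posted log, but the HKCU "updater" entry and the "(file missing)" BHO are made up for illustration and do not exist on this machine; the user-writable folder list is likewise an assumption for an XP-era profile layout.

```python
"""Triage helper for a pasted HijackThis 2.0.x log.

Added example for this thread, not HijackThis code and not taken from the
tool's own source. It splits the "Onn - ..." lines, breaks O23 service lines
into display name / short name / vendor / path, and flags the entries a
reviewer looks at first: "(file missing)" registrations, services with no
CompanyName, Winsock LSPs, ActiveX (DPF) downloads, and autostarts that run
from user-writable folders.
"""
import re
from typing import Dict, List, Optional

# Section prefix that every HJT entry line starts with, e.g. "O23 - ", "R1 - ".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O23 body: "Service: <display> (<short>) - <vendor> - <path>"; "(<short>)" is optional.
SERVICE_RE = re.compile(r"^Service: (.+?)(?: \(([^()]+)\))? - (.+?) - (.+)$")
# O4 body: "<hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
# Assumption: XP-era profile layout; a Run entry under these is worth a look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

# Constructed sample input. Most lines are copied from the log posted above;
# the HKCU "updater" entry and the "(file missing)" BHO are made up for the
# example and are NOT on the poster's machine.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Art\Local Settings\Temp\upd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O2 - BHO: (no name) - {DEADBEEF-0000-0000-0000-000000000000} - C:\WINDOWS\example.dll (file missing)
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4323 bytes
"""


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for one HJT entry line, or None for any other line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    entry: Dict = {"section": section, "raw": line, "flags": []}
    if section == "O23":
        s = SERVICE_RE.match(body)
        if s:
            entry.update(display=s.group(1), short=s.group(2),
                         vendor=s.group(3), path=s.group(4))
    elif section == "O4":
        r = RUN_RE.match(body)
        if r:
            entry.update(hive=r.group(1), key=r.group(2),
                         name=r.group(3), command=r.group(4))
    return entry


def flag(entry: Dict) -> List[str]:
    """Heuristic flags a helper would check first; order matches the checks."""
    flags: List[str] = []
    raw_l = entry["raw"].lower()
    if "(file missing)" in raw_l:
        flags.append("file-missing")      # orphaned registration: the DLL/EXE is gone
    if entry["section"] == "O23" and entry.get("vendor") == "Unknown owner":
        flags.append("no-company-name")   # binary has no CompanyName in its version info
    if entry["section"] == "O10":
        flags.append("winsock-lsp")       # an LSP sees every socket call; verify the file
    if entry["section"] == "O16":
        flags.append("activex-download")  # Downloaded Program Files (ActiveX) entry
    if entry["section"] == "O4":
        cmd = entry.get("command", "").lower()
        if any(p in cmd for p in USER_WRITABLE):
            flags.append("autostart-from-user-writable-path")
    return flags


def triage(log_text: str) -> List[Dict]:
    """Parse every entry line of a log and attach its flags, in log order."""
    entries: List[Dict] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        e["flags"] = flag(e)
        entries.append(e)
    return entries


def flagged(log_text: str) -> List[Dict]:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(log_text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(", ".join(e["flags"]).ljust(36), e["raw"])
```

The flags are prompts for a look, not verdicts: on this machine the O10 entry (nwprovau.dll, the NetWare provider) and the O16 entry (the F-Secure scanner control that was just installed) are expected, and "Unknown owner" only means the service binary lacks a CompanyName string, which is true of the Roxio backup service here. The point of the script is to get a reviewer to those lines first.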

peku006
2009-05-04, 19:49
Hi nenotgmb

I have not restarted the computer yet
you should try to restart the computer :D:

safer-networking.org is blocked when I use Mozilla's browser.
Strange that only Firefox will do it. Is it updated?
Let us take a deeper look..........

Please download OTScanIt2 (http://oldtimer.geekstogo.com/OTScanIt2.exe) from Geeks to Go by OldTimer. Alternate download site (http://download.bleepingcomputer.com/oldtimer/OTScanIt2.exe).
Save it to your desktop.
Double click on OTScanIt2.exe to run it.
Click on Extract. Once done, when prompted. Click OK and click Close.
This is a self-extracting file...It will create a folder named OTScanIt2 on your desktop.
Double click on the OTScanIt2 folder to open... then double click on OTScanIt2.exe to run it.
Under Rootkit Search, select Yes.
Click on Run Scan at the top left hand corner. It may take a few minutes...be patient, let it run.
When done, Notepad will open with the log file "OTScanIt.Txt" contents.
Please post the contents of the OTScanIt.Txt Notepad file in your next reply.

Thanks peku006

nenotgmb
2009-05-04, 21:02
Peku006

I restarted and got the message "You have changed configuration utility to make changes to the way windows starts. Choose normal startup mode to start windows normally." I chose normal mode and the computer restarted again.

Started Mozilla again and got the same message as before the restart: "firefox is not currently your default browser. Would you like to make your default browser?" This time I clicked "NO".
Firefox message:
"firefox can't find the file at http:\\www.safer-networking. org/en/home/index.html.".

I clicked on the firefox start page help tab and "Downloading firefox 3.0.10...." is shown, but nothing is downloading.

The OTScanIt2 scan was run BEFORE I restarted the computer.



OTScanIt2 logfile created on: 5/4/2009 1:06:08 PM - Run 1
OTScanIt2 by OldTimer - Version 1.0.14.0 Folder = C:\Documents and Settings\Art\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.76 Mb Total Physical Memory | 657.32 Mb Available Physical Memory | 64.84% Memory free
2.38 Gb Paging File | 2.17 Gb Available in Paging File | 91.17% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 109.43 Gb Free Space | 73.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-5EE06FCAA0
Current User Name: Art
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

[Processes - Safe List]
explorer.exe -> %SystemRoot%\explorer.exe -> [2008/04/14 08:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation)
filebackupsvc.exe -> %ProgramFiles%\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe -> [2008/02/12 22:12:16 | 00,076,272 | ---- | M] ()
iexplore.exe -> %ProgramFiles%\internet explorer\iexplore.exe -> [2008/04/14 08:00:00 | 00,093,184 | -HS- | M] (Microsoft Corporation)
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/04/24 15:25:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company)
nvpdsvc.exe -> %ProgramFiles%\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe -> [2008/12/11 08:08:52 | 03,575,808 | ---- | M] ()
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> [2009/01/15 09:19:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/04/11 16:32:52 | 00,494,080 | ---- | M] (OldTimer Tools)
syncservices.exe -> %ProgramFiles%\Maxtor\Sync\SyncServices.exe -> [2007/09/28 12:24:36 | 00,156,976 | ---- | M] (Seagate Technology LLC)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2008/04/14 08:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(6to4) IPv6 Helper Service [Win32_Shared | Auto | Running] -> %SystemRoot%\System32\6to4svc.dll -> [2008/04/14 08:00:00 | 00,100,352 | ---- | M] (Microsoft Corporation)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation)
(CEEBC40A-FDED-4C59-B354-939132350B01) Roxio File Backup Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe -> [2008/02/12 22:12:16 | 00,076,272 | ---- | M] ()
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2008/04/14 08:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation)
(hpqcxs08) hpqcxs08 [Win32_Shared | On_Demand | Running] -> %ProgramFiles%\HP\Digital Imaging\bin\hpqcxs08.dll -> [2008/03/25 21:38:24 | 00,217,088 | ---- | M] (Hewlett-Packard Co.)
(hpqddsvc) HP CUE DeviceDiscovery Service [Win32_Shared | Auto | Running] -> %ProgramFiles%\HP\Digital Imaging\bin\hpqddsvc.dll -> [2008/03/25 22:27:36 | 00,135,168 | ---- | M] (Hewlett-Packard Co.)
(HPSLPSVC) HP Network Devices Support [Win32_Shared | Auto | Running] -> %ProgramFiles%\HP\Digital Imaging\bin\HPSLPSVC32.DLL -> [2008/03/25 22:25:50 | 00,630,784 | ---- | M] (Hewlett-Packard Co.)
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/04/24 15:25:44 | 00,073,728 | ---- | M] (Hewlett-Packard Company)
(Maxtor Sync Service) Maxtor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Maxtor\Sync\SyncServices.exe -> [2007/09/28 12:24:36 | 00,156,976 | ---- | M] (Seagate Technology LLC)
(Net Driver HPZ12) Net Driver HPZ12 [Win32_Own | Auto | Running] -> %SystemRoot%\system32\HPZinw12.dll -> [2008/07/18 14:13:20 | 00,044,032 | ---- | M] (Hewlett-Packard)
(NVIDIA Performance Driver Service) NVIDIA Performance Driver Service [Win32_Own | Auto | Running] -> %ProgramFiles%\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe -> [2008/12/11 08:08:52 | 03,575,808 | ---- | M] ()
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> [2009/01/15 09:19:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation)
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %SystemRoot%\system32\HPZipm12.dll -> [2008/07/18 14:13:20 | 00,053,760 | ---- | M] (Hewlett-Packard)
(RoxLiveShare10) LiveShare P2P Server 10 [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -> [2008/07/18 08:43:38 | 00,309,744 | ---- | M] (Sonic Solutions)
(RoxMediaDB10) RoxMediaDB10 [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -> [2008/07/18 08:43:02 | 01,120,752 | ---- | M] (Sonic Solutions)
(RoxWatch10) Roxio Hard Drive Watcher 10 [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -> [2008/07/18 08:43:32 | 00,166,384 | ---- | M] (Sonic Solutions)
(stllssvr) stllssvr [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\SureThing Shared\stllssvr.exe -> [2008/03/24 07:35:22 | 00,074,384 | R--- | M] (MicroVision Development, Inc.)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Player\WMPNetwk.exe -> [2006/10/18 23:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)

[Driver Services - Safe List]
(ahcix86) ahcix86 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ahcix86.sys -> [2006/10/27 08:12:32 | 00,120,832 | ---- | M] (ATI Technologies Inc.)
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\aliide.sys -> [2001/08/17 16:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\amdagp.sys -> [2008/04/14 03:06:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(AN983) ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\AN983.sys -> [2008/04/14 01:05:30 | 00,036,224 | ---- | M] (ADMtek Incorporated.)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc.sys -> [2001/08/17 16:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\asc3550.sys -> [2001/08/17 16:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(CDAVFS) CDAVFS [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\CDAVFS.sys -> [2009/04/22 21:14:50 | 00,067,424 | ---- | M] (CyberDefender Corp.)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\cmdide.sys -> [2001/08/17 16:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 16:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\HDAudBus.sys -> [2008/04/14 08:00:00 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(ialm) ialm [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\igxpmp32.sys -> [2008/02/15 13:12:06 | 05,854,752 | ---- | M] (Intel Corporation)
(iaStor) Intel RAID Controller [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\iaStor.sys -> [2007/09/30 03:03:12 | 00,308,248 | ---- | M] (Intel Corporation)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> [2008/09/18 18:48:58 | 04,816,896 | ---- | M] (Realtek Semiconductor Corp.)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\mraid35x.sys -> [2001/08/17 16:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(MXOPSWD) Maxtor OneTouch Security Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\mxopswd.sys -> [2007/05/03 13:37:08 | 00,022,152 | ---- | M] (Maxtor Corp.)
(nm) Network Monitor Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\NMnt.sys -> [2008/04/14 08:00:00 | 00,040,320 | ---- | M] (Microsoft Corporation)
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\nv4_mini.sys -> [2009/01/15 09:19:00 | 06,301,248 | ---- | M] (NVIDIA Corporation)
(nvgts) nvgts [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\nvgts.sys -> [2008/01/17 14:51:30 | 00,102,400 | ---- | M] (NVIDIA Corporation)
(nvrd32) NVIDIA nForce RAID Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\nvrd32.sys -> [2008/01/17 14:51:24 | 00,128,000 | ---- | M] (NVIDIA Corporation)
(NwlnkIpx) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkipx.sys -> [2008/04/14 08:00:00 | 00,088,320 | ---- | M] (Microsoft Corporation)
(NwlnkNb) NWLink NetBIOS [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnknb.sys -> [2008/04/14 08:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation)
(NwlnkSpx) NWLink SPX/SPXII Protocol [Kernel | Auto | Running] -> %SystemRoot%\system32\DRIVERS\nwlnkspx.sys -> [2008/04/14 08:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\ptilink.sys -> [2008/04/14 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\System32\Drivers\PxHelp20.sys -> [2008/06/16 03:00:00 | 00,044,944 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1080.sys -> [2001/08/17 16:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql12160.sys -> [2001/08/17 16:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ql1280.sys -> [2001/08/17 16:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(RTLE8023xp) Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DRIVERS\Rtenicxp.sys -> [2008/07/01 10:27:44 | 00,108,800 | ---- | M] (Realtek Semiconductor Corporation )
(RxFilter) RxFilter [File_System | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\RxFilter.sys -> [2008/07/18 10:11:40 | 00,057,328 | ---- | M] (Sonic Solutions)
(S3SavageNB) S3SavageNB [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\s3gnbm.sys -> [2008/04/14 01:04:34 | 00,166,912 | ---- | M] (S3 Graphics, Inc.)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\secdrv.sys -> [2008/04/14 08:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sisagp.sys -> [2008/04/14 03:06:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sparrow.sys -> [2001/08/17 17:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(StillCam) Still Serial Digital Camera Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\DRIVERS\serscan.sys -> [2001/08/17 14:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc810.sys -> [2001/08/17 17:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\symc8xx.sys -> [2001/08/17 17:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_hi.sys -> [2001/08/17 17:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\sym_u3.sys -> [2001/08/17 17:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(Tcpip6) Microsoft IPv6 Protocol Driver [Kernel | System | Running] -> %SystemRoot%\system32\DRIVERS\tcpip6.sys -> [2008/06/20 06:08:27 | 00,225,856 | ---- | M] (Microsoft Corporation)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\DRIVERS\ultra.sys -> [2001/08/17 16:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKEY_CURRENT_USER\: SearchURL\\"provider" -> ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Art\Application Data\Mozilla\FireFox\Profiles\1vpys44u.default\prefs.js ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/04/22 18:37:22 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/04/25 12:10:52 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions -> ->
HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components -> %ProgramFiles%\MOZILLA THUNDERBIRD\COMPONENTS [C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS] -> [2009/03/21 23:55:18 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins -> C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS ->
< FireFox Extensions [User Folders] > ->
-> C:\Documents and Settings\Art\Application Data\mozilla\Extensions -> [2009/01/09 21:58:32 | 00,000,335 | ---- | M] ()
-> C:\Documents and Settings\Art\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} -> [2009/01/09 21:58:32 | 00,000,335 | ---- | M] ()
-> C:\Documents and Settings\Art\Application Data\mozilla\Firefox\Profiles\1vpys44u.default\extensions -> [2009/03/29 14:15:30 | 00,096,148 | ---- | M] ()
< FireFox Extensions [Program Folders] > ->
-> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions -> [2009/03/29 02:03:13 | 09,732,600 | ---- | M] (Mozilla Foundation)
-> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} -> [2009/03/29 02:03:13 | 09,732,600 | ---- | M] (Mozilla Foundation)
< FireFox Components [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\components\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\components -> [2009/04/22 18:37:22 | 00,000,000 | ---D | M]
browserdirprovider.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\browserdirprovider.dll -> [2009/03/29 02:03:09 | 00,023,032 | ---- | M] (Mozilla Foundation)
brwsrcmp.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\brwsrcmp.dll -> [2009/03/29 02:03:09 | 00,134,648 | ---- | M] (Mozilla Foundation)
< FireFox Plugins [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins -> [2009/04/25 12:10:52 | 00,000,000 | ---D | M]
npnul32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npnul32.dll -> [2009/03/29 02:03:11 | 00,065,528 | ---- | M] (mozilla.org)
NPOFFICE.DLL -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\NPOFFICE.DLL -> [2003/07/14 23:56:52 | 00,013,888 | ---- | M] (Microsoft Corporation)
< FireFox SearchPlugins [Program Folders] > ->
C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins -> [2009/01/07 23:12:46 | 00,000,000 | ---D | M]
amazondotcom.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\amazondotcom.xml -> [2008/12/02 03:04:40 | 00,001,394 | ---- | M] ()
answers.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\answers.xml -> [2008/12/02 03:04:40 | 00,002,193 | ---- | M] ()
creativecommons.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\creativecommons.xml -> [2008/12/02 03:04:40 | 00,001,534 | ---- | M] ()
eBay.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\eBay.xml -> [2008/12/02 03:04:40 | 00,002,343 | ---- | M] ()
google.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\google.xml -> [2008/12/02 03:04:40 | 00,001,706 | ---- | M] ()
wikipedia.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\wikipedia.xml -> [2008/12/02 03:04:40 | 00,001,178 | ---- | M] ()
yahoo.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\yahoo.xml -> [2008/12/02 03:04:40 | 00,000,792 | ---- | M] ()
< HOSTS File > (292253 bytes and 10113 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
First 25 entries...
Reset Hosts
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.1-2005-search.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/23 02:08:42 | 00,062,080 | ---- | M] (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"MSConfig" -> %SystemRoot%\pchealth\helpctr\Binaries\MSCONFIG.EXE [C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto] -> [2008/04/14 08:00:00 | 00,169,984 | ---- | M] (Microsoft Corporation)
"NvCplDaemon" -> %SystemRoot%\system32\NvCpl.DLL [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2009/01/15 09:19:00 | 13,680,640 | ---- | M] (NVIDIA Corporation)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Art Startup Folder > -> C:\Documents and Settings\Art\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2003/08/13 03:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/14 08:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/14 08:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{2670000A-7350-4f3c-8081-5663EE0C6C49}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.] -> File not found
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 08:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5259 domain(s) found. ->
49 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5260 domain(s) found. ->
48 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209407146265 [WUWebControl Class] ->
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} [HKLM] -> http://support.f-secure.com/ols/fscax.cab [F-Secure Online Scanner 3.3] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{29A0C18A-E16C-43FF-9C52-BF3018730BFF} -> (Realtek RTL8102E Family PCI-E Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> [2008/04/14 08:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> %SystemRoot%\system32\igfxdev.dll -> [2008/02/15 11:45:40 | 00,208,896 | ---- | M] (Intel Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 08:00:00 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" -> C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe [C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe] -> [2008/03/20 10:36:30 | 00,550,312 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe [C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe] -> [2008/03/16 13:14:04 | 01,556,480 | ---- | M] (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe [C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe] -> [2008/05/28 02:36:20 | 00,075,096 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hposid01.exe [C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe] -> [2008/05/28 02:36:20 | 00,107,864 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe [C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe] -> [2008/03/16 13:14:00 | 00,167,936 | ---- | M] (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe [C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe] -> [2008/03/20 10:36:38 | 03,782,048 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe [C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe] -> [2008/03/13 10:34:26 | 00,087,456 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe] -> [2008/03/25 21:49:02 | 00,184,320 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe [C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe] -> [2008/03/20 10:36:40 | 00,135,168 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe] -> [2008/03/25 21:40:42 | 00,214,360 | ---- | M] (Hewlett-Packard Co.)
"D:\setup\HPZnui01.exe" -> D:\setup\HPZnui01.exe [D:\setup\HPZnui01.exe:*:Enabled:hpznui01.exe] -> File not found
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/14 08:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 08:00:00 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" -> C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe [C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe] -> [2008/03/20 10:36:30 | 00,550,312 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe [C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe] -> [2008/03/16 13:14:04 | 01,556,480 | ---- | M] (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe [C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe] -> [2008/05/28 02:36:20 | 00,075,096 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hposid01.exe [C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe] -> [2008/05/28 02:36:20 | 00,107,864 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe [C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe] -> [2008/03/16 13:14:00 | 00,167,936 | ---- | M] (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe [C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe] -> [2008/03/20 10:36:38 | 03,782,048 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe [C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe] -> [2008/03/13 10:34:26 | 00,087,456 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe] -> [2008/03/25 21:49:02 | 00,184,320 | ---- | M] (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe [C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe] -> [2008/03/20 10:36:40 | 00,135,168 | ---- | M] (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe] -> [2008/03/25 21:40:42 | 00,214,360 | ---- | M] (Hewlett-Packard Co.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\DRIVERS\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/14 08:00:00 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2008/04/28 16:59:16 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
\{a8c8529d-b4a9-11dd-a5d6-001cc08f36a6}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8c8529d-b4a9-11dd-a5d6-001cc08f36a6}\Shell\AutoRun\command
\{a8c8529d-b4a9-11dd-a5d6-001cc08f36a6}\Shell\AutoRun\command\\"" -> E:\Programs\nu2menu\nu2menu.exe [E:\Programs\nu2menu\nu2menu.exe] -> File not found


[Files/Folders - Created Within 30 Days]
1 C:\*.tmp files -> C:\*.tmp ->
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2009/05/04 13:02:25 | 00,000,000 | ---D | C]
fsaua.data -> %SystemDrive%\fsaua.data -> [2009/05/04 11:09:41 | 00,000,000 | ---D | C]
F Secure online scan logs -> %UserProfile%\My Documents\F Secure online scan logs -> [2009/05/04 11:01:05 | 00,000,000 | ---D | C]
Combofix logs -> %UserProfile%\My Documents\Combofix logs -> [2009/05/04 10:21:35 | 00,000,000 | ---D | C]
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/05/04 10:12:10 | 00,000,211 | ---- | C] ()
cmldr -> %SystemDrive%\cmldr -> [2009/05/04 10:12:08 | 00,260,272 | ---- | C] ()
cmdcons -> %SystemDrive%\cmdcons -> [2009/05/04 10:12:04 | 00,000,000 | RHSD | C]
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe -> %UserProfile%\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe -> [2009/05/03 21:27:53 | 04,614,888 | ---- | C] (Microsoft Corporation)
Hijackthis logs -> %UserProfile%\My Documents\Hijackthis logs -> [2009/05/03 13:30:42 | 00,000,000 | ---D | C]
HiJackThis.exe -> %UserProfile%\Desktop\HiJackThis.exe -> [2009/05/03 13:27:50 | 00,401,720 | ---- | C] (Trend Micro Inc.)
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/05/03 12:19:08 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/05/03 12:19:08 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/05/03 12:19:08 | 00,136,704 | ---- | C] (SteelWerX)
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/05/03 12:19:08 | 00,117,248 | ---- | C] ()
sed.exe -> %SystemRoot%\sed.exe -> [2009/05/03 12:19:08 | 00,098,816 | ---- | C] ()
grep.exe -> %SystemRoot%\grep.exe -> [2009/05/03 12:19:08 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/05/03 12:19:08 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/05/03 12:19:08 | 00,029,696 | ---- | C] (NirSoft)
pss -> %SystemRoot%\pss -> [2009/05/03 11:49:23 | 00,000,000 | ---D | C]
Qoobox -> %SystemDrive%\Qoobox -> [2009/05/03 10:46:20 | 00,000,000 | ---D | C]
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/05/03 10:12:40 | 03,012,596 | R--- | C] ()
trend micro -> %ProgramFiles%\trend micro -> [2009/04/29 16:32:46 | 00,000,000 | ---D | C]
rsit -> %SystemDrive%\rsit -> [2009/04/29 16:32:45 | 00,000,000 | ---D | C]
RSIT.exe -> %UserProfile%\Desktop\RSIT.exe -> [2009/04/29 16:31:11 | 00,781,909 | ---- | C] ()
Mbam logs -> %UserProfile%\My Documents\Mbam logs -> [2009/04/29 11:04:38 | 00,000,000 | ---D | C]
Malwarebytes -> %AppData%\Malwarebytes -> [2009/04/28 16:55:01 | 00,000,000 | ---D | C]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/28 10:57:52 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/28 10:57:52 | 00,000,797 | ---- | C] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/28 10:57:49 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/04/28 10:57:48 | 00,000,000 | ---D | C]
123 Malb -> %ProgramFiles%\123 Malb -> [2009/04/28 10:47:45 | 00,000,000 | ---D | C]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/04/26 11:38:30 | 10,630,75840 | -HS- | C] ()
ERDNT -> %SystemRoot%\ERDNT -> [2009/04/25 21:30:03 | 00,000,000 | ---D | C]
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 21:26:34 | 00,000,602 | ---- | C] ()
ERUNT -> %ProgramFiles%\ERUNT -> [2009/04/25 21:26:33 | 00,000,000 | ---D | C]
d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat -> [2009/04/25 01:12:47 | 00,000,664 | ---- | C] ()
mySafer Networking -> %ProgramFiles%\mySafer Networking -> [2009/04/24 13:21:08 | 00,000,000 | ---D | C]
VSRevoGroup -> %AppData%\VSRevoGroup -> [2009/04/23 00:42:32 | 00,000,000 | ---D | C]
Revo Uninstaller.lnk -> %UserProfile%\Desktop\Revo Uninstaller.lnk -> [2009/04/23 00:33:58 | 00,000,927 | ---- | C] ()
VS Revo Group -> %ProgramFiles%\VS Revo Group -> [2009/04/23 00:33:58 | 00,000,000 | ---D | C]
av_affiliate.ini -> %SystemRoot%\av_affiliate.ini -> [2009/04/22 21:18:05 | 00,000,043 | ---- | C] ()
as_affiliate.ini -> %SystemRoot%\as_affiliate.ini -> [2009/04/22 21:18:04 | 00,000,043 | ---- | C] ()
CDAVFS.sys -> %SystemRoot%\System32\drivers\CDAVFS.sys -> [2009/04/22 21:15:35 | 00,067,424 | ---- | C] (CyberDefender Corp.)
Spybot - Search & Destroy.lnk -> %UserProfile%\Desktop\Spybot - Search & Destroy.lnk -> [2009/04/22 16:27:51 | 00,000,993 | ---- | C] ()
Recent -> %UserProfile%\Recent -> [2009/04/22 00:31:48 | 00,000,000 | RH-D | C]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [2009/04/05 00:38:42 | 00,000,069 | ---- | C] ()
Smokes -> %UserProfile%\My Documents\Smokes -> [2009/04/05 00:34:43 | 00,000,000 | ---D | C]
ODBC.INI -> %SystemRoot%\ODBC.INI -> [2009/02/14 02:39:36 | 00,000,376 | ---- | C] ()
nvwdmcpl.dll -> %SystemRoot%\System32\nvwdmcpl.dll -> [2009/01/15 09:19:00 | 01,724,416 | ---- | C] ()
nview.dll -> %SystemRoot%\System32\nview.dll -> [2009/01/15 09:19:00 | 01,507,328 | ---- | C] ()
nvwimg.dll -> %SystemRoot%\System32\nvwimg.dll -> [2009/01/15 09:19:00 | 01,101,824 | ---- | C] ()
nvshell.dll -> %SystemRoot%\System32\nvshell.dll -> [2009/01/15 09:19:00 | 00,466,944 | ---- | C] ()
smscfg.ini -> %SystemRoot%\smscfg.ini -> [2008/11/17 14:00:12 | 00,000,061 | ---- | C] ()
igfxCoIn_v4926.dll -> %SystemRoot%\System32\igfxCoIn_v4926.dll -> [2008/11/17 11:39:58 | 00,147,456 | ---- | C] ()
physxcudart_20.dll -> %SystemRoot%\System32\physxcudart_20.dll -> [2008/10/07 10:13:30 | 00,197,912 | ---- | C] ()
AgCPanelTraditionalChinese.dll -> %SystemRoot%\System32\AgCPanelTraditionalChinese.dll -> [2008/10/07 10:13:22 | 00,058,648 | ---- | C] ()
AgCPanelSwedish.dll -> %SystemRoot%\System32\AgCPanelSwedish.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
AgCPanelSpanish.dll -> %SystemRoot%\System32\AgCPanelSpanish.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
AgCPanelSimplifiedChinese.dll -> %SystemRoot%\System32\AgCPanelSimplifiedChinese.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
AgCPanelPortugese.dll -> %SystemRoot%\System32\AgCPanelPortugese.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
AgCPanelKorean.dll -> %SystemRoot%\System32\AgCPanelKorean.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
AgCPanelJapanese.dll -> %SystemRoot%\System32\AgCPanelJapanese.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
AgCPanelGerman.dll -> %SystemRoot%\System32\AgCPanelGerman.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
AgCPanelFrench.dll -> %SystemRoot%\System32\AgCPanelFrench.dll -> [2008/10/07 10:13:20 | 00,058,648 | ---- | C] ()
px.ini -> %SystemRoot%\System32\px.ini -> [2008/07/17 09:17:30 | 00,000,000 | ---- | C] ()
oeminfo.ini -> %SystemRoot%\System32\oeminfo.ini -> [2008/04/28 16:23:33 | 00,000,507 | ---- | C] ()
win.ini -> %SystemRoot%\win.ini -> [2008/04/28 16:23:12 | 00,000,603 | ---- | C] ()
system.ini -> %SystemRoot%\system.ini -> [2008/04/28 16:23:09 | 00,000,227 | ---- | C] ()

[Files/Folders - Modified Within 30 Days]
1 C:\*.tmp files -> C:\*.tmp ->
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
perf.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\perf.dat -> [2009/05/04 12:14:10 | 00,000,128 | ---- | M] ()
fssm32.exe -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fssm32.exe -> [2009/05/04 11:14:16 | 00,561,280 | ---- | M] (F-Secure Corp.)
fssm32.exe -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fssm32.exe -> [2009/05/04 11:14:16 | 00,561,280 | ---- | M] (F-Secure Corp.)
fm4av.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fm4av.dll -> [2009/05/04 11:14:16 | 00,482,448 | ---- | M] ()
fm4av.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fm4av.dll -> [2009/05/04 11:14:16 | 00,482,448 | ---- | M] ()
fsgk32.exe -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fsgk32.exe -> [2009/05/04 11:14:16 | 00,440,960 | ---- | M] (F-Secure Corp.)
fsgk32.exe -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsgk32.exe -> [2009/05/04 11:14:16 | 00,440,960 | ---- | M] (F-Secure Corp.)
AVPFPI0.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\AVPFPI0.dll -> [2009/05/04 11:14:16 | 00,154,304 | ---- | M] (Kaspersky Lab)
AVPFPI0.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\AVPFPI0.dll -> [2009/05/04 11:14:16 | 00,154,304 | ---- | M] (Kaspersky Lab)
fsepx32.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fsepx32.dll -> [2009/05/04 11:14:16 | 00,150,144 | ---- | M] (F-Secure Corporation)
fsepx32.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsepx32.dll -> [2009/05/04 11:14:16 | 00,150,144 | ---- | M] (F-Secure Corporation)
fpinor.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fpinor.dll -> [2009/05/04 11:14:16 | 00,120,456 | ---- | M] (F-Secure Corporation)
fpinor.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fpinor.dll -> [2009/05/04 11:14:16 | 00,120,456 | ---- | M] (F-Secure Corporation)
fsuss.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fsuss.dll -> [2009/05/04 11:14:16 | 00,113,288 | ---- | M] (F-Secure Corporation)
fsuss.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsuss.dll -> [2009/05/04 11:14:16 | 00,113,288 | ---- | M] (F-Secure Corporation)
fsgkiapi.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fsgkiapi.dll -> [2009/05/04 11:14:16 | 00,100,456 | ---- | M] (F-Secure Corp.)
fsgkiapi.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsgkiapi.dll -> [2009/05/04 11:14:16 | 00,100,456 | ---- | M] (F-Secure Corp.)
avpproxy.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\avpproxy.dll -> [2009/05/04 11:14:16 | 00,084,672 | ---- | M] (F-Secure Corporation)
avpproxy.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\avpproxy.dll -> [2009/05/04 11:14:16 | 00,084,672 | ---- | M] (F-Secure Corporation)
fsbl.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\fsav_beta\fsbl.dll -> [2009/05/04 11:14:16 | 00,068,224 | ---- | M] (F-Secure Corporation)
fsbl.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsbl.dll -> [2009/05/04 11:14:16 | 00,068,224 | ---- | M] (F-Secure Corporation)
fsusscr.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\mlcwin\fsusscr.dll -> [2009/05/04 11:14:11 | 01,026,696 | ---- | M] (F-Secure Corporation)
fsusscr.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsusscr.dll -> [2009/05/04 11:14:11 | 01,026,696 | ---- | M] (F-Secure Corporation)
fsedb.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\hydrawin\fsedb.dat -> [2009/05/04 11:14:08 | 02,358,402 | ---- | M] ()
fsedb.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsedb.dat -> [2009/05/04 11:14:08 | 02,358,402 | ---- | M] ()
fsecr32.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\hydrawin\fsecr32.dll -> [2009/05/04 11:14:08 | 01,747,592 | ---- | M] (F-Secure Corporation)
fsecr32.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsecr32.dll -> [2009/05/04 11:14:08 | 01,747,592 | ---- | M] (F-Secure Corporation)
fsupdllb.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\hydrawin\fsupdllb.dat -> [2009/05/04 11:14:08 | 00,422,594 | ---- | M] ()
fsupdllb.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsupdllb.dat -> [2009/05/04 11:14:08 | 00,422,594 | ---- | M] ()
fsblu.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\ols_bl\fsblu.dll -> [2009/05/04 11:13:59 | 00,731,784 | ---- | M] (F-Secure Corporation)
fsbld.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fsbld.dll -> [2009/05/04 11:13:59 | 00,731,784 | ---- | M] (F-Secure Corporation)
fssubmit.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\ols_33_bin\fssubmit.dll -> [2009/05/04 11:13:57 | 00,651,264 | ---- | M] (F-Secure Corporation)
fssubmit.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\fssubmit.dll -> [2009/05/04 11:13:57 | 00,651,264 | ---- | M] (F-Secure Corporation)
Nse_w32.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\ols_30_pegdb\Nse_w32.dll -> [2009/05/04 11:13:55 | 00,588,856 | ---- | M] (Norman ASA)
Nse_w32.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\Nse_w32.dll -> [2009/05/04 11:13:55 | 00,588,856 | ---- | M] (Norman ASA)
sai.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\avmisc\sai.dat -> [2009/05/04 11:13:50 | 00,001,348 | ---- | M] ()
sai.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\sai.dat -> [2009/05/04 11:13:50 | 00,001,348 | ---- | M] ()
ext.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\avmisc\ext.dat -> [2009/05/04 11:13:50 | 00,000,449 | ---- | M] ()
ext.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\ext.dat -> [2009/05/04 11:13:50 | 00,000,449 | ---- | M] ()
sae.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\updates\avmisc\sae.dat -> [2009/05/04 11:13:50 | 00,000,243 | ---- | M] ()
sae.dat -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\sae.dat -> [2009/05/04 11:13:50 | 00,000,243 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/05/04 10:16:52 | 00,000,006 | -H-- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/05/04 10:15:14 | 00,000,227 | ---- | M] ()
boot.ini -> %SystemDrive%\boot.ini -> [2009/05/04 10:12:10 | 00,000,281 | RHS- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/05/04 10:09:49 | 00,000,603 | ---- | M] ()
Boot.bak -> %SystemDrive%\Boot.bak -> [2009/05/04 10:09:49 | 00,000,211 | ---- | M] ()
nvapps.xml -> %SystemRoot%\System32\nvapps.xml -> [2009/05/04 10:09:22 | 00,206,530 | ---- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/05/04 10:09:10 | 00,002,048 | --S- | M] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2009/05/04 10:09:04 | 10,630,75840 | -HS- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/05/04 02:14:43 | 06,291,456 | -H-- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/05/04 00:28:46 | 00,000,178 | -HS- | M] ()
IconCache.db -> %UserProfile%\Local Settings\Application Data\IconCache.db -> [2009/05/04 00:25:28 | 06,945,196 | -H-- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/05/03 23:43:54 | 00,476,636 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/05/03 23:43:54 | 00,406,328 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/05/03 23:43:54 | 00,063,528 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/05/03 23:32:00 | 00,001,158 | ---- | M] ()
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe -> %UserProfile%\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe -> [2009/05/03 21:28:33 | 04,614,888 | ---- | M] (Microsoft Corporation)
HiJackThis.exe -> %UserProfile%\Desktop\HiJackThis.exe -> [2009/05/03 13:27:50 | 00,401,720 | ---- | M] (Trend Micro Inc.)
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/05/03 11:09:05 | 00,001,891 | ---- | M] ()
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2009/05/03 10:09:02 | 03,012,596 | R--- | M] ()
vFind.exe -> %SystemRoot%\vFind.exe -> [2009/05/01 15:36:46 | 00,117,248 | ---- | M] ()
RSIT.exe -> %UserProfile%\Desktop\RSIT.exe -> [2009/04/29 16:29:12 | 00,781,909 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/04/28 10:57:52 | 00,000,797 | ---- | M] ()
ERUNT.lnk -> %UserProfile%\Desktop\ERUNT.lnk -> [2009/04/25 21:26:34 | 00,000,602 | ---- | M] ()
d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat -> [2009/04/25 01:12:47 | 00,000,664 | ---- | M] ()
tcpip.sys -> %SystemRoot%\System32\drivers\tcpip.sys -> [2009/04/24 16:52:17 | 00,361,600 | ---- | M] (Microsoft Corporation)
tcpip.sys -> %SystemRoot%\System32\dllcache\tcpip.sys -> [2009/04/24 16:52:17 | 00,361,600 | ---- | M] (Microsoft Corporation)
Spybot - Search & Destroy.lnk -> %UserProfile%\Desktop\Spybot - Search & Destroy.lnk -> [2009/04/24 10:55:11 | 00,000,993 | ---- | M] ()
Mozilla Firefox.lnk -> %AllUsersProfile%\Desktop\Mozilla Firefox.lnk -> [2009/04/23 22:39:08 | 00,001,649 | ---- | M] ()
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [2009/04/23 21:42:53 | 00,292,253 | R--- | M] ()
Revo Uninstaller.lnk -> %UserProfile%\Desktop\Revo Uninstaller.lnk -> [2009/04/23 00:33:58 | 00,000,927 | ---- | M] ()
av_affiliate.ini -> %SystemRoot%\av_affiliate.ini -> [2009/04/22 21:18:05 | 00,000,043 | ---- | M] ()
as_affiliate.ini -> %SystemRoot%\as_affiliate.ini -> [2009/04/22 21:18:04 | 00,000,043 | ---- | M] ()
CDAVFS.sys -> %SystemRoot%\System32\drivers\CDAVFS.sys -> [2009/04/22 21:14:50 | 00,067,424 | ---- | M] (CyberDefender Corp.)
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [2009/04/13 23:22:34 | 00,000,069 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/04/05 00:38:41 | 00,005,632 | ---- | M] ()
opa11.dat -> %AllUsersProfile%\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [2009/02/14 02:52:34 | 00,008,206 | ---- | M] ()
opa12.dat -> %AllUsersProfile%\Application Data\Microsoft\OFFICE\DATA\opa12.dat -> [2009/01/15 00:24:59 | 00,008,206 | ---- | M] ()
daas_s.dll -> %UserProfile%\Local Settings\temp\OnlineScanner\Anti-Virus\daas_s.dll -> [2008/02/27 15:59:28 | 00,495,616 | ---- | M] (F-Secure Corporation)
[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\UACdkpamtusrnvspma.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys\modules]
"UACd"="\\?\globalroot\systemroot\system32\drivers\UACdkpamtusrnvspma.sys"
"UACc"="\\?\globalroot\systemroot\system32\UACspaulqeexubrflo.dll"
"uacsr"="\\?\globalroot\systemroot\system32\UACyqxjgyfrqoqipay.dat"
"uaclog"="\\?\globalroot\systemroot\system32\UACnbpcbxiquxwbwfm.dll"
"uacmask"="\\?\globalroot\systemroot\system32\UACjotxxvhosrmmbpf.dll"
"uacserf"="\\?\globalroot\systemroot\system32\UACmlixttsesivsonm.dll"
"uacbbr"="\\?\globalroot\systemroot\system32\UACpinevsaksecfetc.dll"
"UACproc"="\\?\globalroot\systemroot\system32\UACnkievnfovpexart.log"
"uacurls"="\\?\globalroot\systemroot\system32\UACdkfcmwelruyvalt.log"
"uacerrors"="\\?\globalroot\systemroot\system32\UACdudqxekxmybyuwe.log"
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\system32\drivers\tcpip.sys:SummaryInformation 88 bytes
C:\WINDOWS\system32\drivers\tcpip.sys:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\WINDOWS\DirectX.log:SummaryInformation 88 bytes
C:\WINDOWS\DirectX.log:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 5
< Document and Settings folder & sub folders >
scanning hidden files ...
scan completed successfully
hidden files: 60


[Alternate Data Streams]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\DirectX.log:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> %SystemRoot%\system32\DRIVERS\tcpip.sys:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 88 bytes -> %SystemRoot%\DirectX.log:SummaryInformation
@Alternate Data Stream - 88 bytes -> %SystemRoot%\system32\DRIVERS\tcpip.sys:SummaryInformation
< End of report >


I know we're getting very close to clean.
Thanks,
nenotgmb

peku006
2009-05-04, 22:04
Hi nenotgmb

I'm afraid I have some bad news for you. Your computer is infected with a BACKDOOR TROJAN. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

Disconnect the computer from the Internet and from any networked computers until it is cleaned.
Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so. As long as you remember this: I can offer no assurances that the system will be secure afterwards.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)
How do I respond to a possible identity theft and how do I prevent it (http://www.dslreports.com/faq/10451)
When should I do a reformat and reinstallation of my OS (http://www.dslreports.com/faq/10063)
Where to backup your files (http://www.microsoft.com/athome/security/update/wherebackup.mspx)
How to backup your files in Windows XP (http://www.microsoft.com/athome/security/update/howbackup.mspx)
Restoring your backups (http://support.microsoft.com/kb/309340)

Should you have any questions please feel free to ask.

Please let me know what you have decided to do in your next post.

nenotgmb
2009-05-07, 04:36
Peku006,

Yes, I will reformat and reinstall the OS. There's really no other option.

Does this trojan have a name?

Thanks so very much for your help and guidance.

Been busy changing accounts and passwords.

I'll let you know how the reformat went.

Best Regards,

nenotgmb

peku006
2009-05-13, 17:30
This thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.