View Full Version : Debugger detected [97]
Hi and thanks for taking my problem.
I have read the stickies and cannot include a HJT scan as the program does not work. I was able to install it but when I go to run it I get a Windows Error "windows cannot access the specified device, path, or file, you may not have the appropriate permission to access the item" which of course is not true. I am the owner of the Laptop.
Now on to the problem
The infected machines OS is Vista Home Ed. I have tried Malwarebytes Anti Malware in safe mode and this does not work. When I start my machine I receive about 20 Debugger detected [97] warnings. I can close all of those and anytime I click to run an application I get the Debugger detected [97] error and the application shuts down. I can right click and start the app as an administrator, but still can't get programs like anti virus and malware removers to work.
McAfee and Super Anti spy ware can not be started and are/were up to date with the latest patches.
The machine will close everything whenever, reboot sometimes on its own, go to Safe Mode on its own, and a lot of other very strange behavior. I am using another PC in the house to write this and work on a fix.
Thanks for the help,
Hi Jim,
Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
Hi blade,
Here is the log
Log file is located at: C:\Users\Jim's Laptop\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\AppPatch\Custom\Custom
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4AE.tmp\ZAPB4AE.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Windows\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Cannot access: C:\Windows\bthservsdp.dat
Hi,
I'm not sure but that log looks a bit short. Could you attach the file as an attachment? I want to make sure whole log gets included.
Hi,
Sure here it is.
I am in Safe Mode FYI, since I can't log in normally. If I try and start Vista normally I get an errer that my machine will restart in 1 min. Sometimes I just get a blue screen, as well.
Thanks
Ok. Looks like it was complete log after all.
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
dir /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >c:\LogIt.txt
start c:\LogIt.txt
Double-click on fixes.bat file to execute it. LogIt.txt file should open up. Copy-paste contents to your reply.
Hi,
Here is the LogIt.txt
Volume in drive C is OS
Volume Serial Number is 66B3-F6AE
Directory of C:\WINDOWS\System32
01/19/2008 02:36 AM 177,152 scecli.dll
Directory of C:\WINDOWS\System32
01/19/2008 02:35 AM 592,384 netlogon.dll
Directory of C:\WINDOWS\System32
11/02/2006 04:46 AM 61,952 cngaudit.dll
3 File(s) 831,488 bytes
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6
11/02/2006 04:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e
11/02/2006 04:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12
01/19/2008 02:36 AM 177,152 scecli.dll
1 File(s) 177,152 bytes
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783
11/02/2006 04:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes
Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857
01/19/2008 02:35 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes
Total Files Listed:
8 File(s) 2,349,056 bytes
0 Dir(s) 68,522,024,960 bytes free
Hi,
Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Files to move:
C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll|C:\WINDOWS\System32\cngaudit.dll
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.
Hi and thanks
Just so I don't mess things up. Usually when I reboot normally I get and error that the PC will reboot in a minute and then it will.
In order to do everything I am doing now I have to be in safe mode.
So, when I Execute and it reboots should I let it go or should I Safe Mode it?
Thanks
Try to let it boot into normal mode.
Hi,
I ran the program and let it restart the machine in normal mode. the log file opened and a Windows box popped up and stated that I was infected by malware. Something started to download that stated that it was Windows downloading it. It didn't look like a normal Windows update. The PC crashed with a blue screen and restarted by itself. I let it go to normal mode again and it crashed before I saw the welcome screen. I am now back in safe mode and here is the log.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
Hidden driver "ax6wpfrx" found!
Start Type: 3 (Manual)
Rootkit scan completed.
File move operation "C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll|C:\WINDOWS\System32\cngaudit.dll" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
Thanks
Jim,
Please run Win32kDiag again and attach its report.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Hi Blade,
Thanks again for the help.
DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Jim's Laptop at 10:15:38.19 on Tue 09/15/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2807 [GMT -5:00]
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Users\JIM'SL~1\AppData\Local\Temp\spoolsv.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\setup.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\taskmgr.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\system.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\winamp.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\win.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jim's Laptop\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Windows System Recover!] c:\users\jim'sl~1\appdata\local\temp\win.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - preview\TurbineDownloadManagerIcon.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [braviax] c:\windows\system32\braviax.exe
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
dRun: [AntiSpyware Service] c:\windows\temp\n9257qf0.exe
dRun: [WIndows Rescue Disk] c:\windows\temp\spoolsv.exe
dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
dRun: [braviax] c:\windows\system32\braviax.exe
dRun: [Login Software 2009] c:\windows\temp\z5l35dh.exe
dRun: [Windows System Recover!] c:\windows\temp\setup.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
STS: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: {24daafb8-b7f5-463f-88c1-d497611fc253} - c:\windows\system32\fCrrrsTK.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyyvTKa
============= SERVICES / DRIVERS ===============
S1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-7-17 54776]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 74480]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-27 73728]
S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [2008-6-4 21504]
S2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineMessageService.exe [2008-9-29 255472]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
S2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-3-6 124160]
S3 mndisk;mndisk;c:\windows\system32\mndisk.sys [2008-6-4 2304]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineNetworkService.exe [2008-9-29 218608]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S4 AntipPro2009_100;AntipyProex;c:\windows\svchasts.exe --> c:\windows\svchasts.exe [?]
S4 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2006-11-2 93184]
=============== Created Last 30 ================
2009-09-15 06:06 132,096 a------- c:\windows\system32\wiwow64.exe
2009-09-15 05:32 0 a------- c:\windows\system32\491.exe
2009-09-15 04:32 0 a------- c:\windows\system32\9961.exe
2009-09-15 03:32 0 a------- c:\windows\system32\16827.exe
2009-09-15 02:32 0 a------- c:\windows\system32\23281.exe
2009-09-15 01:32 0 a------- c:\windows\system32\28145.exe
2009-09-15 00:32 0 a------- c:\windows\system32\5705.exe
2009-09-14 23:32 0 a------- c:\windows\system32\24464.exe
2009-09-14 22:32 0 a------- c:\windows\system32\26962.exe
2009-09-14 21:32 0 a------- c:\windows\system32\29358.exe
2009-09-14 20:32 0 a------- c:\windows\system32\11478.exe
2009-09-14 19:32 0 a------- c:\windows\system32\15724.exe
2009-09-14 14:37 15,000 a------- c:\windows\system32\ygsuhdf83id.dll
2009-09-14 14:32 831 a------- c:\windows\system32\critical_warning.html
2009-09-12 07:40 0 a------- c:\windows\system32\19169.exe
2009-09-12 06:39 0 a------- c:\windows\system32\26500.exe
2009-09-12 05:39 0 a------- c:\windows\system32\6334.exe
2009-09-12 04:51 19,965 a------- c:\program files\common files\wykoja.bin
2009-09-12 04:51 18,412 a------- c:\windows\haxivel.ban
2009-09-12 04:51 18,390 a------- c:\program files\common files\apogotu.dll
2009-09-12 04:51 16,082 a------- c:\windows\system32\hafecyc.vbs
2009-09-12 04:51 12,681 a------- c:\windows\system32\kero.dat
2009-09-12 04:51 11,633 a------- c:\program files\common files\inojyx.pif
2009-09-12 04:51 11,486 a------- c:\windows\system32\afavywosyx.vbs
2009-09-12 04:51 10,154 a------- c:\programdata\lumenyxisu.reg
2009-09-12 04:51 10,154 a------- c:\progra~2\lumenyxisu.reg
2009-09-12 04:51 10,038 a------- c:\windows\ygezimiji.dl
2009-09-12 04:50 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-09-12 04:45 188,016 a------- c:\windows\system32\wisdstr.exe
2009-09-12 04:45 10,752 a------- c:\windows\system32\braviax.exe
2009-09-12 04:39 0 a------- c:\windows\system32\18467.exe
2009-09-12 03:43 <DIR> --d----- c:\program files\AdvancedVirusRemover
2009-09-12 03:39 0 a------- c:\windows\system32\41.exe
2009-09-12 03:39 206 a------- c:\windows\system32\winhelper.dll
2009-09-12 03:39 24,490 a------- c:\windows\system32\winupdate.exe
2009-09-12 03:39 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
2009-09-11 20:13 318,976 a------- c:\windows\system32\cmd.execf
2009-09-11 17:38 <DIR> --d-h--- c:\windows\PIF
2009-09-11 15:08 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-11 14:52 <DIR> a-d----- c:\programdata\TEMP
2009-09-11 14:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-10 07:46 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-09-09 07:43 20,992 a--sh--- c:\windows\system32\autochk.dll
2009-09-08 23:38 40,448 a------- c:\windows\system32\lkod.dll
2009-09-08 23:38 320 a------- c:\windows\system32\jlksf
2009-09-08 17:09 <DIR> --d----- c:\users\jim'sl~1\appdata\roaming\Malwarebytes
2009-09-08 17:09 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 17:09 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:09 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 17:09 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 09:55 <DIR> --d----- C:\Root
2009-09-08 09:55 <DIR> --d----- c:\program files\Activision
2009-09-07 21:10 <DIR> --d----- c:\windows\system32\xlive
2009-09-07 21:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-07 20:49 <DIR> --d----- c:\program files\Eidos
2009-09-07 13:35 <DIR> --d----- c:\program files\THQ
2009-09-07 08:56 <DIR> --d----- c:\program files\Paradox Interactive
2009-08-19 23:20 <DIR> --d----- c:\programdata\FLEXnet
2009-08-19 23:15 <DIR> --d----- c:\programdata\ALM
2009-08-19 23:15 <DIR> --d----- c:\progra~2\ALM
2009-08-19 23:06 <DIR> --d----- c:\program files\common files\Macrovision Shared
==================== Find3M ====================
2009-09-15 06:06 65,816 a------- c:\programdata\nvModes.dat
2009-09-15 06:06 65,816 a------- c:\progra~2\nvModes.dat
2009-09-12 04:51 17,023 a------- c:\program files\common files\aluci._sy
2009-08-08 19:11 733,782 a------- C:\lynx_v283.zip
2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2009-06-19 20:06 24,344 a------- c:\windows\system32\PhysXDevice.dll
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstor.dat
2009-06-08 06:56 86,016 a------- c:\windows\inf\infpub.dat
2008-06-11 06:40 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-04 21:34 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 10:16:18.34 ===============
and the Attach file
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 5/27/2008 1:23:24 AM
System Uptime: 9/15/2009 6:10:20 AM (4 hours ago)
Motherboard: Dell Inc. | | 0UK437
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 286 GiB total, 63.829 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.543 GiB free.
E: is CDROM ()
F: is CDROM ()
Y: is NetworkDisk (FAT) - 0 GiB total, 0 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #3
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0004
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #4
PNP Device ID: ROOT\*ISATAP\0004
Service: tunnel
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
7-Zip 4.57
AC3Filter (remove only)
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 8.1.6
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Antivirus Pro 2010
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Banctec Service Agreement
Batman: Arkham Asylum
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
Butler Advantage XE 6.3
CDDRV_Installer
Company of Heroes
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Connect
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Easy Thumbnails (Remove only)
EDocs
EPSON Artisan 800 Series Printer Uninstall
EPSON Scan
EpsonNet Print
ffdshow [rev 1685] [2007-12-06]
FileZilla Client 3.1.0.1
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
GoToAssist 8.0.0.514
Haali Media Splitter
HijackThis 2.0.2
HTC Touch Pro™ User Guide
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) SE Runtime Environment 6
KhalSetup
kuler
LightScribe System Software 1.10.16.1
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
MediaDirect
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Managed DirectX (1126)
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mMHouse
MobileMe Control Panel
Modem Diagnostic Tool
MozyHome Remote Backup
mPfMgr
Music, Photos & Videos Launcher
mWMI
Nero 8 Essentials
neroxml
NetWaiting
NVIDIA Drivers
NVIDIA PhysX
OutlookAddinSetup
PDF Settings CS4
Photoshop Camera Raw
PHP 5.3.0
Picasa 3
Product Documentation Launcher
Prototype(TM)
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
SetPoint
Sprint SmartView
Spybot - Search & Destroy
SpywareBlaster 4.2
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
Synergy
System Requirements Lab
The Lord of the Rings - Conquest™
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
The Rosetta Stone
TotalAudioConverter
Turbine Download Manager - Preview 1.0.3191.15414
VCRedistSetup
Ventrilo Client
VideoLAN VLC media player 0.8.6f
WIDCOMM Bluetooth Software 6.0.1.3100
WinRAR
==== Event Viewer Messages From Past Week ========
9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
9/9/2009 7:51:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
9/9/2009 2:43:34 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/9/2009 2:34:38 PM, Error: EventLog [6008] - The previous system shutdown at 2:32:52 PM on 9/9/2009 was unexpected.
9/8/2009 6:03:06 PM, Error: EventLog [6008] - The previous system shutdown at 6:01:10 PM on 9/8/2009 was unexpected.
9/8/2009 6:00:16 PM, Error: EventLog [6008] - The previous system shutdown at 5:58:26 PM on 9/8/2009 was unexpected.
9/8/2009 5:57:33 PM, Error: EventLog [6008] - The previous system shutdown at 5:55:18 PM on 9/8/2009 was unexpected.
9/8/2009 5:32:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mozyFilter SASDIFSV SASKUTIL spldr Wanarpv6
9/8/2009 5:32:03 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
9/8/2009 5:31:37 PM, Error: EventLog [6008] - The previous system shutdown at 5:29:04 PM on 9/8/2009 was unexpected.
9/8/2009 5:29:04 PM, Error: EventLog [6008] - The previous system shutdown at 5:25:31 PM on 9/8/2009 was unexpected.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC mozyFilter MPFP NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr Tcpip tdx Wanarpv6
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:14:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
9/8/2009 5:14:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/8/2009 5:14:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/8/2009 5:14:06 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
9/8/2009 5:14:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/8/2009 5:12:18 PM, Error: Service Control Manager [7034] - The AntipyProex service terminated unexpectedly. It has done this 1 time(s).
9/8/2009 4:21:13 PM, Error: EventLog [6008] - The previous system shutdown at 4:19:21 PM on 9/8/2009 was unexpected.
9/8/2009 4:18:28 PM, Error: EventLog [6008] - The previous system shutdown at 4:16:08 PM on 9/8/2009 was unexpected.
9/8/2009 4:16:08 PM, Error: EventLog [6008] - The previous system shutdown at 4:14:14 PM on 9/8/2009 was unexpected.
9/8/2009 4:13:44 PM, Error: EventLog [6008] - The previous system shutdown at 4:11:10 PM on 9/8/2009 was unexpected.
9/8/2009 4:11:10 PM, Error: EventLog [6008] - The previous system shutdown at 4:08:47 PM on 9/8/2009 was unexpected.
9/8/2009 4:08:47 PM, Error: EventLog [6008] - The previous system shutdown at 4:06:38 PM on 9/8/2009 was unexpected.
9/8/2009 4:04:27 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was The remote procedure call failed. .
9/8/2009 4:04:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1726" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/8/2009 3:30:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/8/2009 3:26:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/8/2009 3:25:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
9/8/2009 11:44:48 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/8/2009 11:44:23 PM, Error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
9/8/2009 11:43:29 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/8/2009 11:31:27 PM, Error: EventLog [6008] - The previous system shutdown at 11:28:46 PM on 9/8/2009 was unexpected.
9/8/2009 11:28:46 PM, Error: EventLog [6008] - The previous system shutdown at 11:26:30 PM on 9/8/2009 was unexpected.
9/15/2009 6:11:10 AM, Error: EventLog [6008] - The previous system shutdown at 6:09:27 AM on 9/15/2009 was unexpected.
9/14/2009 7:47:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
9/11/2009 3:37:38 PM, Error: EventLog [6008] - The previous system shutdown at 3:35:07 PM on 9/11/2009 was unexpected.
9/11/2009 3:01:58 PM, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
9/11/2009 3:01:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
9/11/2009 2:48:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/11/2009 2:42:26 PM, Error: EventLog [6008] - The previous system shutdown at 2:39:50 PM on 9/11/2009 was unexpected.
9/10/2009 5:01:26 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001F3B889927 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/10/2009 3:43:09 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/10/2009 3:34:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
==== End Of File ===========================
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds.txt log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Run also Win32kDiag again after ComboFix run is done.
ComboFix is claiming that I still have Spybot and Super Antispyware still running. I have disabled them in msconfig and rebooted.
Should I uninstall the prorgams or ignore the ComboFix warning that states it is not responsible for any damage it may cause :)
Thanks
Just FYI
I'm in safe mode and I can't launch Spybot or Super AntiSpyware. I get the path error that was in my original post. That is why I disabled them in msconfig
Thanks
Hi,
Ignore ComboFix warning and let it run.
Hi Blaze,
Ok I ran Combofix the first time and got an error "The instruction at 0x00c4cdfb referenced memory at 0x0000000. The memory could not be read. I had to click to terminate. ComboFix continued and found the rootkit file rotscxkoxxveis.sys.
ComboFix completed with all 50 stages and deleted some files, the PC rebooted itself.
I got a blue screen with a memory dump.
PC restarted into mormal again.
Blue screen with memory dump
PC restarted and I restarted in safe mode.
ComboFix.txt didn't generate, but I did get a bug.txt file added to C:\
I reran ComboFix and basically got the same thing as above.
Thanks
Hi,
Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
Hi Blade, sorry about the "z" above
Ran program in safe mode, I still can't boot normally. Here is the log
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-16 07:00:35
Windows 6.0.6001 Service Pack 1
Running: 254evpvq.exe; Driver: C:\Users\JIM'SL~1\AppData\Local\Temp\kwloikoc.sys
---- System - GMER 1.0.15 ----
INT 0x52 ? 86BA1BF8
INT 0x52 ? 86BA1BF8
INT 0x52 ? 86BA1BF8
INT 0x62 ? 86BA1BF8
INT 0x72 ? 86BA1BF8
INT 0x72 ? 86BA1BF8
INT 0x72 ? 86BA1BF8
INT 0x72 ? 86BA1BF8
INT 0x92 ? 84F19BF8
INT 0xB2 ? 85CCDBF8
Code 8954C070 ZwEnumerateKey
Code 89694A78 ZwFlushInstructionCache
Code 8960F336 ZwSaveKey
Code 896A9CE6 ZwSaveKeyEx
Code 89548135 IofCallDriver
Code 8954E01E IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCompleteRequest 82072FBA 5 Bytes JMP 8954E023
.text ntkrnlpa.exe!IofCallDriver 820F4FEF 5 Bytes JMP 8954813A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821EB30B 5 Bytes JMP 89694A7C
PAGE ntkrnlpa.exe!ZwEnumerateKey 82240BB4 5 Bytes JMP 8954C074
PAGE ntkrnlpa.exe!ZwSaveKey 8228E523 5 Bytes JMP 8960F33A
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8228E62A 5 Bytes JMP 896A9CEA
? System32\Drivers\spcb.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8BB4C46F 5 Bytes JMP 86BA11D8
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!DialogBoxIndirectParamW 75DBBD25 5 Bytes JMP 71635ACB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!DialogBoxParamW 75DD1FD5 5 Bytes JMP 71635A55 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!DialogBoxParamA 75DF80B2 5 Bytes JMP 71635A90 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!DialogBoxIndirectParamA 75DF83DD 5 Bytes JMP 71635B06 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!MessageBoxIndirectA 75E0D471 5 Bytes JMP 71635A11 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!MessageBoxIndirectW 75E0D56B 5 Bytes JMP 716359CD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!MessageBoxExA 75E0D5D1 5 Bytes JMP 71635993 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1784] USER32.dll!MessageBoxExW 75E0D5F5 5 Bytes JMP 71635959 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806936D2] \SystemRoot\System32\Drivers\spcb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80693040] \SystemRoot\System32\Drivers\spcb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806937FC] \SystemRoot\System32\Drivers\spcb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806930BE] \SystemRoot\System32\Drivers\spcb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069313C] \SystemRoot\System32\Drivers\spcb.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A3048] \SystemRoot\System32\Drivers\spcb.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 85CCF1F8
Device \Driver\volmgr \Device\VolMgrControl 84F1B1F8
Device \Driver\usbuhci \Device\USBPDO-0 86AF81F8
Device \Driver\usbuhci \Device\USBPDO-1 86AF81F8
Device \Driver\usbehci \Device\USBPDO-2 86AF91F8
Device \Driver\usbuhci \Device\USBPDO-3 86AF81F8
Device \Driver\usbuhci \Device\USBPDO-4 86AF81F8
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\usbuhci \Device\USBPDO-5 86AF81F8
Device \Driver\usbehci \Device\USBPDO-6 86AF91F8
Device \Driver\volmgr \Device\HarddiskVolume1 84F1B1F8
Device \Driver\volmgr \Device\HarddiskVolume2 84F1B1F8
Device \Driver\cdrom \Device\CdRom0 86B481F8
Device \Driver\volmgr \Device\HarddiskVolume3 84F1B1F8
Device \Driver\cdrom \Device\CdRom1 86B481F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85CCE1F8
Device \Driver\atapi \Device\Ide\IdePort0 85CCE1F8
Device \Driver\sptd \Device\3345995432 spcb.sys
Device \Driver\volmgr \Device\HarddiskVolume4 84F1B1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 897FA1F8
Device \Driver\Smb \Device\NetbiosSmb 897AF1F8
Device \Driver\iScsiPrt \Device\RaidPort0 86B671F8
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\netbt \Device\NetBT_Tcpip_{E8630708-6774-4261-8816-48F364D0765D} 897FA1F8
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 86AF81F8
Device \Driver\usbuhci \Device\USBFDO-1 86AF81F8
Device \Driver\PCI_PNP3415 \Device\0000007b spcb.sys
Device \Driver\usbehci \Device\USBFDO-2 86AF91F8
Device \Driver\usbuhci \Device\USBFDO-3 86AF81F8
Device \Driver\usbuhci \Device\USBFDO-4 86AF81F8
Device \Driver\netbt \Device\NetBT_Tcpip_{3DB87139-8809-44D9-A754-182AB7C47D2C} 897FA1F8
Device \Driver\usbuhci \Device\USBFDO-5 86AF81F8
Device \Driver\usbehci \Device\USBFDO-6 86AF91F8
Device \Driver\aiywpziq \Device\Scsi\aiywpziq1Port3Path0Target0Lun0 86B631F8
Device \Driver\aiywpziq \Device\Scsi\aiywpziq1 86B631F8
Device \FileSystem\fastfat \Fat 89D8D1F8
Device \FileSystem\fastfat \Fat 8BA8945E
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 89D3D1F8
---- Services - GMER 1.0.15 ----
Service C:\Windows\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\rotscxkoxxvels.sys (*** hidden *** ) [SYSTEM] rotscxqyxxxucd <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001fe1effe99 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd@imagepath \systemroot\system32\drivers\rotscxkoxxvels.sys
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main@aid 10094
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\injector@* rotscxwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks\0000000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks\0000000001@fn (null)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks\0000000001@url http://top1959.cn/PC_protect.exe
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks\0000000001@knock (null)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks\0000000001@timeout 300
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks\0000000001@type 0
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\main\tasks\0000000001@count 1
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxkoxxvels.sys
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\modules@rotscxcmd.dll \systemroot\system32\rotscxnwvwpvgt.dll
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\modules@rotscxlog.dat \systemroot\system32\rotscxtvencebp.dat
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\modules@rotscxwsp.dll \systemroot\system32\rotscxqpooewnk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxqyxxxucd\modules@rotscx.dat \systemroot\system32\rotscxgbjmeqjq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0x33 0xB8 0x1E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x60 0xFC 0x2C 0x22 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA7 0x08 0x99 0xCA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x8F 0x71 0xBB 0x08 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fe1effe99 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd@imagepath \systemroot\system32\drivers\rotscxkoxxvels.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main@aid 10094
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxkoxxvels.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\modules@rotscxcmd.dll \systemroot\system32\rotscxnwvwpvgt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\modules@rotscxlog.dat \systemroot\system32\rotscxtvencebp.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\modules@rotscxwsp.dll \systemroot\system32\rotscxqpooewnk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\modules@rotscx.dat \systemroot\system32\rotscxgbjmeqjq.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxqyxxxucd\modules@rotscxwsp8.dll \systemroot\system32\rotscxpxuesfcq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0x33 0xB8 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x60 0xFC 0x2C 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA7 0x08 0x99 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x8F 0x71 0xBB 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1effe99
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd@imagepath \systemroot\system32\drivers\rotscxkoxxvels.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main@aid 10094
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxkoxxvels.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\modules@rotscxcmd.dll \systemroot\system32\rotscxnwvwpvgt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\modules@rotscxlog.dat \systemroot\system32\rotscxtvencebp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\modules@rotscxwsp.dll \systemroot\system32\rotscxqpooewnk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\modules@rotscx.dat \systemroot\system32\rotscxgbjmeqjq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxqyxxxucd\modules@rotscxwsp8.dll \systemroot\system32\rotscxpxuesfcq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0x33 0xB8 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x60 0xFC 0x2C 0x22 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA7 0x08 0x99 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x8F 0x71 0xBB 0x08 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Mobile Getting Started Disc\AppInstalled@HTC Touch Pro\x2122 User Guide_Installed 4
Reg HKLM\SOFTWARE\Microsoft\Windows Mobile Getting Started Disc\AppInstalled@Windows Mobile\xae Device Center_Installed 4
---- Files - GMER 1.0.15 ----
File C:\Qoobox\Quarantine\C\Windows\System32\drivers\rotscxkoxxvels.sys.vir 71168 bytes
File C:\Users\Jim's Laptop\AppData\Local\Temp\rotscx000 0 bytes
File C:\Users\Jim's Laptop\AppData\Local\Temp\rotscxhlkwxotkgs.tmp 680448 bytes executable
File C:\Windows\System32\drivers\rotscxkoxxvels.sys 71168 bytes <-- ROOTKIT !!!
File C:\Windows\System32\rotscxgbjmeqjq.dat 43 bytes
File C:\Windows\System32\rotscxnwvwpvgt.dll 45568 bytes
File C:\Windows\System32\rotscxpxuesfcq.dll 19456 bytes executable
File C:\Windows\System32\rotscxqpooewnk.dll 20480 bytes executable
File C:\Windows\System32\rotscxtvencebp.dat 70624 bytes
File C:\Windows\temp\rotscxcdyiknvahr.tmp 19456 bytes executable
File C:\Windows\temp\rotscxyjdprtctta.tmp 43 bytes
---- EOF - GMER 1.0.15 ----
Hi,
1. Start GMER and do a quick scan. It should give a message about rootkit activity.
2. If it asks for full scan, select "no".
3. Right click rotscx******** and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.
4. After reboot, open GMER again and see if the corresponding service is in disabled state.
If it is in disabled state, try to run ComboFix again.
Hi,
I think you are getting close. I am in normal mode right now. YAY
Here is the log
ComboFix 09-09-14.02 - Jim's Laptop 09/16/2009 9:27.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2660 [GMT -5:00]
Running from: c:\users\Jim's Laptop\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\rotscxgbjmeqjq.dat
c:\windows\system32\rotscxnwvwpvgt.dll
c:\windows\system32\rotscxpxuesfcq.dll
c:\windows\system32\rotscxqpooewnk.dll
c:\windows\system32\rotscxtvencebp.dat
c:\windows\TEMP\mta104851.dll
.
---- Previous Run -------
.
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3084967135-3038832120-1763337499-500
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\apogotu.dll
c:\program files\Common Files\inojyx.pif
c:\program files\Common Files\wykoja.bin
c:\programdata\lumenyxisu.reg
c:\users\Jim's Laptop\AppData\Roaming\Microsoft\dtsc
c:\users\Jim's Laptop\AppData\Roaming\Microsoft\dtsc\3DStudio Max v6.0.torrent
c:\users\Jim's Laptop\AppData\Roaming\Microsoft\dtsc\s
c:\windows\haxivel.ban
c:\windows\Installer\79d58a8.msi
c:\windows\irc.txt
c:\windows\sslzdlt.dll
c:\windows\System32\11478.exe
c:\windows\System32\15724.exe
c:\windows\system32\16827.exe
c:\windows\System32\18467.exe
c:\windows\System32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\System32\26500.exe
c:\windows\System32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\System32\41.exe
c:\windows\system32\491.exe
c:\windows\System32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\afavywosyx.vbs
c:\windows\system32\aKTvyyxx.ini
c:\windows\system32\autochk.dll
c:\windows\system32\braviax.exe
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\rotscxkoxxvels.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\hafecyc.vbs
c:\windows\system32\Install.txt
c:\windows\system32\mndisk.sys
c:\windows\system32\pqgmxofl.ini
c:\windows\system32\sdra64.exe
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\wiawow32.sys
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\wiwow64.exe
c:\windows\system32\ygsuhdf83id.dll
c:\windows\Temp\1514891511.exe
c:\windows\Temp\2116309704.exe
c:\windows\Temp\2221693127.exe
c:\windows\Temp\2412021431.exe
c:\windows\Temp\3118823047.exe
c:\windows\Temp\3307405351.exe
c:\windows\Temp\4015796967.exe
c:\windows\Temp\617959591.exe
c:\windows\Temp\702532712.exe
c:\windows\TEMP\mta45304.dll
c:\windows\ygezimiji.dl
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MNDISK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100
-------\Service_mndisk
-------\Service_rotscxqyxxxucd
-------\Service_rotscxqyxxxucd
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.
2009-09-16 14:38 . 2009-09-16 14:41 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\temp
2009-09-12 09:51 . 2009-09-12 09:51 12681 ----a-w- c:\windows\system32\kero.dat
2009-09-11 22:38 . 2009-09-11 22:54 -------- d--h--w- c:\windows\PIF
2009-09-11 20:08 . 2009-09-11 20:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 20:08 . 2009-09-11 20:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-11 19:52 . 2009-09-11 19:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-09 04:38 . 2009-09-09 04:38 40448 ----a-w- c:\windows\system32\lkod.dll
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Malwarebytes
2009-09-08 22:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 22:09 . 2009-09-12 00:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 22:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\programdata\Malwarebytes
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\program files\Trend Micro
2009-09-08 20:00 . 2009-09-15 18:57 71168 ----a-w- c:\windows\system32\drivers\rotscxkoxxvels.sys
2009-09-08 14:55 . 2009-09-08 15:52 -------- d-----w- C:\Root
2009-09-08 14:55 . 2009-09-08 14:55 -------- d-----w- c:\program files\Activision
2009-09-08 02:10 . 2009-09-08 02:10 -------- d-----w- c:\windows\system32\xlive
2009-09-08 02:10 . 2009-09-08 02:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-08 01:49 . 2009-09-08 01:49 -------- d-----w- c:\program files\Eidos
2009-09-07 18:35 . 2009-09-07 18:35 -------- d-----w- c:\program files\THQ
2009-09-07 13:56 . 2009-09-07 18:25 -------- d-----w- c:\program files\Paradox Interactive
2009-08-20 04:20 . 2009-08-20 04:20 -------- d-----w- c:\programdata\FLEXnet
2009-08-20 04:15 . 2009-08-20 04:15 -------- d-----w- c:\programdata\ALM
2009-08-20 04:10 . 2009-08-20 04:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 14:42 . 2008-09-01 21:55 -------- d-----w- c:\programdata\Google Updater
2009-09-16 14:41 . 2008-06-25 02:43 65816 ----a-w- c:\programdata\nvModes.dat
2009-09-16 14:38 . 2008-05-27 06:22 836 ----a-w- c:\windows\bthservsdp.dat
2009-09-16 12:53 . 2008-06-30 22:21 1356 ----a-w- c:\users\Jim's Laptop\AppData\Local\d3d9caps.dat
2009-09-12 09:51 . 2009-09-12 09:51 17023 ----a-w- c:\program files\Common Files\aluci._sy
2009-09-11 17:13 . 2008-11-08 23:55 -------- d-----w- c:\program files\PokerStars
2009-09-11 17:12 . 2008-06-13 17:35 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\uTorrent
2009-09-08 20:22 . 2008-05-27 06:45 -------- d-----w- c:\program files\McAfee
2009-09-08 15:52 . 2008-05-27 06:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 02:09 . 2008-07-29 13:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-08 02:09 . 2009-01-08 19:05 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-05 15:19 . 2008-07-29 13:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-01 11:51 . 2008-06-12 11:23 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\FileZilla
2009-08-20 04:21 . 2008-05-30 22:36 101856 ----a-w- c:\users\Jim's Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-20 04:14 . 2008-06-24 14:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 11:18 . 2008-06-05 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-10 19:02 . 2009-08-10 19:02 -------- d-----w- c:\program files\PHP
2009-08-09 00:11 . 2009-08-09 00:11 733782 ----a-w- C:\lynx_v283.zip
2009-08-06 04:04 . 2009-07-21 18:30 -------- d-----w- c:\programdata\Microsoft Help
2009-07-30 22:11 . 2009-07-30 22:06 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Easy Thumbnails
2009-07-30 22:06 . 2009-07-30 22:06 -------- d-----w- c:\program files\Easy Thumbnails
2009-07-21 18:32 . 2009-07-21 18:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-21 18:32 . 2009-07-21 18:30 -------- d-----w- c:\program files\Microsoft Expression
2009-07-20 14:34 . 2009-07-20 14:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-14 22:17 . 2009-07-14 22:17 15308440 ----a-w- c:\windows\system32\xlive.dll
2009-07-14 22:17 . 2009-07-14 22:17 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-06-24 20:03 . 2009-07-17 17:00 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelSwedish.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelSpanish.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelPortugese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelKorean.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelJapanese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelGerman.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelFrench.dll
2009-06-20 01:06 . 2009-06-20 01:06 288024 ----a-w- c:\windows\system32\PhysXCplUI.exe
2009-06-20 01:06 . 2009-06-20 01:06 288024 ----a-w- c:\windows\system32\PhysXCompatCplUI.exe
2009-06-20 01:06 . 2009-06-20 01:06 24344 ----a-w- c:\windows\system32\PhysXDevice.dll
2008-05-27 14:09 . 2008-05-27 13:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-27 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe" [2008-09-26 468472]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-12-08 96800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-03-09 75008]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-03-07 316672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2007-02-14 124488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-27 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-6-24 2876216]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-5-27 679936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 15:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-27 06:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3084967135-3038832120-1763337499-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CE84CBC5-F93C-46B8-9202-233E5F1EED3C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{4D9D0324-4459-443D-BE21-15A890182068}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{CED74689-F482-4C18-A913-0DA7C1709CF6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{DE230269-2C38-4DF1-B70E-E4EAB8836085}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{2AE869B9-6C9B-47A1-AF04-0356A118A620}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{C6B40FF2-BBD7-47A9-A6D0-1FC7C19B0333}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{8F7D0627-D0D2-42BF-AE3C-48D7A09EBF45}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{BF0DEC8A-0265-4F42-ABA8-61307EC68AB7}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{B11143BF-E808-4D2B-ADFE-4D3900BC2B67}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{967969BB-353C-401B-A774-5C1E94301F55}"= UDP:990:LocalSubnet:LocalSubnet|IF={23F757CE-01BD-490B-9857-37CB844CE054}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{08A36910-F113-4ADC-BC48-1955C8C3086A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94F2EC27-B2B4-4285-A85F-EBC68786409C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4078B395-D7FB-4E61-AE80-4757EC73B23F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8031410-630E-4EDD-B42B-56C7F2D6C2D0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8B4C4D89-834D-4284-B519-691473AC2335}"= UDP:5353:Adobe CSI CS4
"{3ED057A5-A674-417B-8646-FEEDD09EBF6B}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{8AB875E7-7B33-4875-9D50-195C768DECD5}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{9B151F95-93AF-4A44-9D0F-C0C7E5B02607}"= UDP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{314B0B85-D9D5-4759-BA60-020532161007}"= TCP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{2C79DE66-0987-4DF9-B167-1BF72BBCE03E}"= UDP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{7E74F5C9-B6D4-443A-9752-B40AFC2263C6}"= TCP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{D2C5B66C-1A8D-4729-81B9-18978EF10C0B}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
"{BA45EF1E-BA96-4773-9717-7BC889FA6DC9}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"= c:\program files\Sprint\Sprint SmartView\SwiApiMux.exe:*:Enabled:SwiApiMux
R1 mozyFilter;mozyFilter;c:\windows\System32\drivers\mozy.sys [7/17/2009 12:00 PM 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 74480]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [5/27/2008 1:21 AM 73728]
S3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [3/6/2009 11:28 PM 124160]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-09-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 19:03]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-16 c:\windows\Tasks\User_Feed_Synchronization-{AB68BE68-CA4B-4671-A5F6-D884A313B9BC}.job
- c:\windows\system32\msfeedssync.exe [2008-06-05 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
.
- - - - ORPHANS REMOVED - - - -
BHO-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - c:\windows\system32\ygsuhdf83id.dll
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
SharedTaskScheduler-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - c:\windows\system32\ygsuhdf83id.dll
ShellExecuteHooks-{24DAAFB8-B7F5-463F-88C1-D497611FC253} - c:\windows\system32\fCrrrsTK.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 09:40
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxqyxxxucd]
"imagepath"="\systemroot\system32\drivers\rotscxkoxxvels.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\rotscxqyxxxucd]
@DACL=(02 0000)
"start"=dword:00000004
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\rotscxkoxxvels.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(860)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'Explorer.exe'(1116)
c:\program files\SetPoint\lgscroll.dll
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\btncopy.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\EPSON\eEBAPI\eEBSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\stacsv.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\DellTPad\hidfind.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\windows\System32\wiwow64.exe
c:\windows\System32\RacAgent.exe
c:\windows\System32\lsm32.sys
.
**************************************************************************
.
Completion time: 2009-09-16 9:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 14:55
Pre-Run: 64,446,926,848 bytes free
Post-Run: 64,275,935,232 bytes free
447 --- E O F --- 2008-07-25 21:54
Good. Please run DDS and post back its fresh log too :)
Here is the First
DDS (Ver_09-07-30.01) - NTFSx86
Run by Jim's Laptop at 10:44:23.08 on Wed 09/16/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2215 [GMT -5:00]
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Synergy\synergyc.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jim's Laptop\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - preview\TurbineDownloadManagerIcon.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-7-17 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 74480]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-27 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineMessageService.exe [2008-9-29 255472]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
R2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-3-6 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineNetworkService.exe [2008-9-29 218608]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S4 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2006-11-2 93696]
=============== Created Last 30 ================
2009-09-16 09:48 41,631 a------- c:\windows\system32\certstore.dat
2009-09-15 11:19 229,888 a------- c:\windows\PEV.exe
2009-09-15 11:19 161,792 a------- c:\windows\SWREG.exe
2009-09-15 11:19 98,816 a------- c:\windows\sed.exe
2009-09-12 04:51 12,681 a------- c:\windows\system32\kero.dat
2009-09-11 17:38 <DIR> --d-h--- c:\windows\PIF
2009-09-11 15:08 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-11 14:52 <DIR> a-d----- c:\programdata\TEMP
2009-09-11 14:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-10 07:46 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-09-08 23:38 40,448 a------- c:\windows\system32\lkod.dll
2009-09-08 23:38 320 a------- c:\windows\system32\jlksf
2009-09-08 17:09 <DIR> --d----- c:\users\jim'sl~1\appdata\roaming\Malwarebytes
2009-09-08 17:09 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 17:09 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:09 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 17:09 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 15:00 71,168 a------- c:\windows\system32\drivers\rotscxkoxxvels.sys
2009-09-08 09:55 <DIR> --d----- C:\Root
2009-09-08 09:55 <DIR> --d----- c:\program files\Activision
2009-09-07 21:10 <DIR> --d----- c:\windows\system32\xlive
2009-09-07 21:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-07 20:49 <DIR> --d----- c:\program files\Eidos
2009-09-07 13:35 <DIR> --d----- c:\program files\THQ
2009-09-07 08:56 <DIR> --d----- c:\program files\Paradox Interactive
2009-08-19 23:20 <DIR> --d----- c:\programdata\FLEXnet
2009-08-19 23:15 <DIR> --d----- c:\programdata\ALM
2009-08-19 23:15 <DIR> --d----- c:\progra~2\ALM
2009-08-19 23:06 <DIR> --d----- c:\program files\common files\Macrovision Shared
==================== Find3M ====================
2009-09-16 10:39 65,816 a------- c:\programdata\nvModes.dat
2009-09-16 10:39 65,816 a------- c:\progra~2\nvModes.dat
2009-09-12 04:51 17,023 a------- c:\program files\common files\aluci._sy
2009-08-08 19:11 733,782 a------- C:\lynx_v283.zip
2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2009-06-19 20:06 24,344 a------- c:\windows\system32\PhysXDevice.dll
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstor.dat
2009-06-08 06:56 86,016 a------- c:\windows\inf\infpub.dat
2008-06-11 06:40 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-04 21:34 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 10:45:00.51 ===============
And the Attach File
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 5/27/2008 1:23:24 AM
System Uptime: 9/16/2009 10:03:08 AM (0 hours ago)
Motherboard: Dell Inc. | | 0UK437
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 286 GiB total, 59.688 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.543 GiB free.
E: is CDROM ()
F: is CDROM ()
Y: is NetworkDisk (FAT) - 0 GiB total, 0 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #3
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0004
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #4
PNP Device ID: ROOT\*ISATAP\0004
Service: tunnel
==== System Restore Points ===================
RP534: 9/15/2009 1:39:47 PM - ComboFix created restore point
==== Installed Programs ======================
7-Zip 4.57
AC3Filter (remove only)
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 8.1.6
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Banctec Service Agreement
Batman: Arkham Asylum
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
Butler Advantage XE 6.3
CDDRV_Installer
Company of Heroes
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Connect
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Digital Line Detect
DivX Converter
DivX Player
DivX Web Player
Easy Thumbnails (Remove only)
EDocs
EPSON Artisan 800 Series Printer Uninstall
EPSON Scan
EpsonNet Print
ffdshow [rev 1685] [2007-12-06]
FileZilla Client 3.1.0.1
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
GoToAssist 8.0.0.514
Haali Media Splitter
HijackThis 2.0.2
HTC Touch Pro™ User Guide
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) SE Runtime Environment 6
KhalSetup
kuler
LightScribe System Software 1.10.16.1
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
MediaDirect
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Managed DirectX (1126)
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mMHouse
MobileMe Control Panel
Modem Diagnostic Tool
MozyHome Remote Backup
mPfMgr
Music, Photos & Videos Launcher
mWMI
Nero 8 Essentials
neroxml
NetWaiting
NVIDIA Drivers
NVIDIA PhysX
OutlookAddinSetup
PDF Settings CS4
Photoshop Camera Raw
PHP 5.3.0
Picasa 3
Product Documentation Launcher
Prototype(TM)
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
SetPoint
Sprint SmartView
Spybot - Search & Destroy
SpywareBlaster 4.2
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
Synergy
System Requirements Lab
The Lord of the Rings - Conquest™
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
The Rosetta Stone
TotalAudioConverter
Turbine Download Manager - Preview 1.0.3191.15414
VCRedistSetup
Ventrilo Client
VideoLAN VLC media player 0.8.6f
WIDCOMM Bluetooth Software 6.0.1.3100
WinRAR
==== Event Viewer Messages From Past Week ========
9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
9/9/2009 7:51:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
9/9/2009 2:43:34 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/9/2009 2:37:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
9/9/2009 2:35:45 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mozyFilter SASDIFSV SASKUTIL spldr Wanarpv6
9/9/2009 2:35:45 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
9/9/2009 2:35:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/9/2009 2:35:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/9/2009 2:35:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
9/9/2009 2:35:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/9/2009 2:35:05 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
9/9/2009 2:35:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/9/2009 2:34:54 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
9/9/2009 2:34:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/9/2009 2:34:38 PM, Error: EventLog [6008] - The previous system shutdown at 2:32:52 PM on 9/9/2009 was unexpected.
9/9/2009 2:30:44 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was The remote procedure call failed. .
9/9/2009 2:30:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1726" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/16/2009 9:31:50 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
9/16/2009 9:29:42 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee Network Agent service to connect.
9/16/2009 9:29:42 AM, Error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/16/2009 9:28:42 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Software Updater service to connect.
9/16/2009 9:28:12 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee SystemGuards service to connect.
9/16/2009 9:28:12 AM, Error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/15/2009 6:11:10 AM, Error: EventLog [6008] - The previous system shutdown at 6:09:27 AM on 9/15/2009 was unexpected.
9/15/2009 2:03:46 PM, Error: EventLog [6008] - The previous system shutdown at 2:01:49 PM on 9/15/2009 was unexpected.
9/15/2009 2:01:49 PM, Error: EventLog [6008] - The previous system shutdown at 2:00:24 PM on 9/15/2009 was unexpected.
9/15/2009 1:51:23 PM, Error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).
9/15/2009 1:51:23 PM, Error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/15/2009 1:43:29 PM, Error: Service Control Manager [7034] - The Synergy Client service terminated unexpectedly. It has done this 1 time(s).
9/15/2009 1:40:26 PM, Error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
9/15/2009 1:24:50 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/15/2009 1:24:50 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the PEVSystemStart service to connect.
9/14/2009 7:47:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
9/11/2009 3:37:38 PM, Error: EventLog [6008] - The previous system shutdown at 3:35:07 PM on 9/11/2009 was unexpected.
9/11/2009 3:01:58 PM, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
9/11/2009 3:01:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
9/11/2009 2:48:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/11/2009 2:42:26 PM, Error: EventLog [6008] - The previous system shutdown at 2:39:50 PM on 9/11/2009 was unexpected.
9/11/2009 12:14:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/10/2009 5:01:26 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001F3B889927 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/10/2009 3:43:09 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/10/2009 3:34:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
==== End Of File ===========================
Hi,
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?p=336588#post336588
Driver::
rotscxqyxxxucd
Collect::
c:\windows\system32\kero.dat
c:\windows\system32\lkod.dll
c:\windows\system32\jlksf
c:\windows\system32\drivers\rotscxkoxxvels.sys
c:\program files\Common Files\aluci._sy
Folder::
c:\users\Jim's Laptop\AppData\Roaming\uTorrent
c:\program files\uTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C6B40FF2-BBD7-47A9-A6D0-1FC7C19B0333}"=-
"{8F7D0627-D0D2-42BF-AE3C-48D7A09EBF45}"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe. You'll be asked to submit some samples.
Then post the resultant log.
Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 16 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Hi,
Here is the log file, and I am doing everything else now
ComboFix 09-09-14.02 - Jim's Laptop 09/16/2009 11:41.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2223 [GMT -5:00]
Running from: c:\users\Jim's Laptop\Desktop\ComboFix.exe
Command switches used :: c:\users\Jim's Laptop\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active
file zipped: c:\program files\Common Files\aluci._sy
file zipped: c:\windows\system32\drivers\rotscxkoxxvels.sys
file zipped: c:\windows\system32\jlksf
file zipped: c:\windows\system32\kero.dat
file zipped: c:\windows\system32\lkod.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\aluci._sy
c:\users\Jim's Laptop\AppData\Roaming\uTorrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\2nd season.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Adobe Illustrator CS4 [CLEAN] [blaze69].7z.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Areeya's World - Double Dildo - HD.wmv.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Ass Toyed Shemales - Adriana Rodrigues & Chelsiea.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\AutoCAD 2009(VF).torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\AutoCAD 2009.iso.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Batman.Arkham.Asylum.READNFO.Direct2Drive-TL.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Battlestar Galactica.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Bionic Woman - Season 1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Blood ties season 2.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Boston legal season 2.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Boston.Legal.Season.1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Britney Spears - All Music Videos.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Britney Spears Sex Tape BRAND NEW XXX.wmv.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Bruce Springsteen-Tunnel of Love-1987-kl.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Bruce Springsteen-Tunnel of Love(Darkside_RG).1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Bruce Springsteen - 1987 - Tunnel Of Love.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Bruce Springsteen - Tunnel Of Love (MP3@320Kbps) H33T.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Cathouse Season 2.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Cathouse.Season1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Chess for Dummies.iso.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Damages.S01.Complete.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Dark Angel.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\dht.dat
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\dht.dat.old
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Diamond TV 2.1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Duke Nukem 3D - xxthugxx.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\eminem.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Erin Andrews ESPN nude.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Eureka.S01.DVDRip.XviD-TOPAZ.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Eureka.S02.DVDRip_XviD-FoV.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Extras.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Generation.Kill.S01E01.HDTV.XviD-0TV.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Generation.Kill.S01E02.HDTV.XviD-0TV.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Generation.Kill.S01E03.HDTV.XviD-0TV.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Generation.Kill.S01E04.HDTV.XviD-0TV.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Generation.Kill.S01E05.HDTV.XviD-0TV.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Generation.Kill.S01E06.HDTV.XviD-0TV.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Generation.Kill.S01E07.HDTV.XviD-0TV.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Heroes S1 - S3 full 3 season collection.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Heroes Season 2 HDTV XviD.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Hollow Man.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\House MD Season 1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Jericho - Season 2 - Complete.1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Jericho - Season 2 - Complete.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Jericho Season1 (XviD asd) EnglishV+NapisyPL.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Kamikaze.Girls.Vol.58-tna.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Keeley Hazell Full Sextape.wmv.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Kid Rock-Rock And Roll Jesus.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Kid Rock - All Summer Long [ipod touch - iphone].mp4.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\KILL SWITCH [ENG] (NAMCO).torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\LadyBoy69 - Bambi - Totally Adorable - HD.wmv.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Long Mint - School Teacher - HD.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Long Mint - Sex Slave - HD.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Lynyrd Skynyrd - Simple Man.mp3.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Maria Ozawa & Asahi Miura - W Cast Premium Lesbian.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Mass.Effect-DETONATiON.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Men in Trees S01- E01 - E17.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Mother's Milk of Wife - Misa and Ran [1h59m34s 640x480 DivX52+MP3].avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\nathcapricavalli_large.mpg.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\NATIONAL LAMPOONS DORM DAZE 2[2006][ENG][AC3 5.1][DVDRip]-FLAWL3SS.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\nbwjennilee_large.mpg.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\noariannaarmani_large.mpg.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Open.Water.2.Adrift.RETAIL.DVDRip.XviD-OGTXViD.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Panzer Command Kharkov [PC][English][www.newpct.com].torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Perfect_World_International.exe.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Power AMR MP3 WAV WMA M4A AC3 Audio Converter.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\PowerISO.v4.1.Incl.Keymaker-AGAiN.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\PRECRAcked-WinRAR.3.71.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Private Love Story.ISO.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Project Gotham Racing 3D - xxThugxx.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Prototype-Razor1911.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Psych S01 Season 1 Complete English.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Psych S02 Season 2 Complete English DVD.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Quake Mobile v1.20 - xxthugxx.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Reaper.S01.HDTV.XviD-hibocbii.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Reaper.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Red School Girls Free for all.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\resume.dat
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\resume.dat.old
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Rise.[Blood.Hunter].2007.DvDRip.Eng-FxM.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Rosetta Stone Compressed.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Rosetta Stone Spanish - Latin America Level 1-2 [h33t PC CD IMAGE].torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\ROSETTADVD.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\rss.dat
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\rss.dat.old
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\RTL.Winter.Sports.2009.EUR.[CienPorCienGames.com].torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Scrubs - Season 1 - High Quality - Dvd Rip + Extras.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Scrubs - Season 2 - High Quality - Dvd Rip + Extras.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Scrubs Season 3.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\sd4hide11-skl.rar.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Season 02.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Season 1.1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Season 1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\season3.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Secret.Diary.Of.A.Call.Girl.S01.WS.DVDRip.XviD-RiVER.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\settings.dat
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\settings.dat.old
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Shinedown - Leave A Whisper [The Raven].torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Sins Of A Solar Empire ISO.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Sports.Illustrated.Swimsuit.2008.720p.AC3.HDTV.XviD-Mc5.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Swat 4 Gold Edition [FULL] + Crack.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Terminator - The Sarah Connor Chronicles season 2.1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Terminator - The Sarah Connor Chronicles season 2.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Terminator.The.Sarah.Connor.Chronicles.S01.COMPLETE.VOSTFR.HDTV.XviD-PM4.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The Life of David Gale.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The Rosetta Stone - Spanish - Level I+II.ISO.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The Shield [seasons 1 - 5].torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The Wire - season 3 complete.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The Wire - Season 4.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The Wire - Season 5.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The.L.Word.Season 3 complete LOL.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The.Wire.S05E04.DIRFIX.REPACK.PDTV.XviD-2HD.avi.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\The_Lord_Of_The_Rings_Conquest-Razor1911.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Total Audio Converter 2.6 With Serial.rar.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\utorrent-help.zip
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\utorrent.chm
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\utorrent.lng
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Veronica Mars Season 1.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Veronica Mars Season 2.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Veronica Mars season 3.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Veronica.Mars.T2.[DVDRip].[www.tensiontorrent.com].torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\VIDEOOT-TIENERSEXFILMS.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Wargames.The.Dead.Code.[2008.Eng].DVDRip.DivX-LTT.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\WhiteTeensBlackCocks - Henessy.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\wild_party_girls_41-tna.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\WinRAR 3.71 Final FULL Extreme Edition (Pre-PATCHED - TESTED!) ~ WORKS 100%.torrent
c:\users\Jim's Laptop\AppData\Roaming\uTorrent\Wolfenstein 3D - xxthugxx.torrent
c:\windows\Install.txt
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\rotscxkoxxvels.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\jlksf
c:\windows\system32\kero.dat
c:\windows\system32\lkod.dll
c:\windows\system32\wiwow64.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_rotscxqyxxxucd
-------\Service_rotscxqyxxxucd
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.
2009-09-16 16:52 . 2009-09-16 16:55 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\temp
2009-09-16 16:52 . 2009-09-16 16:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-16 16:52 . 2009-09-16 16:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-11 22:38 . 2009-09-11 22:54 -------- d--h--w- c:\windows\PIF
2009-09-11 20:08 . 2009-09-11 20:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 20:08 . 2009-09-11 20:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-11 19:52 . 2009-09-11 19:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Malwarebytes
2009-09-08 22:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 22:09 . 2009-09-12 00:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 22:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\programdata\Malwarebytes
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\program files\Trend Micro
2009-09-08 14:55 . 2009-09-08 15:52 -------- d-----w- C:\Root
2009-09-08 14:55 . 2009-09-08 14:55 -------- d-----w- c:\program files\Activision
2009-09-08 02:10 . 2009-09-08 02:10 -------- d-----w- c:\windows\system32\xlive
2009-09-08 02:10 . 2009-09-08 02:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-08 01:49 . 2009-09-08 01:49 -------- d-----w- c:\program files\Eidos
2009-09-07 18:35 . 2009-09-07 18:35 -------- d-----w- c:\program files\THQ
2009-09-07 13:56 . 2009-09-07 18:25 -------- d-----w- c:\program files\Paradox Interactive
2009-08-20 04:20 . 2009-08-20 04:20 -------- d-----w- c:\programdata\FLEXnet
2009-08-20 04:15 . 2009-08-20 04:15 -------- d-----w- c:\programdata\ALM
2009-08-20 04:10 . 2009-08-20 04:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 16:53 . 2008-05-27 06:22 836 ----a-w- c:\windows\bthservsdp.dat
2009-09-16 15:48 . 2008-06-25 02:43 65816 ----a-w- c:\programdata\nvModes.dat
2009-09-16 14:42 . 2008-09-01 21:55 -------- d-----w- c:\programdata\Google Updater
2009-09-16 12:53 . 2008-06-30 22:21 1356 ----a-w- c:\users\Jim's Laptop\AppData\Local\d3d9caps.dat
2009-09-11 17:13 . 2008-11-08 23:55 -------- d-----w- c:\program files\PokerStars
2009-09-08 20:22 . 2008-05-27 06:45 -------- d-----w- c:\program files\McAfee
2009-09-08 15:52 . 2008-05-27 06:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 02:09 . 2008-07-29 13:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-08 02:09 . 2009-01-08 19:05 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-05 15:19 . 2008-07-29 13:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-01 11:51 . 2008-06-12 11:23 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\FileZilla
2009-08-20 04:21 . 2008-05-30 22:36 101856 ----a-w- c:\users\Jim's Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-20 04:14 . 2008-06-24 14:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 11:18 . 2008-06-05 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-10 19:02 . 2009-08-10 19:02 -------- d-----w- c:\program files\PHP
2009-08-09 00:11 . 2009-08-09 00:11 733782 ----a-w- C:\lynx_v283.zip
2009-08-06 04:04 . 2009-07-21 18:30 -------- d-----w- c:\programdata\Microsoft Help
2009-07-30 22:11 . 2009-07-30 22:06 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Easy Thumbnails
2009-07-30 22:06 . 2009-07-30 22:06 -------- d-----w- c:\program files\Easy Thumbnails
2009-07-21 18:32 . 2009-07-21 18:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-21 18:32 . 2009-07-21 18:30 -------- d-----w- c:\program files\Microsoft Expression
2009-07-20 14:34 . 2009-07-20 14:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-14 22:17 . 2009-07-14 22:17 15308440 ----a-w- c:\windows\system32\xlive.dll
2009-07-14 22:17 . 2009-07-14 22:17 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-06-24 20:03 . 2009-07-17 17:00 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelSwedish.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelSpanish.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelPortugese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelKorean.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelJapanese.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelGerman.dll
2009-06-20 01:06 . 2009-06-20 01:06 58648 ----a-w- c:\windows\system32\AgCPanelFrench.dll
2009-06-20 01:06 . 2009-06-20 01:06 288024 ----a-w- c:\windows\system32\PhysXCplUI.exe
2009-06-20 01:06 . 2009-06-20 01:06 288024 ----a-w- c:\windows\system32\PhysXCompatCplUI.exe
2009-06-20 01:06 . 2009-06-20 01:06 24344 ----a-w- c:\windows\system32\PhysXDevice.dll
2008-05-27 14:09 . 2008-05-27 13:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-09-16_14.41.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-27 06:32 . 2009-09-16 15:05 57624 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-16 15:05 88954 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 00:52 . 2009-09-16 15:05 10562 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3084967135-3038832120-1763337499-1000_UserData.bin
+ 2006-11-02 09:46 . 2006-11-02 09:46 93696 c:\windows\System32\sofatnet.exe
+ 2006-11-02 09:46 . 2006-11-02 09:46 40960 c:\windows\System32\lsm32.sys
+ 2006-11-02 09:46 . 2006-11-02 09:46 46592 c:\windows\System32\EvdoServer.dll
+ 2008-05-30 22:32 . 2009-09-16 16:54 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-30 22:32 . 2009-09-16 14:41 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 10:33 . 2009-09-16 14:33 634976 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-16 15:40 634976 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-16 14:33 113246 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-16 15:40 113246 c:\windows\System32\perfc009.dat
+ 2009-09-16 14:42 . 2009-09-16 14:42 131584 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WKO55PDR\w[2].bin
+ 2008-05-30 22:32 . 2009-09-16 16:54 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-16 14:41 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-16 14:41 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-30 22:32 . 2009-09-16 16:54 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-27 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe" [2008-09-26 468472]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-12-08 96800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-03-09 75008]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-03-07 316672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2007-02-14 124488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-27 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-6-24 2876216]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-5-27 679936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 15:19 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-27 06:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3084967135-3038832120-1763337499-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CE84CBC5-F93C-46B8-9202-233E5F1EED3C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{4D9D0324-4459-443D-BE21-15A890182068}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{CED74689-F482-4C18-A913-0DA7C1709CF6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{DE230269-2C38-4DF1-B70E-E4EAB8836085}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{2AE869B9-6C9B-47A1-AF04-0356A118A620}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{BF0DEC8A-0265-4F42-ABA8-61307EC68AB7}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{B11143BF-E808-4D2B-ADFE-4D3900BC2B67}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{967969BB-353C-401B-A774-5C1E94301F55}"= UDP:990:LocalSubnet:LocalSubnet|IF={23F757CE-01BD-490B-9857-37CB844CE054}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{08A36910-F113-4ADC-BC48-1955C8C3086A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94F2EC27-B2B4-4285-A85F-EBC68786409C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4078B395-D7FB-4E61-AE80-4757EC73B23F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8031410-630E-4EDD-B42B-56C7F2D6C2D0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8B4C4D89-834D-4284-B519-691473AC2335}"= UDP:5353:Adobe CSI CS4
"{3ED057A5-A674-417B-8646-FEEDD09EBF6B}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{8AB875E7-7B33-4875-9D50-195C768DECD5}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{9B151F95-93AF-4A44-9D0F-C0C7E5B02607}"= UDP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{314B0B85-D9D5-4759-BA60-020532161007}"= TCP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{2C79DE66-0987-4DF9-B167-1BF72BBCE03E}"= UDP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{7E74F5C9-B6D4-443A-9752-B40AFC2263C6}"= TCP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{07AA713F-452C-4126-B557-A07965FE98E0}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
"{71442164-2461-4930-9D87-ED9244E540F9}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"= c:\program files\Sprint\Sprint SmartView\SwiApiMux.exe:*:Enabled:SwiApiMux
R1 mozyFilter;mozyFilter;c:\windows\System32\drivers\mozy.sys [7/17/2009 12:00 PM 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 74480]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [5/27/2008 1:21 AM 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe [9/29/2008 6:01 PM 255472]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/11/2009 3:08 PM 1153368]
S2 Synergy Client;Synergy Client;c:\program files\Synergy\synergyc.exe [4/2/2006 3:19 PM 446464]
S3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [3/6/2009 11:28 PM 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe [9/29/2008 6:01 PM 218608]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S4 sofatnet;sofatnet Service;c:\windows\System32\sofatnet.exe [11/2/2006 4:46 AM 93696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-09-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 19:03]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-16 c:\windows\Tasks\User_Feed_Synchronization-{AB68BE68-CA4B-4671-A5F6-D884A313B9BC}.job
- c:\windows\system32\msfeedssync.exe [2008-06-05 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(720)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'Explorer.exe'(604)
c:\program files\SetPoint\lgscroll.dll
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\btncopy.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\EPSON\eEBAPI\eEBSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\UI0Detect.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\DellTPad\hidfind.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-09-16 12:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 17:01
ComboFix2.txt 2009-09-16 14:57
Pre-Run: 64,045,273,088 bytes free
Post-Run: 63,898,939,392 bytes free
494 --- E O F --- 2008-07-25 21:54
Upload was successful
KAS File
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 16, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 16, 2009 23:53:53
Records in database: 2836457
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Y:\
Scan statistics:
Objects scanned: 184749
Threats found: 9
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 03:14:35
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Trojan.Win32.Vilsel.cnb 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fmm 1
C:\Qoobox\Quarantine\C\Windows\System32\autochk.dll.vir Infected: Trojan.Win32.Scar.ef 1
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\protect.dll.vir Infected: Trojan.Win32.Scar.ef 1
C:\Qoobox\Quarantine\C\Windows\System32\drivers\rotscxkoxxvels.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_rotscxkoxxvels_.sys.zip Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\Windows\System32\rotscxnwvwpvgt.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\Windows\System32\rotscxpxuesfcq.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\Windows\System32\rotscxqpooewnk.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\Windows\System32\sdra64.exe.vir Infected: Trojan-Spy.Win32.Zbot.aauk 1
C:\Qoobox\Quarantine\C\Windows\System32\tajf83ikdmf.dll.vir Infected: Trojan-Downloader.Win32.Agent.cpql 1
C:\Qoobox\Quarantine\C\Windows\System32\winupdate.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fms 1
C:\Qoobox\Quarantine\C\Windows\System32\wisdstr.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fmm 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-16_11.40.57.zip Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-16_11.40.57.zip Infected: Trojan-Spy.Win32.Amber.cu 1
C:\Users\Jim's Laptop\Documents\Downloads\Chess for Dummies.iso Infected: Trojan-Dropper.Win32.VB.bix 1
Selected area has been scanned.
DDS File
DDS (Ver_09-07-30.01) - NTFSx86
Run by Jim's Laptop at 20:57:55.72 on Wed 09/16/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2027 [GMT -5:00]
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Synergy\synergyc.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\Jim's Laptop\AppData\Local\temp\jkos-Jim's Laptop\binaries\ScanningProcess.exe
C:\Users\Jim's Laptop\AppData\Local\temp\jkos-Jim's Laptop\binaries\ScanningProcess.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RacAgent.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jim's Laptop\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - preview\TurbineDownloadManagerIcon.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
============= SERVICES / DRIVERS ===============
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-7-17 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-27 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineMessageService.exe [2008-9-29 255472]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
R2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-3-6 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineNetworkService.exe [2008-9-29 218608]
S4 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2006-11-2 93696]
=============== Created Last 30 ================
2009-09-16 15:22 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-16 14:36 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-09-16 14:36 83,456 a------- c:\windows\system32\wudriver.dll
2009-09-16 14:36 162,064 a------- c:\windows\system32\wuwebv.dll
2009-09-16 14:36 31,232 a------- c:\windows\system32\wuapp.exe
2009-09-16 12:03 41,631 a------- c:\windows\system32\certstore.dat
2009-09-15 11:19 229,888 a------- c:\windows\PEV.exe
2009-09-15 11:19 161,792 a------- c:\windows\SWREG.exe
2009-09-15 11:19 98,816 a------- c:\windows\sed.exe
2009-09-11 17:38 <DIR> --d-h--- c:\windows\PIF
2009-09-11 15:08 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-11 14:52 <DIR> a-d----- c:\programdata\TEMP
2009-09-11 14:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-10 07:46 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-09-08 17:09 <DIR> --d----- c:\users\jim'sl~1\appdata\roaming\Malwarebytes
2009-09-08 17:09 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 17:09 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:09 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 17:09 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 09:55 <DIR> --d----- C:\Root
2009-09-08 09:55 <DIR> --d----- c:\program files\Activision
2009-09-07 21:10 <DIR> --d----- c:\windows\system32\xlive
2009-09-07 21:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-07 20:49 <DIR> --d----- c:\program files\Eidos
2009-09-07 13:35 <DIR> --d----- c:\program files\THQ
2009-09-07 08:56 <DIR> --d----- c:\program files\Paradox Interactive
2009-08-19 23:20 <DIR> --d----- c:\programdata\FLEXnet
2009-08-19 23:15 <DIR> --d----- c:\programdata\ALM
2009-08-19 23:15 <DIR> --d----- c:\progra~2\ALM
2009-08-19 23:06 <DIR> --d----- c:\program files\common files\Macrovision Shared
==================== Find3M ====================
2009-09-16 19:29 65,816 a------- c:\programdata\nvModes.dat
2009-09-16 19:29 65,816 a------- c:\progra~2\nvModes.dat
2009-08-08 19:11 733,782 a------- C:\lynx_v283.zip
2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2009-06-19 20:06 24,344 a------- c:\windows\system32\PhysXDevice.dll
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstor.dat
2009-06-08 06:56 86,016 a------- c:\windows\inf\infpub.dat
2008-06-11 06:40 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-04 21:34 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 20:58:33.05 ===============
Attach File
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 5/27/2008 1:23:24 AM
System Uptime: 9/16/2009 2:38:26 PM (6 hours ago)
Motherboard: Dell Inc. | | 0UK437
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 286 GiB total, 47.799 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.543 GiB free.
E: is CDROM ()
F: is CDROM ()
Y: is NetworkDisk (FAT) - 0 GiB total, 0 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #3
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0004
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #4
PNP Device ID: ROOT\*ISATAP\0004
Service: tunnel
==== System Restore Points ===================
RP534: 9/15/2009 1:39:47 PM - ComboFix created restore point
RP536: 9/16/2009 1:44:20 PM - Scheduled Checkpoint
RP538: 9/16/2009 2:35:59 PM - Windows Update
RP540: 9/16/2009 3:16:58 PM - Removed Java(TM) SE Runtime Environment 6
RP542: 9/16/2009 3:18:42 PM - Removed SUPERAntiSpyware Professional
RP544: 9/16/2009 3:21:56 PM - Installed Java(TM) 6 Update 16
==== Installed Programs ======================
7-Zip 4.57
AC3Filter (remove only)
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 8.1.6
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Banctec Service Agreement
Batman: Arkham Asylum
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
Butler Advantage XE 6.3
CDDRV_Installer
Company of Heroes
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Connect
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Digital Line Detect
DivX Converter
DivX Player
DivX Web Player
Easy Thumbnails (Remove only)
EDocs
EPSON Artisan 800 Series Printer Uninstall
EPSON Scan
EpsonNet Print
ffdshow [rev 1685] [2007-12-06]
FileZilla Client 3.1.0.1
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
GoToAssist 8.0.0.514
Haali Media Splitter
HijackThis 2.0.2
HTC Touch Pro™ User Guide
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 16
KhalSetup
kuler
LightScribe System Software 1.10.16.1
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
MediaDirect
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Managed DirectX (1126)
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mMHouse
MobileMe Control Panel
Modem Diagnostic Tool
MozyHome Remote Backup
mPfMgr
Music, Photos & Videos Launcher
mWMI
Nero 8 Essentials
neroxml
NetWaiting
NVIDIA Drivers
NVIDIA PhysX
OutlookAddinSetup
PDF Settings CS4
Photoshop Camera Raw
PHP 5.3.0
Picasa 3
Product Documentation Launcher
Prototype(TM)
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
SetPoint
Sprint SmartView
Spybot - Search & Destroy
SpywareBlaster 4.2
Suite Shared Configuration CS4
Synergy
System Requirements Lab
The Lord of the Rings - Conquest™
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
The Rosetta Stone
TotalAudioConverter
Turbine Download Manager - Preview 1.0.3191.15414
VCRedistSetup
Ventrilo Client
VideoLAN VLC media player 0.8.6f
WIDCOMM Bluetooth Software 6.0.1.3100
WinRAR
==== Event Viewer Messages From Past Week ========
9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
9/9/2009 7:51:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
9/9/2009 2:43:34 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/9/2009 2:37:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
9/9/2009 2:35:45 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mozyFilter SASDIFSV SASKUTIL spldr Wanarpv6
9/9/2009 2:35:45 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
9/9/2009 2:35:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/9/2009 2:35:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/9/2009 2:35:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
9/9/2009 2:35:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/9/2009 2:35:05 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
9/9/2009 2:35:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/9/2009 2:34:54 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
9/9/2009 2:34:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/9/2009 2:34:38 PM, Error: EventLog [6008] - The previous system shutdown at 2:32:52 PM on 9/9/2009 was unexpected.
9/9/2009 2:30:44 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was The remote procedure call failed. .
9/9/2009 2:30:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1726" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/15/2009 6:11:10 AM, Error: EventLog [6008] - The previous system shutdown at 6:09:27 AM on 9/15/2009 was unexpected.
9/15/2009 2:03:46 PM, Error: EventLog [6008] - The previous system shutdown at 2:01:49 PM on 9/15/2009 was unexpected.
9/15/2009 2:01:49 PM, Error: EventLog [6008] - The previous system shutdown at 2:00:24 PM on 9/15/2009 was unexpected.
9/15/2009 1:51:23 PM, Error: Service Control Manager [7034] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s).
9/15/2009 1:51:23 PM, Error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/15/2009 1:43:29 PM, Error: Service Control Manager [7034] - The Synergy Client service terminated unexpectedly. It has done this 1 time(s).
9/15/2009 1:40:26 PM, Error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
9/15/2009 1:24:50 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/15/2009 1:24:50 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the PEVSystemStart service to connect.
9/14/2009 7:47:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
9/11/2009 3:37:38 PM, Error: EventLog [6008] - The previous system shutdown at 3:35:07 PM on 9/11/2009 was unexpected.
9/11/2009 3:01:58 PM, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
9/11/2009 3:01:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
9/11/2009 2:48:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/11/2009 2:42:26 PM, Error: EventLog [6008] - The previous system shutdown at 2:39:50 PM on 9/11/2009 was unexpected.
9/11/2009 12:14:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/10/2009 5:01:26 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001F3B889927 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/10/2009 3:43:09 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/10/2009 3:34:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
==== End Of File ===========================
Hi,
Please update Malwarebytes' Anti-Malware definitions and run full scan with it. Post back its report.
Also, delete C:\Users\Jim's Laptop\Documents\Downloads\Chess for Dummies.iso file unless you're sure about its origin.
Here is the log. Malwarebytes is asking to remove files, should I?
Malwarebytes' Anti-Malware 1.41
Database version: 2815
Windows 6.0.6001 Service Pack 1
9/17/2009 10:42:22 AM
mbam-log-2009-09-17 (10-42-13).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 278988
Time elapsed: 1 hour(s), 35 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 17
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sofatnet (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir (Rogue.Installer) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir (Rogue.AntivirusPro) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir (Rogue.AntivirusPro) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\autochk.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\rotscxpxuesfcq.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\rotscxqpooewnk.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\winupdate.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\wisdstr.exe.vir (Rogue.AntivirusPro) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\wiwow64.exe.vir (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\config\systemprofile\protect.dll.vir (Trojan.Agent) -> No action taken.
C:\Windows\System32\sofatnet.exe (Backdoor.Bot) -> No action taken.
C:\Windows\System32\EvdoServer.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WKO55PDR\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WKO55PDR\w[2].bin (Backdoor.Bot) -> No action taken.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> No action taken.
C:\Users\Jim's Laptop\Desktop\sVCHost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
Yes, let it remove all findings. Then post new report & fresh dds.txt log.
New log after deletion
Malwarebytes' Anti-Malware 1.41
Database version: 2815
Windows 6.0.6001 Service Pack 1
9/17/2009 12:57:02 PM
mbam-log-2009-09-17 (12-56-55).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 278856
Time elapsed: 1 hour(s), 34 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> No action taken.
DDS File
DDS (Ver_09-07-30.01) - NTFSx86
Run by Jim's Laptop at 13:06:13.26 on Thu 09/17/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2377 [GMT -5:00]
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SDistTest\SDistTestSvc.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jim's Laptop\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - preview\TurbineDownloadManagerIcon.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
============= SERVICES / DRIVERS ===============
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-7-17 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-27 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineMessageService.exe [2008-9-29 255472]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
R2 SDisTestService;SpybotSnD Distributed Testing;c:\program files\sdisttest\SDistTestSvc.exe [2009-9-17 907680]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-3-6 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineNetworkService.exe [2008-9-29 218608]
=============== Created Last 30 ================
2009-09-17 07:51 <DIR> --d----- c:\program files\SDistTest
2009-09-16 15:22 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-16 14:36 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-09-16 14:36 83,456 a------- c:\windows\system32\wudriver.dll
2009-09-16 14:36 162,064 a------- c:\windows\system32\wuwebv.dll
2009-09-16 14:36 31,232 a------- c:\windows\system32\wuapp.exe
2009-09-15 11:19 229,888 a------- c:\windows\PEV.exe
2009-09-15 11:19 161,792 a------- c:\windows\SWREG.exe
2009-09-15 11:19 98,816 a------- c:\windows\sed.exe
2009-09-11 17:38 <DIR> --d-h--- c:\windows\PIF
2009-09-11 15:08 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-11 14:52 <DIR> a-d----- c:\programdata\TEMP
2009-09-11 14:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-10 07:46 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-09-08 17:09 <DIR> --d----- c:\users\jim'sl~1\appdata\roaming\Malwarebytes
2009-09-08 17:09 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 17:09 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:09 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 17:09 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 09:55 <DIR> --d----- C:\Root
2009-09-08 09:55 <DIR> --d----- c:\program files\Activision
2009-09-07 21:10 <DIR> --d----- c:\windows\system32\xlive
2009-09-07 21:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-07 20:49 <DIR> --d----- c:\program files\Eidos
2009-09-07 08:56 <DIR> --d----- c:\program files\Paradox Interactive
2009-08-19 23:20 <DIR> --d----- c:\programdata\FLEXnet
2009-08-19 23:15 <DIR> --d----- c:\programdata\ALM
2009-08-19 23:15 <DIR> --d----- c:\progra~2\ALM
2009-08-19 23:06 <DIR> --d----- c:\program files\common files\Macrovision Shared
==================== Find3M ====================
2009-09-17 13:04 65,816 a------- c:\programdata\nvModes.dat
2009-09-17 13:04 65,816 a------- c:\progra~2\nvModes.dat
2009-08-08 19:11 733,782 a------- C:\lynx_v283.zip
2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2009-06-19 20:06 24,344 a------- c:\windows\system32\PhysXDevice.dll
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstor.dat
2009-06-08 06:56 86,016 a------- c:\windows\inf\infpub.dat
2008-06-11 06:40 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-04 21:34 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
============= FINISH: 13:06:50.80 ===============
Attach File
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 5/27/2008 1:23:24 AM
System Uptime: 9/17/2009 12:58:17 PM (1 hours ago)
Motherboard: Dell Inc. | | 0UK437
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 2001/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 286 GiB total, 54.083 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.543 GiB free.
E: is CDROM ()
F: is CDROM ()
Y: is NetworkDisk (FAT) - 0 GiB total, 0 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #3
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0004
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #4
PNP Device ID: ROOT\*ISATAP\0004
Service: tunnel
==== System Restore Points ===================
==== Installed Programs ======================
7-Zip 4.57
AC3Filter (remove only)
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 8.1.6
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Banctec Service Agreement
Batman: Arkham Asylum
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
Butler Advantage XE 6.3
CDDRV_Installer
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Connect
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Digital Line Detect
DivX Converter
DivX Player
DivX Web Player
Easy Thumbnails (Remove only)
EDocs
EPSON Artisan 800 Series Printer Uninstall
EPSON Scan
EpsonNet Print
ffdshow [rev 1685] [2007-12-06]
FileZilla Client 3.1.0.1
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
GoToAssist 8.0.0.514
Haali Media Splitter
HijackThis 2.0.2
HTC Touch Pro™ User Guide
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 16
KhalSetup
kuler
LightScribe System Software 1.10.16.1
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
MediaDirect
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Managed DirectX (1126)
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mMHouse
MobileMe Control Panel
Modem Diagnostic Tool
MozyHome Remote Backup
mPfMgr
Music, Photos & Videos Launcher
mWMI
Nero 8 Essentials
neroxml
NetWaiting
NVIDIA Drivers
NVIDIA PhysX
OutlookAddinSetup
PDF Settings CS4
Photoshop Camera Raw
PHP 5.3.0
Picasa 3
Product Documentation Launcher
Prototype(TM)
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
SetPoint
Sprint SmartView
Spybot-S&D Distributed Testing Client
Spybot - Search & Destroy
SpywareBlaster 4.2
Suite Shared Configuration CS4
Synergy
System Requirements Lab
The Lord of the Rings - Conquest™
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
The Rosetta Stone
TotalAudioConverter
Turbine Download Manager - Preview 1.0.3191.15414
VCRedistSetup
Ventrilo Client
VideoLAN VLC media player 0.8.6f
WIDCOMM Bluetooth Software 6.0.1.3100
WinRAR
==== End Of File ===========================
C:\Windows\System32\certstore.dat (Trojan.Agent) -> No action taken.
Hi,
I assume that was deleted too. How's the system running now?
yes it was deleted and everything seems to be working now.
certstore.dat seems to be reproducing itself
Malwarebytes' Anti-Malware 1.41
Database version: 2819
Windows 6.0.6001 Service Pack 1
9/18/2009 6:59:40 AM
mbam-log-2009-09-18 (06-59-40).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 304930
Time elapsed: 2 hour(s), 33 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
Hi,
Reboot and run ComboFix again. Post back its report.
The file is quite large for some reason. I had to zip it
I ran it again and this is more managable.
ComboFix 09-09-17.04 - Jim's Laptop 09/18/2009 10:48.5.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2193 [GMT -5:00]
Running from: c:\users\Jim's Laptop\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\certstore.dat
.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.
2009-09-18 15:58 . 2009-09-18 15:59 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\temp
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-17 22:08 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2009-09-17 21:54 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-17 21:54 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-09-17 21:54 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-09-17 21:54 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-09-17 21:54 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-09-17 21:54 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-09-17 21:53 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-09-17 21:46 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-09-17 21:46 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-09-17 21:46 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-17 21:45 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-09-17 21:45 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-09-17 21:44 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-17 21:44 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-17 21:44 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-17 21:44 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-17 21:44 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-17 21:44 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-17 21:44 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-17 21:44 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-17 21:44 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-17 21:44 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-17 21:41 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-09-17 21:41 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-17 21:41 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-17 21:41 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-17 21:40 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-09-17 21:39 . 2008-10-21 05:25 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-09-17 21:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-17 21:39 . 2008-08-28 03:40 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-17 21:39 . 2008-08-28 03:40 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-17 21:39 . 2008-08-28 03:40 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-17 21:39 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-09-17 21:39 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-09-17 21:39 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-09-17 21:38 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-09-17 21:38 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2009-09-17 21:38 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
2009-09-17 21:38 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-17 21:38 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2009-09-17 21:38 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
2009-09-17 21:38 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-09-17 21:34 . 2009-09-17 21:34 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-17 21:20 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\program files\MSXML 4.0
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-09-17 18:27 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-17 18:25 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-09-17 18:25 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-17 18:24 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-09-17 18:24 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-17 18:24 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-17 18:24 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-09-17 18:24 . 2008-10-21 05:25 1645568 ----a-w- c:\windows\system32\connect.dll
2009-09-17 18:24 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-17 18:24 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2009-09-17 18:24 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2009-09-17 18:24 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-09-17 18:24 . 2008-04-10 05:12 738304 ----a-w- c:\windows\system32\inetcomm.dll
2009-09-17 18:24 . 2008-04-18 05:48 269312 ----a-w- c:\windows\system32\es.dll
2009-09-17 18:24 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-09-17 18:19 . 2008-09-10 03:40 1334272 ----a-w- c:\windows\system32\msxml6.dll
2009-09-17 16:12 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Apple Computer
2009-09-17 12:51 . 2009-09-18 15:31 -------- d-----w- c:\program files\SDistTest
2009-09-17 12:40 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Adobe
2009-09-16 20:22 . 2009-09-16 20:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 19:36 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-16 19:36 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-16 19:36 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-09-16 19:36 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-16 19:36 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-09-16 19:36 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-09-16 19:36 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-09-16 19:36 . 2008-10-16 19:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-16 19:36 . 2008-10-16 18:56 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-09-11 22:38 . 2009-09-11 22:54 -------- d--h--w- c:\windows\PIF
2009-09-11 20:08 . 2009-09-11 20:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 20:08 . 2009-09-11 20:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-11 19:52 . 2009-09-11 19:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Malwarebytes
2009-09-08 22:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 22:09 . 2009-09-17 14:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 22:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\programdata\Malwarebytes
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\program files\Trend Micro
2009-09-08 14:55 . 2009-09-08 15:52 -------- d-----w- C:\Root
2009-09-08 14:55 . 2009-09-08 14:55 -------- d-----w- c:\program files\Activision
2009-09-08 02:10 . 2009-09-08 02:10 -------- d-----w- c:\windows\system32\xlive
2009-09-08 02:10 . 2009-09-08 02:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-08 01:49 . 2009-09-08 01:49 -------- d-----w- c:\program files\Eidos
2009-09-07 13:56 . 2009-09-07 18:25 -------- d-----w- c:\program files\Paradox Interactive
2009-08-20 04:20 . 2009-08-20 04:20 -------- d-----w- c:\programdata\FLEXnet
2009-08-20 04:15 . 2009-08-20 04:15 -------- d-----w- c:\programdata\ALM
2009-08-20 04:10 . 2009-08-20 04:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 15:31 . 2008-06-25 02:43 65816 ----a-w- c:\programdata\nvModes.dat
2009-09-18 15:28 . 2008-05-27 06:22 836 ----a-w- c:\windows\bthservsdp.dat
2009-09-17 22:32 . 2009-07-21 18:30 -------- d-----w- c:\programdata\Microsoft Help
2009-09-17 22:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-17 21:18 . 2008-05-27 06:50 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 21:11 . 2008-06-05 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-17 15:43 . 2008-09-01 21:55 -------- d-----w- c:\programdata\Google Updater
2009-09-16 20:22 . 2008-05-27 06:33 -------- d-----w- c:\program files\Java
2009-09-16 20:18 . 2008-07-29 13:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-16 20:18 . 2008-07-29 13:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 12:53 . 2008-06-30 22:21 1356 ----a-w- c:\users\Jim's Laptop\AppData\Local\d3d9caps.dat
2009-09-11 17:13 . 2008-11-08 23:55 -------- d-----w- c:\program files\PokerStars
2009-09-08 20:22 . 2008-05-27 06:45 -------- d-----w- c:\program files\McAfee
2009-09-08 15:52 . 2008-05-27 06:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 02:09 . 2009-01-08 19:05 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-01 11:51 . 2008-06-12 11:23 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\FileZilla
2009-08-20 04:21 . 2008-05-30 22:36 101856 ----a-w- c:\users\Jim's Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-20 04:14 . 2008-06-24 14:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-10 19:02 . 2009-08-10 19:02 -------- d-----w- c:\program files\PHP
2009-08-09 00:11 . 2009-08-09 00:11 733782 ----a-w- C:\lynx_v283.zip
2009-08-08 00:51 . 2009-08-08 00:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-08 00:51 . 2009-08-08 00:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-30 22:11 . 2009-07-30 22:06 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Easy Thumbnails
2009-07-30 22:06 . 2009-07-30 22:06 -------- d-----w- c:\program files\Easy Thumbnails
2009-07-21 21:52 . 2009-09-17 22:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-17 22:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-17 22:09 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-17 22:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 18:32 . 2009-07-21 18:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-21 18:32 . 2009-07-21 18:30 -------- d-----w- c:\program files\Microsoft Expression
2009-07-20 14:34 . 2009-07-20 14:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-11 19:32 . 2009-09-17 18:27 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-17 18:27 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-17 18:27 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-17 18:27 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-06-24 20:03 . 2009-07-17 17:00 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2008-05-27 14:09 . 2008-05-27 13:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot_2009-09-18_15.16.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-27 06:32 . 2009-09-18 15:33 58786 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-18 15:33 89482 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 00:52 . 2009-09-18 15:33 11244 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3084967135-3038832120-1763337499-1000_UserData.bin
+ 2008-05-30 22:32 . 2009-09-18 15:47 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-18 15:30 . 2009-09-18 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-18 15:30 . 2009-09-18 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 634976 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-18 15:36 634976 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 113246 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-18 15:36 113246 c:\windows\System32\perfc009.dat
+ 2008-05-30 22:32 . 2009-09-18 15:47 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-30 22:32 . 2009-09-18 15:47 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-27 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe" [2008-09-26 468472]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-12-08 96800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-03-09 75008]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-03-07 316672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2007-02-14 124488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-27 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-6-24 2876216]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-5-27 679936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-27 06:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3084967135-3038832120-1763337499-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CE84CBC5-F93C-46B8-9202-233E5F1EED3C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{4D9D0324-4459-443D-BE21-15A890182068}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{CED74689-F482-4C18-A913-0DA7C1709CF6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{DE230269-2C38-4DF1-B70E-E4EAB8836085}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{2AE869B9-6C9B-47A1-AF04-0356A118A620}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{BF0DEC8A-0265-4F42-ABA8-61307EC68AB7}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{B11143BF-E808-4D2B-ADFE-4D3900BC2B67}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{967969BB-353C-401B-A774-5C1E94301F55}"= UDP:990:LocalSubnet:LocalSubnet|IF={23F757CE-01BD-490B-9857-37CB844CE054}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{08A36910-F113-4ADC-BC48-1955C8C3086A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94F2EC27-B2B4-4285-A85F-EBC68786409C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4078B395-D7FB-4E61-AE80-4757EC73B23F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8031410-630E-4EDD-B42B-56C7F2D6C2D0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8B4C4D89-834D-4284-B519-691473AC2335}"= UDP:5353:Adobe CSI CS4
"{3ED057A5-A674-417B-8646-FEEDD09EBF6B}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{8AB875E7-7B33-4875-9D50-195C768DECD5}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{9B151F95-93AF-4A44-9D0F-C0C7E5B02607}"= UDP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{314B0B85-D9D5-4759-BA60-020532161007}"= TCP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{2C79DE66-0987-4DF9-B167-1BF72BBCE03E}"= UDP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{7E74F5C9-B6D4-443A-9752-B40AFC2263C6}"= TCP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{DA10F685-190F-4A8E-802D-3B8A4C6DEA6E}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
"{99982A2B-1417-4AA4-8FD7-83DD7AB0E6AA}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"= c:\program files\Sprint\Sprint SmartView\SwiApiMux.exe:*:Enabled:SwiApiMux
R1 mozyFilter;mozyFilter;c:\windows\System32\drivers\mozy.sys [7/17/2009 12:00 PM 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [5/27/2008 1:21 AM 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe [9/29/2008 6:01 PM 255472]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/11/2009 3:08 PM 1153368]
R2 SDisTestService;SpybotSnD Distributed Testing;c:\program files\SDistTest\SDistTestSvc.exe [9/17/2009 7:51 AM 907680]
S3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [3/6/2009 11:28 PM 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe [9/29/2008 6:01 PM 218608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-09-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 19:03]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{3CB618B7-6EFC-4281-9D80-D5CD6BDE8C16}.job
- c:\windows\system32\msfeedssync.exe [2009-09-17 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 10:59
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(912)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-09-18 11:03
ComboFix-quarantined-files.txt 2009-09-18 16:02
ComboFix2.txt 2009-09-18 15:21
ComboFix3.txt 2009-09-16 19:35
ComboFix4.txt 2009-09-16 14:57
Pre-Run: 54,724,177,920 bytes free
Post-Run: 54,130,978,816 bytes free
383 --- E O F --- 2009-09-17 22:34
Hi,
Open notepad and copy/paste the text in the quotebox below into it:
DirLook::
c:\users\Jim's Laptop\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log as an attachment.
Hi,
Delete these files:
c:\users\Jim's Laptop\AppData\Local\temp\catchme.dll
c:\users\Jim's Laptop\AppData\Local\temp\Jim's Laptop.bmp
How's the system running?
Hi,
I could not find catchme.dll, but I go the other one.
It seems to be running much better. There are a few files like qhj8nnlk.exe and z4q4sbsr.exe that are on my desktop that I can't delete, stating I need permission. any ideas on that?
ComboFix is still showing cerstore.dll being made somehow.
ComboFix 09-09-18.02 - Jim's Laptop 09/19/2009 6:56.8.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2339 [GMT -5:00]
Running from: c:\users\Jim's Laptop\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\certstore.dat
.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.
2009-09-19 12:02 . 2009-09-19 12:02 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\temp
2009-09-19 12:02 . 2009-09-19 12:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-19 12:02 . 2009-09-19 12:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-17 22:08 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2009-09-17 21:54 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-17 21:54 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-09-17 21:54 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-09-17 21:54 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-09-17 21:54 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-09-17 21:54 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-09-17 21:53 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-09-17 21:46 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-09-17 21:46 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-09-17 21:46 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-17 21:45 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-09-17 21:45 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-09-17 21:44 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-17 21:44 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-17 21:44 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-17 21:44 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-17 21:44 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-17 21:44 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-17 21:44 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-17 21:44 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-17 21:44 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-17 21:44 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-17 21:41 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-09-17 21:41 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-17 21:41 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-17 21:41 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-17 21:40 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-09-17 21:39 . 2008-10-21 05:25 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-09-17 21:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-17 21:39 . 2008-08-28 03:40 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-17 21:39 . 2008-08-28 03:40 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-17 21:39 . 2008-08-28 03:40 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-17 21:39 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-09-17 21:39 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-09-17 21:39 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-09-17 21:38 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-09-17 21:38 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2009-09-17 21:38 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
2009-09-17 21:38 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-17 21:38 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2009-09-17 21:38 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
2009-09-17 21:38 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-09-17 21:34 . 2009-09-17 21:34 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-17 21:20 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\program files\MSXML 4.0
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-09-17 18:27 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-17 18:25 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-09-17 18:25 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-17 18:24 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-09-17 18:24 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-17 18:24 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-17 18:24 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-09-17 18:24 . 2008-10-21 05:25 1645568 ----a-w- c:\windows\system32\connect.dll
2009-09-17 18:24 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-17 18:24 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2009-09-17 18:24 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2009-09-17 18:24 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-09-17 18:24 . 2008-04-10 05:12 738304 ----a-w- c:\windows\system32\inetcomm.dll
2009-09-17 18:24 . 2008-04-18 05:48 269312 ----a-w- c:\windows\system32\es.dll
2009-09-17 18:24 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-09-17 18:19 . 2008-09-10 03:40 1334272 ----a-w- c:\windows\system32\msxml6.dll
2009-09-17 16:12 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Apple Computer
2009-09-17 12:51 . 2009-09-18 16:36 -------- d-----w- c:\program files\SDistTest
2009-09-17 12:40 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Adobe
2009-09-16 20:22 . 2009-09-16 20:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 19:36 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-16 19:36 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-16 19:36 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-09-16 19:36 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-16 19:36 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-09-16 19:36 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-09-16 19:36 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-09-16 19:36 . 2008-10-16 19:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-16 19:36 . 2008-10-16 18:56 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-09-11 22:38 . 2009-09-11 22:54 -------- d--h--w- c:\windows\PIF
2009-09-11 20:08 . 2009-09-18 19:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 20:08 . 2009-09-18 19:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-11 19:52 . 2009-09-11 19:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Malwarebytes
2009-09-08 22:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 22:09 . 2009-09-17 14:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 22:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\programdata\Malwarebytes
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\program files\Trend Micro
2009-09-08 14:55 . 2009-09-08 15:52 -------- d-----w- C:\Root
2009-09-08 14:55 . 2009-09-08 14:55 -------- d-----w- c:\program files\Activision
2009-09-08 02:10 . 2009-09-08 02:10 -------- d-----w- c:\windows\system32\xlive
2009-09-08 02:10 . 2009-09-08 02:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-08 01:49 . 2009-09-08 01:49 -------- d-----w- c:\program files\Eidos
2009-09-07 13:56 . 2009-09-07 18:25 -------- d-----w- c:\program files\Paradox Interactive
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 11:42 . 2008-06-25 02:43 65816 ----a-w- c:\programdata\nvModes.dat
2009-09-18 23:04 . 2008-05-27 06:22 836 ----a-w- c:\windows\bthservsdp.dat
2009-09-18 16:44 . 2008-09-01 21:55 -------- d-----w- c:\programdata\Google Updater
2009-09-17 22:32 . 2009-07-21 18:30 -------- d-----w- c:\programdata\Microsoft Help
2009-09-17 22:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-17 21:18 . 2008-05-27 06:50 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 21:11 . 2008-06-05 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-16 20:22 . 2008-05-27 06:33 -------- d-----w- c:\program files\Java
2009-09-16 20:18 . 2008-07-29 13:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 12:53 . 2008-06-30 22:21 1356 ----a-w- c:\users\Jim's Laptop\AppData\Local\d3d9caps.dat
2009-09-11 17:13 . 2008-11-08 23:55 -------- d-----w- c:\program files\PokerStars
2009-09-08 20:22 . 2008-05-27 06:45 -------- d-----w- c:\program files\McAfee
2009-09-08 15:52 . 2008-05-27 06:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 02:09 . 2009-01-08 19:05 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-01 11:51 . 2008-06-12 11:23 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\FileZilla
2009-08-20 04:21 . 2008-05-30 22:36 101856 ----a-w- c:\users\Jim's Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-20 04:20 . 2009-08-20 04:20 -------- d-----w- c:\programdata\FLEXnet
2009-08-20 04:15 . 2009-08-20 04:15 -------- d-----w- c:\programdata\ALM
2009-08-20 04:14 . 2008-06-24 14:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-20 04:10 . 2009-08-20 04:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-10 19:02 . 2009-08-10 19:02 -------- d-----w- c:\program files\PHP
2009-08-09 00:11 . 2009-08-09 00:11 733782 ----a-w- C:\lynx_v283.zip
2009-08-08 00:51 . 2009-08-08 00:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-08 00:51 . 2009-08-08 00:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-30 22:11 . 2009-07-30 22:06 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Easy Thumbnails
2009-07-30 22:06 . 2009-07-30 22:06 -------- d-----w- c:\program files\Easy Thumbnails
2009-07-21 21:52 . 2009-09-17 22:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-17 22:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-17 22:09 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-17 22:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 18:32 . 2009-07-21 18:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-21 18:32 . 2009-07-21 18:30 -------- d-----w- c:\program files\Microsoft Expression
2009-07-20 14:34 . 2009-07-20 14:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-11 19:32 . 2009-09-17 18:27 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-17 18:27 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-17 18:27 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-17 18:27 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-06-24 20:03 . 2009-07-17 17:00 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2008-05-27 14:09 . 2008-05-27 13:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((( SnapShot_2009-09-18_15.16.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-27 06:32 . 2009-09-18 23:07 59186 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-18 23:07 89746 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 00:52 . 2009-09-18 23:07 11654 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3084967135-3038832120-1763337499-1000_UserData.bin
- 2008-05-30 22:32 . 2009-09-18 15:16 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-30 22:32 . 2009-09-19 11:54 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-18 23:05 . 2009-09-18 23:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-18 23:05 . 2009-09-18 23:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-09-18 23:11 634976 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 634976 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-18 23:11 113246 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 113246 c:\windows\System32\perfc009.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-30 22:32 . 2009-09-19 11:54 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 245760 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-05-30 22:32 . 2009-09-19 11:54 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-27 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe" [2008-09-26 468472]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-12-08 96800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-03-09 75008]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-03-07 316672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2007-02-14 124488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-27 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-6-24 2876216]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-5-27 679936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-27 06:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3084967135-3038832120-1763337499-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CE84CBC5-F93C-46B8-9202-233E5F1EED3C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{4D9D0324-4459-443D-BE21-15A890182068}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{CED74689-F482-4C18-A913-0DA7C1709CF6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{DE230269-2C38-4DF1-B70E-E4EAB8836085}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{2AE869B9-6C9B-47A1-AF04-0356A118A620}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{BF0DEC8A-0265-4F42-ABA8-61307EC68AB7}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{B11143BF-E808-4D2B-ADFE-4D3900BC2B67}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{967969BB-353C-401B-A774-5C1E94301F55}"= UDP:990:LocalSubnet:LocalSubnet|IF={23F757CE-01BD-490B-9857-37CB844CE054}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{08A36910-F113-4ADC-BC48-1955C8C3086A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94F2EC27-B2B4-4285-A85F-EBC68786409C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4078B395-D7FB-4E61-AE80-4757EC73B23F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8031410-630E-4EDD-B42B-56C7F2D6C2D0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8B4C4D89-834D-4284-B519-691473AC2335}"= UDP:5353:Adobe CSI CS4
"{3ED057A5-A674-417B-8646-FEEDD09EBF6B}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{8AB875E7-7B33-4875-9D50-195C768DECD5}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{9B151F95-93AF-4A44-9D0F-C0C7E5B02607}"= UDP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{314B0B85-D9D5-4759-BA60-020532161007}"= TCP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{2C79DE66-0987-4DF9-B167-1BF72BBCE03E}"= UDP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{7E74F5C9-B6D4-443A-9752-B40AFC2263C6}"= TCP:c:\program files\Activision\Prototype\prototypef.exe:Prototype(TM)
"{0A8BBCF9-ACD1-4345-B912-33212D00CFCF}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
"{8BC8272A-F57E-431E-8814-E13CCB0BCCF1}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"= c:\program files\Sprint\Sprint SmartView\SwiApiMux.exe:*:Enabled:SwiApiMux
R1 mozyFilter;mozyFilter;c:\windows\System32\drivers\mozy.sys [7/17/2009 12:00 PM 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [5/27/2008 1:21 AM 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe [9/29/2008 6:01 PM 255472]
S3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [3/6/2009 11:28 PM 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe [9/29/2008 6:01 PM 218608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-09-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 19:03]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]
2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{3CB618B7-6EFC-4281-9D80-D5CD6BDE8C16}.job
- c:\windows\system32\msfeedssync.exe [2009-09-17 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 07:02
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(848)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-09-19 7:05
ComboFix-quarantined-files.txt 2009-09-19 12:04
ComboFix2.txt 2009-09-18 23:02
ComboFix3.txt 2009-09-18 22:46
ComboFix4.txt 2009-09-18 16:03
ComboFix5.txt 2009-09-19 11:55
Pre-Run: 53,851,344,896 bytes free
Post-Run: 53,489,401,856 bytes free
383 --- E O F --- 2009-09-17 22:34
Hi,
Download this (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) file to your desktop and then drag'n'drop problematic two files to it. You should be able to delete them after that.
Please run a scan with GMER like you did earlier and attach its log to your post.
GMER vanishes before it finishes, so I can't copy to clipboard
Please delete current GMER version and get a fresh one using download exe -button on GMER site. Then try to run scan again. If it still fails see if you're able to run it in safe mode.
Hi,
It won't run there either. Crashed to blue screen memory error
Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror (http://ad13.geekstogo.com/RootRepeal.exe)
Secondary Mirror (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.exe)
Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check all seven boxes: http://billy-oneal.com/forums/rootRepeal/checkBoxes2.png
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Not sure if you wanted it posted or attached, but here it is.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 06:54
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8C039000 Size: 778240 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9BDE8000 Size: 49152 File Visible: No Signed: -
Status: -
Name: spbf.sys
Image Path: C:\Windows\System32\Drivers\spbf.sys
Address: 0x80693000 Size: 1048576 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{6e0edb60-a3d8-11de-b9a4-a96092ec8b96}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{6e0edb79-a3d8-11de-b9a4-a96092ec8b96}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{b77d38bd-a546-11de-b8db-e1e113775b5e}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{c5caa923-a4a7-11de-9b0f-9425fec545d9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\Windows\System32\GATHER~1.VBS
Status: Locked to the Windows API!
Path: C:\Windows\PIF\PIF
Status: Locked to the Windows API!
Path: C:\$Recycle.Bin\S-1-5-21-3084967135-3038832120-1763337499-1000\$RILV5HK\Globalization
Status: Locked to the Windows API!
Path: C:\Windows\AppPatch\Custom\Custom
Status: Locked to the Windows API!
Path: C:\Windows\assembly\tmp\tmp
Status: Locked to the Windows API!
Path: C:\Windows\Microsoft.NET\authman\authman
Status: Locked to the Windows API!
Path: c:\windows\microsoft.net\framework\netfxsbs12.hkf
Status: Allocation size mismatch (API: 36864, Raw: 45056)
Path: C:\Windows\nap\configuration\configuration
Status: Locked to the Windows API!
Path: C:\Windows\registration\CRMLog\CRMLog
Status: Locked to the Windows API!
Path: C:\Windows\security\templates\templates
Status: Locked to the Windows API!
Path: C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
Status: Locked to the Windows API!
Path: C:\Windows\SoftwareDistribution\ScanFile\ScanFile
Status: Locked to the Windows API!
Path: C:\Windows\System32\wbem\PORTAB~3.MOF
Status: Locked to the Windows API!
Path: C:\Windows\System32\wbem\PORTAB~2.MOF
Status: Locked to the Windows API!
Path: C:\Windows\System32\wbem\PORTAB~1.MOF
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\InstallTemp\InstallTemp
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18069_none_9e540f60f6e2ecf1\$$DeleteMe.emdmgmt.dll.01ca37e4f8567c58.0012
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\$$DeleteMe.kernel32.dll.01ca37e4fa57f1a8.001a
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsasrv.dll.01ca37e4fa14ce28.0018
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.secur32.dll.01ca37e4fa4294e8.0019
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6001.18000_none_0278b57e8399bfdb\MI2095~1.MAN
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\$$DeleteMe.wmp.dll.01ca37e4f7c70d98.0010
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\$$DeleteMe.wmploc.DLL.01ca37e4f7eeb9d8.0011
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18000_none_39733ab970ea03f2\$$DeleteMe.win32spl.dll.01ca37e4f8c39608.0013
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_6.0.6001.18000_none_025d66bd2e6eb866\$$DeleteMe.propsys.dll.01c8ed9383de6240.0007
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.18000_none_e6d6dd2bb0cd8ff8\$$DeleteMe.kerberos.dll.01ca37e4fad203a8.001d
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18175_none_21cf9ef255771632\$$DeleteMe.schannel.dll.01ca37e4fae08298.001e
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-workstationservice_31bf3856ad364e35_6.0.6001.18000_none_cc3a17edd6d1c174\$$DeleteMe.wkssvc.dll.01ca37e4fdfc4188.0021
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.16720_none_7c654fdc62654993\ASPNET~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.20883_none_659d66807c078e86\ASPNET~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.18111_none_7c40349262b75634\ASPNET~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.22230_none_6574a52e7c5ccf47\ASPNET~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.16720_none_04c87b54ba4ac535\UNINST~1.SQL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.20883_none_ee0091f8d3ed0a28\UNINST~1.SQL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.18111_none_04a3600aba9cd1d6\UNINST~1.SQL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.22230_none_edd7d0a6d4424ae9\UNINST~1.SQL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPCON~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPSET~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEBUGA~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEFINE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\EDITAP~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\SMTPSE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPCON~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPSET~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEBUGA~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEFINE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\EDITAP~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\SMTPSE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPCON~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPSET~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEBUGA~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEFINE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\EDITAP~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\SMTPSE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPCON~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPSET~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEBUGA~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEFINE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\EDITAP~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\SMTPSE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\CREATE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\DEFINE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\CREATE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\DEFINE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\CREATE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\DEFINE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\CREATE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\CREATE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\CREATE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\CREATE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\CREATE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.16720_none_9e3e9a071d8dacdd\WEBCON~1.DEF
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8776b0ab372ff1d0\WEBCON~1.DEF
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.18000_none_9e18955f1de08635\WEBCON~1.DEF
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.16720_none_9b01a5fdd9371aff\GACUTI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.20883_none_9b4d641ef282ae74\GACUTI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.18111_none_9cf3b4d9d654a956\GACUTI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.22230_none_9d66b182ef8367ab\GACUTI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.16720_none_7081409dee51e2d7\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.20883_none_59b9574207f427ca\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.18111_none_705c2553eea3ef78\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.22230_none_599095f00849688b\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.16720_none_b462fc0cbe880bcb\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.20883_none_9d9b12b0d82a50be\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.18111_none_b43de0c2beda186c\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.22230_none_9d72515ed87f917f\MICROS~1.XSD
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\CHOOSE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~2.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.18111_none_9e197ebd1ddfb97e\WEBCON~1.DEF
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-clr_ilasm_exe_b03f5f7f11d50a3a_6.0.6001.18111_none_03110f538dcda3f4\ILASME~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-mscoree_dll_31bf3856ad364e35_6.0.6001.18000_none_b55ffc255629a804\$$DeleteMe.mscoree.dll.01ca37e4e2c9aba8.0000
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6001.18000_none_1ff6260de878daa7\$$DeleteMe.mscorsvw.exe.01ca37e4ebd901a8.0006
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.16720_none_7b4eba45cecd6936\IEEXEC~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.20883_none_6486d0e9e86fae29\IEEXEC~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.18111_none_7b299efbcf1f75d7\IEEXEC~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.22230_none_645e0f97e8c4eeea\IEEXEC~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_a05f40e791345747\WEB_HI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8997578baad69c3a\WEB_HI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_a03a259d918663e8\WEB_HI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_896e9639ab2bdcfb\WEB_HI~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-mscorrc_res_dll_b03f5f7f11d50a3a_6.0.6001.18000_none_f0272add9c4990ad\$$DeleteMe.mscorrc.dll.01ca37e4e9dff0c8.0004
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.16720_none_173a294b153205b9\REGASM~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.20883_none_00723fef2ed44aac\REGASM~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18000_none_171424a31584df11\REGASM~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18111_none_17150e011584125a\REGASM~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.22230_none_00497e9d2f298b6d\REGASM~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6000.16720_none_ea5553f167a4fe69\REGSVC~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6000.20883_none_d38d6a958147435c\REGSVC~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6001.18000_none_ea2f4f4967f7d7c1\REGSVC~1.CON
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_325856a50f01ab0d\_SMSVC~1.INI
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_329d12c028538d21\_SMSVC~1.INI
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_33db43850c7307a2\_SMSVC~1.INI
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_34c832162545dbc8\_SMSVC~1.INI
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_ini_31bf3856ad364e35_6.0.6000.16708_none_c8df4fb390304286\_SERVI~1.INI
Status: Locked toProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!
Path: C:\Windows\System32\audiodg.exe
PID: 1220 Status: Locked to the Windows API!
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x860d01f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_CREATE]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_CLOSE]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_READ]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_WRITE]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SET_EA]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_CLEANUP]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_PNP]
Process: System Address: 0x8b75c1f8 Size: 121
Object: Hidden Code [Driver: iaStorV, IRP_MJ_CREATE]
Process: System Address: 0x860cd1f8 Size: 121
Object: Hidden Code [Driver: iaStorV, IRP_MJ_CLOSE]
Process: System Address: 0x860cd1f8 Size: 121
Object: Hidden Code [Driver: iaStorV, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860cd1f8 Size: 121
Object: Hidden Code [Driver: iaStorV, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x860cd1f8 Size: 121
Object: Hidden Code [Driver: iaStorV, IRP_MJ_POWER]
Process: System Address: 0x860cd1f8 Size: 121
Object: Hidden Code [Driver: iaStorV, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x860cd1f8 Size: 121
Object: Hidden Code [Driver: iaStorV, IRP_MJ_PNP]
Process: System Address: 0x860cd1f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x860cf1f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x860cf1f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860cf1f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x860cf1f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x860cf1f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x860cf1f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x860cf1f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_CREATE]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_CLOSE]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_READ]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_WRITE]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_POWER]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: cdrom€, IRP_MJ_PNP]
Process: System Address: 0x87ca11f8 Size: 121
Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒, IRP_MJ_CREATE]
Process: System Address: 0x87ae11f8 Size: 121
Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒, IRP_MJ_CLOSE]
Process: System Address: 0x87ae11f8 Size: 121
Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87ae11f8 Size: 121
Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87ae11f8 Size: 121
Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒, IRP_MJ_POWER]
Process: System Address: 0x87ae11f8 Size: 121
Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87ae11f8 Size: 121
Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒, IRP_MJ_PNP]
Process: System Address: 0x87ae11f8 Size: 121
Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_CREATE]
Process: System Address: 0x87c1a1f8 Size: 121
Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_CLOSE]
Process: System Address: 0x87c1a1f8 Size: 121
Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87c1a1f8 Size: 121
Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87c1a1f8 Size: 121
Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_POWER]
Process: System Address: 0x87c1a1f8 Size: 121
Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87c1a1f8 Size: 121
Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_PNP]
Process: System Address: 0x87c1a1f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System Address: 0x8aa431f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System Address: 0x8aa431f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa431f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aa431f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP]
Process: System Address: 0x8aa431f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_PNP]
Process: System Address: 0x8aa431f8 Size: 121
Object: Hidden Code [Driver: netbtY, IRP_MJ_CREATE]
Process: System Address: 0x8a9fe1f8 Size: 121
Object: Hidden Code [Driver: netbtY, IRP_MJ_CLOSE]
Process: System Address: 0x8a9fe1f8 Size: 121
Object: Hidden Code [Driver: netbtY, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9fe1f8 Size: 121
Object: Hidden Code [Driver: netbtY, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9fe1f8 Size: 121
Object: Hidden Code [Driver: netbtY, IRP_MJ_CLEANUP]
Process: System Address: 0x8a9fe1f8 Size: 121
Object: Hidden Code [Driver: netbtY, IRP_MJ_PNP]
Process: System Address: 0x8a9fe1f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載, IRP_MJ_CREATE]
Process: System Address: 0x87cb61f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載, IRP_MJ_CLOSE]
Process: System Address: 0x87cb61f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87cb61f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87cb61f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載, IRP_MJ_POWER]
Process: System Address: 0x87cb61f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87cb61f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載, IRP_MJ_PNP]
Process: System Address: 0x87cb61f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x853151f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x87b651f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x87b651f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87b651f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87b651f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x87b651f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87b651f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x87b651f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLOSE]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_READ]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_WRITE]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_EA]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLEANUP]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_POWER]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb, IRP_MJ_PNP]
Process: System Address: 0x87a8f1f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_CREATE]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_CLOSE]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_READ]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_WRITE]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_SHUTDOWN]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_CLEANUP]
Process: System Address: 0xa65181f8 Size: 121
Object: Hidden Code [Driver: cdfsЇ慖ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_PNP]
Process: System Address: 0xa65181f8 Size: 121
==EOF==
Nothing that I see there. Please delete that c:\windows\system32\certstore.dat file, disconnect network cable (or wireless connection), reboot (keep system offline) and see if the file appears after boot.
Hi
I disconected from the internet and the file did not reappear
But once I connected to the net it downloaded it within 5 mins. :confused:
Hi,
Could you upload the certstore.dat file to my channel here (http://www.bleepingcomputer.com/submit-malware.php?channel=76)? Kindly include a link to this topic.
Hi,
I checked the file with some scanners and none of them flagged it. Let's see if the latest MBAM definitions still find it bad.
Reboot system. Then please update MBAM definitions (current version is 2831 at the moment) and then run scan with it again.
Hi,
Here is the log
Malwarebytes' Anti-Malware 1.41
Database version: 2831
Windows 6.0.6001 Service Pack 1
9/20/2009 4:13:41 PM
mbam-log-2009-09-20 (16-13-37).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 304414
Time elapsed: 1 hour(s), 56 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> No action taken.
I deleted the file again
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Attach these logs to your post.
Hi,
Here you go, again :)
Hi,
Download & extract this file to it's own folder - Registry Search (http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip)
Launch Registry Search
In the search box, enter (on separate lines)
certstore.dat
Under Search, make sure only the Value box is checked in the first row of checkboxes. All other checkboxes should be checked.
& click Ok.
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply.
Locate if present the following file & delete it:
C:\windows\ntbtlog.txt
Restart the computer
Just before the OS loading screen starts hit F8 as if going to safe mode.
From the advanced boot menu choose enable boot logging then hit enter.
Post the following file:
C:\windows\ntbtlog.txt
Hi,
Reg search log:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 9/21/2009 1:15:34 PM for strings:
; 'certstore.dat'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
;
; End Of The Log...
C:\windows\ntbtlog.txt log:
Service Pack 1 9 21 2009 13:19:29.375
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\mcupdate_GenuineIntel.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\System32\Drivers\sptd.sys
Loaded driver \SystemRoot\System32\Drivers\WMILIB.SYS
Loaded driver \SystemRoot\System32\Drivers\SCSIPORT.SYS
Loaded driver \SystemRoot\system32\drivers\acpi.sys
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\DRIVERS\compbatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\BATTC.SYS
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelide.sys
Loaded driver \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
Loaded driver \SystemRoot\system32\drivers\pciide.sys
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\iastorv.sys
Loaded driver \SystemRoot\system32\drivers\iastor.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
Loaded driver \SystemRoot\System32\Drivers\PxHelp20.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Loaded driver \SystemRoot\system32\drivers\msrpc.sys
Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\System32\Drivers\spldr.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\System32\drivers\ecache.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS
Loaded driver \SystemRoot\system32\drivers\crcdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys
Loaded driver \SystemRoot\system32\DRIVERS\tunmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvlddmkm.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\NETw4v32.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ohci1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\sdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\rimmptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\rimsptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\rixdptsk.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\Apfiltr.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\System32\Drivers\a245o4lt.SYS
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys
Loaded driver \SystemRoot\system32\DRIVERS\msiscsi.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\system32\drivers\modem.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys
Loaded driver \SystemRoot\system32\DRIVERS\pctnullport.sys
Loaded driver \SystemRoot\system32\DRIVERS\RimSerial.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\NWADIenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\umbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\stwrt.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_DPV.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
Loaded driver \SystemRoot\system32\DRIVERS\mozy.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipfltdrv.sys
Loaded driver \SystemRoot\System32\Drivers\Mpfp.sys
Loaded driver \SystemRoot\system32\DRIVERS\smb.sys
Loaded driver \SystemRoot\system32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Did not load driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Did not load driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\drivers\mfehidk.sys
Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\System32\Drivers\BTHUSB.sys
Loaded driver \SystemRoot\system32\DRIVERS\rfcomm.sys
Loaded driver \SystemRoot\system32\DRIVERS\BthEnum.sys
Loaded driver \SystemRoot\system32\DRIVERS\bthpan.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidbth.sys
Loaded driver \SystemRoot\system32\drivers\btwavdt.sys
Loaded driver \SystemRoot\system32\drivers\btwaudio.sys
Loaded driver \SystemRoot\system32\DRIVERS\btwrchid.sys
Loaded driver \SystemRoot\system32\DRIVERS\LHidFilt.Sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouFilt.Sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\monitor.sys
Loaded driver \SystemRoot\system32\drivers\luafv.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\lltdio.sys
Loaded driver \SystemRoot\system32\DRIVERS\nwifi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys
Loaded driver \SystemRoot\system32\drivers\HTTP.sys
Loaded driver \SystemRoot\System32\DRIVERS\srvnet.sys
Loaded driver \SystemRoot\system32\DRIVERS\bowser.sys
Loaded driver \SystemRoot\System32\drivers\mpsdrv.sys
Loaded driver \SystemRoot\system32\drivers\mrxdav.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb10.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb20.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv2.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\drivers\parport.sys
Loaded driver \SystemRoot\System32\Drivers\adfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\atksgt.sys
Loaded driver \SystemRoot\system32\DRIVERS\lirsgt.sys
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Loaded driver \SystemRoot\system32\drivers\peauth.sys
Loaded driver \SystemRoot\System32\Drivers\secdrv.SYS
Loaded driver \SystemRoot\System32\Drivers\fastfat.SYS
Loaded driver \SystemRoot\System32\drivers\tcpipreg.sys
Loaded driver \SystemRoot\system32\DRIVERS\xaudio.sys
Loaded driver \SystemRoot\system32\drivers\tdtcp.sys
Loaded driver \SystemRoot\System32\DRIVERS\tssecsrv.sys
Loaded driver \SystemRoot\System32\Drivers\RDPWD.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cdfs.sys
Hi,
Show hidden files (Vista)
-----------------
1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
2. Click the View tab.
3. Under Advanced settings, click Show hidden files and folders, and then click OK.
Upload following files to http://www.virustotal.com, if found (re-scan if the file has been scanned earlier) and post back links to the results:
c:\windows\System32\Drivers\a245o4lt.SYS
c:\windows\System32\Drivers\Beep.SYS
This is for Beep.SYS
http://www.virustotal.com/reanalisis.html?3b07243970cab4e93a858bea6e31f56ad0157c42d624f3feb469e68eeef65669-1253567284
The other file is not on my machine.
Not sure, maybe this is the page you need. This is after a rescan
http://www.virustotal.com/analisis/3b07243970cab4e93a858bea6e31f56ad0157c42d624f3feb469e68eeef65669-1253567284
Hi,
Unfortunately, these weren't much help. I'll need to ask my colleagues' opinion on this. Shall get back asap.
Hi,
Haven't heard any opinions but we can attempt one more thing.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Files to replace with dummy:
c:\windows\system32\certstore.dat
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.
Here you go
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "c:\windows\system32\certstore.dat" replaced with dummy successfully.
Completed script processing.
*******************
Finished! Terminate.
That part went successfully. Now I have to know if the problem still returns.
The file was replace and I rebooted. The file has not changed since the reboot about 6 hours ago. So I think the rename has stuck.
Good. Let's uninstall ComboFix and OTL at this point :)
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /u in the runbox and click OK
Next we remove some other used tools.
Double-click OTL.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.
How's the system running?
Everything seems to be working like it should. I had to uninstall McAfee then reinstall it to get it to work. The .dat file still hasn't changed, so that is good. I don't see any errors when I restart, that is good, as well.
Just a few follow up questions, if you can.
I am going to use Spywarebot and Malwarebytes.
I am going to use McAfee for an antivirus and PC Tools for my firewall. I will turn off all other firewalls.
I have also installed SpywareBlaster; I think this is for Java.
Can you recommend anything else or do you know if there are any compatibility issues with any of these products?
Thanks again for your help
I am going to use Spywarebot and Malwarebytes.
Hopefully you meant Spybot there :)
I am going to use McAfee for an antivirus and PC Tools for my firewall. I will turn off all other firewalls.
Ok.
I have also installed SpywareBlaster; I think this is for Java.
SpywareBlaster is designed to block malicious ActiveX controls from installing. SpywareBlaster tutorial can be found here (http://www.bleepingcomputer.com/forums/tutorial49.html).
Can you recommend anything else or do you know if there are any compatibility issues with any of these products?
Those should work well together :)
Hopefully you meant Spybot there :)
LOL, yeah that is what I ment.
Thanks again for the help!!
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.