
Solved iexplore.exe problem! (Black Internet rootkit case)

Discussion in 'Malware and Virus Removal Archive' started by juturna, 2010/06/24.

  1. 2010/06/24
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    [Resolved] iexplore.exe problem! (Black Internet rootkit case)

    Hello, I've seen previous posts about the iexplore.exe problem here at windowsbbs.com. I've been experiencing the same problem, where iexplore.exe runs upon boot and respawns instantaneously when deleted. I have also been experiencing very slow browsing and startup load (probably due to the virus). Thank you very much for the help and support!

    I have Symantec Endpoint Protection on my computer, my college *REQUIRES* us to use that and only that. I have not yet attempted to fix the problem myself, nor am I requesting any help from another party.

    I will post the DDS/Attach below.
     
    Last edited: 2010/06/24
  2. 2010/06/24
    juturna

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Andrew at 17:50:43.55 on Thu 06/24/2010
    Internet Explorer: 8.0.6001.18928
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1864 [GMT -4:00]

    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Windows\System32\rpcnet.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\OEM02Mon.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Razer\Lachesis\razerhid.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Razer\Lachesis\OSD.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Razer\Lachesis\razerofa.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\Andrew\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uWindow Title = Internet Explorer provided by Dell
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [Aim6]
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Owofoxicedojo] rundll32.exe "c:\users\andrew\appdata\local\Syplscs.dll ",Startup
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103472 - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; .NET CLR 3.0.30729)" - "http://www.habbo.com/shockwave_client "
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\LCDMon.exe "
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe "
    mRun: [LoJackForLaptops] c:\program files\lflinstall\InstallManager.exe /d60 /dd1 /bd0
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Lachesis] c:\program files\razer\lachesis\razerhid.exe
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe "
    mRun: [Tjazene] rundll32.exe "c:\users\andrew\appdata\local\ixedidaki.dll ",Startup
    StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\gqziblmo.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\andrew\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {53B52843-0496-4367-A1DA-A04F226F5F33} - c:\users\andrew\appdata\local\{53B52843-0496-4367-A1DA-A04F226F5F33}
     

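Added here as a worked illustration, not part of the thread and not code from the DDS or Malwarebytes tools: this Python script parses uRun/mRun lines in the format of the Pseudo HJT Report above and flags the persistence pattern that report shows, a Run value that hands rundll32 a DLL sitting under the user's AppData folder. The sample lines are constructed to mirror entries quoted in this thread; the severity labels and reason texts are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format DDS uses for its "Pseudo HJT Report" section
# (uRun = HKCU\...\Run, mRun = HKLM\...\Run); values mirror entries quoted above.
SAMPLE_DDS_LINES = r"""
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Owofoxicedojo] rundll32.exe "c:\users\andrew\appdata\local\Syplscs.dll ",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
mRun: [Tjazene] rundll32.exe "c:\users\andrew\appdata\local\ixedidaki.dll ",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
"""

RUN_LINE = re.compile(r'^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')

# Directories an ordinary user can write to. A DLL autostarted from one of these
# through rundll32 is the user-mode persistence pattern seen in this thread.
USER_WRITABLE_MARKERS = ('c:\\users\\', '\\appdata\\', '\\temp\\', 'c:\\programdata\\')


@dataclass
class RunEntry:
    hive: str                     # "HKCU" for uRun, "HKLM" for mRun
    name: str                     # registry value name, e.g. "Tjazene"
    command: str                  # command line as DDS printed it
    dll: Optional[str] = None     # DLL path when launched via rundll32
    export: Optional[str] = None  # rundll32 entry point, e.g. "Startup"


@dataclass
class Finding:
    entry: RunEntry
    severity: str                 # "high", "medium" or "info"
    reasons: List[str]


def _first_token(cmd: str) -> str:
    # Program path, honouring a quoted path that contains spaces.
    cmd = cmd.strip()
    if not cmd:
        return ''
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].strip()
    return cmd.split(None, 1)[0]


def parse_run_entries(text: str) -> List[RunEntry]:
    """Parse uRun/mRun/uRunOnce/mRunOnce lines; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group('cmd').strip()
        entry = RunEntry('HKCU' if m.group('hive') == 'u' else 'HKLM', m.group('name'), cmd)
        if _first_token(cmd).lower() in ('rundll32.exe', 'rundll32'):
            # rundll32 syntax is <dll>,<entrypoint>; DDS may quote the DLL path
            # and leaves a stray space before the closing quote.
            rest = cmd.split(None, 1)[1] if ' ' in cmd else ''
            dll_part, _, export = rest.rpartition(',') if ',' in rest else (rest, '', '')
            entry.dll = dll_part.strip().strip('"').strip()
            entry.export = export.strip() or None
        entries.append(entry)
    return entries


def assess(entry: RunEntry) -> Finding:
    """Rate one autostart entry; for rundll32 launches the DLL path is what counts."""
    via_rundll32 = entry.dll is not None
    target = (entry.dll if via_rundll32 else _first_token(entry.command)).lower()
    in_user_dir = any(marker in target for marker in USER_WRITABLE_MARKERS)
    reasons = []
    if via_rundll32:
        reasons.append('launched through rundll32 rather than as its own executable')
    if in_user_dir:
        reasons.append('autostart target lives in a user-writable location: ' + target)
    if via_rundll32 and entry.export and entry.export.lower() == 'startup':
        reasons.append('generic "Startup" export, the entry point both Hiloti loaders above use')
    severity = 'high' if via_rundll32 and in_user_dir else 'medium' if in_user_dir else 'info'
    return Finding(entry, severity, reasons)


def suspicious_entries(text: str, min_severity: str = 'medium') -> List[Finding]:
    """Findings at or above min_severity, in the order DDS listed the entries."""
    rank = {'info': 0, 'medium': 1, 'high': 2}
    return [f for f in map(assess, parse_run_entries(text)) if rank[f.severity] >= rank[min_severity]]


if __name__ == '__main__':
    for f in suspicious_entries(SAMPLE_DDS_LINES):
        print(f'[{f.severity.upper()}] {f.entry.hive}\\...\\Run\\{f.entry.name}: ' + '; '.join(f.reasons))
```

Run against the sample, only the two entries that Malwarebytes later reports as Trojan.Hiloti come out as high severity; the NVIDIA rundll32 entry in system32 and the plain Program Files executables stay informational.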
  4. 2010/06/24
    juturna

    ============= SERVICES / DRIVERS ===============

    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-2-14 73728]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-1-28 2477304]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-18 24652]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-2-14 179712]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
    R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2010-1-9 12032]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
    R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2007-9-13 120320]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-8-18 23888]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 LiveTurbineMessageService;Turbine Message Service - Live; "c:\program files\turbine\turbine download manager\turbinemessageservice.exe" --> c:\program files\turbine\turbine download manager\TurbineMessageService.exe [?]
    S3 LiveTurbineNetworkService;Turbine Network Service - Live; "c:\program files\turbine\turbine download manager\turbinenetworkservice.exe" --> c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [?]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]

    =============== Created Last 30 ================

    2010-06-23 06:29:24 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 06:29:24 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 06:29:24 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 06:29:24 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 06:29:23 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-23 04:48:24 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-06-23 04:48:24 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-06-23 03:41:54 0 d-----w- c:\program files\MSECache
    2010-06-15 09:45:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-06-15 09:43:06 0 d-----r- c:\program files\Skype
    2010-06-15 09:42:57 0 d-----w- c:\programdata\Skype
    2010-06-12 03:41:51 0 d-----w- c:\program files\NCH Software
    2010-06-12 03:33:47 0 d-----w- c:\programdata\NCH Swift Sound
    2010-06-12 03:33:41 0 d-----w- c:\program files\NCH Swift Sound
    2010-05-26 14:56:27 2048 ----a-w- c:\windows\system32\tzres.dll

    ==================== Find3M ====================

    2010-06-24 18:23:54 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2010-06-23 06:48:53 57752 ----a-w- c:\windows\system32\rpcnet.dll
    2010-06-23 06:48:53 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2010-06-11 19:42:44 27430 ----a-w- c:\users\andrew\appdata\roaming\nvModes.dat
    2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-04-13 06:36:46 57752 ------w- c:\windows\system32\rpcnet.exe
    2010-04-05 17:01:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-04-04 20:34:22 62074 ----a-w- c:\windows\War3Unin.dat
    2010-01-28 14:51:58 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-01-28 14:51:58 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-01-28 14:51:58 143360 ----a-w- c:\windows\inf\infstor.dat
    2009-11-17 08:21:14 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-02-14 10:48:39 74 --sh--r- c:\windows\CT4CET.bin
    2009-10-19 13:53:19 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-06-21 03:59:21 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2009-06-21 03:59:21 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2009-06-21 03:59:21 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2009-06-21 03:59:21 278528 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    2009-08-31 02:51:39 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2009-08-31 02:51:39 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2009-08-31 02:51:39 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
    2009-02-14 11:06:24 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 17:51:15.82 ===============
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 2/13/2009 11:20:44 PM
    System Uptime: 6/23/2010 4:37:13 PM (25 hours ago)

    Motherboard: Dell Inc. | | 0KX412
    Processor: Intel(R) Core(TM)2 Extreme CPU X9000 @ 2.80GHz | Microprocessor | 1200/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 584 GiB total, 198.897 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 3.735 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0000
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0000
    Service: tunnel

    ==== System Restore Points ===================

    RP492: 6/6/2010 8:47:35 PM - Scheduled Checkpoint
    RP493: 6/8/2010 3:38:12 PM - Scheduled Checkpoint
    RP494: 6/11/2010 7:06:10 PM - Scheduled Checkpoint
    RP495: 6/12/2010 3:00:41 AM - Windows Update
    RP496: 6/13/2010 2:24:03 PM - Scheduled Checkpoint
    RP497: 6/16/2010 9:57:22 PM - Scheduled Checkpoint
    RP498: 6/19/2010 11:31:27 PM - Scheduled Checkpoint
    RP500: 6/22/2010 7:42:00 PM - Scheduled Checkpoint
    RP501: 6/22/2010 11:24:07 PM - Removed Skype Toolbars
    RP502: 6/23/2010 2:28:54 AM - Windows Update

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9
    Adobe Shockwave Player 11
    Advanced Audio FX Engine
    Advanced Video FX Engine
    AGEIA PhysX v7.11.13
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Broadcom Management Programs
    BufferChm
    Complete Care Consumer Service Agreement
    Counter-Strike: Source
    D1500
    D1500_Help
    Dell Dock
    Dell Getting Started Guide
    Dell Touchpad
    Dell Webcam Center
    Dell Webcam Manager
    DeviceDiscovery
    DeviceManagementQFolder
    DJ_SF_03_D1500_ProductContext
    DJ_SF_03_D1500_Software
    DJ_SF_03_D1500_Software_Min
    eSupportQFolder
    GPBaseService
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet D1500 Printer Driver Software 10.0 Rel .3
    HP Imaging Device Functions 10.0
    HP Photosmart Essential 2.5
    HP Smart Web Printing
    HP Solution Center 10.0
    HPProductAssistant
    Intel(R) PROSet/Wireless Software
    Intel® Matrix Storage Manager
    iTunes
    Java(TM) 6 Update 7
    Junk Mail filter update
    Laptop Integrated Webcam Driver (1.04.01.1011)
    Live! Cam Avatar Creator
    Live! Cam Avatar v1.0
    LiveUpdate 3.3 (Symantec Corporation)
    Logitech Gaming LCD Software 1.04
    ManyCam 2.4 (remove only)
    mCore
    MediaDirect
    mHelp
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    mMHouse
    Mozilla Firefox (3.0.6)
    mPfMgr
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    mWMI
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    OpenAL
    PandoraSaver 1.005 (standalone)
    PSSWCORE
    QualXServ Service Agreement
    QuickSet
    QuickTime
    Razer Lachesis
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio 3
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Skype™ 4.2
    SmartWebPrintingOC
    SolutionCenter
    StarCraft
    Status
    Steam
    StreamTransport version: 1.0.2.1559
    SUPER © Version 2010.bld.38 (May 2, 2010)
    Symantec Endpoint Protection
    The KMPlayer (remove only)
    Toolbox
    TrayApp
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VideoToolkit01
    VLC media player 0.9.8a
    Warcraft III
    Warcraft III: All Products
    WavePad Sound Editor
    WebReg
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    6/24/2010 5:32:59 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume OS.
    6/23/2010 2:50:25 AM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    6/23/2010 2:31:11 AM, Error: Service Control Manager [7034] - The Dell Internal Network Card Power Management service terminated unexpectedly. It has done this 1 time(s).
    6/21/2010 9:34:34 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0023AE12B7E1 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    6/21/2010 9:22:59 PM, Error: EventLog [6008] - The previous system shutdown at 8:06:18 PM on 6/21/2010 was unexpected.
    6/20/2010 12:49:31 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0023AE12B7E1 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    6/19/2010 7:22:21 PM, Error: EventLog [6008] - The previous system shutdown at 7:16:09 PM on 6/19/2010 was unexpected.
    6/19/2010 7:10:27 PM, Error: EventLog [6008] - The previous system shutdown at 6:25:05 PM on 6/19/2010 was unexpected.
    6/19/2010 6:23:24 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    6/19/2010 6:23:04 PM, Error: Service Control Manager [7034] - The Remote Procedure Call (RPC) Net service terminated unexpectedly. It has done this 1 time(s).
    6/19/2010 6:22:44 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    6/19/2010 6:21:34 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/19/2010 6:21:33 PM, Error: Service Control Manager [7034] - The Andrea ST Filters Service service terminated unexpectedly. It has done this 1 time(s).
    6/18/2010 6:42:48 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer JESSICA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C2447238-055C-4EC6-91E4-DEC174F. The master browser is stopping or an election is being forced.

    ==== End Of File ===========================
     
  5. 2010/06/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/06/24
    juturna

    Step 1

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4236

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    6/24/2010 10:47:03 PM
    mbam-log-2010-06-24 (22-47-03).txt

    Scan type: Quick scan
    Objects scanned: 140793
    Time elapsed: 12 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Users\Andrew\AppData\Local\ixedidaki.dll (Trojan.Hiloti) -> Delete on reboot.
    C:\Users\Andrew\AppData\Local\Syplscs.dll (Trojan.Hiloti) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tjazene (Trojan.Hiloti) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\owofoxicedojo (Trojan.Hiloti) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Andrew\AppData\Local\ixedidaki.dll (Trojan.Hiloti) -> Delete on reboot.
    C:\Users\Andrew\AppData\Local\Syplscs.dll (Trojan.Hiloti) -> Delete on reboot.
    ... will proceed to step 2 upon reboot.
     
  7. 2010/06/24
    juturna

    Upon reboot, I received 2 Error messages:
    RunDLL
    Error loading C:\Users\Andrew\AppData\Local\ixedidaki.dll
    The specific module could not be found.

    RunDLL
    Error loading C:\Users\Andrew\AppData\Local\Syplscs.dll
    The specific module could not be found.
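The RunDLL errors above are the tell-tale of an orphaned autostart: the Run values that loaded the Hiloti DLLs outlived the DLLs themselves. As an added example (not code from the thread or from Malwarebytes, GMER or ComboFix), here is a Python triage script that parses Run-key lines in the REGEDIT4 style ComboFix prints and flags values launched through rundll32, pointing into a user profile, or orphaned. The sample dump, the `sample_exists` host model and the rundll32 command lines for tjazene and owofoxicedojo are constructed assumptions; the thread shows only the value names and DLL paths.

```python
"""Triage of Windows Run-key autostart entries (added example, not tool
output from the thread).

Trojan.Hiloti in this thread persisted as Run values (tjazene, owofoxicedojo)
that loaded DLLs from the user's AppData\\Local folder. After Malwarebytes
deleted the DLLs the Run values were still present, which is what produced the
RunDLL "module could not be found" errors on reboot. This script parses
REGEDIT4-style Run lines in the format ComboFix prints them and flags entries
that are launched via rundll32, point into a user profile, or are orphaned
(target file missing).
"""
import os
import re
from typing import Any, Callable, Dict, List, Optional

# Constructed sample in ComboFix "Reg Loading Points" style. The rundll32
# command lines for the two Hiloti values are an assumption: the thread shows
# only the value names and the DLL paths, not the value data.
SAMPLE_RUN_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"tjazene"="rundll32.exe c:\users\Andrew\AppData\Local\ixedidaki.dll,Startup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"owofoxicedojo"="rundll32.exe c:\users\Andrew\AppData\Local\Syplscs.dll,Startup"
'''

# Files that exist on the constructed sample host (the Hiloti DLLs do not,
# because Malwarebytes already deleted them); stored lowercase for comparison.
PRESENT_FILES = {
    r"c:\program files\windows defender\msascui.exe",
    r"c:\windows\ehome\ehtray.exe",
}

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "name"="data", optionally followed by ComboFix's [date size] annotation
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*?)"(?:\s+\[[^\]]*\])?$')
# first drive-letter path ending in .exe or .dll inside a command line
TARGET_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r'\\(users|appdata|documents and settings)\\',
                             re.IGNORECASE)


def sample_exists(path: str) -> bool:
    """Existence check against the constructed sample host."""
    return path.lower() in PRESENT_FILES


def extract_target(command: str) -> Optional[str]:
    """Return the executable or DLL a Run value's command line points at."""
    m = TARGET_RE.search(command)
    return m.group(1) if m else None


def triage_run_dump(dump: str,
                    exists: Callable[[str], bool] = os.path.isfile
                    ) -> List[Dict[str, Any]]:
    """Parse a Run-key dump and attach triage flags to every value.

    Flags: 'rundll32' (DLL loaded through rundll32), 'user-profile' (target
    lives under a user profile rather than Program Files or Windows), and
    'orphaned' (target file no longer exists, the RunDLL-error case).
    """
    findings: List[Dict[str, Any]] = []
    current_key: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm is None or current_key is None:
            continue
        data = vm.group('data')
        target = extract_target(data)
        flags: List[str] = []
        if data.lower().startswith('rundll32'):
            flags.append('rundll32')
        if target and USER_PROFILE_RE.search(target):
            flags.append('user-profile')
        if target and not exists(target):
            flags.append('orphaned')
        findings.append({'key': current_key, 'name': vm.group('name'),
                         'command': data, 'target': target, 'flags': flags})
    return findings


def suspicious_names(findings: List[Dict[str, Any]]) -> List[str]:
    """Names of Run values carrying at least one flag, in dump order."""
    return [str(f['name']) for f in findings if f['flags']]


if __name__ == '__main__':
    for f in triage_run_dump(SAMPLE_RUN_DUMP, exists=sample_exists):
        mark = ','.join(f['flags']) or 'ok'
        print(f"{mark:30} {f['key']}\\{f['name']} -> {f['target']}")
```

Run against a live host, drop the `exists=` argument so `os.path.isfile` checks the real filesystem; the two Hiloti values come out flagged `rundll32,user-profile,orphaned` while the vendor entries come out `ok`.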
     
  8. 2010/06/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's fine. Go on...
     
  9. 2010/06/24
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    My first attempt at GMER, I got blue-screened.
    This is the log I received after scanning in Safe Mode.
    Sorry the scan took a very long time.


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-25 00:00:06
    Windows 6.0.6002 Service Pack 2
    Running: 2xq6cx38.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uwryqpob.sys


    ---- System - GMER 1.0.15 ----

    INT 0x52 ? 85D24F00
    INT 0x62 ? 85D24F00
    INT 0x62 ? 85D24F00
    INT 0x62 ? 85D24F00
    INT 0x72 ? 85D24F00
    INT 0x72 ? 85D24F00
    INT 0x72 ? 85D24F00
    INT 0x72 ? 85D24F00
    INT 0x82 ? 8436BBF8
    INT 0x92 ? 8436BBF8
    INT 0xB2 ? 8512ABF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? System32\Drivers\spky.sys The system cannot find the path specified. !
    .text USBPORT.SYS!DllUnload 8E71C41B 5 Bytes JMP 85D244E0

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8069A6D6] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8069A042] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8069A800] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8069A0C0] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069A13E] \SystemRoot\System32\Drivers\spky.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A9E9C] \SystemRoot\System32\Drivers\spky.sys

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B37817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73B8A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B3BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B2F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B2E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73B68395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73B3DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B2FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B2FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73BBCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73B5C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B2D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B26853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B2687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B32AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8512C1F8

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    Device \Driver\volmgr \Device\VolMgrControl 851281F8
    Device \Driver\usbuhci \Device\USBPDO-0 85E301F8
    Device \Driver\usbuhci \Device\USBPDO-1 85E301F8
    Device \Driver\usbehci \Device\USBPDO-2 85C461F8
    Device \Driver\usbuhci \Device\USBPDO-3 85E301F8
    Device \Driver\usbuhci \Device\USBPDO-4 85E301F8
    Device \Driver\usbuhci \Device\USBPDO-5 85E301F8
    Device \Driver\usbehci \Device\USBPDO-6 85C461F8
    Device \Driver\volmgr \Device\HarddiskVolume1 851281F8
    Device \Driver\volmgr \Device\HarddiskVolume2 851281F8
    Device \Driver\cdrom \Device\CdRom0 85DF0500
    Device \Driver\volmgr \Device\HarddiskVolume3 851281F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8512B1F8
    Device \Driver\iaStor \Device\Ide\iaStor0 [8A0E3A60] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 8512B1F8
    Device \Driver\atapi \Device\Ide\IdePort1 8512B1F8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8A0E3A60] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\volmgr \Device\HarddiskVolume4 851281F8
    Device \Driver\iScsiPrt \Device\RaidPort0 85DF81F8
    Device \Driver\usbuhci \Device\USBFDO-0 85E301F8
    Device \Driver\usbuhci \Device\USBFDO-1 85E301F8
    Device \Driver\usbehci \Device\USBFDO-2 85C461F8
    Device \Driver\usbuhci \Device\USBFDO-3 85E301F8
    Device \Driver\usbuhci \Device\USBFDO-4 85E301F8
    Device \Driver\usbuhci \Device\USBFDO-5 85E301F8
    Device \Driver\usbehci \Device\USBFDO-6 85C461F8
    Device \FileSystem\fastfat \Fat 872151F8
    Device \FileSystem\fastfat \Fat 8EBD045E

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\cdfs \Cdfs 860A3500

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA8 0xCC 0x66 0xEE ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA8 0xCC 0x66 0xEE ...

    ---- EOF - GMER 1.0.15 ----
     
  10. 2010/06/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. 2010/06/25
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    When I attempted to run combofix, my computer automatically restarted. Upon reboot none of my programs ran (black screen) but a single "Administrator: AutoScan" process began. Is this ok? Also was my gmer scan sufficient?
     
  12. 2010/06/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    GMER log looks clean.

    Be patient there and keep me updated on progress (if any).
     
  13. 2010/06/25
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    ComboFix 10-06-25.01 - Andrew 06/25/2010 14:01:12.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1958 [GMT -4:00]
    Running from: c:\users\Andrew\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Andrew\AppData\Local\{53B52843-0496-4367-A1DA-A04F226F5F33}
    c:\users\Andrew\AppData\Local\{53B52843-0496-4367-A1DA-A04F226F5F33}\chrome.manifest
    c:\users\Andrew\AppData\Local\{53B52843-0496-4367-A1DA-A04F226F5F33}\chrome\content\_cfg.js
    c:\users\Andrew\AppData\Local\{53B52843-0496-4367-A1DA-A04F226F5F33}\chrome\content\overlay.xul
    c:\users\Andrew\AppData\Local\{53B52843-0496-4367-A1DA-A04F226F5F33}\install.rdf
    c:\users\Andrew\AppData\Roaming\install.dat
    c:\windows\system32\st325614.dll
    c:\windows\xpsp1hfm.log

    Infected copy of c:\windows\System32\autochk.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))
    .

    2010-06-25 18:11 . 2010-06-25 18:16 -------- d-----w- c:\users\Andrew\AppData\Local\temp
    2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
    2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-06-25 02:33 . 2010-06-25 02:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
    2010-06-25 02:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-25 02:33 . 2010-06-25 02:33 -------- d-----w- c:\programdata\Malwarebytes
    2010-06-25 02:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-25 02:33 . 2010-06-25 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-23 06:29 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 06:29 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 06:29 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 06:29 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 06:29 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-23 04:48 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-06-23 04:48 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-06-23 03:41 . 2010-06-23 03:41 -------- d-----w- c:\program files\MSECache
    2010-06-15 09:45 . 2010-06-15 09:45 56 ---ha-w- c:\windows\system32\ezsidmv.dat
    2010-06-15 09:45 . 2010-06-24 22:12 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
    2010-06-15 09:44 . 2010-06-25 02:29 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
    2010-06-15 09:43 . 2010-06-15 09:43 -------- d-----w- c:\program files\Common Files\Skype
    2010-06-15 09:43 . 2010-06-23 03:24 -------- d-----r- c:\program files\Skype
    2010-06-15 09:42 . 2010-06-15 09:43 -------- d-----w- c:\programdata\Skype
    2010-06-12 03:41 . 2010-06-12 03:41 -------- d-----w- c:\program files\NCH Software
    2010-06-12 03:33 . 2010-06-12 03:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\NCH Swift Sound
    2010-06-12 03:33 . 2010-06-12 03:33 -------- d-----w- c:\programdata\NCH Swift Sound
    2010-06-12 03:33 . 2010-06-12 03:33 -------- d-----w- c:\program files\NCH Swift Sound
    2010-06-04 19:55 . 2010-06-24 04:29 0 ----a-w- c:\users\Andrew\AppData\Local\Qnedofeho.bin
    2010-06-04 19:55 . 2010-06-24 21:24 120 ----a-w- c:\users\Andrew\AppData\Local\Umavagecaguhimu.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-25 18:15 . 2009-03-03 17:55 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2010-06-25 18:15 . 2009-02-24 19:07 57752 ----a-w- c:\windows\system32\rpcnet.dll
    2010-06-25 17:54 . 2009-03-03 17:55 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2010-06-12 07:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-06-12 07:12 . 2009-02-14 10:57 -------- d-----w- c:\programdata\Microsoft Help
    2010-06-11 19:42 . 2009-02-18 20:36 27430 ----a-w- c:\users\Andrew\AppData\Roaming\nvModes.dat
    2010-06-03 20:00 . 2009-02-18 23:09 -------- d-----w- c:\program files\Viewpoint
    2010-06-03 19:58 . 2009-02-14 10:45 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-03 19:55 . 2009-04-25 19:53 -------- d-----w- c:\programdata\eMule
    2010-06-03 19:55 . 2009-03-24 19:47 -------- d-----w- c:\program files\Chameleon
    2010-06-01 02:02 . 2009-02-18 22:40 -------- d-----w- c:\program files\Steam
    2010-05-26 17:06 . 2010-06-11 19:49 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47 . 2010-06-11 19:49 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-14 04:50 . 2010-05-14 04:50 -------- d-----w- c:\program files\AviSynth 2.5
    2010-05-14 04:45 . 2010-05-14 04:45 -------- d-----w- c:\program files\eRightSoft
    2010-05-04 05:59 . 2010-06-11 19:49 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 05:55 . 2010-06-11 19:49 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-05-04 05:55 . 2010-06-11 19:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-05-04 04:31 . 2010-06-11 19:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-05-01 14:13 . 2010-06-11 19:49 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-04-23 14:13 . 2010-05-26 14:56 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-04-16 16:43 . 2010-06-23 04:48 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-04-16 16:43 . 2010-06-23 04:48 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-04-16 16:43 . 2010-06-23 04:48 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-04-16 16:43 . 2010-06-23 04:48 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-04-13 06:36 . 2009-02-24 19:06 57752 ------w- c:\windows\system32\rpcnet.exe
    2010-04-05 17:01 . 2010-06-11 19:49 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-04-04 20:34 . 2010-01-18 03:07 62074 ----a-w- c:\windows\War3Unin.dat
    2009-02-14 10:48 . 2009-02-14 10:48 74 --sh--r- c:\windows\CT4CET.bin
    2006-05-03 09:06 . 2010-05-14 04:46 163328 --sh--r- c:\windows\System32\flvDX.dll
    2007-02-21 10:47 . 2010-05-14 04:46 31232 --sh--r- c:\windows\System32\msfDX.dll
    2008-03-16 12:30 . 2010-05-14 04:46 216064 --sh--r- c:\windows\System32\nbDX.dll
    2009-02-14 11:06 . 2009-02-14 10:52 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1029416]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-12-03 36864]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-06 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8497696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-11-06 81920]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-07-18 775952]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-28 115560]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2007-09-12 172032]

    c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):d1,19,d4,bf,31,17,ca,01

    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-08-18 23888]
    R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [x]
    R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [x]
    R3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [x]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-06-25 721904]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-18 179712]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-28 102448]
    S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2007-08-08 12032]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
    S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2007-09-13 120320]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    HKLM-Run-LoJackForLaptops - c:\program files\LFLInstall\InstallManager.exe
    HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
    SafeBoot-Symantec Antvirus



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-25 14:17
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,22,09,c6,4d,f9,30,4b,96,7f,e8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,22,09,c6,4d,f9,30,4b,96,7f,e8,\

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(660)
    c:\windows\SYSTEM32\SYSFER.DLL

    - - - - - - - > 'Explorer.exe'(5596)
    c:\windows\SYSTEM32\SYSFER.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\system volume information\Microsoft\services.exe
    c:\windows\system32\AUDIODG.EXE
    c:\system volume information\Microsoft\smss.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\System32\rpcnet.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\STacSV.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\windows\System32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\windows\System32\rundll32.exe
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Windows Live\Toolbar\wltuser.exe
    c:\program files\Internet Explorer\iexplore.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-25 14:24:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-25 18:24

    Pre-Run: 317,502,611,456 bytes free
    Post-Run: 315,014,680,576 bytes free

    - - End Of File - - 878EB75765AB873BAEFEFA811860978C
     
  14. 2010/06/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    =============================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\ezsidmv.dat
    c:\users\Andrew\AppData\Local\Qnedofeho.bin
    c:\users\Andrew\AppData\Local\Umavagecaguhimu.dat
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  15. 2010/06/25
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    For some reason, I can't locate any of the Viewpoint programs under Programs and Features...

    Anyways, working on step 2 now.
     
  16. 2010/06/25
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    The scan finished and produced this log without prompting reboot. I noticed that the iexplore.exe programs were no longer running and all seemed fine; I then decided to restart my computer just in case it was needed for everything to work properly. When my computer came back on, I checked to see if the iexplore.exe problem was permanently gone, but it came back... Just thought I'd mention that.



    ComboFix 10-06-25.01 - Andrew 06/25/2010 15:47:26.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1603 [GMT -4:00]
    Running from: c:\users\Andrew\Desktop\ComboFix.exe
    Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\users\Andrew\AppData\Local\Qnedofeho.bin"
    "c:\users\Andrew\AppData\Local\Umavagecaguhimu.dat"
    "c:\windows\system32\ezsidmv.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Andrew\AppData\Local\Qnedofeho.bin
    c:\users\Andrew\AppData\Local\Umavagecaguhimu.dat
    c:\windows\system32\ezsidmv.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))
    .

    2010-06-25 19:55 . 2010-06-25 19:56 -------- d-----w- c:\users\Andrew\AppData\Local\temp
    2010-06-25 19:55 . 2010-06-25 19:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2010-06-25 19:55 . 2010-06-25 19:55 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
    2010-06-25 19:55 . 2010-06-25 19:55 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-06-25 19:55 . 2010-06-25 19:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-06-25 02:33 . 2010-06-25 02:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
    2010-06-25 02:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-25 02:33 . 2010-06-25 02:33 -------- d-----w- c:\programdata\Malwarebytes
    2010-06-25 02:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-25 02:33 . 2010-06-25 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-23 06:29 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 06:29 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 06:29 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 06:29 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 06:29 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-23 04:48 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-06-23 04:48 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-06-23 03:41 . 2010-06-23 03:41 -------- d-----w- c:\program files\MSECache
    2010-06-15 09:45 . 2010-06-24 22:12 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
    2010-06-15 09:44 . 2010-06-25 02:29 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
    2010-06-15 09:43 . 2010-06-15 09:43 -------- d-----w- c:\program files\Common Files\Skype
    2010-06-15 09:43 . 2010-06-23 03:24 -------- d-----r- c:\program files\Skype
    2010-06-15 09:42 . 2010-06-15 09:43 -------- d-----w- c:\programdata\Skype
    2010-06-12 03:41 . 2010-06-12 03:41 -------- d-----w- c:\program files\NCH Software
    2010-06-12 03:33 . 2010-06-12 03:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\NCH Swift Sound
    2010-06-12 03:33 . 2010-06-12 03:33 -------- d-----w- c:\programdata\NCH Swift Sound
    2010-06-12 03:33 . 2010-06-12 03:33 -------- d-----w- c:\program files\NCH Swift Sound

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-25 18:15 . 2009-03-03 17:55 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2010-06-25 18:15 . 2009-02-24 19:07 57752 ----a-w- c:\windows\system32\rpcnet.dll
    2010-06-25 17:54 . 2009-03-03 17:55 17408 ----a-w- c:\windows\system32\rpcnetp.dll
    2010-06-12 07:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-06-12 07:12 . 2009-02-14 10:57 -------- d-----w- c:\programdata\Microsoft Help
    2010-06-11 19:42 . 2009-02-18 20:36 27430 ----a-w- c:\users\Andrew\AppData\Roaming\nvModes.dat
    2010-06-03 20:00 . 2009-02-18 23:09 -------- d-----w- c:\program files\Viewpoint
    2010-06-03 19:58 . 2009-02-14 10:45 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-03 19:55 . 2009-04-25 19:53 -------- d-----w- c:\programdata\eMule
    2010-06-03 19:55 . 2009-03-24 19:47 -------- d-----w- c:\program files\Chameleon
    2010-06-01 02:02 . 2009-02-18 22:40 -------- d-----w- c:\program files\Steam
    2010-05-26 17:06 . 2010-06-11 19:49 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47 . 2010-06-11 19:49 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-14 04:50 . 2010-05-14 04:50 -------- d-----w- c:\program files\AviSynth 2.5
    2010-05-14 04:45 . 2010-05-14 04:45 -------- d-----w- c:\program files\eRightSoft
    2010-05-04 05:59 . 2010-06-11 19:49 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 05:55 . 2010-06-11 19:49 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-05-04 05:55 . 2010-06-11 19:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-05-04 04:31 . 2010-06-11 19:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-05-01 14:13 . 2010-06-11 19:49 2037248 ----a-w- c:\windows\system32\win32k.sys
    2010-04-23 14:13 . 2010-05-26 14:56 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-04-16 16:43 . 2010-06-23 04:48 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-04-16 16:43 . 2010-06-23 04:48 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-04-16 16:43 . 2010-06-23 04:48 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-04-16 16:43 . 2010-06-23 04:48 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-04-13 06:36 . 2009-02-24 19:06 57752 ------w- c:\windows\system32\rpcnet.exe
    2010-04-05 17:01 . 2010-06-11 19:49 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-04-04 20:34 . 2010-01-18 03:07 62074 ----a-w- c:\windows\War3Unin.dat
    2009-02-14 10:48 . 2009-02-14 10:48 74 --sh--r- c:\windows\CT4CET.bin
    2006-05-03 09:06 . 2010-05-14 04:46 163328 --sh--r- c:\windows\System32\flvDX.dll
    2007-02-21 10:47 . 2010-05-14 04:46 31232 --sh--r- c:\windows\System32\msfDX.dll
    2008-03-16 12:30 . 2010-05-14 04:46 216064 --sh--r- c:\windows\System32\nbDX.dll
    2009-02-14 11:06 . 2009-02-14 10:52 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1029416]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-12-03 36864]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-06 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8497696]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-11-06 81920]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-07-18 775952]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-28 115560]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2007-09-12 172032]

    c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):d1,19,d4,bf,31,17,ca,01

    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-06-25 721904]
    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-08-18 23888]
    R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [x]
    R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [x]
    R3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-18 179712]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-28 102448]
    S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2007-08-08 12032]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
    S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2007-09-13 120320]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-25 15:56
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,22,09,c6,4d,f9,30,4b,96,7f,e8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,22,09,c6,4d,f9,30,4b,96,7f,e8,\

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="IE.AssocFile.HTM"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="IE.AssocFile.HTM"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="IE.AssocFile.MHT"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="IE.AssocFile.MHT"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="IE.AssocFile.URL"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(660)
    c:\windows\SYSTEM32\SYSFER.DLL
    .
    Completion time: 2010-06-25 15:59:55
    ComboFix-quarantined-files.txt 2010-06-25 19:59
    ComboFix2.txt 2010-06-25 18:24

    Pre-Run: 314,147,102,720 bytes free
    Post-Run: 313,129,832,448 bytes free

    - - End Of File - - ABA43321B8308615B1A31F5AA0C24D6C
     
    Last edited: 2010/06/25
  17. 2010/06/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is your computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==============================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
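    As an added example for readers of this thread (not part of the original posts, nor code from OTL or ComboFix): once OTL.txt is posted, the first thing an analyst looks for in the "Processes" list is a core Windows binary name running from the wrong directory, or any image living in a hidden system folder such as System Volume Information. The script below applies exactly those two checks to OTL "PRC -" lines and to the bare paths ComboFix prints under "Running Processes". The sample log is constructed here, modelled on the lines posted in this thread; the directory lists, the `Finding` type and the function names are the example's own assumptions, and the whitelist of legitimate directories assumes a 32-bit Vista/7 layout.

```python
"""Triage of process listings from OTL ("PRC -" lines) and ComboFix
("Running Processes" bare paths). Added example for this thread; not part
of OTL, ComboFix or the original posts. SAMPLE_LOG is constructed."""
import re
from typing import List, NamedTuple, Tuple

# Names Windows reserves for core processes. A copy running from anywhere
# else is a masquerade (assumed 32-bit Vista/7 layout as in this thread;
# a 64-bit host would also allow SysWOW64 for svchost.exe and friends).
CORE_BINARIES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "lsm.exe", "svchost.exe", "explorer.exe",
}
LEGIT_CORE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")

# Directories no legitimate process image lives in. Malware likes them
# because they are hidden and ACL-protected from ordinary users.
SUSPICIOUS_DIRS = (
    r"c:\system volume information",
    r"c:\$recycle.bin",
    r"c:\recycler",
)

# OTL "PRC -" layout:
# PRC - [date time | size | attrs | M] (Company) -- C:\path\image.exe
OTL_PRC = re.compile(
    r"^PRC - \[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+?)\s*$"
)
BARE_PATH = re.compile(r"^[a-zA-Z]:\\")


class Finding(NamedTuple):
    path: str
    company: str
    reasons: Tuple[str, ...]


def parse_process_lines(text: str):
    """Yield (path, company) from OTL PRC lines and bare ComboFix paths.
    MOD/SRV/DRV lines and everything else are ignored."""
    for raw in text.splitlines():
        line = raw.strip()
        m = OTL_PRC.match(line)
        if m:
            yield m.group("path"), m.group("company").strip()
        elif BARE_PATH.match(line):
            yield line, ""


def triage(text: str) -> List[Finding]:
    """Return one Finding per process image that looks out of place."""
    findings = []
    for path, company in parse_process_lines(text):
        low = path.lower()
        if low.startswith("\\\\?\\"):      # strip the NT long-path prefix
            low = low[4:]
        parent, _, name = low.rpartition("\\")
        reasons = []
        if name in CORE_BINARIES and parent not in LEGIT_CORE_DIRS:
            reasons.append(f"{name} running outside its Windows directory")
        if any(low.startswith(d) for d in SUSPICIOUS_DIRS):
            reasons.append("image lives in a hidden system directory")
        if reasons:
            findings.append(Finding(path, company, tuple(reasons)))
    return findings


# Constructed sample, modelled on OTL and ComboFix output in this thread.
SAMPLE_LOG = r"""
PRC - [2010/06/25 18:09:05 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
PRC - [2010/06/25 18:05:26 | 000,031,372 | ---- | M] (Black Internet) -- C:\System Volume Information\Microsoft\smss.exe
PRC - [2010/06/25 18:05:16 | 000,025,318 | ---- | M] (Black Internet) -- C:\System Volume Information\Microsoft\services.exe
PRC - [2009/04/11 02:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
c:\windows\system32\services.exe
c:\program files\Internet Explorer\iexplore.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}  [{f.company or 'no company'}]")
        for r in f.reasons:
            print(f"    - {r}")
```

    Run against the sample, only the two "Black Internet" images are reported, each for both reasons; the real services.exe in System32, explorer.exe in C:\Windows and the `\\?\`-prefixed WMIADAP.EXE pass. The catchme scan in the ComboFix log above reported no hidden files, which is why a listing-based check like this one is still worth doing: the binaries were not hidden, just parked where a normal directory walk does not look.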
     
  18. 2010/06/25
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    Update


    Do you want me to proceed? When I first ran the script for ComboFix, iexplore.exe was gone. After reboot iexplore.exe returned.
     
  19. 2010/06/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go ahead with OTL
     
  20. 2010/06/25
    juturna

    juturna Inactive Thread Starter

    Joined:
    2010/06/21
    Messages:
    38
    Likes Received:
    0
    OTL logfile created on: 6/25/2010 6:10:20 PM - Run 1
    OTL by OldTimer - Version 3.2.7.0 Folder = C:\Users\Andrew\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18928)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 58.00% Memory free
    6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 583.59 Gb Total Space | 294.59 Gb Free Space | 50.48% Space Free | Partition Type: NTFS
    Drive D: | 10.00 Gb Total Space | 3.73 Gb Free Space | 37.35% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ANDREW-PC
    Current User Name: Andrew
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/06/25 18:09:05 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    PRC - [2010/06/25 18:05:26 | 000,031,372 | ---- | M] (Black Internet) -- C:\System Volume Information\Microsoft\smss.exe
    PRC - [2010/06/25 18:05:16 | 000,025,318 | ---- | M] (Black Internet) -- C:\System Volume Information\Microsoft\services.exe
    PRC - [2010/04/13 02:36:46 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
    PRC - [2010/01/28 10:45:05 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    PRC - [2010/01/28 10:45:03 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PRC - [2010/01/28 10:44:52 | 001,864,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    PRC - [2010/01/28 10:44:52 | 001,455,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    PRC - [2010/01/28 10:44:50 | 000,341,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    PRC - [2010/01/28 10:44:49 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    PRC - [2009/04/11 02:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
    PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/04/11 02:27:20 | 000,088,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe
    PRC - [2008/09/24 00:09:52 | 001,295,656 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
    PRC - [2008/09/24 00:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
    PRC - [2008/07/20 19:45:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008/07/20 19:45:06 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2008/02/22 19:01:38 | 001,193,240 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
    PRC - [2008/02/22 18:54:34 | 000,390,424 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    PRC - [2008/01/01 23:44:38 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    PRC - [2008/01/01 23:44:32 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
    PRC - [2008/01/01 23:44:26 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
    PRC - [2007/12/21 12:58:06 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
    PRC - [2007/12/03 01:58:54 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
    PRC - [2007/10/15 16:59:14 | 000,143,360 | ---- | M] () -- C:\Program Files\Razer\Lachesis\razertra.exe
    PRC - [2007/09/12 12:52:18 | 000,172,032 | ---- | M] () -- C:\Program Files\Razer\Lachesis\razerhid.exe
    PRC - [2007/08/16 18:05:16 | 000,274,432 | ---- | M] (razercfg MFC Application) -- C:\Program Files\Razer\Lachesis\OSD.exe
    PRC - [2007/07/25 18:41:42 | 000,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    PRC - [2007/07/25 18:22:44 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    PRC - [2007/07/18 09:26:42 | 000,775,952 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
    PRC - [2007/07/18 09:26:26 | 000,374,032 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    PRC - [2007/07/18 09:26:24 | 000,203,024 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    PRC - [2007/06/05 11:37:12 | 000,163,840 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\Lachesis\razerofa.exe
    PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/06/25 18:09:05 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    MOD - [2010/01/28 10:45:09 | 000,357,704 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\sysfer.dll
    MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
    MOD - [2008/02/22 18:55:54 | 000,103,704 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
    MOD - [2008/01/20 22:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (Smcinst)
    SRV - File not found [On_Demand | Stopped] -- -- (LiveTurbineNetworkService)
    SRV - File not found [On_Demand | Stopped] -- -- (LiveTurbineMessageService)
    SRV - [2010/04/13 02:36:46 | 000,057,752 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\Windows\System32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
    SRV - [2010/01/28 10:45:05 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
    SRV - [2010/01/28 10:45:05 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
    SRV - [2010/01/28 10:44:52 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
    SRV - [2010/01/28 10:44:50 | 000,341,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
    SRV - [2010/01/28 10:44:49 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2009/12/12 21:41:31 | 000,321,320 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
    SRV - [2009/07/13 13:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2008/09/24 00:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
    SRV - [2008/07/20 19:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
    SRV - [2008/02/22 18:54:34 | 000,390,424 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (nicconfigsvc)
    SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2008/01/01 23:44:32 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
    SRV - [2008/01/01 23:44:26 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
    SRV - [2007/07/25 18:41:42 | 000,647,168 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2007/07/25 18:22:44 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel(R)
    SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/05/10 19:41:24 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100510.025\NAVEX15.SYS -- (NAVEX15)
    DRV - [2010/05/10 19:41:24 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100510.025\NAVENG.SYS -- (NAVENG)
    DRV - [2010/04/29 13:15:55 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2010/02/17 14:20:20 | 000,162,048 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wpshelper.sys -- (WpsHelper)
    DRV - [2010/01/28 10:49:16 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2010/01/28 10:45:10 | 000,042,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\WPSDRVnt.sys -- (WPS)
    DRV - [2010/01/28 10:45:08 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
    DRV - [2010/01/28 10:45:08 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
    DRV - [2010/01/28 10:45:07 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
    DRV - [2010/01/28 10:44:54 | 000,092,488 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant)
    DRV - [2010/01/28 10:44:54 | 000,050,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Teefer2.sys -- (Teefer2)
    DRV - [2010/01/28 10:44:43 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2010/01/28 10:44:43 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2010/01/28 10:44:41 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    DRV - [2009/08/28 16:18:14 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2009/08/18 12:58:28 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\COH_Mon.sys -- (COH_Mon)
    DRV - [2009/06/25 04:26:56 | 000,721,904 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
    DRV - [2008/10/27 06:26:54 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
    DRV - [2008/10/27 06:18:08 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
    DRV - [2008/10/27 06:18:04 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
    DRV - [2008/10/27 06:17:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
    DRV - [2008/03/27 09:27:32 | 000,193,456 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
    DRV - [2008/01/20 22:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
    DRV - [2008/01/20 22:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
    DRV - [2008/01/20 22:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
    DRV - [2008/01/20 22:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
    DRV - [2008/01/20 22:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
    DRV - [2008/01/20 22:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
    DRV - [2008/01/20 22:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
    DRV - [2008/01/20 22:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2008/01/20 22:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
    DRV - [2008/01/20 22:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
    DRV - [2008/01/20 22:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
    DRV - [2008/01/20 22:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
    DRV - [2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
    DRV - [2008/01/20 22:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
    DRV - [2008/01/20 22:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
    DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
    DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
    DRV - [2008/01/20 22:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
    DRV - [2008/01/20 22:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
    DRV - [2008/01/20 22:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
    DRV - [2008/01/20 22:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
    DRV - [2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
    DRV - [2008/01/20 22:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
    DRV - [2008/01/20 22:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
    DRV - [2008/01/20 22:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
    DRV - [2008/01/20 22:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
    DRV - [2008/01/14 06:06:32 | 000,021,632 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ManyCam.sys -- (ManyCam)
    DRV - [2008/01/01 23:44:40 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2007/12/03 01:59:06 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
    DRV - [2007/12/03 01:58:50 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
    DRV - [2007/11/06 05:38:10 | 007,619,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2007/09/13 07:43:00 | 000,120,320 | ---- | M] (AGEIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\physX32.sys -- (physX32)
    DRV - [2007/08/13 05:44:26 | 002,226,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
    DRV - [2007/08/08 12:04:16 | 000,012,032 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Lachesis.sys -- (LachesisFltr)
    DRV - [2007/07/18 09:30:28 | 000,179,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
    DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
    DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
    DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
    DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
    DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
    DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
    DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
    DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
    DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
    DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
    DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
    DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
    DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
    DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
    DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
    DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
    DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
    DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
    DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
    DRV - [2006/07/24 16:05:00 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2005/08/17 07:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
    DRV - [2005/08/17 07:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
    DRV - [2005/08/17 07:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Yahoo "
    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "http://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official "
    FF - prefs.js..extensions.enabledItems: artur.dubovoy@gmail.com:1.9.96
    FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.72
    FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q= "

    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/20 02:01:25 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/03 16:00:23 | 000,000,000 | ---D | M]

    [2009/02/18 17:28:46 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions
    [2010/06/25 16:46:09 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions
    [2010/01/06 02:05:35 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
    [2010/01/06 02:05:35 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
    [2010/01/06 02:05:35 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2010/01/07 02:54:23 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\gqziblmo.default\extensions\artur.dubovoy@gmail.com
    [2010/06/23 02:16:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/01/13 18:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

    O1 HOSTS File: ([2010/06/25 15:56:16 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll File not found
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll File not found
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe ()
    O4 - HKLM..\Run: [Launch LCDMon] C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe (Logitech Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
    O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident\4.0; File not found
    O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 22:34:27 | 000,000,000 | ---D | M]
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: midi - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: midimapper - C:\Windows\System32\midimap.dll (Microsoft Corporation)
    Drivers32: mixer - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: msacm.imaadpcm - C:\Windows\System32\imaadp32.acm (Microsoft Corporation)
    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.msadpcm - C:\Windows\System32\msadp32.acm (Microsoft Corporation)
    Drivers32: msacm.msg711 - C:\Windows\System32\msg711.acm (Microsoft Corporation)
    Drivers32: msacm.msgsm610 - C:\Windows\System32\msgsm32.acm (Microsoft Corporation)
    Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.i420 - C:\Windows\System32\i420vfw.dll (www.helixcommunity.org)
    Drivers32: VIDC.IYUV - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
    Drivers32: vidc.mrle - C:\Windows\System32\msrle32.dll (Microsoft Corporation)
    Drivers32: vidc.msvc - C:\Windows\System32\msvidc32.dll (Microsoft Corporation)
    Drivers32: VIDC.UYVY - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: VIDC.YUY2 - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: vidc.yv12 - C:\Windows\System32\yv12vfw.dll (www.helixcommunity.org)
    Drivers32: VIDC.YVU9 - C:\Windows\System32\tsbyuv.dll (Microsoft Corporation)
    Drivers32: VIDC.YVYU - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: wave - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: wavemapper - C:\Windows\System32\msacm32.drv (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/06/25 18:08:58 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2010/06/25 18:03:25 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2010/06/25 18:02:35 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2010/06/25 16:29:54 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2010/06/25 16:00:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/06/25 15:59:58 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\temp
    [2010/06/25 15:55:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2010/06/25 13:54:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2010/06/24 22:33:48 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Malwarebytes
    [2010/06/24 22:33:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/06/24 22:33:35 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/06/24 22:33:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/06/24 22:33:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/06/24 03:29:39 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\IU Pinkygirl 2
    [2010/06/24 03:29:08 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\IU Pinkygirl 1
    [2010/06/22 23:41:54 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
    [2010/06/18 12:02:24 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\music
    [2010/06/16 03:46:27 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\pix
    [2010/06/15 05:45:51 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\skypePM
    [2010/06/15 05:44:19 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Skype
    [2010/06/15 05:43:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2010/06/15 05:43:06 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
    [2010/06/15 05:42:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
    [2010/06/13 02:01:32 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Family Outing S2
    [2010/06/12 08:28:03 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\SNSD Clips
    [2010/06/12 03:04:38 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Short SNSD Clips
    [2010/06/11 23:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Software
    [2010/06/11 23:33:47 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\NCH Swift Sound
    [2010/06/11 23:33:47 | 000,000,000 | ---D | C] -- C:\ProgramData\NCH Swift Sound
    [2010/06/11 23:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Swift Sound
    [2010/06/06 02:22:32 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\to do
    [2010/06/02 19:28:32 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Family Outing S1
    [2010/05/15 03:32:17 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Personal Taste
    [2010/05/15 00:15:47 | 000,000,000 | R--D | C] -- C:\Users\Andrew\Desktop\idol
    [2010/05/14 22:41:48 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\Desktop
    [2010/05/14 00:50:29 | 000,719,872 | ---- | C] (Abysmal Software) -- C:\Windows\System32\devil.dll
    [2010/05/14 00:50:29 | 000,369,152 | ---- | C] (The Public) -- C:\Windows\System32\avisynth.dll
    [2010/05/14 00:50:29 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\Windows\System32\yv12vfw.dll
    [2010/05/14 00:50:29 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\Windows\System32\i420vfw.dll
    [2010/05/14 00:50:28 | 000,000,000 | ---D | C] -- C:\Program Files\AviSynth 2.5
    [2010/05/14 00:46:05 | 000,186,880 | RHS- | C] (RadLight) -- C:\Windows\System32\RLOgg.ax
    [2010/05/14 00:46:05 | 000,161,792 | RHS- | C] (Gabest) -- C:\Windows\System32\RealMediaDX.ax
    [2010/05/14 00:46:05 | 000,092,672 | RHS- | C] (RadLight) -- C:\Windows\System32\RLVorbisDec.ax
    [2010/05/14 00:46:05 | 000,090,112 | RHS- | C] (-) -- C:\Windows\System32\TTADSSplitter.ax
    [2010/05/14 00:46:05 | 000,090,112 | RHS- | C] (-) -- C:\Windows\System32\TTADSDecoder.ax
    [2010/05/14 00:46:05 | 000,067,584 | RHS- | C] (RadLight, LLC) -- C:\Windows\System32\RLTheoraDec.ax
    [2010/05/14 00:46:04 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\Windows\System32\pncrt.dll
    [2010/05/14 00:46:04 | 000,216,064 | RHS- | C] (MONOGRAM Multimedia, s.r.o.) -- C:\Windows\System32\nbDX.dll
    [2010/05/14 00:46:04 | 000,179,200 | RHS- | C] (Gabest) -- C:\Windows\System32\DiracSplitter.ax
    [2010/05/14 00:46:04 | 000,169,472 | RHS- | C] (Gabest) -- C:\Windows\System32\MatroskaDX.ax
    [2010/05/14 00:46:04 | 000,163,328 | RHS- | C] (Gabest) -- C:\Windows\System32\flvDX.dll
    [2010/05/14 00:46:04 | 000,031,232 | RHS- | C] (Hans Mayerl) -- C:\Windows\System32\msfDX.dll
    [2010/05/14 00:46:03 | 000,123,904 | RHS- | C] (CoreCodec) -- C:\Windows\System32\AVCDX.ax
    [2010/05/14 00:45:32 | 000,000,000 | ---D | C] -- C:\Program Files\eRightSoft
    [2010/05/02 01:42:41 | 000,000,000 | R--D | C] -- C:\Users\Andrew\Desktop\Manga
    [2010/04/28 11:27:32 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\Microsoft Help
    [2010/04/20 01:44:54 | 000,000,000 | ---D | C] -- C:\Program Files\Aixcoustic
    [2010/04/18 00:16:08 | 000,000,000 | R--D | C] -- C:\Users\Andrew\Desktop\Korean
    [2010/04/11 03:10:18 | 000,000,000 | ---D | C] -- C:\Program Files\StreamTransport
     
  21. 2010/06/25
    juturna

    ========== Files - Modified Within 90 Days ==========

    [2010/06/25 18:12:57 | 000,704,434 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
    [2010/06/25 18:12:57 | 000,604,452 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/06/25 18:12:57 | 000,105,376 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/06/25 18:10:19 | 006,553,600 | -HS- | M] () -- C:\Users\Andrew\ntuser.dat
    [2010/06/25 18:09:05 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2010/06/25 18:08:04 | 000,027,430 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\nvModes.001
    [2010/06/25 18:06:08 | 000,524,288 | -HS- | M] () -- C:\Users\Andrew\ntuser.dat{b1eab854-cfb1-11de-8a70-0023ae12b7e1}.TMContainer00000000000000000001.regtrans-ms
    [2010/06/25 18:06:08 | 000,065,536 | -HS- | M] () -- C:\Users\Andrew\ntuser.dat{b1eab854-cfb1-11de-8a70-0023ae12b7e1}.TM.blf
    [2010/06/25 18:05:58 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
    [2010/06/25 18:05:56 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll
    [2010/06/25 18:05:47 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/06/25 18:05:47 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/06/25 18:05:45 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/06/25 18:05:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/06/25 18:04:27 | 003,629,940 | -H-- | M] () -- C:\Users\Andrew\AppData\Local\IconCache.db
    [2010/06/25 17:14:31 | 000,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2010/06/25 16:57:02 | 000,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
    [2010/06/25 16:56:39 | 000,002,377 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
    [2010/06/25 15:56:30 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
    [2010/06/25 15:56:16 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2010/06/25 13:54:39 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
    [2010/06/25 04:16:46 | 000,121,856 | ---- | M] () -- C:\Users\Andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/06/25 00:09:28 | 413,990,263 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2010/06/25 00:01:53 | 000,270,576 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2010/06/24 23:02:36 | 000,293,376 | ---- | M] () -- C:\Users\Andrew\Desktop\2xq6cx38.exe
    [2010/06/24 22:33:40 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/06/24 17:57:33 | 000,000,179 | ---- | M] () -- C:\Users\Andrew\Desktop\iexplore.exe problem!.url
    [2010/06/22 23:54:37 | 000,525,824 | ---- | M] () -- C:\Users\Andrew\Desktop\dds.scr
    [2010/06/18 12:06:43 | 000,000,192 | ---- | M] () -- C:\Users\Andrew\Desktop\ssfsubs3.url
    [2010/06/17 21:12:01 | 000,007,009 | -HS- | M] () -- C:\Users\Andrew\Desktop\Folder.jpg
    [2010/06/17 21:12:01 | 000,001,977 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArtSmall.jpg
    [2010/06/11 23:59:06 | 000,000,000 | ---- | M] () -- C:\ProgramData\LauncherAccess.dt
    [2010/06/11 15:42:44 | 000,027,430 | ---- | M] () -- C:\Users\Andrew\AppData\Roaming\nvModes.dat
    [2010/06/11 01:12:31 | 000,008,928 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{F9CC6C58-8349-4BF5-8CD3-9D292E52E007}_Large.jpg
    [2010/06/11 01:12:31 | 000,002,232 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{F9CC6C58-8349-4BF5-8CD3-9D292E52E007}_Small.jpg
    [2010/06/03 15:42:11 | 000,000,154 | ---- | M] () -- C:\Users\Andrew\Desktop\index12.url
    [2010/05/31 23:24:58 | 000,009,144 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{6FCB81A9-B5ED-46F3-83C8-7BBA4C97BDCA}_Large.jpg
    [2010/05/31 23:24:58 | 000,002,605 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{6FCB81A9-B5ED-46F3-83C8-7BBA4C97BDCA}_Small.jpg
    [2010/05/09 20:57:28 | 000,532,092 | ---- | M] () -- C:\Users\Andrew\Documents\youth ministries.pptx
    [2010/05/09 17:32:42 | 000,027,648 | ---- | M] () -- C:\Users\Andrew\Documents\my interview.doc
    [2010/05/03 00:12:55 | 000,006,136 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{B73FCE55-2A61-4CED-85DB-C2EF3A859D00}_Large.jpg
    [2010/05/03 00:12:55 | 000,001,816 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{B73FCE55-2A61-4CED-85DB-C2EF3A859D00}_Small.jpg
    [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/04/25 03:10:38 | 000,010,283 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{E0A12966-9EB0-42C4-BC33-A794A40C1170}_Large.jpg
    [2010/04/25 03:10:38 | 000,002,666 | -HS- | M] () -- C:\Users\Andrew\Desktop\AlbumArt_{E0A12966-9EB0-42C4-BC33-A794A40C1170}_Small.jpg
    [2010/04/16 10:25:52 | 000,033,792 | ---- | M] () -- C:\Users\Andrew\Documents\essay3.doc
    [2010/04/13 02:36:46 | 000,057,752 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
    [2010/04/06 02:26:54 | 000,027,136 | ---- | M] () -- C:\Users\Andrew\Documents\assignment 3 proposal.doc
    [2010/04/04 16:34:22 | 000,062,074 | ---- | M] () -- C:\Windows\War3Unin.dat
    [2010/03/29 01:03:16 | 000,019,065 | ---- | M] () -- C:\Users\Andrew\Documents\midterm.docx

    ========== Files Created - No Company Name ==========

    [2010/06/25 16:57:02 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
    [2010/06/24 23:02:35 | 000,293,376 | ---- | C] () -- C:\Users\Andrew\Desktop\2xq6cx38.exe
    [2010/06/24 22:33:40 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/06/24 17:57:33 | 000,000,179 | ---- | C] () -- C:\Users\Andrew\Desktop\iexplore.exe problem!.url
    [2010/06/22 23:54:34 | 000,525,824 | ---- | C] () -- C:\Users\Andrew\Desktop\dds.scr
    [2010/06/15 05:43:07 | 000,002,377 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
    [2010/06/11 01:12:31 | 000,008,928 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{F9CC6C58-8349-4BF5-8CD3-9D292E52E007}_Large.jpg
    [2010/06/11 01:12:31 | 000,002,232 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{F9CC6C58-8349-4BF5-8CD3-9D292E52E007}_Small.jpg
    [2010/06/07 02:19:46 | 000,000,192 | ---- | C] () -- C:\Users\Andrew\Desktop\ssfsubs3.url
    [2010/06/03 15:42:11 | 000,000,154 | ---- | C] () -- C:\Users\Andrew\Desktop\index12.url
    [2010/05/31 23:24:58 | 000,009,144 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{6FCB81A9-B5ED-46F3-83C8-7BBA4C97BDCA}_Large.jpg
    [2010/05/31 23:24:58 | 000,002,605 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{6FCB81A9-B5ED-46F3-83C8-7BBA4C97BDCA}_Small.jpg
    [2010/05/14 00:50:29 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll
    [2010/05/14 00:46:05 | 000,107,520 | RHS- | C] () -- C:\Windows\System32\RLMPCDec.ax
    [2010/05/14 00:46:05 | 000,070,656 | RHS- | C] () -- C:\Windows\System32\RLAPEDec.ax
    [2010/05/14 00:46:05 | 000,051,712 | RHS- | C] () -- C:\Windows\System32\RLSpeexDec.ax
    [2010/05/14 00:46:04 | 000,175,104 | RHS- | C] () -- C:\Windows\System32\CoreAAC.ax
    [2010/05/14 00:46:04 | 000,120,832 | RHS- | C] () -- C:\Windows\System32\MPCDx.ax
    [2010/05/14 00:46:04 | 000,097,280 | RHS- | C] () -- C:\Windows\System32\FLACDX.ax
    [2010/05/14 00:46:03 | 000,227,328 | RHS- | C] () -- C:\Windows\System32\ac3DX.ax
    [2010/05/14 00:46:03 | 000,081,920 | RHS- | C] () -- C:\Windows\System32\aac_parser.ax
    [2010/05/09 17:32:53 | 000,532,092 | ---- | C] () -- C:\Users\Andrew\Documents\youth ministries.pptx
    [2010/05/09 17:32:41 | 000,027,648 | ---- | C] () -- C:\Users\Andrew\Documents\my interview.doc
    [2010/05/03 00:12:55 | 000,006,136 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{B73FCE55-2A61-4CED-85DB-C2EF3A859D00}_Large.jpg
    [2010/05/03 00:12:55 | 000,001,816 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{B73FCE55-2A61-4CED-85DB-C2EF3A859D00}_Small.jpg
    [2010/04/25 03:10:38 | 000,010,283 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{E0A12966-9EB0-42C4-BC33-A794A40C1170}_Large.jpg
    [2010/04/25 03:10:38 | 000,002,666 | -HS- | C] () -- C:\Users\Andrew\Desktop\AlbumArt_{E0A12966-9EB0-42C4-BC33-A794A40C1170}_Small.jpg
    [2010/04/08 02:10:53 | 000,033,792 | ---- | C] () -- C:\Users\Andrew\Documents\essay3.doc
    [2010/04/06 02:26:54 | 000,027,136 | ---- | C] () -- C:\Users\Andrew\Documents\assignment 3 proposal.doc
    [2010/03/29 01:03:16 | 000,019,065 | ---- | C] () -- C:\Users\Andrew\Documents\midterm.docx
    [2009/08/07 02:40:39 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
    [2009/08/04 15:03:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/06/29 02:13:28 | 000,000,000 | ---- | C] () -- C:\Windows\ACTIVEJP.INI
    [2009/03/03 13:55:58 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
    [2009/02/14 08:05:50 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
    [2007/07/25 18:40:02 | 000,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
    [2007/04/20 09:57:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
    [2007/04/20 09:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
    [2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 06:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

    ========== LOP Check ==========

    [2009/02/24 15:01:36 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Absolute
    [2009/02/18 19:10:38 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\acccore
    [2010/01/05 03:43:49 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\ManyCam
    [2010/06/11 23:33:47 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\NCH Swift Sound
    [2009/10/09 01:43:07 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\ooVoo Details
    [2009/03/20 21:10:00 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\PeerNetworking
    [2009/05/20 01:21:43 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\RenPy
    [2009/08/07 02:58:38 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Samsung
    [2009/10/09 01:46:34 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\tmp
    [2010/06/25 18:04:29 | 000,032,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/04/11 02:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2010/06/10 12:09:28 | 000,000,074 | ---- | M] () -- C:\CMLoader.log
    [2010/06/25 15:59:56 | 000,014,304 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2009/02/14 08:07:01 | 000,005,437 | RH-- | M] () -- C:\dell.sdr
    [2009/02/18 19:09:46 | 000,000,367 | -H-- | M] () -- C:\IPH.PH
    [2010/06/25 18:05:16 | 3532,804,096 | -HS- | M] () -- C:\pagefile.sys
    [2009/12/29 11:02:33 | 000,000,000 | ---- | M] () -- C:\t1h0.2

    < %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
    [2007/10/20 18:21:50 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpzpp5mu.dll
    [2006/11/02 08:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
    [2006/10/26 21:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2010/01/28 10:45:09 | 000,087,368 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\Windows\System32\FwsVpn.dll
    [2009/03/08 07:22:37 | 000,156,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\msls31.dll
    [2009/04/11 02:28:23 | 000,286,720 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rasapi32.dll
    [2008/01/20 22:24:11 | 000,071,168 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rasman.dll
    [2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
    [2009/04/11 02:28:24 | 000,036,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rtutils.dll
    [2006/11/02 05:46:12 | 000,008,704 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SensApi.dll
    [2009/04/11 02:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
    [2008/01/20 22:24:13 | 000,376,832 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\sxs.dll
    [2010/01/28 10:45:09 | 000,107,848 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\Windows\System32\SymVPN.dll
    [2010/01/28 10:45:09 | 000,357,704 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\Windows\System32\sysfer.dll
    [2006/11/02 05:46:13 | 000,191,488 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\tapi32.dll

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2008/01/20 23:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/20 23:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/20 23:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %systemroot%\system32\user32.dll /md5 >
    [2009/04/11 02:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll

    < %systemroot%\system32\ws2_32.dll /md5 >
    [2008/01/20 22:24:48 | 000,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\ws2_32.dll

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5D432CE3
    < End of report >
     
