
Active Virus Warnings In Windows Security Trojans, Worms, Hijack

Discussion in 'Malware and Virus Removal Archive' started by Gideon, 2010/04/15.

  1. 2010/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm glad to hear good news :)
    Take your time :)
     
  2. 2010/05/20
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    OK, small issue here. The scan took 5 hrs to complete, and when it completed I made a mistake in saving it. The scan report was saved as an .html file because I didn't read the directions right, and when I tried to correct it I started another scan by accident and could not access the previous report. I thought I would give copying the text to Notepad a try, but I don't know if this will help you or if I will need to do it again :(. Sorry about this. I will check back to see if you need another scan.

    Here is the scan I copied.

    Thursday, May 20, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, May 19, 2010 23:30:03
    Records in database: 4139978
    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes
    Scan area My Computer
    A:\
    C:\
    D:\
    E:\
    K:\
    L:\
    V:\
    W:\
    X:\
    Y:\
    Z:\
    Scan statistics
    Objects scanned 156293
    Threats found 5
    Infected objects found 8
    Suspicious objects found 0
    Scan duration 05:14:38

    File name Threat Threats count
    C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan-Downloader.Win32.Small.aply 1
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B4000E.VBN Infected: Packed.Win32.PolyCrypt.b 1
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07880000.VBN Infected: Trojan-Downloader.Win32.Agent.nhf 1
    C:\Documents and Settings\Gideon\Desktop\Bullet Proof FTP Server SETUP.exe Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 1
    C:\Program Files\Bullet Proof FTP Server\bpftpserver.exe Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP653\A0156304.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP664\A0157438.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
    C:\WINDOWS\system32\winlogon.exe Infected: Trojan-Downloader.Win32.Small.aply 1
    Selected area has been scanned.



    Here is the HijackThis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 08:10, on 2010-05-20
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Application Updater\ApplicationUpdater.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
    C:\Program Files\Saitek\Software\ProfilerU.exe
    C:\Program Files\Saitek\Software\SaiMfd.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\QuickTime\QuickTimePlayer.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2eaf5bb1-070f-11d3-9307-00c04fae2d4f} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2eaf5bb2-070f-11d3-9307-00c04fae2d4f} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2eaf5bb2-070f-11d3-9307-00c04fae2d4f} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: M-Audio Series II MIDI Installer (ma_cmidi_installerservice) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

    --
    End of file - 10449 bytes
     


  4. 2010/05/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're fine; however, we have an issue with the winlogon.exe file, which I noticed before, but it slipped my mind.

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
          
    :Reg
    
    :Files
    c:\windows\system32\winlogon.exe|c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe /replace
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Besides the above log...

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.
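    As an added illustration (not from this thread, and not code from Kaspersky, OTM or BitDefender), the Python script below applies the triage behind the "you're fine, except winlogon.exe" verdict to report lines in the format of the Kaspersky scan quoted above: detections sitting in an AV quarantine folder or a System Restore point are already contained, "not-a-virus:" classifications are riskware to review rather than infections, and a real detection on a core file under system32 is the one that needs action. The sample lines are constructed from the report above; the bucket names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One Kaspersky report line: "<path> Infected: <threat> <count>"; paths may
# contain spaces, so match non-greedily up to the " Infected: " separator.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Constructed sample in the shape of the report pasted in the thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan-Downloader.Win32.Small.aply 1
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04B4000E.VBN Infected: Packed.Win32.PolyCrypt.b 1
C:\Documents and Settings\Gideon\Desktop\Bullet Proof FTP Server SETUP.exe Infected: not-a-virus:Server-FTP.Win32.BulletProof.231 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP653\A0156304.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
C:\WINDOWS\system32\winlogon.exe Infected: Trojan-Downloader.Win32.Small.aply 1
"""


@dataclass
class Detection:
    path: str     # innermost file path; "outer/inner" container notation collapsed
    threat: str   # scanner verdict string as printed
    count: int
    verdict: str  # critical / active / riskware / inert (bucket names are mine)


def innermost_path(raw: str) -> str:
    # The scanner prints a container and its member as "outer/inner". Windows
    # paths never contain '/', so the last '/'-separated segment is the member.
    return raw.rsplit("/", 1)[-1]


def classify(path: str, threat: str) -> str:
    p = path.lower()
    if "\\quarantine\\" in p or p.startswith("c:\\system volume information\\"):
        return "inert"      # already contained by an AV quarantine or a restore point
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"   # legitimate tool / adware class: review, not an infection
    if "\\windows\\system32\\" in p:
        return "critical"   # real detection on a core OS binary: act on this first
    return "active"


def parse_report(text: str) -> list[Detection]:
    seen: set[str] = set()
    out: list[Detection] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, statistics and blank lines carry no detection
        path = innermost_path(m["path"])
        key = path.lower()
        if key in seen:
            continue  # same file reported twice (once as container, once directly)
        seen.add(key)
        out.append(Detection(path, m["threat"], int(m["count"]), classify(path, m["threat"])))
    return out


def triage(text: str) -> dict[str, list[str]]:
    buckets: dict[str, list[str]] = {"critical": [], "active": [], "riskware": [], "inert": []}
    for d in parse_report(text):
        buckets[d.verdict].append(d.path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(bucket, paths)
```

Eight "infected objects" in the original report collapse to a single item in the critical bucket, which is the winlogon.exe replacement the instructions above deal with.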
     
  5. 2010/05/25
    Gideon

    Gideon Inactive Thread Starter

    Joined:
    2006/08/23
    Messages:
    175
    Likes Received:
    0
    OK, when I ran OTM, as soon as I selected move it my computer rebooted, and on restart the first thing I saw was a log.

    This is the OTM log that presented itself upon restart.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    Unable to replace file: c:\windows\system32\winlogon.exe with c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe without a reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator.TELETRAN-A40479
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users.WINDOWS

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Gideon
    ->Temp folder emptied: 224194286 bytes
    ->Temporary Internet Files folder emptied: 15819007 bytes
    ->Java cache emptied: 128094 bytes
    ->FireFox cache emptied: 86074537 bytes
    ->Google Chrome cache emptied: 70139692 bytes
    ->Flash cache emptied: 50037 bytes

    User: HP_Administrator

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 75470 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: PAT
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 87960 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 6328315238 bytes

    Total Files Cleaned = 6,413.00 mb


    OTM by OldTimer - Version 3.1.12.0 log created on 05252010_094044

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    Here is the BitDefender log

    QuickScan Beta 32-bit v0.9.9.22
    -------------------------------
    Scan date: Tue May 25 11:23:47 2010
    Machine ID: 7425B19B



    Found 1 infected file!
    ----------------------

    C:\WINDOWS\system32\winlogon.exe --> Backdoor.Generic.352522
    --> Process winlogon.exe (872)



    Processes
    ---------
    <unsigned> ActiveArmor Firewall 1540 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    <unsigned> Apache HTTP Server 720 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    <unsigned> Apache HTTP Server 1716 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    <unsigned> app_filter Module 2244 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    <unsigned> Application Updater 540 C:\Program Files\Application Updater\ApplicationUpdater.exe
    <unsigned> Bonjour 564 C:\Program Files\Bonjour\mDNSResponder.exe
    <unsigned> Configuration Software 2632 C:\Program Files\Saitek\Software\ProfilerU.exe
    <unsigned> Configuration Software 2556 C:\Program Files\Saitek\Software\SaiMfd.exe
    <unsigned> MA_CMIDI USB MIDI Installer Service 1312 C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    <unsigned> Microsoft® Windows® Operating System 932 C:\WINDOWS\system32\lsass.exe
    <unsigned> Microsoft® Windows® Operating System 1400 C:\WINDOWS\System32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 492 C:\WINDOWS\system32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 2072 C:\WINDOWS\system32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 1748 C:\WINDOWS\system32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 1600 C:\WINDOWS\system32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 1168 C:\WINDOWS\system32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 1216 C:\WINDOWS\system32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 1448 C:\WINDOWS\system32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 3488 C:\WINDOWS\System32\svchost.exe
    <unsigned> Microsoft® Windows® Operating System 872 C:\WINDOWS\system32\winlogon.exe
    <unsigned> Network Access Manager 1616 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    <unsigned> OTM 3940 C:\Documents and Settings\Gideon\Desktop\OTM.exe
    <unsigned> PSIService 620 C:\WINDOWS\system32\PSIService.exe

    <verified> Firefox 812 C:\Program Files\Mozilla Firefox\firefox.exe
    <verified> Google Chrome 428 C:\Program Files\Google\Chrome\Application\chrome.exe
    <verified> Google Chrome 3088 C:\Program Files\Google\Chrome\Application\chrome.exe
    <verified> Google Chrome 2384 C:\Program Files\Google\Chrome\Application\chrome.exe
    <verified> Google Chrome 3552 C:\Program Files\Google\Chrome\Application\chrome.exe
    <verified> Google Chrome 3820 C:\Program Files\Google\Chrome\Application\chrome.exe
    <verified> Java(TM) Platform SE 6 U20 824 C:\Program Files\Java\jre6\bin\jqs.exe
    <verified> Java(TM) Platform SE Auto Updater 2 0 2976 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    <verified> Logitech SetPoint 112 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    <verified> Logitech SetPoint 4024 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    <verified> Microsoft ActiveSync 228 C:\Program Files\Microsoft ActiveSync\rapimgr.exe
    <verified> Microsoft ActiveSync 692 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    <verified> Microsoft Malware Protection 1364 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    <verified> Microsoft Security Essentials 2996 C:\Program Files\Microsoft Security Essentials\msseces.exe
    <verified> Microsoft® Windows® Operating System 408 C:\WINDOWS\Explorer.EXE
    <verified> Microsoft® Windows® Operating System 2868 C:\WINDOWS\System32\alg.exe
    <verified> Microsoft® Windows® Operating System 848 C:\WINDOWS\system32\csrss.exe
    <verified> Microsoft® Windows® Operating System 2524 C:\WINDOWS\system32\ctfmon.exe
    <verified> Microsoft® Windows® Operating System 452 C:\WINDOWS\system32\RUNDLL32.EXE
    <verified> Microsoft® Windows® Operating System 1112 C:\WINDOWS\system32\rundll32.exe
    <verified> Microsoft® Windows® Operating System 920 C:\WINDOWS\system32\services.exe
    <verified> Microsoft® Windows® Operating System 788 C:\WINDOWS\System32\smss.exe
    <verified> Microsoft® Windows® Operating System 1972 C:\WINDOWS\system32\spoolsv.exe
    <verified> Microsoft® Windows® Operating System 3200 C:\WINDOWS\system32\wbem\wmiprvse.exe
    <verified> Microsoft® Windows® Operating System 3108 C:\WINDOWS\system32\wscntfy.exe
    <verified> NVIDIA Driver Helper Service, Version 1 1084 C:\WINDOWS\system32\nvsvc32.exe
    <verified> NVIDIA nTune 156 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
    <verified> NVIDIA nTune 1700 C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    <verified> NVIDIA nTune 2144 C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
    <verified> PnkBstrA.exe 328 C:\WINDOWS\system32\PnkBstrA.exe
    <verified> PnkBstrB.exe 144 C:\WINDOWS\system32\PnkBstrB.exe
    <verified> Sandboxie 1796 C:\Program Files\Sandboxie\SbieSvc.exe


    Network activity
    ----------------
    Process firefox.exe (812) connected on port 5050 (Yahoo Messenger) --> webcs109.msg.sp1.yahoo.com
    Process chrome.exe (2384) connected on port 443 (HTTP over SSL) --> 74.125.157.132
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 24.143.192.42
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 24.143.192.42
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.47.102
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.47.147
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 24.143.192.42
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 24.143.192.42
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.47.147
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 24.143.192.42
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 24.143.192.42
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.47.101
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.65.156
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 96.6.92.20
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.65.156
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 96.6.85.115
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.65.156
    Process chrome.exe (2384) connected on port 80 (HTTP) --> 74.125.65.156
    Process chrome.exe (2384) connected on port 443 (HTTP over SSL) --> 74.125.47.102
    Process chrome.exe (3552) connected on port 80 (HTTP) --> 209.18.43.171
    Process chrome.exe (3552) connected on port 80 (HTTP) --> 64.18.25.38
    Process chrome.exe (3552) connected on port 80 (HTTP) --> 199.7.51.190
    Process chrome.exe (3552) connected on port 80 (HTTP) --> 24.143.192.49
    Process chrome.exe (3552) connected on port 80 (HTTP) --> 199.7.51.190
    Process chrome.exe (3552) connected on port 80 (HTTP) --> 199.7.52.190

    Process apache.exe (720) listens on ports: 3476
    Process svchost.exe (1216) listens on ports: 135 (RPC)
    Process svchost.exe (1748) listens on ports: 2869 (SSDP event notification, UPNP)


    Autoruns and critical files
    ---------------------------
    <unsigned> AMD Dual-Core Optimizer C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    <unsigned> Configuration Software C:\Program Files\Saitek\Software\ProfilerU.exe
    <unsigned> Configuration Software C:\Program Files\Saitek\Software\SaiMfd.exe
    <unsigned> QuickTime C:\Program Files\QuickTime\qttask.exe

    <verified> Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    <verified> Google Update C:\Program Files\Google\Update\GoogleUpdate.exe
    <verified> Java(TM) Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    <verified> Logitech SetPoint C:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
    <verified> Logitech SetPoint C:\Program Files\Logitech\SetPoint\SetPoint.exe
    <verified> Logitech SetPoint C:\WINDOWS\KHALMNPR.EXE
    <verified> Microsoft ActiveSync C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    <verified> Microsoft Malware Protection C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
    <verified> Microsoft Security Essentials C:\Program Files\Microsoft Security Essentials\msseces.exe
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\upnpui.dll
    <verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
    <verified> NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll
    <verified> NVIDIA Media Center Library C:\WINDOWS\system32\nvmctray.dll
    <verified> nwiz.exe C:\Program Files\NVIDIA Corporation\nView\nwiz.exe
    <verified> Windows Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
    <verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


    Browser plugins
    ---------------
    <unsigned> Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
    <unsigned> CA Web Scanner C:\WINDOWS\Downloaded Program Files\webscan.dll
    <unsigned> frozen.dll C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    <unsigned> googletoolbar-ff2.dll C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    <unsigned> googletoolbar-ff3.dll C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    <unsigned> googletoolbarloader.dll C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    <unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
    <unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
    <unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
    <unsigned> InterTrust Redemption Wizard C:\Program Files\Internet Explorer\plugins\NPDocBox.dll
    <unsigned> MySpace Image Uploader C:\WINDOWS\Downloaded Program Files\MySpaceUploader.ocx
    <unsigned> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    <unsigned> NVIDIA Application Filter C:\WINDOWS\system32\nvappfilter.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    <unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    <unsigned> Trend Micro HouseCall Server Edition C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll

    <verified> 2007 Microsoft Office system C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
    <verified> AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
    <verified> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
    <verified> Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
    <verified> BitDefender QuickScan C:\Documents and Settings\Gideon\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.22\npqscan.dll
    <verified> BitDefender QuickScan C:\Documents and Settings\Gideon\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.22\npqslauncher.dll
    <verified> Download Manager IE Control C:\WINDOWS\Downloaded Program Files\CONFLICT.1\DLMControl.dll
    <verified> ewido anti-spyware C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
    <verified> Google Toolbar for Internet Explorer c:\program files\google\google toolbar\googletoolbar_32.dll
    <verified> Google Update C:\Program Files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    <verified> GoogleToolbarNotifier c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    <verified> InoculateIT C:\WINDOWS\Downloaded Program Files\arclib.dll
    <verified> InoculateIT C:\WINDOWS\Downloaded Program Files\vete.dll
    <verified> Java Deployment Toolkit 6.0.200.2 C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    <verified> Java(TM) Platform SE 6 U20 c:\program files\java\jre6\bin\jp2ssv.dll
    <verified> Java(TM) Platform SE 6 U20 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
    <verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
    <verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
    <verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    <verified> System Requirements Lab C:\WINDOWS\Downloaded Program Files\sysreqlab2.dll
    <verified> Windows Presentation Foundation C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    <verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll


    Missing files
    -------------
    File not found: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
    referenced in: HLKM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0\ "Path "

    File not found: C:\WINDOWS\System32\appmgmts.dll
    referenced in: HKLM\System\ControlSet001\services\AppMgmt\Parameters\ "ServiceDll "


    Scan
    ----
    <unsigned> MD5: 9f5ad06d6565599d42880cfd6bc06599 C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    <unsigned> MD5: 826b6e50523526fc181813cc877a3ffe C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    <unsigned> MD5: dd82ac3d4044085314a76cacfe22650f C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    <unsigned> MD5: b915513d49997ac7c87872b511c9b0d2 C:\Documents and Settings\Gideon\Application Data\Mozilla\Firefox\Profiles\6vmax83e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    <unsigned> MD5: 8b8e84568909c463a88fcab0be0b9a83 C:\Documents and Settings\Gideon\Desktop\OTM.exe
    <unsigned> MD5: 3fc634e7bdfd98d8b7bde0c919a16890 C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    <unsigned> MD5: 293e66aa529f0fba1aa56340e293a389 C:\Program Files\Application Updater\ApplicationUpdater.exe
    <unsigned> MD5: eddec321b128328bc370a5447f7f8d69 C:\Program Files\Bonjour\mdnsNSP.dll
    <unsigned> MD5: cfd4c3352e29a8b729536648466e8df5 C:\Program Files\Bonjour\mDNSResponder.exe
    <unsigned> MD5: 1cf03c69b49acb70c722df92755c0c8c C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    <unsigned> MD5: fc3dcb8a8aacf64e8dac0854cd0adb56 C:\Program Files\FileZilla FTP Client\fzshellext.dll
    <unsigned> MD5: 9d63f257e9cc6367692b92da4cb4ddac C:\Program Files\Internet Explorer\plugins\NPDocBox.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
    <unsigned> MD5: 0ea6140e578873053bffd37c9eb748ec C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    <unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\Program Files\Java\jre6\bin\msvcr71.dll
    <unsigned> MD5: deb25766f9a107cc664e545950133e1b C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
    <unsigned> MD5: 5f7ec18ee623494c44913df43d10784d C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    <unsigned> MD5: 26b018758226a5dc06de45496c394d40 C:\Program Files\Mozilla Firefox\freebl3.dll
    <unsigned> MD5: 9dfb30f203999a3ae0f258a33fa598f9 C:\Program Files\Mozilla Firefox\nssdbm3.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    <unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    <unsigned> MD5: 1fd6c03c0001a5e1eaf61596c2502f0c C:\Program Files\Mozilla Firefox\softokn3.dll
    <unsigned> MD5: b81f8778f5bb485f3b75114f0c99a49f C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    <unsigned> MD5: 005ff09ce9462bfa9002803654d4849f C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\libapr.dll
    <unsigned> MD5: 2783e1ec4e115f358f5430b30c6a7923 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\libapriconv.dll
    <unsigned> MD5: 365f65e70f5381162d085e7f6c2eec32 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\libaprutil.dll
    <unsigned> MD5: 38b0b1f97e2dd8afa73d36265a8a9c28 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\libeay32.dll
    <unsigned> MD5: a9a473a7024e043ce5c3a1115e892abe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\libhttpd.dll
    <unsigned> MD5: a016c1a03de731296eae9360a684234f C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\nv_common.dll
    <unsigned> MD5: 40dfd54076168caa1fbc95c1574a34fa C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\ssleay32.dll
    <unsigned> MD5: d3aea2f00b256ad5e8ba4d70369058c9 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_access.so
    <unsigned> MD5: 0c1304ae6fa935f224cfcfe71c2e53ed C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_actions.so
    <unsigned> MD5: 60a2f365067028125f4ba35141750aed C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_alias.so
    <unsigned> MD5: 14a9876b2f4f62c6d482485cb86d87a8 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_auth.so
    <unsigned> MD5: ba73a91f92d7bd1b7577b0ba0f8ff9e7 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_cgi.so
    <unsigned> MD5: b34fb7a0356db0d8300bd637ab215cfe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_env.so
    <unsigned> MD5: 08fbb23c474856b47c1159e64d95b6da C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_expires.so
    <unsigned> MD5: 50f2981213f32d6aa1e2413dcdf42937 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_headers.so
    <unsigned> MD5: d1a6bc81ecc9ce4b162ce14c719d8477 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_include.so
    <unsigned> MD5: b3e4a89017b115ab1b5850c3c8ba040e C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_log_config.so
    <unsigned> MD5: c555e1125c522e972626047c6779fccf C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_mime.so
    <unsigned> MD5: 8e4b76fb33783b1eb3da4972f5d67fa3 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_negotiation.so
    <unsigned> MD5: 29ef46651b3f3db9a25a8b14ff396607 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_rewrite.so
    <unsigned> MD5: 790d834c8c67305fd2cabf94f2a0bb0c C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_setenvif.so
    <unsigned> MD5: f9d1ba2b90a4c987e1017ca485fe0167 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\modules\mod_ssl.so
    <unsigned> MD5: 7d4eb7db664dca4917ca228f38abca18 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nmi.dll
    <unsigned> MD5: f13cee1967a80288538131e3122ae9e2 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nmp.dll
    <unsigned> MD5: 4c3bfa791fd498a494664ff16cc32ea6 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    <unsigned> MD5: da19e489e42061539baaa16c83930ae4 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    <unsigned> MD5: 035c12aff85f513ca0549a0feeebd4c6 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    <unsigned> MD5: a016c1a03de731296eae9360a684234f C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nv_common.dll
    <unsigned> MD5: 4374b74aff442b4db51c5b3cf72ff67c C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nv_common_firewall.dll
    <unsigned> MD5: 34ccb1c8ac0813efa2ce6c16705d616e C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nv_resource_L1033.dll
    <unsigned> MD5: 87e495235ef47ac819a4cf119145e5f5 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\SpecialCase.dll
    <unsigned> MD5: f35a584e947a5b401feb0fe01db4a0d7 C:\Program Files\NVIDIA Corporation\System Update\MFC71.dll
    <unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\Program Files\NVIDIA Corporation\System Update\msvcr71.dll
    <unsigned> MD5: f34eb5d4f145ed5fe50033ca3a41ed24 C:\Program Files\QuickTime\qttask.exe
    <unsigned> MD5: 78aa0d13f28dc26314fd55c8fcd1c3b0 C:\Program Files\Saitek\Software\ProfilerU.exe
    <unsigned> MD5: d6023ac7a71348d8d9a834e059701c08 C:\Program Files\Saitek\Software\SAICFG.dll
    <unsigned> MD5: a90ca8942f747090e37e47a77da21766 C:\Program Files\Saitek\Software\SAICMN.dll
    <unsigned> MD5: ac0238dadb6d7a1712bba508409895ee C:\Program Files\Saitek\Software\SAILNKU.dll
    <unsigned> MD5: 94ec0cf1e31169b0cced7224df8c7d5b C:\Program Files\Saitek\Software\SaiMfd.exe
    <unsigned> MD5: 7217fbdb03ede78d96b1aa651671b5a4 C:\Program Files\Saitek\Software\SAIPz31a.dll
    <unsigned> MD5: bb3b4439d39e58781a987dce7e27c463 C:\Program Files\Saitek\Software\SAIVSR.dll
    <unsigned> MD5: 3fea9d2edf23b0283c7a66c8dea380bd C:\WINDOWS\Downloaded Program Files\dwusplay.dll
    <unsigned> MD5: cdbe35ea59bc9223e4f800bd1db82d27 C:\WINDOWS\Downloaded Program Files\dwusplay.exe
    <unsigned> MD5: 10a86ab325ca1e17add3f0c39a081c9e C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    <unsigned> MD5: b8f39c9e0f0b71e454dba431cf3b99c9 C:\WINDOWS\Downloaded Program Files\isusweb.dll
    <unsigned> MD5: d83307427d5bacf35742f70f5f144861 C:\WINDOWS\Downloaded Program Files\MySpaceUploader.ocx
    <unsigned> MD5: 76ea3abece61fba3c07f61e42bb0ca48 C:\WINDOWS\Downloaded Program Files\webscan.dll
    <unsigned> MD5: 438179abe9b7a922a21b8d6369ff52ff C:\WINDOWS\System32\BCM42RLY.SYS
    <unsigned> MD5: 82cd4f28228543173813475076891649 C:\WINDOWS\system32\drivers\ABIT-IO.sys
    <unsigned> MD5: c88593caa3919a08b2920eec52d088f6 C:\WINDOWS\system32\drivers\ALLOW-IO.sys
    <unsigned> MD5: 438179abe9b7a922a21b8d6369ff52ff C:\WINDOWS\system32\drivers\BCM42RLY.sys
    <unsigned> MD5: 248dfa5762dde38dfddbbd44149e9d7a C:\WINDOWS\system32\drivers\bvrpmpr5.sys
    <unsigned> MD5: a5e0b05cc1de91ae00e733165ac61506 C:\WINDOWS\system32\DRIVERS\deltafw.sys
    <unsigned> MD5: 23020385d34e35dfc2d6503fa67d3ffc C:\WINDOWS\system32\drivers\DsAudioDevice_286.sys
    <unsigned> MD5: 6d03a526eeded908759ca8c0e581494d C:\WINDOWS\system32\drivers\ma_cmidi.sys
    <unsigned> MD5: 57d0fb1b75420db651a71d5517afdf8a C:\WINDOWS\system32\drivers\NVTCP.sys
    <unsigned> MD5: 5b6c11de7e839c05248ced8825470fef C:\WINDOWS\System32\Drivers\pcouffin.sys
    <unsigned> MD5: 444f122e68db44c0589227781f3c8b3f C:\WINDOWS\system32\drivers\pfc.sys
    <unsigned> MD5: 70aeec67e87a2002e6b2cc353d56e222 C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
    <unsigned> MD5: 052d811342214d74ec0ac49a877a9088 C:\WINDOWS\system32\drivers\SaiBus.sys
    <unsigned> MD5: 9995b5fe8d026fbef8d31c3cef60aeaa C:\WINDOWS\system32\DRIVERS\SaiMini.sys
    <unsigned> MD5: 620ce857a21205399afc47e576a35884 C:\WINDOWS\system32\drivers\uks11ldr.sys
    <unsigned> MD5: 219e776dfadb932e7f82ac1d8e3f654e C:\WINDOWS\system32\drivers\usbkt1x1.sys
    <unsigned> MD5: bdcaacde931eb9f9eca1f9642ff5fa9e C:\WINDOWS\system32\GameMon.des
    <unsigned> MD5: 77ebf3e9386daa51551af429052d88d0 C:\WINDOWS\system32\giveio.sys
    <unsigned> MD5: bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\system32\lsass.exe
    <unsigned> MD5: baf751e7061ff626aa60f56d1d5d1fdc C:\WINDOWS\system32\MFC71ENU.DLL
    <unsigned> MD5: 9131fe60adfab595c8da53ad6a06aa31 C:\WINDOWS\system32\npptNT2.sys
    <unsigned> MD5: 508296417c3ff2df5169c6b6b4439122 C:\WINDOWS\system32\nvappfilter.dll
    <unsigned> MD5: 64629b2b0e6b6b323c0c32dacd64e713 C:\WINDOWS\system32\nvwddi.dll
    <unsigned> MD5: 3a0f7d74187101b0dff01d5b460fdaf3 C:\WINDOWS\system32\PSIKey.dll
    <unsigned> MD5: 64e413ba0c529aa40c3924bbcc4153db C:\WINDOWS\system32\PSIService.exe
    <unsigned> MD5: 5d6401db90ec81b71f8e2c5c8f0fef23 C:\WINDOWS\system32\speedfan.sys
    <unsigned> MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\system32\svchost.exe
    <unsigned> MD5: 636279f3798d01adc0e8fcafa781705a C:\WINDOWS\system32\usbkt1x1.dll
    <unsigned> MD5: 6bdf6b80f3c6c37bef59637fa8a652f2 C:\WINDOWS\system32\winlogon.exe
    <unsigned> MD5: 3e9a33113d663d8bd5ed38858e669652 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
    <unsigned> MD5: 686b224b4987c22b153fbb545fee9657 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
    <unsigned> MD5: d8584c7fb9a1ba8480f9000c1ca1b415 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll


    No file uploaded.

    Scan finished - communication took 4 sec
    Total traffic - 0.07 MB sent, 3.07 KB recvd
    Scanned 1137 files and modules - 230 seconds

    ==============================================================================
     
  6. 2010/05/25
    broni Moderator Malware Analyst
    It looks like replacing winlogon.exe didn't work.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      winlogon.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  7. 2010/05/26
    Gideon Inactive Thread Starter
    Here is the log as requested

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 13:20 on 26/05/2010 by Gideon (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "winlogon.exe "
    C:\WINDOWS\system32\winlogon.exe --a--- 505856 bytes [12:00 04/08/2004] [21:17 14/04/2010] 6BDF6B80F3C6C37BEF59637FA8A652F2

    -=End Of File=-
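The check broni makes at this point (the SystemLook MD5 for winlogon.exe is the same value the earlier scan listed, so the copy on disk never changed) can be scripted. The following is an added example, not code from the thread or from SystemLook/OTM; its log lines are constructed samples in the shape of the two logs posted above. It parses both formats, flags core Windows binaries reported unsigned directly under system32, finds one hash sitting at two paths, and compares before/after hashes case-insensitively.

```python
# Added example (not from the thread, SystemLook or OTM): cross-check the file
# hashes that the two logs above report for the same core Windows binary.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the "<unsigned> MD5: ..." scan
# section above; the <verified> line uses an all-zero placeholder hash.
SCAN_LOG = r"""
<unsigned> MD5: 6bdf6b80f3c6c37bef59637fa8a652f2 C:\WINDOWS\system32\winlogon.exe
<unsigned> MD5: bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\system32\lsass.exe
<unsigned> MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\system32\svchost.exe
<unsigned> MD5: 438179abe9b7a922a21b8d6369ff52ff C:\WINDOWS\System32\BCM42RLY.SYS
<unsigned> MD5: 438179abe9b7a922a21b8d6369ff52ff C:\WINDOWS\system32\drivers\BCM42RLY.sys
<verified> MD5: 00000000000000000000000000000000 C:\WINDOWS\system32\mswsock.dll
"""
# Constructed sample in the shape of the SystemLook :filefind output above.
SYSTEMLOOK_LOG = r"""
Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a--- 505856 bytes [12:00 04/08/2004] [21:17 14/04/2010] 6BDF6B80F3C6C37BEF59637FA8A652F2
-=End Of File=-
"""
# Core XP binaries that should be Microsoft-signed when they sit directly under
# system32 (illustrative set, taken from the unsigned entries in the scan log).
CORE_SYSTEM32 = {"winlogon.exe", "lsass.exe", "svchost.exe"}

SCAN_RE = re.compile(r"^<(unsigned|verified)>\s+MD5:\s+([0-9a-fA-F]{32})\s+(\S.*?)\s*$")
FILEFIND_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attr>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9a-fA-F]{32})$"
)

@dataclass(frozen=True)
class ScanEntry:
    signed: bool
    md5: str   # normalised to lower case
    path: str

@dataclass(frozen=True)
class FileFindEntry:
    path: str
    size: int
    created: datetime
    modified: datetime
    md5: str   # normalised to lower case

def parse_scan_log(text):
    """Parse '<unsigned|verified> MD5: <hash> <path>' lines; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            entries.append(ScanEntry(m.group(1) == "verified", m.group(2).lower(), m.group(3)))
    return entries

def parse_filefind(text):
    """Parse SystemLook :filefind result lines (timestamps are HH:MM DD/MM/YYYY)."""
    stamp = lambda s: datetime.strptime(s, "%H:%M %d/%m/%Y")
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entries.append(FileFindEntry(m["path"], int(m["size"]), stamp(m["created"]),
                                         stamp(m["modified"]), m["md5"].lower()))
    return entries

def unsigned_core_binaries(entries):
    """Core Windows binaries reported unsigned directly under system32."""
    hits = []
    for e in entries:
        parent, _, name = e.path.rpartition("\\")
        if not e.signed and name.lower() in CORE_SYSTEM32 and parent.lower().endswith("\\system32"):
            hits.append(e.path)
    return hits

def duplicate_hashes(entries):
    """Same MD5 at more than one path, e.g. a driver copied into two directories."""
    by_hash = {}
    for e in entries:
        by_hash.setdefault(e.md5, []).append(e.path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}

def replacement_succeeded(before_md5, after_md5):
    """A file replacement only took effect if the on-disk hash changed."""
    return before_md5.lower() != after_md5.lower()

def modified_long_after_created(entry, days=365):
    """A core file whose last write is far later than its creation date is worth a look."""
    return entry.modified - entry.created > timedelta(days=days)
```

Run against the real logs, `replacement_succeeded(scan_md5, systemlook_md5)` returning False is exactly the "didn't work" verdict given in the next reply.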
     
  8. 2010/05/26
    broni Moderator Malware Analyst
    Do you have a Windows XP CD?
     
  9. 2010/05/26
    Gideon Inactive Thread Starter
    The copy of windows I have was installed already when I bought this computer in 2005 and somewhere between then and now I must have lost it; I have moved about three or four times since then. My brother might have his disk, should I ask him?
     
  10. 2010/05/26
    broni Moderator Malware Analyst
    Hold on there. Let me grab my XP CD.
     
  11. 2010/05/26
    broni Moderator Malware Analyst
    Be very, very careful and follow all instructions to a dot.

    Attached is a zipped winlogon.exe file.
    Download it and unzip it.
    Place the unzipped winlogon.exe file in your root C:\ folder.

    When done...

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\winlogon.exe|C:\winlogon.exe /replace
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  12. 2010/05/26
    broni Moderator Malware Analyst
    Hold on. The file is too big to attach.
     
  13. 2010/05/26
    broni Moderator Malware Analyst
  14. 2010/05/27
    Gideon Inactive Thread Starter
    As before, I was prompted to reboot and upon restart a log presented itself; this is that log.



    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    Unable to replace file: C:\WINDOWS\system32\winlogon.exe with C:\winlogon.exe without a reboot.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: Administrator.TELETRAN-A40479
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users.WINDOWS

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Gideon
    ->Temp folder emptied: 561912 bytes
    ->Temporary Internet Files folder emptied: 107479 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 87959307 bytes
    ->Google Chrome cache emptied: 78336824 bytes
    ->Flash cache emptied: 3154 bytes

    User: HP_Administrator

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 15640 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: PAT
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1404428 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 1166147322 bytes

    Total Files Cleaned = 1,273.00 mb


    OTM by OldTimer - Version 3.1.12.0 log created on 05272010_123823

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  15. 2010/05/27
    broni Moderator Malware Analyst
    It didn't work.
    I assume we'll have to replace that file from the outside.

    Let's see if we can look at your computer booting from an external source.

    You will need a USB flash drive to move information from the bad computer to a working computer.

    You need to download two programs.

    First

    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions).

    Second

    • Download OTLPE.iso and burn it to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded, double-click it; this will then open ISOBurner to burn the file to CD.
    • Reboot your system (Non working computer) using the boot CD you just created.
      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings:
      • Change Drivers to All
      • Change Registry to All
      • Under Custom Scan box paste this in:

        netsvcs
        %SYSTEMDRIVE%\*.exe
        /md5start
        winlogon.exe
        /md5stop
        %systemroot%\*. /mp /s
        %systemroot%\system32\*.dll /lockedfiles
        %systemroot%\Tasks\*.job /lockedfiles
        %systemroot%\system32\drivers\*.sys /lockedfiles
        %systemroot%\System32\config\*.sav

    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
     
  16. 2010/06/02
    Gideon Inactive Thread Starter
    Ok, I have been trying to get access to the laptop, however my brother has been using it and said I could come get it from him tomorrow. I will be able to carry out your last instructions tomorrow afternoon. I apologize for the delay.
     
  17. 2010/06/02
    broni Moderator Malware Analyst
    Not a problem :)
     
  18. 2010/06/05
    Gideon Inactive Thread Starter
    I'm having issues. My AC is out and it is pretty hot in my house. I mention this because I'm not sure if the heat is what's causing my problem. I have been trying to access my PC but the screen keeps blinking on and off and then it reboots after running for a little while. Is this from overheating? At this point I am unable to access my computer because of this issue. This didn't happen until my house got up into the high 80s. I'm not sure what to do.
     
  19. 2010/06/05
    broni Moderator Malware Analyst
    You may want to get a can of compressed air (do NOT use any other method), open computer case and clean it well inside.

    Did you create OTLPE CD already?
     
  20. 2010/06/06
    Gideon Inactive Thread Starter
    I have made the disc and believe I can keep my computer from shutting off due to overheating. I am attempting to boot from the disc now.
     
  21. 2010/06/06
    broni Moderator Malware Analyst
    Ok :)
     
