
system restarts, browser redirects, and rootkits.



I've been trying to track down some random rebooting on my parents' computer (I think it's hardware related, partially), but I found a rootkit and several other problems on it.

HJT.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:57:59 PM, on 8/19/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17080)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Google\Common\Google Updater\Goo


Hello,

And ^_^ My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log


Hi, sorry about all the new threads on this; I kept getting a connection reset error when I hit submit thread and didn't see the thread get posted. Now that I see a thread got posted, let me start from scratch on this.

My parents' computer has XP SP3 on it. Something was triggering the system shutdown procedure at random. There were also browser search redirects. As I couldn't post a thread from that computer, I emailed the logs from that computer to myself, so let me post those here.

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:57:15 PM, on 8/20/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17080)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1214279407537

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214280741250

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 6800 bytes

GMER

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-20 12:55:55

Windows 5.1.2600 Service Pack 3

Running: zo0zck77.exe; Driver: C:\DOCUME~1\lance\LOCALS~1\Temp\agpiyaod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xB510D000, 0x185EB2, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0099000A

.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 009A000A

.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0098000C

.text C:\WINDOWS\System32\svchost.exe[1164] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F5000A

.text C:\WINDOWS\system32\wuauclt.exe[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0099000A

.text C:\WINDOWS\system32\wuauclt.exe[1940] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 009A000A

.text C:\WINDOWS\system32\wuauclt.exe[1940] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0098000C

.text C:\WINDOWS\Explorer.EXE[2452] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[2452] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C5000A

.text C:\WINDOWS\Explorer.EXE[2452] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C

---- EOF - GMER 1.0.15 ----

MBAM

I don't have a copy of the MBAM log, but it showed that it was free and clear.

Now, with this all said and done, I installed Win7 on a 2nd partition on their computer. When I scanned their XP drive with MSE I found about 30 trojan downloaders. I'll get back with you tomorrow with a new GMER and OTL log, when I have time to sit down and play around with the XP partition.
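As an added triage example (not code from this thread, GMER or OTL), the following Python script parses the two kinds of log lines that carry the evidence in the post above: the GMER "User code sections" lines showing 5-byte inline JMP hooks on ntdll exports inside svchost, wuauclt and Explorer, and the OTL "Internet Settings" lines showing a proxy on the .DEFAULT/SYSTEM hives pointed at 127.0.0.1. The sample lines are a constructed subset of the logs quoted above, and the 0x01000000 "private region" threshold is an assumption used as a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER "User code sections" lines and the
# OTL "Internet Settings" lines quoted in this thread, reproduced verbatim.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1164] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\wuauclt.exe[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0099000A
.text C:\WINDOWS\Explorer.EXE[2452] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
"""

# GMER user-mode hook line: ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)
# OTL registry line for the WinINet proxy settings under one HKU hive.
PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\.*Internet Settings: "(?P<key>Proxy\w+)" = (?P<val>.+?)\s*$'
)
# Heuristic threshold (an assumption, not a GMER rule): on 32-bit XP, system
# DLLs such as ntdll.dll are mapped high (0x7Cxxxxxx), so a JMP to a low
# address like 0x0099000A leaves the patched module entirely, which is what an
# injected trampoline looks like rather than a legitimate in-module fixup.
LOW_TARGET = 0x01000000


def parse_hooks(text):
    """Return one dict per GMER inline-hook line with numeric fields converted."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        h = m.groupdict()
        h["pid"], h["n"] = int(h["pid"]), int(h["n"])
        h["addr"], h["target"] = int(h["addr"], 16), int(h["target"], 16)
        hooks.append(h)
    return hooks


def hooks_by_process(hooks):
    """Map 'image[pid]' -> sorted list of hooked 'module!export' names."""
    by_proc = defaultdict(set)
    for h in hooks:
        by_proc[f'{h["path"]}[{h["pid"]}]'].add(f'{h["module"]}!{h["func"]}')
    return {proc: sorted(apis) for proc, apis in by_proc.items()}


def apis_hooked_in_multiple_processes(hooks):
    """Exports patched in more than one process: the same code was injected into each."""
    pids = defaultdict(set)
    for h in hooks:
        pids[f'{h["module"]}!{h["func"]}'].add(h["pid"])
    return sorted(api for api, p in pids.items() if len(p) > 1)


def hooks_with_private_targets(hooks):
    """Hooks whose JMP lands below LOW_TARGET, i.e. outside the patched system module."""
    return [h for h in hooks if h["target"] < LOW_TARGET]


def parse_proxy_settings(text):
    """Map HKU hive -> {ProxyEnable/ProxyServer/ProxyOverride: value} from OTL IE lines."""
    settings = defaultdict(dict)
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            settings[m["hive"]][m["key"]] = m["val"]
    return dict(settings)


def loopback_proxies(settings):
    """Hives with the proxy enabled and pointed at 127.0.0.1 (a local redirecting proxy)."""
    return sorted(
        hive for hive, s in settings.items()
        if s.get("ProxyEnable") == "1" and "127.0.0.1" in s.get("ProxyServer", "")
    )


def triage(text):
    """Summarise the indicators worth raising from a pasted GMER + OTL log."""
    hooks = parse_hooks(text)
    return {
        "hooked_processes": hooks_by_process(hooks),
        "shared_hooked_apis": apis_hooked_in_multiple_processes(hooks),
        "private_target_hooks": len(hooks_with_private_targets(hooks)),
        "loopback_proxy_hives": loopback_proxies(parse_proxy_settings(text)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted logs this reports NtProtectVirtualMemory hooked identically in three unrelated processes, every JMP target in a low private region, and a loopback proxy on the .DEFAULT hive, which together account for the redirects the poster describes.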


OTL LIST

MOD - [2010/08/22 01:51:10 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\lance\My Documents\Downloads\OTL.exe

MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2009/09/23 16:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®

SRV - [2007/12/17 00:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)

SRV - [2007/01/11 00:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)

SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

SRV - [2006/12/19 19:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\lance\LOCALS~1\Temp\ALSysIO.sys -- (ALSysIO)

DRV - [2010/08/20 13:15:26 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)

DRV - [2010/07/09 13:18:54 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz134_x32.sys -- (cpuz134)

DRV - [2008/12/22 12:06:02 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)

DRV - [2008/12/22 12:06:00 | 000,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)

DRV - [2008/12/22 12:05:58 | 000,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)

DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/02/08 23:58:34 | 002,857,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2007/12/17 05:14:05 | 000,012,400 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)

DRV - [2007/11/01 02:38:56 | 004,620,288 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2007/10/31 20:56:00 | 000,036,864 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l151x86.sys -- (AtcL001)

DRV - [2007/10/11 21:40:12 | 000,009,096 | R--- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\amdide.sys -- (amdide)

DRV - [2007/07/20 18:40:10 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)

DRV - [2006/12/28 12:44:44 | 000,084,992 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdAud.sys -- (HdAudAddService)

DRV - [2004/08/12 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1482476501-1004336348-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/

IE - HKU\S-1-5-21-1482476501-1004336348-725345543-1003\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found

IE - HKU\S-1-5-21-1482476501-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1482476501-1004336348-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"

FF - prefs.js..browser.search.defaultenginename: "AOL Search"

FF - prefs.js..browser.search.defaulturl: "http://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20100816013530796&tb_oid=16-08-2010&tb_mrud=16-08-2010"

FF - prefs.js..browser.search.order.1: "Ask.com"

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "msn.com"

FF - prefs.js..extensions.enabledItems: {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2

FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&q= "

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/18 16:15:53 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/15 21:35:17 | 000,000,000 | ---D | M]

[2009/02/11 00:39:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lance\Application Data\Mozilla\Extensions

[2009/02/11 00:39:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lance\Application Data\Mozilla\Extensions\mozswing@mozswing.org

[2010/08/19 15:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lance\Application Data\Mozilla\Firefox\Profiles\hpc9de45.default\extensions

[2008/06/24 00:44:14 | 000,000,000 | ---D | M] (oldbar) -- C:\Documents and Settings\lance\Application Data\Mozilla\Firefox\Profiles\hpc9de45.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}

[2010/08/19 14:39:41 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\lance\Application Data\Mozilla\Firefox\Profiles\hpc9de45.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2010/04/30 21:56:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lance\Application Data\Mozilla\Firefox\Profiles\hpc9de45.default\extensions\toolbar@ask.com

[2010/08/15 21:35:53 | 000,002,342 | ---- | M] () -- C:\Documents and Settings\lance\Application Data\Mozilla\Firefox\Profiles\hpc9de45.default\searchplugins\aol-search.xml

[2010/08/19 15:05:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKU\S-1-5-21-1482476501-1004336348-725345543-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)

O4 - HKU\S-1-5-21-1482476501-1004336348-725345543-1003..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)

O4 - HKU\S-1-5-21-1482476501-1004336348-725345543-1003..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1482476501-1004336348-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll (Sun Microsystems, Inc.)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1214279407537 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1214280741250 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_04)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.130 68.87.72.130

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\Documents and Settings\lance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\lance\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/06/24 13:59:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/20 22:13:12 | 000,000,000 | -HSD | C] -- C:\Boot

[2010/08/20 21:21:12 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2010/08/20 13:15:18 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite

[2010/08/20 13:15:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\lance\Application Data\DAEMON Tools Lite

[2010/08/20 13:14:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2010/08/18 22:56:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData

[2010/08/17 22:41:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities

[2010/08/17 22:40:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\wrvyssakp

[2010/08/17 22:40:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2010/08/17 20:17:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/08/17 20:17:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/08/15 21:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\lance\Application Data\Office Genuine Advantage

[2010/08/15 21:35:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility

[2010/08/15 21:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\lance\Local Settings\Application Data\AIM

[2010/08/15 21:35:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM

[2010/08/15 21:35:17 | 000,000,000 | ---D | C] -- C:\Program Files\AIM

[2010/08/08 21:18:18 | 001,165,800 | ---- | C] (CPUID) -- C:\Documents and Settings\lance\Desktop\HWMonitor.exe

[2010/08/08 15:18:31 | 000,020,328 | ---- | C] (Windows ® Win 7 DDK provider) -- C:\WINDOWS\System32\drivers\cpuz134_x32.sys

[2010/08/08 15:18:31 | 000,000,000 | ---D | C] -- C:\Program Files\CPUID

[2010/08/05 17:54:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\lance\Application Data\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1

[2010/08/05 17:54:09 | 000,000,000 | ---D | C] -- C:\Program Files\Pandora

[2010/08/05 17:54:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/22 01:52:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/08/22 01:50:06 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/08/22 01:50:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job

[2010/08/22 01:49:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/08/22 01:49:50 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/08/22 01:49:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/08/22 01:49:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/08/20 22:13:14 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK

[2010/08/20 22:13:12 | 000,000,355 | RHS- | M] () -- C:\boot.ini

[2010/08/20 18:30:50 | 000,001,048 | ---- | M] () -- C:\Documents and Settings\lance\My Documents - Shortcut.lnk

[2010/08/20 17:26:15 | 003,670,016 | ---- | M] () -- C:\Documents and Settings\lance\ntuser.dat

[2010/08/20 17:26:15 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\lance\ntuser.ini

[2010/08/20 17:01:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2010/08/20 13:36:45 | 000,464,096 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/08/20 13:36:45 | 000,397,060 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/08/20 13:36:45 | 000,059,532 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/08/20 13:15:26 | 000,691,696 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2010/08/19 17:06:31 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\lance\Desktop\hwmonitorw.ini

[2010/08/19 16:36:45 | 008,100,955 | ---- | M] () -- C:\WINDOWS\System32\BPGWGIIKCY

[2010/08/19 11:35:10 | 000,000,629 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/08/19 11:35:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/08/19 11:35:10 | 000,000,211 | -H-- | M] () -- C:\Boot.BAK

[2010/08/18 16:12:32 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/08/16 16:54:57 | 000,051,892 | ---- | M] () -- C:\Documents and Settings\lance\My Documents\facts agrement.pdf

[2010/08/15 21:53:53 | 000,010,483 | ---- | M] () -- C:\Documents and Settings\lance\My Documents\Grcc books.docx

[2010/08/15 21:35:32 | 000,001,327 | -H-- | M] () -- C:\IPH.PH

[2010/08/15 21:35:25 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\lance\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk

[2010/08/15 21:35:25 | 000,001,574 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk

[2010/08/13 23:26:37 | 000,199,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/08/13 23:15:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/07/27 02:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll

[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/20 22:13:14 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK

[2010/08/20 22:13:12 | 000,383,562 | RHS- | C] () -- C:\bootmgr

[2010/08/20 22:13:12 | 000,000,211 | -H-- | C] () -- C:\Boot.BAK

[2010/08/20 18:30:50 | 000,001,048 | ---- | C] () -- C:\Documents and Settings\lance\My Documents - Shortcut.lnk

[2010/08/20 13:15:26 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2010/08/19 16:34:28 | 008,100,955 | ---- | C] () -- C:\WINDOWS\System32\BPGWGIIKCY

[2010/08/18 23:03:42 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\lance\Desktop\hwmonitorw.ini

[2010/08/16 16:54:57 | 000,051,892 | ---- | C] () -- C:\Documents and Settings\lance\My Documents\facts agrement.pdf

[2010/08/15 21:53:53 | 000,010,483 | ---- | C] () -- C:\Documents and Settings\lance\My Documents\Grcc books.docx

[2010/08/15 21:35:25 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\lance\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk

[2010/08/15 21:35:25 | 000,001,574 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM.lnk

[2010/01/12 23:38:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI

[2010/01/10 15:30:57 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini

[2010/01/10 15:30:18 | 000,000,089 | ---- | C] () -- C:\WINDOWS\EPWF610.ini

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/01/10 02:00:35 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\lance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/12/20 12:30:57 | 000,000,313 | ---- | C] () -- C:\Documents and Settings\lance\Application Data\1c64-ec47-1438-983d_6279rc

[2008/10/12 00:50:39 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2008/10/08 19:20:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/08/09 18:11:57 | 001,265,664 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2A6.dll

[2008/08/09 18:11:57 | 001,228,800 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M6.dll

[2008/08/09 18:11:57 | 001,200,128 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M5.dll

[2008/08/09 18:11:57 | 001,073,152 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P6.dll

[2008/08/09 18:11:57 | 001,028,096 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P5.dll

[2008/08/09 18:11:57 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini

[2008/08/09 18:11:47 | 001,064,960 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2PX.dll

[2008/08/09 18:11:47 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL

[2008/08/09 18:11:47 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL

[2008/08/09 18:11:47 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2.dll

[2008/08/09 18:11:47 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL

[2008/06/30 16:31:01 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2008/06/24 14:38:17 | 000,029,368 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2008/06/24 14:38:16 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys

[2008/06/24 14:38:09 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2008/06/24 12:51:42 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS3g.DLL

[2008/06/24 01:14:43 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll

[2008/06/24 01:14:43 | 000,012,400 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys

[2008/06/24 01:14:40 | 000,011,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys

[2008/06/24 01:14:40 | 000,010,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys

< End of report >

EXTRAS

OTL Extras logfile created on: 8/22/2010 1:51:30 AM - Run 1

OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\lance\My Documents\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 127.99 Gb Total Space | 81.67 Gb Free Space | 63.81% Space Free | Partition Type: NTFS

Drive D: | 170.10 Gb Total Space | 157.70 Gb Free Space | 92.71% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LANCE-BI12ZZRL6

Current User Name: lance

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = SafariHTML] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLED.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1482476501-1004336348-725345543-1003\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)

https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)

"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found

"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- File not found

"C:\Program Files\Epson Software\Event Manager\EEventManager.exe" = C:\Program Files\Epson Software\Event Manager\EEventManager.exe:*:Enabled:EEventManager.exe -- (SEIKO EPSON CORPORATION)

"C:\Program Files\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe" = C:\Program Files\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe:*:Enabled:EpsonNet Setup -- (SEIKO EPSON CORPORATION)

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{08E80F46-1B6A-2DC2-5F61-F7CBB0AEC6F6}" = Catalyst Control Center Localization Turkish

"{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}" = Epson FAX Utility

"{0D5FD7C1-D08F-A0A0-F55A-9719041154B8}" = Catalyst Control Center Localization Spanish

"{0F3AC7DE-93F7-A578-96C7-1143DE38EBFD}" = CCC Help Czech

"{13B07661-B1E0-427E-3C3F-49E46AFBD233}" = CCC Help Russian

"{15F4319D-D6A8-5B67-6902-73EF5D12B29D}" = Catalyst Control Center Localization Chinese Traditional

"{1A6A6531-08FC-47AD-BAC4-C41497E71033}" = Nero 7 Essentials

"{1EB3AE55-982B-5629-8093-4F4AF472F9E9}" = Catalyst Control Center Localization Portuguese

"{1FF030B6-7B22-ADCF-D749-0FFCB43D33BB}" = Catalyst Control Center Localization Korean

"{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}" = MobileMe Control Panel

"{289C26A9-11D4-FF0D-48C9-AEB28BCA987E}" = CCC Help Danish

"{291445E6-CA84-2065-1D3B-921CBC6525EA}" = Catalyst Control Center Localization Polish

"{2917ECC2-2F1E-038A-CC25-5DCBD80DBA47}" = Catalyst Control Center Localization Norwegian

"{2A051409-C003-8CD0-BC12-A216ABA33610}" = CCC Help Korean

"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4

"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java 6 Update 4

"{337231A8-3424-3930-A4DC-2C1FB93370C6}" = Catalyst Control Center Graphics Light

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder

"{375072E6-25B1-1EDD-FCA1-75432746CFBF}" = CCC Help Italian

"{384743C4-161D-E41F-21EE-1A3487309F1C}" = Catalyst Control Center Localization Italian

"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print

"{4697C7C8-3720-AA99-EA1F-1502D5AF6655}" = CCC Help Portuguese

"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager

"{49600BF0-20E8-9135-F222-A771157A8A90}" = CCC Help Finnish

"{4B3C7094-414F-BAB8-4828-6F27CFA5BEDC}" = CCC Help German

"{52BD1DF5-BC41-6CD2-3D07-F1AC75886FAA}" = Catalyst Control Center Graphics Full Existing

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{57F80BD6-5D0B-4CA0-CE20-9531E77C15E5}" = CCC Help Swedish

"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari

"{61176FC2-E74A-6EC9-CE55-4F7A033C3F55}" = Catalyst Control Center Localization Dutch

"{64F1AB27-296E-54EF-6F2F-6BE14D27CD14}" = Catalyst Control Center Localization Hungarian

"{667DE56A-0FC1-32F6-C106-A08E048D7243}" = CCC Help Norwegian

"{67113718-4F9A-2B74-6DA2-46BAFF2CECC2}" = Catalyst Control Center Localization Czech

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6BED8CAB-939C-6DEC-B952-E678C248B1F8}" = Catalyst Control Center Localization Finnish

"{6E19F210-3813-4002-B561-94D66AA182B6}" = Atheros Communications Inc.® L1 Gigabit Ethernet Driver

"{70A5C023-971E-218E-0C06-99188C747F25}" = Catalyst Control Center Graphics Previews Common

"{72B1D7AE-0980-8A11-5E56-C4376C61F7F5}" = CCC Help Spanish

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7E5FDD0C-7DB5-3EF8-8342-D1C6DAB94758}" = ccc-utility

"{801DA3A1-9E07-6755-0309-A1FCC01492E3}" = Catalyst Control Center Graphics Full New

"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8B40F17B-67E8-D57B-9B89-08A0DC1D527A}" = Catalyst Control Center Localization Japanese

"{8E4C392F-7290-1586-5F42-D0CC78AF2AA7}" = CCC Help Japanese

"{8F018A9E-56DE-4A79-A5EF-25F413F1D538}" = WeatherBug

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{90273B5E-5FD7-F61C-289B-E15FE5F5251A}" = Catalyst Control Center Localization German

"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)

"{92146281-1594-32CA-06D2-EFFA2EA8EF6C}" = Catalyst Control Center Localization Thai

"{9C4C2ECE-CBDD-427D-C9A4-B694538B8236}" = CCC Help Chinese Traditional

"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC43110D-FE77-2ECB-A01A-724B5EFC2EE3}" = Catalyst Control Center Localization Greek

"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2

"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B2762E75-4C28-5DF4-EEA9-1C536195ED71}" = Catalyst Control Center Localization Danish

"{B395BC1D-CC06-425E-9049-4CD985EFF004}" = LightScribe 1.8.15.1

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B6BFEEFA-7F87-0045-3199-FFAACEF1CDB8}" = Catalyst Control Center Localization Chinese Standard

"{BB3F1641-0126-38AA-C34A-358A273B5A11}" = CCC Help Turkish

"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization

"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo

"{C08FF9D0-1422-00EC-DC3B-F220F434DDB8}" = CCC Help English

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C2FDFB6F-003E-0432-DFBD-9A9FD65DC027}" = CCC Help Greek

"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word

"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime

"{CA6FDA2D-9C9E-F4FA-D658-B0E5CAD0EFB3}" = Catalyst Control Center Localization Russian

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition

"{D1941AFA-6671-3F98-0F0C-2D37978554E3}" = ccc-core-preinstall

"{D87691C3-1183-1043-5CA7-11DFEAD6FFED}" = CCC Help Hungarian

"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack

"{DEDF4354-6438-95E0-824E-071F798C0D3C}" = CCC Help French

"{E01A2B5F-8D98-AA9D-9BA6-03A1303C10E7}" = Catalyst Control Center Localization French

"{E1BF87F7-AC0D-26F1-7C63-E8EA40D469D9}" = ccc-core-static

"{E21C18F0-96FD-D7A9-0BD3-938E070447D9}" = Catalyst Control Center Core Implementation

"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager

"{E2A7C863-A3FC-1E40-7D58-89CC3C23ADBF}" = CCC Help Thai

"{E62A220A-1F92-A8E3-8A50-47A9882013B6}" = Catalyst Control Center Localization Swedish

"{EC79191F-7424-E913-3790-CD1573D992DE}" = CCC Help Chinese Standard

"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin

"{ED0B70E3-8980-4977-9545-E490655E111D}" = Cosmopolitan Virtual Makeover 3

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F1C8EAD0-CFF1-C61E-AC3B-F9E86FE912DE}" = Pandora

"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes

"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II

"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth

"{F9D6543E-5616-E302-2436-A746DBEAF4E0}" = Skins

"{FE86B64D-1D30-C6D3-274C-51DFFCD0E4F9}" = CCC Help Polish

"{FF24A100-18C4-6383-706E-0EADAD3AEA44}" = CCC Help Dutch

"{FFFAE01B-466F-4C07-9821-A94FD753BDDA}" = EpsonNet Setup

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"AIM_7" = AIM 7

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"CANONBJ_Deinstall_CNMCP3g.DLL" = Canon S900

"com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1" = Pandora

"CPUID CPU-Z_is1" = CPUID CPU-Z 1.55

"EPSON PC-FAX Driver 2" = Epson PC-FAX Driver

"EPSON Scanner" = EPSON Scan

"EPSON WorkForce 610 Series" = EPSON WorkForce 610 Series Printer Uninstall

"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.02

"Google Updater" = Google Updater

"HijackThis" = HijackThis 2.0.2

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"LimeWire" = LimeWire 5.5.8

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MGI_PRISM_V1_0" = MGI PhotoSuite II (Remove Only)

"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"OpenAL" = OpenAL

"RaybanMirror" = Ray-Ban Virtual Mirror

"SoftwareUpdUtility" = Download Updater (AOL LLC)

"TuneXP_1.5" = TuneXP 1.5

"ViewpointMediaPlayer" = Viewpoint Media Player

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinRAR archiver" = WinRAR archiver

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Works2002Setup" = Microsoft Works 2002 Setup Launcher

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 8/19/2010 2:35:54 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 8/19/2010 2:35:55 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 8/19/2010 4:37:50 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 8/19/2010 4:37:51 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 8/19/2010 5:23:49 PM | Computer Name = LANCE-BI12ZZRL6 | Source = Application Hang | ID = 1002

Description = Hanging application logon.scr, version 5.1.2600.5512, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/19/2010 11:00:21 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error - 8/19/2010 11:00:21 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 8/19/2010 11:11:29 PM | Computer Name = LANCE-BI12ZZRL6 | Source = Application Hang | ID = 1002

Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/20/2010 12:57:16 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error - 8/20/2010 12:57:16 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

[ Application Events ]

Error - 8/19/2010 2:35:54 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 8/19/2010 2:35:55 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 8/19/2010 4:37:50 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 8/19/2010 4:37:51 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 8/19/2010 5:23:49 PM | Computer Name = LANCE-BI12ZZRL6 | Source = Application Hang | ID = 1002

Description = Hanging application logon.scr, version 5.1.2600.5512, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/19/2010 11:00:21 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error - 8/19/2010 11:00:21 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 8/19/2010 11:11:29 PM | Computer Name = LANCE-BI12ZZRL6 | Source = Application Hang | ID = 1002

Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/20/2010 12:57:16 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error - 8/20/2010 12:57:16 PM | Computer Name = LANCE-BI12ZZRL6 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

[ System Events ]

Error - 8/20/2010 1:27:47 AM | Computer Name = LANCE-BI12ZZRL6 | Source = Service Control Manager | ID = 7001

Description = The DNS Client service depends on the TCP/IP Protocol Driver service

which failed to start because of the following error: %%31

Error - 8/20/2010 1:27:47 AM | Computer Name = LANCE-BI12ZZRL6 | Source = Service Control Manager | ID = 7001

Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support

Environment service which failed to start because of the following error: %%31

Error - 8/20/2010 1:27:47 AM | Computer Name = LANCE-BI12ZZRL6 | Source = Service Control Manager | ID = 7001

Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: %%31

Error - 8/20/2010 1:27:47 AM | Computer Name = LANCE-BI12ZZRL6 | Source = Service Control Manager | ID = 7001

Description = The Bonjour Service service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: %%31

Error - 8/20/2010 1:27:47 AM | Computer Name = LANCE-BI12ZZRL6 | Source = Service Control Manager | ID = 7001

Description = The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: %%31

Error - 8/20/2010 1:27:47 AM | Computer Name = LANCE-BI12ZZRL6 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD AsIO Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SASDIFSV SASKUTIL Tcpip

Error - 8/20/2010 3:13:09 AM | Computer Name = LANCE-BI12ZZRL6 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 8/20/2010 3:13:32 AM | Computer Name = LANCE-BI12ZZRL6 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service netman with

arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 8/20/2010 3:38:48 AM | Computer Name = LANCE-BI12ZZRL6 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 8/20/2010 12:54:08 PM | Computer Name = LANCE-BI12ZZRL6 | Source = System Error | ID = 1003

Description = Error code 1000007f, parameter1 0000000d, parameter2 00000000, parameter3

00000000, parameter4 00000000.

< End of report >


GMER (I'm not sure how much of this is an actual rootkit and how much is false positives from having Daemon Tools, as I just installed Daemon Tools 2 nights ago so I could burn my copy of Win7)

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-22 02:10:28

Windows 5.1.2600 Service Pack 3

Running: zo0zck77.exe; Driver: C:\DOCUME~1\lance\LOCALS~1\Temp\agpiyaod.sys

---- System - GMER 1.0.15 ----

SSDT spvw.sys ZwCreateKey [0xB9EB50E0]

SSDT spvw.sys ZwEnumerateKey [0xB9ECDDA4]

SSDT spvw.sys ZwEnumerateValueKey [0xB9ECE132]

SSDT spvw.sys ZwOpenKey [0xB9EB50C0]

SSDT spvw.sys ZwQueryKey [0xB9ECE20A]

SSDT spvw.sys ZwQueryValueKey [0xB9ECE08A]

SSDT spvw.sys ZwSetValueKey [0xB9ECE29C]

INT 0x62 ? 8A417BF8

INT 0x73 ? 8A417BF8

INT 0x82 ? 8A417BF8

INT 0x83 ? 8A09DF00

INT 0x83 ? 8A09DF00

INT 0x83 ? 8A09DF00

INT 0xA4 ? 8A09DF00

INT 0xB4 ? 8A09DF00

INT 0xB4 ? 8A09DF00

INT 0xB4 ? 8A09DF00

---- Kernel code sections - GMER 1.0.15 ----

? spvw.sys The system cannot find the file specified. !

.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xB4BAA000, 0x185EB2, 0xE8000020]

.text USBPORT.SYS!DllUnload B4B3E8AC 5 Bytes JMP 8A09D4E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EB6042] spvw.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9EB613E] spvw.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9EB60C0] spvw.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9EB6800] spvw.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9EB66D6] spvw.sys

IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [b9EC5B90] spvw.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A4161F8

Device \Driver\usbohci \Device\USBPDO-0 8A09C1F8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A3A61F8

Device \Driver\dmio \Device\DmControl\DmConfig 8A3A61F8

Device \Driver\dmio \Device\DmControl\DmPnP 8A3A61F8

Device \Driver\dmio \Device\DmControl\DmInfo 8A3A61F8

Device \Driver\usbohci \Device\USBPDO-1 8A09C1F8

Device \Driver\usbohci \Device\USBPDO-2 8A09C1F8

Device \Driver\usbehci \Device\USBPDO-3 8A0901F8

Device \Driver\usbohci \Device\USBPDO-4 8A09C1F8

Device \Driver\usbohci \Device\USBPDO-5 8A09C1F8

Device \Driver\usbehci \Device\USBPDO-6 8A0901F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A4181F8

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A4181F8

Device \Driver\Cdrom \Device\CdRom0 8A0A0298

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [b9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort0 [b9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort1 [b9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort2 [b9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort3 [b9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [b9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\NetBT \Device\NetBt_Wins_Export 8970B1F8

Device \Driver\NetBT \Device\NetbiosSmb 8970B1F8

Device \Driver\usbohci \Device\USBFDO-0 8A09C1F8

Device \Driver\usbohci \Device\USBFDO-1 8A09C1F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E11500

Device \Driver\usbehci \Device\USBFDO-2 8A0901F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 89E11500

Device \Driver\usbohci \Device\USBFDO-3 8A09C1F8

Device \Driver\usbohci \Device\USBFDO-4 8A09C1F8

Device \Driver\Ftdisk \Device\FtControl 8A4181F8

Device \Driver\usbehci \Device\USBFDO-5 8A0901F8

Device \Driver\usbohci \Device\USBFDO-6 8A09C1F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{15F45687-E031-4062-BEC2-FCF38E5CB617} 8970B1F8

Device \FileSystem\Cdfs \Cdfs 89F01500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x78 0xA2 0xD1 0x9A ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD1 0xBB 0xD1 0x64 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x93 0xC6 0xE1 0x31 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x83 0xF1 0x60 0x8B ...

---- EOF - GMER 1.0.15 ----


Hello, it's quite possible the "connection reset" error was due to the infection on your system.

GMER (I'm not sure how much of this is an actual rootkit and how much is false positives from having Daemon Tools, as I just installed Daemon Tools 2 nights ago so I could burn my copy of Win7)
The fact that you "burned a copy of win7" indicates that this is an illegal copy of windows. Do not be surprised you get infected by downloading illegal copies of windows or other copyrighted software.

Aside from the legal issues, such software often comes "preinstalled" with the latest malware. So if you install such a copy of windows on a system, big chance you are infected from the start.

Because you burned this DVD on a computer that is obviously infected, the risks are even bigger.

My advice: stay clean of all p2p/cracks/warez/otherwise illegal downloads if you indeed want to have a clean computer and keep it that way.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

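The reasoning behind the "disable CD emulation, then rescan" step can be made mechanical. The script below is an added triage example (not GMER's code and not from this thread): it parses the GMER sections posted above, groups kernel hooks by the module that owns them, and flags the pattern of a module that hooks the SSDT and atapi's HAL imports yet has no file GMER can find. The sample input is copied from the report; treating spvw.sys as SPTD's randomly named driver is an analyst assumption that the rescan is meant to confirm or refute.

```python
"""Triage a GMER rootkit-scan report: who owns the hooks, and is that module on disk?

Added example, not GMER's code. Any CD-emulation or anti-malware driver installs
some hooks, so the useful question is which module owns them and whether GMER can
see that module's file. A module hooking the SSDT and atapi.sys imports while GMER
reports "The system cannot find the file specified" is either a hidden legitimate
driver (SPTD, installed by DAEMON Tools, loads under a random sp??.sys name; that
attribution is an assumption here) or a kernel rootkit. Rescanning with CD
emulation disabled is what separates the two.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER report in this thread, trimmed.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT spvw.sys ZwCreateKey [0xB9EB50E0]
SSDT spvw.sys ZwSetValueKey [0xB9ECE29C]
INT 0x62 ? 8A417BF8
INT 0x83 ? 8A09DF00

---- Kernel code sections - GMER 1.0.15 ----

? spvw.sys The system cannot find the file specified. !
.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xB4BAA000, 0x185EB2, 0xE8000020]
.text USBPORT.SYS!DllUnload B4B3E8AC 5 Bytes JMP 8A09D4E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EB6042] spvw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9EB66D6] spvw.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [b9EC5B90] spvw.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A4161F8
Device \Driver\atapi \Device\Ide\IdePort0 [b9E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

---- EOF - GMER 1.0.15 ----
"""

SSDT_RE = re.compile(r"^SSDT (\S+) (\w+) \[0x([0-9A-Fa-f]+)\]")
INT_RE = re.compile(r"^INT (0x[0-9A-Fa-f]+) (\S+) ([0-9A-Fa-f]+)")
MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the file specified")
WRITABLE_RE = re.compile(r"^\.text (\S+) section is writeable")
INLINE_RE = re.compile(r"^\.text (\S+)!(\S+) ([0-9A-Fa-f]+) (\d+) Bytes JMP ([0-9A-Fa-f]+)")
IAT_RE = re.compile(r"^IAT (\S+?)\[(\S+?)\] \[([0-9A-Fa-f]+)\] (\S+)")
DEVICE_RE = re.compile(r"^Device (\S+) (\S+) \[([0-9A-Fa-f]+)\] (\S+?)\[unknown section\]")


def triage_gmer(report: str) -> dict:
    """Parse GMER output; return per-module hook counts plus analyst findings."""
    hooks = defaultdict(lambda: defaultdict(int))  # module -> hook kind -> count
    missing, inline, writable, unknown_dev = [], [], [], []
    unattributed_ints = 0
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):       # blank line or section header
            continue
        if m := SSDT_RE.match(line):                   # syscall table entry redirected
            hooks[m.group(1)]["SSDT"] += 1
        elif m := INT_RE.match(line):                  # IDT entry; "?" = owner unknown to GMER
            if m.group(2) == "?":
                unattributed_ints += 1
            else:
                hooks[m.group(2)]["INT"] += 1
        elif m := MISSING_RE.match(line):              # hooking module has no visible file
            missing.append(m.group(1))
        elif m := WRITABLE_RE.match(line):             # code section left writable
            writable.append(m.group(1))
        elif m := INLINE_RE.match(line):               # inline JMP patched into an export
            inline.append({"module": m.group(1), "export": m.group(2),
                           "bytes": int(m.group(4)), "target": m.group(5)})
        elif m := IAT_RE.match(line):                  # import entry now points elsewhere
            hooks[m.group(4)]["IAT"] += 1
        elif m := DEVICE_RE.match(line):               # dispatch routine outside known sections
            if m.group(4) not in unknown_dev:
                unknown_dev.append(m.group(4))

    findings = []
    for mod in missing:                                # the pattern worth a human's attention
        kinds = hooks.get(mod)
        if not kinds:
            continue
        detail = ", ".join(f"{k}={v}" for k, v in sorted(kinds.items()))
        findings.append(
            f"{mod}: {sum(kinds.values())} kernel hook(s) ({detail}) but no file on disk; "
            f"this is what a hidden driver looks like. Disable CD-emulation drivers and rescan: "
            f"if the hooks vanish, SPTD explains them; if not, treat {mod} as a rootkit candidate.")
    for dev in unknown_dev:
        findings.append(f"{dev}: device dispatch routine lives in an unknown section; "
                        f"typical of a low-level disk filter, so re-check after the rescan.")
    return {
        "hooks_by_module": {mod: dict(kinds) for mod, kinds in hooks.items()},
        "missing_on_disk": missing,
        "inline_patches": inline,
        "writable_code_sections": writable,
        "unknown_section_devices": unknown_dev,
        "unattributed_interrupts": unattributed_ints,
        "findings": findings,
    }
```

Running `triage_gmer(SAMPLE_GMER)["findings"]` on the sample yields the spvw.sys entry first, which is the item the DeFogger rescan is designed to resolve.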

I don't know if you're aware of this, but MS/Digital River offer the Win7 ISO for download, direct from their own servers. That's where my copy came from.

COMBOFIX

ComboFix 10-08-21.06 - lance 08/22/2010 11:40:08.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1179 [GMT -4:00]

Running from: c:\documents and settings\lance\My Documents\Downloads\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))

.

2010-08-21 02:13 . 2010-08-21 02:13 -------- d-----w- C:\Boot

2010-08-20 17:15 . 2010-08-20 17:15 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-08-20 17:15 . 2010-08-20 17:17 -------- d-----w- c:\documents and settings\lance\Application Data\DAEMON Tools Lite

2010-08-20 17:14 . 2010-08-20 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2010-08-20 05:28 . 2010-08-20 05:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-08-20 03:20 . 2010-08-20 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-08-19 02:56 . 2010-08-19 02:56 -------- d-----w- c:\windows\system32\NtmsData

2010-08-18 02:40 . 2010-08-19 18:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\wrvyssakp

2010-08-16 01:53 . 2010-08-16 01:53 -------- d-----w- c:\documents and settings\lance\Application Data\Office Genuine Advantage

2010-08-16 01:34 . 2010-04-20 06:09 180824 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\dlupd.exe

2010-08-16 01:34 . 2010-04-20 06:09 97112 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\bsetutil.exe

2010-08-16 01:34 . 2010-04-20 06:09 245080 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\migrator.exe

2010-08-16 01:34 . 2010-04-20 06:09 10072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\imappver.dll

2010-08-16 01:34 . 2010-04-20 06:09 36704 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\postproc.exe

2010-08-16 01:34 . 2010-04-20 06:09 1062232 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\gui.dll

2010-08-16 01:34 . 2010-04-20 06:09 111960 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AOLSearch.dll

2010-08-16 01:34 . 2010-04-20 06:09 2351472 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AIMLang.exe

2010-08-16 01:34 . 2010-04-20 06:09 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AOLFirewallMgr.dll

2010-08-16 01:34 . 2009-12-16 12:07 136528 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AOLSetup.exe

2010-08-08 19:18 . 2010-08-08 19:18 -------- d-----w- c:\program files\CPUID

2010-08-08 19:18 . 2010-07-09 17:18 20328 ----a-w- c:\windows\system32\drivers\cpuz134_x32.sys

2010-08-05 21:54 . 2010-08-05 21:54 -------- d-----w- c:\documents and settings\lance\Application Data\com.pandora.desktop.FB9956FD96E03239939108614098AD95535EE674.1

2010-08-05 21:54 . 2010-08-05 21:54 -------- d-----w- c:\program files\Pandora

2010-08-05 21:54 . 2010-08-05 21:53 53632 ----a-w- c:\documents and settings\lance\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-08-05 21:54 . 2010-08-05 21:54 -------- d-----w- c:\program files\Common Files\Adobe AIR

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-22 05:49 . 2008-09-07 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-08-16 01:35 . 2010-08-16 01:35 -------- d-----w- c:\program files\Common Files\Software Update Utility

2010-08-16 01:35 . 2010-08-16 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2010-08-16 01:35 . 2010-08-16 01:35 -------- d-----w- c:\program files\AIM

2010-08-16 01:35 . 2009-11-23 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

2010-08-14 03:11 . 2009-02-02 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-05 21:53 . 2010-08-20 03:19 53632 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-06-30 12:31 . 2001-08-23 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-26 14:22 . 2008-11-26 06:17 -------- d-----w- c:\documents and settings\lance\Application Data\LimeWire

2010-06-24 12:15 . 2008-06-24 04:17 832512 ----a-w- c:\windows\system32\wininet.dll

2010-06-24 12:15 . 2008-06-24 04:29 78336 ------w- c:\windows\system32\ieencode.dll

2010-06-24 12:15 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-06-23 13:44 . 2001-08-23 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2001-08-23 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2001-08-23 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2008-06-24 04:15 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-06-14 07:41 . 2008-06-24 04:16 1172480 ----a-w- c:\windows\system32\msxml3.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-12-29 1653248]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^lance^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\lance\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^lance^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]

path=c:\documents and settings\lance\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk

backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]

2009-02-06 05:00 843776 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 12:06 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [8/8/2010 3:18 PM 20328]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/24/2008 12:50 AM 24652]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [6/24/2008 2:45 PM 36864]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 10:12 PM 135664]

S3 ALSysIO;ALSysIO;\??\c:\docume~1\lance\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\lance\LOCALS~1\Temp\ALSysIO.sys [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/20/2010 1:15 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-07-18 21:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-08-22 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 23:07]

2010-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:12]

2010-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:12]

2010-08-22 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://msn.com/

uInternet Settings,ProxyOverride = *.local

IE: Send Image to Photo Library

FF - ProfilePath - c:\documents and settings\lance\Application Data\Mozilla\Firefox\Profiles\hpc9de45.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20100816013530796&tb_oid=16-08-2010&tb_mrud=16-08-2010

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - msn.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: nglayout.initialpaint.delay - 100

FF - user.js: content.notify.ontimer - true

FF - user.js: content.notify.interval - 100000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.max-connections - 32

FF - user.js: network.http.max-connections-per-server - 8

FF - user.js: network.http.max-persistent-connections-per-proxy - 4

FF - user.js: network.http.max-persistent-connections-per-server - 2

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

FF - user.js: browser.sessionstore.resume_from_crash - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll

MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-22 11:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\


I don't know if you're aware of this, but MS/Digital River offer the Win7 ISO for download, direct from their own servers. That's where my copy came from.
I'm aware of that, however, I was under the impression you don't need DT to burn that to a CD.

Sorry for any misunderstandings.

Based on the description you gave me, I still think we are dealing with a rootkit here, although Combofix doesn't seem to see it.

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"


Going from bad to worse here. I just turned the XP computer back on, and I thought it locked up at the welcome screen. Alt-tabbing showed two things running: the Windows logon and restoring network connection. Once it finally got into the desktop, I have no net connection at all. Looking at the network connection, it shows I sent 163 packets and received 0 packets in 3 mins, at which point the system restarted itself.


No, there's no error message when it shuts down. Something is actually triggering the shutdown procedure, as if I click Start/Shutdown myself.

I did get the internet problem sorted out. I just installed a PCI Ethernet card, rather than continuing to use the onboard Ethernet. I haven't checked it on XP yet, but I'm sending this from a fresh install of Win7 (ya, reinstalling Win7 from scratch didn't do any good).


RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xA4427000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4796416 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xB4BEC000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 4333568 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xBF17C000 C:\WINDOWS\System32\ati3duag.dll 3178496 bytes (ATI Technologies Inc. , ati3duag.dll)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBF484000 C:\WINDOWS\System32\ativvaxx.dll 1757184 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xB9E35000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xBF05F000 C:\WINDOWS\System32\ati2cqag.dll 520192 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xBF0DE000 C:\WINDOWS\System32\atikvmag.dll 458752 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xA421F000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB4AB3000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xA434B000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA11AD000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 315392 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xA0C6C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB4B11000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xBF14E000 C:\WINDOWS\System32\atiok3x2.dll 188416 bytes (ATI Technologies Inc., Ring 0 x2 component)

0xA1791000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB9E08000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xA428F000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB4BB0000 C:\WINDOWS\System32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA4323000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xA42FD000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xA48FA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB4B69000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB4B8D000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xA42DB000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xA42BA000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 135168 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xA491E000 C:\WINDOWS\system32\drivers\AtiHdAud.sys 106496 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)

0xB9DEE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xA413F000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xB9EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB4B52000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xA14FC000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB4BD8000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xA43A4000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xB4B41000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xBA138000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xB509E000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xB507E000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xBA2B8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xB508E000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xA1691000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xB500E000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xBA0E8000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xB506E000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xB505E000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xB503E000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xBA2E8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xBA278000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xB504E000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xBA288000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xB501E000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xBA2F8000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xB502E000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xBA2D8000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xA1244000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xBA258000 C:\WINDOWS\System32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xBA308000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xBA488000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xBA498000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xBA428000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xBA430000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xBA470000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xBA490000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 28672 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)

0xBA458000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xBA438000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xBA3E8000 C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)

0xBA478000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xBA460000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xBA480000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xBA448000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xBA450000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xBA440000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xBA420000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xBA4A0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xA17D6000 C:\WINDOWS\system32\drivers\cpuz134_x32.sys 16384 bytes (Windows ® Win 7 DDK provider, CPUID Driver)

0xB4A7A000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xB55B7000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xA1A26000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xB55DB000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xA4423000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xB5DAA000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 12288 bytes (GEAR Software Inc., CD DVD Filter)

0xB5DB6000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xB55D3000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xBA5A4000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xB55D7000 C:\WINDOWS\System32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)

0xBA5D0000 C:\WINDOWS\System32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)

0xBA5E2000 C:\WINDOWS\system32\drivers\AsIO.sys 8192 bytes

0xBA5DC000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xBA5E4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xBA5DA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xBA5DE000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xBA5E0000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xBA5D2000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xBA5D4000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xBA5AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xBA671000 amdide.sys 4096 bytes (Advanced Micro Devices, AMD PCI SATA/IDE Bus Driver)

0xBA6D8000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xBA6B7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xBA6A7000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

0x05100000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 102400 bytes

0x00C70000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x89D57860 ] PID: 264, 110592 bytes

0x01250000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 110592 bytes

0x05FF0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 110592 bytes

0x05010000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 126976 bytes

0x04F90000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 143360 bytes

0x05970000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 1519616 bytes

0x052C0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 1691648 bytes

0x05460000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 208896 bytes

0x04FC0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 225280 bytes

0x043C0000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 266240 bytes

0x00E40000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x89D57860 ] PID: 264, 28672 bytes

0x01060000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x89D57860 ] PID: 264, 28672 bytes

0x054C0000 Hidden Image-->atixclib.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x00CF0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x00D10000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x038F0000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x03940000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x03980000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x03A90000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x03AD0000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x03AB0000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x03B00000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x03B10000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04120000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04130000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04450000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04420000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04490000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04630000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04600000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x045F0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04680000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x047F0000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04840000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04A30000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04F20000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04F10000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04F40000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04F50000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x04F80000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x05050000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 28672 bytes

0x01080000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x89D57860 ] PID: 264, 307200 bytes

0x00D50000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x89DE0670 ] PID: 1888, 307200 bytes

0x05D50000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 364544 bytes

0x03C00000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x89D57860 ] PID: 264, 36864 bytes

0x01270000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x03920000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x03950000 Hidden Image-->AEM.Foundation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x04410000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x04650000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x04740000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x04710000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x047B0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x04820000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x04F30000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 36864 bytes

0x03B30000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x89DE0670 ] PID: 1888, 380928 bytes

0x05750000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 413696 bytes

0x05BF0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 446464 bytes

0x00CA0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x89D57860 ] PID: 264, 45056 bytes

0x00D10000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x89D57860 ] PID: 264, 45056 bytes

0x00CC0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x00CE0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x00DB0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x03900000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x04660000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x04690000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x04720000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x047A0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 45056 bytes

0x05CE0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 454656 bytes

0x05C60000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 487424 bytes

0x05060000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 495616 bytes

0x04E80000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 503808 bytes

0x03BE0000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x89D57860 ] PID: 264, 53248 bytes

0x04F00000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x038E0000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x038D0000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x03910000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x03AA0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x03AF0000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x04640000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x04700000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x04750000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x047E0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x05040000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x054A0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 53248 bytes

0x05DB0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 593920 bytes

0x00D00000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 61440 bytes

0x04090000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 61440 bytes

0x04760000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 61440 bytes

0x04880000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 61440 bytes

0x048E0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 61440 bytes

0x04A20000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 61440 bytes

0x00D20000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x89D57860 ] PID: 264, 69632 bytes

0x00D20000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 69632 bytes

0x047C0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 69632 bytes

0x04860000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 69632 bytes

0x04470000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 77824 bytes

0x04610000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 77824 bytes

0x046E0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 77824 bytes

0x05F20000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 815104 bytes

0x038B0000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 86016 bytes

0x046B0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 86016 bytes

0x048C0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 86016 bytes

0x04F60000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x89DE0670 ] PID: 1888, 86016 bytes

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


That looks clean, but to be completely on the safe side, let's also check the MBR.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.


Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001d

Kernel Drivers (total 121):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0xBA5A8000 \WINDOWS\system32\KDCOM.DLL

0xBA4B8000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

0xBA0B8000 MountMgr.sys

0xB9F49000 ftdisk.sys

0xBA5AC000 dmload.sys

0xB9F23000 dmio.sys

0xBA330000 PartMgr.sys

0xBA671000 amdide.sys

0xBA0C8000 VolSnap.sys

0xB9F0B000 atapi.sys

0xBA0D8000 disk.sys

0xBA0E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

0xB9EEB000 fltmgr.sys

0xB9ED9000 sr.sys

0xB9EC2000 KSecDD.sys

0xB9E35000 Ntfs.sys

0xB9E08000 NDIS.sys

0xB9DEE000 Mup.sys

0xBA258000 \SystemRoot\System32\DRIVERS\processr.sys

0xB4BEC000 \SystemRoot\System32\DRIVERS\ati2mtag.sys

0xB4BD8000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS

0xB4BB0000 \SystemRoot\System32\DRIVERS\HDAudBus.sys

0xBA268000 \SystemRoot\System32\DRIVERS\imapi.sys

0xBA278000 \SystemRoot\System32\DRIVERS\cdrom.sys

0xB509E000 \SystemRoot\System32\DRIVERS\redbook.sys

0xB4B8D000 \SystemRoot\System32\DRIVERS\ks.sys

0xB5DAA000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys

0xBA420000 \SystemRoot\System32\DRIVERS\usbohci.sys

0xB4B69000 \SystemRoot\System32\DRIVERS\USBPORT.SYS

0xBA428000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB508E000 \SystemRoot\System32\DRIVERS\serial.sys

0xB55DB000 \SystemRoot\System32\DRIVERS\serenum.sys

0xBA430000 \SystemRoot\System32\DRIVERS\fdc.sys

0xBA5D0000 \SystemRoot\System32\DRIVERS\ASACPI.sys

0xB507E000 \SystemRoot\System32\DRIVERS\i8042prt.sys

0xBA438000 \SystemRoot\System32\DRIVERS\mouclass.sys

0xBA440000 \SystemRoot\system32\DRIVERS\RTL8139.SYS

0xB55D7000 \SystemRoot\System32\DRIVERS\wmiacpi.sys

0xBA6E2000 \SystemRoot\System32\DRIVERS\audstub.sys

0xB506E000 \SystemRoot\System32\DRIVERS\rasl2tp.sys

0xB55D3000 \SystemRoot\System32\DRIVERS\ndistapi.sys

0xB4B52000 \SystemRoot\System32\DRIVERS\ndiswan.sys

0xB505E000 \SystemRoot\System32\DRIVERS\raspppoe.sys

0xB504E000 \SystemRoot\System32\DRIVERS\raspptp.sys

0xBA448000 \SystemRoot\System32\DRIVERS\TDI.SYS

0xB4B41000 \SystemRoot\System32\DRIVERS\psched.sys

0xB503E000 \SystemRoot\System32\DRIVERS\msgpc.sys

0xBA450000 \SystemRoot\System32\DRIVERS\ptilink.sys

0xBA458000 \SystemRoot\System32\DRIVERS\raspti.sys

0xB4B11000 \SystemRoot\System32\DRIVERS\rdpdr.sys

0xB502E000 \SystemRoot\System32\DRIVERS\termdd.sys

0xBA460000 \SystemRoot\System32\DRIVERS\kbdclass.sys

0xBA5D2000 \SystemRoot\System32\DRIVERS\swenum.sys

0xB4AB3000 \SystemRoot\System32\DRIVERS\update.sys

0xB55B7000 \SystemRoot\System32\DRIVERS\mssmbios.sys

0xB501E000 \SystemRoot\System32\DRIVERS\usbhub.sys

0xBA5D4000 \SystemRoot\System32\DRIVERS\USBD.SYS

0xB500E000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xA491E000 \SystemRoot\system32\drivers\AtiHdAud.sys

0xA48FA000 \SystemRoot\system32\drivers\portcls.sys

0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys

0xA4467000 \SystemRoot\system32\drivers\RtkHDAud.sys

0xBA468000 \SystemRoot\System32\DRIVERS\flpydisk.sys

0xBA5DA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA6ED000 \SystemRoot\System32\Drivers\Null.SYS

0xBA5DC000 \SystemRoot\System32\Drivers\Beep.SYS

0xBA478000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xBA480000 \SystemRoot\System32\drivers\vga.sys

0xBA5DE000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA5E0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xBA488000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA490000 \SystemRoot\System32\Drivers\Npfs.SYS

0xBA5A4000 \SystemRoot\System32\DRIVERS\rasacd.sys

0xA43E4000 \SystemRoot\System32\DRIVERS\ipsec.sys

0xA438B000 \SystemRoot\System32\DRIVERS\tcpip.sys

0xA4363000 \SystemRoot\System32\DRIVERS\netbt.sys

0xA433D000 \SystemRoot\System32\DRIVERS\ipnat.sys

0xBA2C8000 \SystemRoot\System32\DRIVERS\wanarp.sys

0xA431B000 \SystemRoot\System32\drivers\afd.sys

0xBA2D8000 \SystemRoot\System32\DRIVERS\netbios.sys

0xA42FA000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

0xBA498000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

0xBA4A0000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xA42CF000 \SystemRoot\System32\DRIVERS\rdbss.sys

0xA425F000 \SystemRoot\System32\DRIVERS\mrxsmb.sys

0xBA2E8000 \SystemRoot\System32\Drivers\Fips.SYS

0xBA5E2000 \SystemRoot\system32\drivers\AsIO.sys

0xB5DB6000 \SystemRoot\System32\DRIVERS\hidusb.sys

0xBA2F8000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS

0xB5DAE000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xBA318000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xA417F000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xBA5E4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xB4A5E000 \SystemRoot\System32\drivers\Dxapi.sys

0xBA4A8000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA69A000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF05F000 \SystemRoot\System32\ati2cqag.dll

0xBF0DE000 \SystemRoot\System32\atikvmag.dll

0xBF14E000 \SystemRoot\System32\atiok3x2.dll

0xBF17C000 \SystemRoot\System32\ati3duag.dll

0xBF484000 \SystemRoot\System32\ativvaxx.dll

0xA1B0A000 \SystemRoot\System32\DRIVERS\ndisuio.sys

0xA17C1000 \SystemRoot\system32\drivers\wdmaud.sys

0xA1A6E000 \SystemRoot\system32\drivers\sysaudio.sys

0xA16D3000 \SystemRoot\system32\drivers\kmixer.sys

0xA158C000 \SystemRoot\System32\DRIVERS\mrxdav.sys

0xA15D1000 \??\C:\WINDOWS\system32\drivers\cpuz134_x32.sys

0xA12B5000 \SystemRoot\System32\DRIVERS\srv.sys

0xA0CAC000 \SystemRoot\System32\Drivers\HTTP.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 36):

0 System Idle Process

4 System

492 C:\WINDOWS\system32\smss.exe

540 csrss.exe

572 C:\WINDOWS\system32\winlogon.exe

616 C:\WINDOWS\system32\services.exe

628 C:\WINDOWS\system32\lsass.exe

804 C:\WINDOWS\system32\ati2evxx.exe

824 C:\WINDOWS\system32\svchost.exe

872 svchost.exe

952 C:\WINDOWS\system32\svchost.exe

1040 svchost.exe

1096 svchost.exe

1248 C:\WINDOWS\system32\spoolsv.exe

1260 C:\WINDOWS\system32\ati2evxx.exe

1676 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe

1832 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

1848 C:\Program Files\Bonjour\mDNSResponder.exe

1888 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

1936 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

180 C:\Program Files\Common Files\LightScribe\LSSrvc.exe

432 C:\WINDOWS\system32\svchost.exe

772 C:\Program Files\Viewpoint\Common\ViewpointService.exe

1060 C:\WINDOWS\system32\wuauclt.exe

1984 C:\WINDOWS\explorer.exe

1996 alg.exe

2212 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

2224 C:\WINDOWS\RTHDCPL.exe

2232 C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

2264 C:\Program Files\AWS\WeatherBug\Weather.exe

2276 C:\WINDOWS\system32\ctfmon.exe

2332 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

2972 C:\WINDOWS\system32\svchost.exe

3312 C:\Program Files\Mozilla Firefox\firefox.exe

3596 wmiprvse.exe

3932 C:\Documents and Settings\lance\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001f`ff588800 (NTFS)

PhysicalDrive0 Model Number: ST3320620A, Rev: 3.AAF

Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Done!

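An MBRCheck log like the one above is normally read by eye. As an added example (not part of this thread, and not code from MBRCheck or its author), the Python below pulls the fields that matter for triage out of such a log: the kernel drivers loaded from outside the Windows directory (the `\??\` paths, which is also where a dropped driver registered with an explicit ImagePath would show up), the per-disk MBR status line, and the SHA1 that MBRCheck prints for the boot sector. The embedded sample is constructed from a few lines of the log posted above. The `known_good_sha1` parameter and the rule that any status not ending in "MBR code detected" needs follow-up are my assumptions for this example, not documented MBRCheck behaviour.

```python
import re

# Constructed sample: a handful of lines taken from the MBRCheck log posted above,
# trimmed so the example runs offline. Real logs are hundreds of lines long.
SAMPLE_LOG = r"""Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d
Kernel Drivers (total 121):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xB9F79000 ACPI.sys
0xA42FA000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xBA498000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xA15D1000 \??\C:\WINDOWS\system32\drivers\cpuz134_x32.sys
0xBF800000 \SystemRoot\System32\win32k.sys
Processes (total 36):
0 System Idle Process
4 System
3932 C:\Documents and Settings\lance\My Documents\Downloads\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
PhysicalDrive0 Model Number: ST3320620A, Rev: 3.AAF
Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
Done!
"""

# Line shapes as they appear in the log: "<base address> <driver path>",
# "<pid> <image>", "<size> <device> <MBR status>" and "SHA1: <hex>".
DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(?P<path>\S.*)$")
PROCESS_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>\S.*)$")
MBR_RE = re.compile(r"^(?P<size>\d+ [KMGT]B)\s+(?P<device>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+)$")
SHA1_RE = re.compile(r"^SHA1:\s*(?P<sha1>[0-9A-Fa-f]{40})$")

# Drivers under the Windows directory; everything else is listed for review.
SYSTEM_PREFIXES = (r"\windows\system32", r"\systemroot\system32")


def is_system_path(path):
    """True for drivers the log shows under the Windows directory.

    Bare names such as ACPI.sys are boot-start drivers that the log prints
    without a path, so they are treated as system drivers too.
    """
    p = path.lower()
    if "\\" not in p:
        return True
    return p.startswith(SYSTEM_PREFIXES)


def parse_mbrcheck(text):
    """Split an MBRCheck log into its version, driver, process and disk parts."""
    result = {"windows_version": None, "service_pack": None,
              "drivers": [], "processes": [], "disks": [], "sha1": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHA1_RE.match(line)
        if m:
            result["sha1"] = m.group("sha1")
            continue
        m = MBR_RE.match(line)  # checked before the process regex: "298 GB ..." also starts with digits
        if m:
            result["disks"].append({"size": m.group("size"),
                                    "device": m.group("device"),
                                    "status": m.group("status")})
            continue
        if line.startswith("Windows Version:"):
            result["windows_version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Windows Information:"):
            result["service_pack"] = line.split(":", 1)[1].strip()
        elif line.startswith("Kernel Drivers"):
            section = "drivers"
        elif line.startswith("Processes"):
            section = "processes"
        elif section == "drivers":
            m = DRIVER_RE.match(line)
            if m:
                result["drivers"].append(m.group("path"))
        elif section == "processes":
            m = PROCESS_RE.match(line)
            if m:
                result["processes"].append((int(m.group("pid")), m.group("image")))
    return result


def triage(parsed, known_good_sha1=None):
    """Summarise what a helper would look at first in a parsed log.

    known_good_sha1 is an assumed parameter for this example: the SHA1 of a
    boot sector previously verified on the same machine, if one is on record.
    """
    disks = parsed["disks"]
    findings = {
        "non_system_drivers": [d for d in parsed["drivers"] if not is_system_path(d)],
        "mbr_status": [d["status"] for d in disks],
        # Assumption: a status ending in "MBR code detected" is bootstrap code
        # MBRCheck recognised; anything else is treated as needing follow-up.
        "mbr_recognised": bool(disks) and all(d["status"].endswith("MBR code detected") for d in disks),
        "sha1": parsed["sha1"],
        "sha1_matches_known_good": None,
    }
    if known_good_sha1 is not None and parsed["sha1"] is not None:
        findings["sha1_matches_known_good"] = parsed["sha1"].lower() == known_good_sha1.lower()
    return findings


if __name__ == "__main__":
    report = triage(parse_mbrcheck(SAMPLE_LOG))
    print("Drivers loaded from outside the Windows directory:")
    for path in report["non_system_drivers"]:
        print("  ", path)
    print("MBR status:", ", ".join(report["mbr_status"]))
    print("Recognised bootstrap code:", report["mbr_recognised"])
    print("Boot sector SHA1:", report["sha1"])
```

On the sample, the three drivers flagged are the two SUPERAntiSpyware drivers and the CPU-Z driver, all of which the rest of the thread accounts for; the value of the list is that an unexplained entry stands out the same way. The SHA1 only becomes useful when there is something to compare it with, which is why the comparison is optional.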

Okay, in the meantime, let's do some updating and scanning for leftovers. ;)

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Now please launch MBAM, update it and run a full scan. Post me the resulting log.


This topic is now closed to further replies.