« previous next »
Pages: [1] 2

Author Topic: Rootkit.TDSS  (Read 2221 times)

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« on: January 20, 2010, 04:38:53 PM »
I am unable to remove this malware from my computer. I have tried Malwarebytes but it does not work. I looked it up and it seems to be a dangerous infection so I really would appreciate any help, for I do not want to do a full system recovery.  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />

Thank you in advance.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #1 on: January 20, 2010, 07:39:43 PM »
Quote
I am unable to remove this malware from my computer. I have tried Malwarebytes but it does not work

Did you get Malwarebyte's to run?
If you did, reopen Malwarebytes, under the LOGS tab, double click to open the latest logfile
Copy/paste back here the whole contents

In addition:
Download [color=\"#FF0000\"]OTL.exe[/color][/url] by OldTimer to your Desktop.
  • Close all windows and double click on OTL.exe to run it
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

NOTE: If you have trouble, or an error message trying to post the logs
Can you upload it to a reply box
In a Reply, select "Browse..." on the bottom right and then navigate to the file and select it
Then click "Upload"
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #2 on: January 21, 2010, 01:20:36 AM »
Yes, I am able to run Malwarebytes, after some trial. But here is the latest log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.11

1/20/2010 10:00:47 PM
mbam-log-2010-01-20 (22-00-47).txt

Scan type: Quick Scan
Objects scanned: 112347
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



And this is the OTL.txt:

OTL logfile created on: 1/20/2010 10:10:05 PM - Run 1
OTL by OldTimer - Version 3.1.25.2     Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
479.00 Mb Total Physical Memory | 261.00 Mb Available Physical Memory | 54.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 103.96 Gb Free Space | 69.75% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 120.73 Mb Total Space | 42.80 Mb Free Space | 35.45% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: MY-COMPUTER
Current User Name: ngo
Logged in as Administrator.
 
Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
[color=\"#E56717\"]========== Processes (SafeList) ==========[/color]
 
PRC - [2010/01/21 13:29:40 | 00,547,328 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2007/06/13 02:23:08 | 01,423,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/30 04:31:10 | 00,312,880 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 
 
[color=\"#E56717\"]========== Modules (SafeList) ==========[/color]
 
MOD - [2010/01/21 13:29:40 | 00,547,328 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
MOD - [2006/08/25 07:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
 
 
[color=\"#E56717\"]========== Win32 Services (SafeList) ==========[/color]
 
SRV - File not found [On_Demand | Stopped] --  -- (ose)
SRV - [2009/09/04 12:17:00 | 00,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2009/09/04 12:16:54 | 05,893,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/09/04 12:16:54 | 00,058,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2009/01/26 14:13:52 | 00,303,104 | ---- | M] (Motive Communications, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/05/30 04:31:10 | 00,312,880 | ---- | M] (GRISOFT s.r.o.) [Auto | Running] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe -- (AVG Anti-Spyware Guard)
SRV - [2005/05/17 14:40:42 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2002/04/12 00:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) [Auto | Stopped] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)
 
 
[color=\"#E56717\"]========== Driver Services (SafeList) ==========[/color]
 
DRV - [2009/09/01 23:28:46 | 00,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2009/01/26 14:13:41 | 00,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/01/26 14:13:39 | 00,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/08 19:59:19 | 00,163,712 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\vidstub.sys -- (BootScreen)
DRV - [2007/05/30 04:10:42 | 00,011,000 | ---- | M] () [Kernel | System | Stopped] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys -- (AVG Anti-Spyware Driver)
DRV - [2007/05/30 04:10:42 | 00,010,872 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AvgAsCln.sys -- (AvgAsCln)
DRV - [2007/04/14 16:01:30 | 00,062,592 | ---- | M] (Chic Tech.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\moufiltr.sys -- (moufiltr)
DRV - [2007/04/09 08:56:22 | 00,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 08:55:08 | 00,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 08:53:24 | 00,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2007/03/07 15:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2006/11/02 06:00:08 | 00,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2004/10/31 08:19:31 | 00,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\npptNT2.sys -- (NPPTNT2)
DRV - [2004/10/09 01:51:08 | 00,503,507 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0080Dev.sys -- (V0080Dev)
DRV - [2004/08/04 04:00:00 | 00,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 04:00:00 | 00,012,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2004/08/04 04:00:00 | 00,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2004/08/03 22:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/02 08:32:48 | 00,073,600 | ---- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\viamraid.sys -- (viamraid)
DRV - [2004/08/02 08:32:46 | 00,818,496 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmuda.sys -- (cmuda)
DRV - [2004/08/02 08:32:46 | 00,149,120 | ---- | M] (Copyright © VIA/S3 Graphics Co, Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx)
DRV - [2004/02/04 09:27:56 | 00,049,536 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tiehdusb.sys -- (TIEHDUSB)
DRV - [2003/07/02 01:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/03/31 10:29:00 | 00,625,537 | ---- | M] (LT) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/01/09 20:13:16 | 00,236,981 | ---- | M] (Jungo) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\windrvr.sys -- (WinDriver)
DRV - [2002/10/02 01:22:32 | 00,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2002/02/19 16:02:54 | 00,007,157 | ---- | M] (Beyond Logic http://www.beyondlogic.org) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\porttalk.sys -- (PortTalk)
DRV - [2001/10/18 09:00:00 | 00,006,234 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaide.sys -- (ViaIde)
DRV - [2001/08/23 05:03:54 | 00,025,434 | ---- | M] (Realtek Semiconductor Corporation                                                ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)
DRV - [2001/08/17 13:12:22 | 00,010,368 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbScn.sys -- (BrUsbScn)
DRV - [2001/08/17 13:12:20 | 00,060,416 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerWdm.sys -- (BrSerWDM)
DRV - [2001/08/17 13:12:20 | 00,011,008 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2001/08/17 13:12:12 | 00,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [1999/09/10 03:06:00 | 00,025,244 | ---- | M] (Adaptec) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (Aspi32)
 
 
[color=\"#E56717\"]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=\"#E56717\"]========== Internet Explorer ==========[/color]
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en&source=iglk
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
[color=\"#E56717\"]========== FireFox ==========[/color]
 
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=en"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.%(version)s
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/13 21:32:13 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/13 21:32:13 | 00,000,000 | ---D | M]
 
[2008/09/13 20:13:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ngo\Application Data\Mozilla\Extensions
[2010/01/13 21:13:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\extensions
[2008/09/20 23:10:17 | 00,000,000 | ---D | M] (Azerty III) -- C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\extensions\{04CA07AB-7FC3-4110-A83F-EF1E6B75D5B0}
[2008/09/20 23:12:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\extensions\CrystalFox_Qute@BigRedBrent
[2006/03/07 20:29:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\extensions\temp
[2008/02/17 11:25:27 | 00,001,877 | ---- | M] () -- C:\Documents and Settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\searchplugins\aolsearch.xml
[2010/01/13 21:13:04 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
 
O1 HOSTS File: ([2008/08/02 18:33:55 | 00,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (StylerToolBar) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll (StyleFantasist)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [!AVG Anti-Spyware] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (GRISOFT s.r.o.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [BootSkin Startup Jobs] C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe ()
O4 - HKLM..\Run: [Cmaudio]  File not found
O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\moffice.exe ()
O4 - HKLM..\Run: [Glass2k] C:\Documents and Settings\ngo\My Documents\Downloads\Glass2k.exe (Chime Softwares)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O4 - HKLM..\Run: [LClock] C:\Program Files\LClock\LClock.exe ()
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTTrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim6]  File not found
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe ( )
O4 - HKCU..\Run: [EPSON WorkForce 500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEQA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [LClock] C:\Program Files\LClock\LClock.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKCU..\Run: [twunk_32x.exe] C:\DOCUME~1\ngo\LOCALS~1\Temp\twunk_32x.exe File not found
O4 - HKCU..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe (Lee-Soft.com)
O4 - HKCU..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe (Lee Matthew Chantrey & Windows X)
O4 - Startup: C:\Documents and Settings\Anh Pham\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 84 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0B96BF84-DA5C-46F4-A7FC-5319CFF74163} http://player.mnet.com/package/cjmuset.cab (MnetLauncher Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll (Installation Support)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab (TTestGenXInstallObject)
O16 - DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} http://www.mnet.com/Ver2/App/totalApp/maxh...r/maxhelper.cab (MaxHelper Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab (Pearson Installation Assistant 2)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.com/books/_Players/MathPlayer.cab (Pearson MathXL Player)
O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} http://live.pdbox.co.kr:8057/AFCStarter.cab (AFCStarter Control)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx ()
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (vistaui.exe) - C:\WINDOWS\System32\vistaui.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\ngo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ngo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
 
[color=\"#E56717\"]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2010/01/14 22:23:47 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/01/14 21:26:44 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\ngo\Recent
[2010/01/14 00:34:43 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/14 00:34:39 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/14 00:34:38 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/13 22:59:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ngo\Application Data\Grisoft
[2010/01/13 22:59:12 | 00,010,872 | ---- | C] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\drivers\AvgAsCln.sys
[2010/01/13 22:59:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2010/01/13 22:59:07 | 00,000,000 | ---D | C] -- C:\Program Files\Grisoft
[2010/01/12 15:58:49 | 00,470,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/06 14:36:13 | 00,000,000 | ---D | C] -- C:\Program Files\VisualTooltip
[2010/01/06 14:36:13 | 00,000,000 | ---D | C] -- C:\Program Files\ViStart
[2010/01/06 14:36:13 | 00,000,000 | ---D | C] -- C:\Program Files\ViOrb
[2010/01/06 14:36:11 | 00,000,000 | ---D | C] -- C:\Program Files\Vista Sidebar
[2010/01/06 14:36:10 | 06,181,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vistaui.exe
[2010/01/06 14:36:10 | 00,000,000 | ---D | C] -- C:\Program Files\LClock
[2010/01/06 14:23:11 | 00,000,000 | ---D | C] -- C:\Program Files\Red Kawa
[2010/01/06 14:23:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ngo\Application Data\Red Kawa
[2010/01/06 13:59:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ngo\Application Data\ViGlance
[2010/01/06 13:57:43 | 00,000,000 | ---D | C] -- C:\Program Files\ViSplore
[2010/01/06 13:57:41 | 00,000,000 | ---D | C] -- C:\Program Files\ViStart(2)
[2010/01/06 13:57:40 | 00,000,000 | ---D | C] -- C:\Program Files\Vista Rainbar
[2010/01/06 13:57:40 | 00,000,000 | ---D | C] -- C:\Program Files\ViGlance
[2010/01/06 13:57:39 | 00,000,000 | ---D | C] -- C:\Program Files\Vista Drive Icon
[2009/12/28 14:48:07 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2008/08/15 17:15:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/12/01 00:06:54 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/11/24 01:10:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/08/23 11:29:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
[color=\"#E56717\"]========== Files - Modified Within 30 Days ==========[/color]
 
[2010/01/20 21:48:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/20 13:35:35 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/20 13:34:42 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\ngo\ntuser.ini
[2010/01/20 13:34:41 | 09,961,472 | ---- | M] () -- C:\Documents and Settings\ngo\ntuser.dat
[2010/01/20 13:13:00 | 04,314,324 | -H-- | M] () -- C:\Documents and Settings\ngo\Local Settings\Application Data\IconCache.db
[2010/01/20 12:59:50 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/14 13:13:13 | 00,000,687 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
[2010/01/14 12:11:20 | 00,000,000 | -HS- | M] () -- C:\WINDOWS\nvDrv.sy
[2010/01/13 21:54:15 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/13 21:53:22 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 23:25:17 | 00,356,203 | ---- | M] () -- C:\Documents and Settings\ngo\My Documents\Burnt_By_Summer_by_Eresh_Kigal.jpg
[2010/01/06 14:31:32 | 00,078,942 | ---- | M] () -- C:\WINDOWS\Icon_9.ico
[2009/12/22 22:05:08 | 00,000,262 | ---- | M] () -- C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
[color=\"#E56717\"]========== Files Created - No Company Name ==========[/color]
 
[2010/01/14 00:34:46 | 00,000,687 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
[2010/01/13 21:53:22 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/06 23:25:14 | 00,356,203 | ---- | C] () -- C:\Documents and Settings\ngo\My Documents\Burnt_By_Summer_by_Eresh_Kigal.jpg
[2010/01/06 14:36:11 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\LClock.cpl
[2010/01/06 14:36:10 | 00,049,208 | ---- | C] () -- C:\WINDOWS\System32\vistartup.bmp
[2010/01/06 14:31:32 | 00,078,942 | ---- | C] () -- C:\WINDOWS\Icon_9.ico
[2010/01/02 23:04:32 | 09,961,472 | ---- | C] () -- C:\Documents and Settings\ngo\ntuser.dat
[2009/12/28 14:25:30 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\nvDrv.sy
[2009/12/15 20:54:46 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/09/07 21:01:37 | 00,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2008/09/21 14:57:24 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008/08/30 21:11:56 | 00,000,211 | ---- | C] () -- C:\WINDOWS\Exorcist.INI
[2008/08/15 17:16:31 | 00,870,128 | ---- | C] () -- C:\Documents and Settings\ngo\Application Data\mcs.rma
[2008/08/15 17:16:31 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\ngo\Application Data\E5503F
[2007/11/24 22:37:50 | 00,356,352 | ---- | C] () -- C:\WINDOWS\System32\p3max.dll
[2007/11/24 13:50:37 | 00,000,024 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2007/10/27 21:23:01 | 00,000,000 | ---- | C] () -- C:\WINDOWS\AlbumExe.INI
[2007/10/27 21:18:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PanelExe.INI
[2007/06/06 15:13:45 | 00,163,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\vidstub.sys
[2006/11/26 20:52:06 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CC_SETUP.ini
[2006/05/23 15:54:35 | 00,000,126 | ---- | C] () -- C:\Documents and Settings\ngo\Local Settings\Application Data\fusioncache.dat
[2005/10/14 01:56:50 | 00,921,600 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll
[2005/10/14 01:56:50 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2005/10/14 01:56:50 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2005/10/14 01:56:50 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2005/10/14 01:56:50 | 00,155,136 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2005/10/14 01:56:50 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2005/10/14 01:56:48 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\MMSwitch.dll
[2005/08/24 22:48:10 | 00,000,067 | ---- | C] () -- C:\WINDOWS\IDMan.INI
[2005/08/18 13:29:54 | 00,002,638 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/08/16 15:30:27 | 00,000,171 | ---- | C] () -- C:\WINDOWS\System Updat Tool.INI
[2005/04/02 18:52:57 | 00,000,238 | ---- | C] () -- C:\WINDOWS\mafosav.INI
[2005/01/22 20:21:49 | 00,000,729 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2005/01/06 16:02:43 | 00,000,023 | ---- | C] () -- C:\WINDOWS\System32\sysmwwod.dll
[2005/01/06 16:01:52 | 00,233,472 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2004/11/29 21:04:14 | 00,000,457 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2004/11/21 14:55:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/11/15 15:36:27 | 00,098,304 | ---- | C] () -- C:\Documents and Settings\ngo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/11 17:23:13 | 00,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2004/11/09 19:27:07 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2004/11/08 17:13:03 | 00,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2004/11/08 17:10:39 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2004/11/08 17:10:18 | 00,002,652 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2004/11/08 17:06:07 | 00,000,454 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2004/11/08 17:06:07 | 00,000,310 | ---- | C] () -- C:\WINDOWS\Brpcfx.ini
[2004/11/08 17:06:07 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2004/11/08 17:04:05 | 00,000,806 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2004/11/08 12:36:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/08/23 12:31:52 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/23 11:30:57 | 00,000,806 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/23 11:13:58 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2004/08/23 11:13:47 | 00,001,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/12 08:19:42 | 00,101,376 | ---- | C] () -- C:\WINDOWS\System32\Welsof32.dll
[2002/07/05 06:12:06 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\authdvd.dll
[2002/01/08 16:57:34 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
 
[color=\"#E56717\"]========== Alternate Data Streams ==========[/color]
 
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AC6124CA
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CE7F3C9
< End of report >
Logged

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #3 on: January 21, 2010, 01:23:08 AM »
And this is Extra.txt:

OTL Extras logfile created on: 1/20/2010 10:10:05 PM - Run 1
OTL by OldTimer - Version 3.1.25.2     Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
479.00 Mb Total Physical Memory | 261.00 Mb Available Physical Memory | 54.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 103.96 Gb Free Space | 69.75% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 120.73 Mb Total Space | 42.80 Mb Free Space | 35.45% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: MY-COMPUTER
Current User Name: ngo
Logged in as Administrator.
 
Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
[color=\"#E56717\"]========== Extra Registry (SafeList) ==========[/color]
 
 
[color=\"#E56717\"]========== File Associations ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found
 
[color=\"#E56717\"]========== Shell Spawning ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)
 
[color=\"#E56717\"]========== Security Center Settings ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5000:UDP" = 5000:UDP:*:Enabled:Yahoo Voice
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
 
[color=\"#E56717\"]========== Authorized Applications List ==========[/color]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- File not found
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe" = C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\TVAnts\Tvants.exe" = C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts -- (Zhejiang University)
"C:\WINDOWS\system32\P3MxSvr.exe" = C:\WINDOWS\system32\P3MxSvr.exe:*:Enabled:Maxmp3 AoD Control -- ()
"C:\WINDOWS\system32\p3mxvsvr.exe" = C:\WINDOWS\system32\p3mxvsvr.exe:*:Enabled:MAXMP3 VOD Control -- (Maxmp3)
"C:\WINDOWS\system32\mnetasvr.exe" = C:\WINDOWS\system32\mnetasvr.exe:*:Enabled:MNet AoD Server -- (PeeringPortal)
"C:\WINDOWS\system32\mnetvsvr.exe" = C:\WINDOWS\system32\mnetvsvr.exe:*:Enabled:MNet VoD Server -- (PeeringPortal)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Documents and Settings\ngo\Local Settings\Temp\WZSE0.TMP\SymNRT.exe" = C:\Documents and Settings\ngo\Local Settings\Temp\WZSE0.TMP\SymNRT.exe:*:Enabled:Symantec Removal Utility -- File not found
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"D:\Phys_4A\Run.exe" = D:\Phys_4A\Run.exe:*:Enabled:Authorware Runtime -- File not found
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
 
 
[color=\"#E56717\"]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.3
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java(tm) 6 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale
"{3FBC5FCA-F989-4D5D-93F6-B185EEE1EC76}" = IIS6 Manager
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{80FC797D-FDC4-4585-9551-E00A39274CD0}" = ArcSoft Collage Creator
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 12
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}" = Adobe Illustrator CS
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AEF2D1F3-0696-11D5-8E6A-00C04F7FA234}" = PaperPort 8.0 SE
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.6.20080811
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AIM_6" = AIM 6
"ATT-PRT22" = ATT-PRT22
"AVGAntiSpyware75" = AVG Anti-Spyware 7.5
"AVIcodec" = AVIcodec (remove only)
"AviSynth" = AviSynth 2.5
"BootSkin" = BootSkin
"BroadJump Client Foundation" = BroadJump Client Foundation
"Browser Mouse" = Browser Mouse
"CCleaner" = CCleaner (remove only)
"CDisplay_is1" = CDisplay 1.8
"C-Media Audio Driver" = C-Media WDM Audio Driver
"Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0
"Creative VF0080" = Creative WebCam Live! Pro Driver (1.01.01.1011)
"Creative WebCam Center" = Creative WebCam Center
"Creative WebCam Live! Pro User's Guide English" = Creative WebCam Live! Pro User's Guide (English)
"CursorXP" = CursorXP
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 500 Series" = EPSON WorkForce 500 Series Printer Uninstall
"ffdshow" = ffdshow (remove only)
"GSpot" = GSpot Codec Information Appliance
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"IE Help" = IE Help
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MP30x Tools_is1" = MP30x Tools1.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 6.0" = RealPlayer
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Synapse" = Synapse Media Player
"TI-Winamp Control_is1" = Winamp TI-Control 0.9
"TrustSiteX Control" = TrustSiteX 1.0 Control
"TVAnts 1.0" = TVAnts 1.0
"Tweak UI 2.10" = Tweak UI
"V CAST Music with Rhapsody" = V CAST Music with Rhapsody
"Videora iPod Converter" = Videora iPod Converter 5.03
"Vista Transformation Pack" = Vista Transformation Pack 8.0
"VobSub" = VobSub v2.23 (Remove Only)
"VTChromo" = S3 S3Chromo
"VTConfig3D" = S3 S3Config3D
"VTDisplay" = S3 S3Display
"VTGamma2" = S3 S3Gamma2
"VTInfo2" = S3 S3Info2
"VTOverlay" = S3 S3Overlay
"VTRefreshLock" = S3 S3RefreshLock
"VTTrayPlus" = S3 S3TrayPlus
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Yahoo! Messenger" = Yahoo! Messenger
"YouTube Downloader App" = YouTube Downloader App 2.03
"Zune" = Zune
 
[color=\"#E56717\"]========== HKEY_CURRENT_USER Uninstall List ==========[/color]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"Move Media Player" = Move Media Player
 
[color=\"#E56717\"]========== Last 10 Event Log Errors ==========[/color]
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #4 on: January 21, 2010, 01:42:18 AM »
Can you try the next couple tools for me please

  • Download [color=\"#0000FF\"]TDSSKiller[/color] and save it to your Desktop.
       
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
       
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

          [color=\"#FF0000\"]"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v[/color]

       
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
       
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
If prompted to reboot, do so before posting that log

ComboFix
1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

From this [color=\"#FF0000\"]LINK[/color] Download ComboFix

2. During the download, rename Combofix to Combo-Fix as follows:



  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in another reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #5 on: January 22, 2010, 05:04:57 PM »
OK, so I ran TDSSKiller but the run prompt says that there is a driver error, or something. The log for it is this:

14:01:10:000 1548   TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
14:01:10:000 1548   ================================================================================
14:01:10:000 1548   SystemInfo:

14:01:10:000 1548   OS Version: 5.1.2600 ServicePack: 2.0
14:01:10:000 1548   Product type: Workstation
14:01:10:000 1548   ComputerName: MY-COMPUTER
14:01:10:000 1548   UserName: ngo
14:01:10:000 1548   Windows directory: C:\WINDOWS
14:01:10:000 1548   Processor architecture: Intel x86
14:01:10:000 1548   Number of processors: 2
14:01:10:000 1548   Page size: 0x1000
14:01:10:000 1548   Boot type: Safe boot
14:01:10:000 1548   ================================================================================
14:01:10:000 1548   UnloadDriverW: NtUnloadDriver error 2
14:01:10:000 1548   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:01:10:015 1548   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
14:01:10:015 1548   UtilityInit: KLMD drop and load success
14:01:10:015 1548   KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
14:01:10:015 1548   KLMD_OpenDevice: CreateFileW(KLMD201000) error 2
14:01:10:015 1548   Driver load error!
14:01:10:015 1548   UnloadDriverW: NtUnloadDriver error 2
14:01:10:015 1548   KLMD_Unload: UnloadDriverW(klmd21) error 2
14:01:10:015 1548   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
14:01:10:015 1548   UtilityDeinit: KLMD(ARK) unloaded successfully
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #6 on: January 23, 2010, 04:11:10 PM »
Carry on and try running ComboFix as I instructed and post it's log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #7 on: January 25, 2010, 04:30:55 PM »
Combofix freaked me out a bit because I ran it on safemode without internet and was unable to install windows recovery console. It also froze in the middle of log-making process. Nevertheless, I got it http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

ComboFix 10-01-25.01 - ngo 01/25/2010  13:15:18.3.2 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.479.212 [GMT -8:00]
Running from: c:\documents and settings\ngo\Desktop\Combo-Fix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents
c:\program files\INSTALL.LOG
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\nvDrv.sy
c:\windows\system32\drivers\H8SRToqxmbavmcy.sys
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTqsbyqxtyrg.dat
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTvnssrhspcb.dll
c:\windows\system32\H8SRTxtevdkeqti.dll
c:\windows\system32\H8SRTyemshiexbf.dll
c:\windows\system32\H8SRTypibegcmyl.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Service_WinDriver


(((((((((((((((((((((((((   Files Created from 2009-12-25 to 2010-01-25  )))))))))))))))))))))))))))))))
.

2010-01-15 06:23 . 2010-01-15 06:23   --------   d-----w-   C:\VundoFix Backups
2010-01-14 08:34 . 2010-01-08 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 08:34 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-14 08:34 . 2010-01-14 20:24   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-14 06:59 . 2010-01-14 06:59   --------   d-----w-   c:\documents and settings\ngo\Application Data\Grisoft
2010-01-14 06:59 . 2007-05-30 12:10   10872   ----a-w-   c:\windows\system32\drivers\AvgAsCln.sys
2010-01-14 06:59 . 2010-01-14 06:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Grisoft
2010-01-12 23:58 . 2009-11-21 16:36   470528   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:36 . 2010-01-20 21:35   --------   d-----w-   c:\program files\ViStart
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\VisualTooltip
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\ViOrb
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\Vista Sidebar
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\LClock
2010-01-06 22:36 . 2007-04-15 09:30   6181376   ----a-w-   c:\windows\system32\vistaui.exe
2010-01-06 22:23 . 2010-01-06 22:23   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-01-06 22:23 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Red Kawa
2010-01-06 22:23 . 2010-01-06 22:23   --------   d-----w-   c:\documents and settings\ngo\Application Data\Red Kawa
2010-01-06 21:59 . 2010-01-06 21:59   --------   d-----w-   c:\documents and settings\ngo\Application Data\ViGlance
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViSplore
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViStart(2)
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Vista Rainbar
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViGlance
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Vista Drive Icon
2009-12-28 22:48 . 2009-12-28 22:48   --------   d--h--w-   c:\windows\PIF

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 21:35 . 2009-05-24 19:36   --------   d-----w-   c:\program files\DNA
2010-01-20 21:35 . 2009-05-24 19:36   --------   d-----w-   c:\documents and settings\ngo\Application Data\DNA
2010-01-14 21:17 . 2005-03-19 06:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-14 08:11 . 2007-06-15 03:10   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-01-14 08:06 . 2006-05-27 21:07   --------   d-----w-   c:\program files\SpywareBlaster
2010-01-14 06:46 . 2006-10-01 06:37   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-01-14 06:46 . 2005-03-19 06:35   --------   d-----w-   c:\program files\Lavasoft
2010-01-14 06:27 . 2005-03-19 06:03   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-01-14 05:54 . 2007-11-25 06:39   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\TrueTransparency
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\WinFlip
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\Styler
2010-01-06 21:59 . 2008-09-20 23:35   --------   d-----w-   c:\documents and settings\ngo\Application Data\ViStart
2009-12-29 07:54 . 2009-08-31 23:20   --------   d-----w-   c:\documents and settings\ngo\Application Data\BitTorrent
2009-12-26 19:07 . 2008-09-21 08:28   --------   d-----w-   c:\documents and settings\ngo\Application Data\Move Networks
2009-12-26 09:52 . 2009-12-26 09:52   144160   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\uninstall.exe
2009-12-26 09:52 . 2009-12-10 19:26   4187512   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-26 09:52 . 2009-12-26 09:52   1438976   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-12-16 04:58 . 2009-12-16 04:55   --------   d-----w-   c:\documents and settings\ngo\Application Data\Ventrilo
2009-12-16 04:54 . 2009-12-16 04:54   --------   d-----w-   c:\program files\Ventrilo
2009-12-10 19:27 . 2009-12-10 19:27   97144   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-09 23:17 . 2008-09-20 05:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-21 16:36 . 2004-08-23 19:13   470528   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-10-29 07:46 . 2004-08-23 19:13   832512   ----a-w-   c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-23 19:13   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-23 19:13   17408   ----a-w-   c:\windows\system32\corpol.dll
1999-07-07 00:00 . 1999-07-07 00:00   6   -csh--r-   c:\windows\@@desktop.dat
1999-07-07 00:00 . 1999-07-07 00:00   6   -csh--r-   c:\windows\@[email protected]
.

------- Sigcheck -------

[-] 2010-01-05 . 3B8259EF10C0F1425395981E40ED0EAA . 3599360 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\sp3gdr\mshtml.dll
[-] 2010-01-05 . 1673677DBD70142DB1294F1B6FC3323E . 3602944 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\sp3qfe\mshtml.dll
[-] 2009-10-29 . 481C18143B26747E28779822D7520363 . 3807232 . . [7.00.6000.16945] . . c:\windows\system32\mshtml.dll
[7] 2009-10-29 . 89A9658515A18E673034369E043FAB01 . 3598336 . . [7.00.6000.16945] . . c:\windows\system32\VITrans\mshtml.dll
[7] 2009-10-29 . 89A9658515A18E673034369E043FAB01 . 3598336 . . [7.00.6000.16945] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2009-10-29 . 8B48737260C273C9B0DACA84EA1CCDBD . 3602432 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\mshtml.dll
[7] 2009-10-21 . 36145D2D908FB8A24772F04842366918 . 3598336 . . [7.00.6000.16939] . . c:\windows\ie7updates\KB976325-IE7\mshtml.dll
[7] 2009-10-21 . E6453EE08B283419171889786D057A75 . 3602432 . . [7.00.6000.21142] . . c:\windows\$hf_mig$\KB976749-IE7\SP3QFE\mshtml.dll
[7] 2009-08-29 . E52A845DCE011D56B12B8F3F4606F956 . 3598336 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976749-IE7\mshtml.dll
[7] 2009-08-29 . EDAD55105DDD067AE3906011F297267C . 3600384 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\mshtml.dll
[7] 2009-07-19 . 758C8BEDAB7CE5F9070C85E2E57CBD80 . 3597824 . . [7.00.6000.16890] . . c:\windows\ie7updates\KB974455-IE7\mshtml.dll
[7] 2009-07-19 . F6098CC1B1C3858D53F20F3CB5774F3B . 3600384 . . [7.00.6000.21089] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\mshtml.dll
[7] 2009-04-29 . 2B4315EC9E3124408A2A5074C4B97700 . 3596288 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\mshtml.dll
[7] 2009-04-29 . C6FD770D518FB024245A0EE217D72BC1 . 3598336 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[7] 2009-02-21 . 1BB754AB47B327DE8DBF2FA18C36357C . 3596800 . . [7.00.6000.21015] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[7] 2009-02-20 . C7C3E41CC2F6EB4A629FE2184136C098 . 3595264 . . [7.00.6000.16825] . . c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[7] 2009-01-17 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[7] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[7] 2008-12-13 . 121EC39A64D64205A88C2C45B034B455 . 3593216 . . [7.00.6000.16788] . . c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[7] 2008-12-13 . C79FAD61CD4A26ED5AA8C16D991C6FBD . 3594752 . . [7.00.6000.20973] . . c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[7] 2008-10-17 . EACAEDEF6FA2A969DE5B36190D45396F . 3593216 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[7] 2008-10-16 . B74F31A4BD83797D7A083F922169287D . 3595264 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[7] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[7] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-06-24 . F321AD4A3FB4A196A34AC103BC52A3D2 . 3801088 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[7] 2008-06-23 . 28B8231CA8D55FC85E027A57C90F5C88 . 3594240 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[7] 2008-04-24 . 8976CAB317105F7431B08EA32AB73C65 . 3591680 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[7] 2008-04-23 . 4D612FF5D3B7EEF200595AE6F95D5E68 . 3593728 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\mshtml.dll
[7] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mshtml.dll
[7] 2008-03-02 . AB2C88167D78D71D93558ACECB24CC7A . 3591680 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\mshtml.dll
[7] 2008-03-01 . 4EE273E2B09317C1217EF0DB91F93534 . 3593216 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
[7] 2007-12-08 . A097C36412455F0C7E42377FAF8809B7 . 3592192 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\mshtml.dll
[7] 2007-12-07 . 976C46ED4A75FC66D9C596778898CE1E . 3593216 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 54D8B404F17AA74C666F7F3AEF2AE459 . 3593216 . . [7.00.6000.20710] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 8AB7ECF59D6EBBE986277B65ED4A40A1 . 3590656 . . [7.00.6000.16587] . . c:\windows\ie7updates\KB944533-IE7\mshtml.dll
[7] 2007-08-20 . E267EE248CDA7667C19001C069DE867B . 3584512 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\mshtml.dll
[7] 2007-08-20 . AA8A4BD78D24FCDB96DDAEE3756AA372 . 3592192 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\mshtml.dll
[7] 2007-07-19 . BD609A26B683332A0E0E1445C5724851 . 3583488 . . [7.00.6000.16525] . . c:\windows\ie7updates\KB939653-IE7\mshtml.dll
[7] 2007-07-18 . 7CE243CFD47AD0DC431586CB8C542A11 . 3584000 . . [7.00.6000.20641] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\mshtml.dll
[7] 2007-05-08 . 1D4E3B86C601A2497C99790CC4D7DF26 . 3584000 . . [7.00.6000.20591] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\mshtml.dll
[7] 2007-05-08 . 5D90A7200F72DACE663EE78DE234FCC7 . 3583488 . . [7.00.6000.16481] . . c:\windows\ie7updates\KB937143-IE7\mshtml.dll
[7] 2007-03-07 . DA297A862E5F093A07D37C05F608C686 . 3582976 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\mshtml.dll
[-] 2007-03-07 . DA1F163730850E4901C72C2D8D4EA0DD . 3790848 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\mshtml.dll
[-] 2007-01-12 . BE795BAF50B026D0822F45E050C307D3 . 3789312 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\mshtml.dll
[7] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[7] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . c:\windows\ie7\mshtml.dll
[7] 2007-01-04 . F31274D7667D83E73C6EE16D2206B76C . 3056640 . . [6.00.2900.3059] . . c:\windows\$NtUninstallKB928090$\mshtml.dll
[7] 2006-11-08 . CBF04597F9CF7739E572276A2698FDD3 . 3577856 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\mshtml.dll
[7] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[7] 2006-10-23 . 5FC7DE1195C8E9B5360FD65DBE95E5B0 . 3055104 . . [6.00.2900.3020] . . c:\windows\$NtUninstallKB928090_0$\mshtml.dll
[7] 2006-09-14 . BE45460D1453B7342E01EAE79BFBC681 . 3054592 . . [6.00.2900.2995] . . c:\windows\$NtUninstallKB925454$\mshtml.dll
[7] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-07-28 . C7074DA3D8F8C0F6C03874BA0B05069C . 3054080 . . [6.00.2900.2963] . . c:\windows\$NtUninstallKB922760$\mshtml.dll
[-] 2006-07-28 . C7074DA3D8F8C0F6C03874BA0B05069C . 3054080 . . [6.00.2900.2963] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\mshtml.dll
[7] 2006-05-19 . 284CE76B71DD5260B42A3CCF0135AF67 . 3052544 . . [6.00.2900.2912] . . c:\windows\$NtUninstallKB918899$\mshtml.dll
[7] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . c:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[7] 2006-03-23 . DEAA438EA31095E14A196FF647E38D13 . 3053568 . . [6.00.2900.2873] . . c:\windows\$NtUninstallKB916281$\mshtml.dll
[7] 2006-03-23 . ABCD123F888E4E97C8751378CCCC4F26 . 3055616 . . [6.00.2900.2873] . . c:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[7] 2005-11-24 . D3F037F5DA702AE9DDD7663EC9D78BA7 . 3018240 . . [6.00.2900.2802] . . c:\windows\$hf_mig$\KB905915\SP2QFE\mshtml.dll
[7] 2005-11-24 . 5E7A39950EA133BB54719A6E08C544A7 . 3015680 . . [6.00.2900.2802] . . c:\windows\$NtUninstallKB912812$\mshtml.dll
[7] 2005-10-05 . 3394299FBF1CD0B24089FC762611360B . 3017728 . . [6.00.2900.2769] . . c:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[7] 2005-10-05 . 042AC20E084D21DD6BEE99B89CC30FB7 . 3015168 . . [6.00.2900.2769] . . c:\windows\$NtUninstallKB905915$\mshtml.dll
[7] 2005-07-20 . A14A7A206AE22DE4FE563E44CFC7DDF5 . 3016192 . . [6.00.2900.2722] . . c:\windows\$hf_mig$\KB896727\SP2QFE\mshtml.dll
[7] 2005-07-20 . 31E7520E58E5E4DFA93215A6D5603AF2 . 3014144 . . [6.00.2900.2722] . . c:\windows\$NtUninstallKB896688$\mshtml.dll
[7] 2005-05-02 . DCC5C79B99F02EEF8C826B074DBFC222 . 3014144 . . [6.00.2900.2668] . . c:\windows\$hf_mig$\KB883939\SP2QFE\mshtml.dll
[7] 2005-05-02 . DCFAC5470EE0A159EC4222BC28AE3EE6 . 3012608 . . [6.00.2900.2668] . . c:\windows\$NtUninstallKB896727$\mshtml.dll
[7] 2005-03-10 . 84A1B9B0C362051E68BB131F14C6DAAD . 3010560 . . [6.00.2900.2627] . . c:\windows\$NtUninstallKB883939$\mshtml.dll
[7] 2005-03-10 . 255C2CE965543ABDC3E0A25A5DA1874A . 3011072 . . [6.00.2900.2627] . . c:\windows\$hf_mig$\KB890923\SP2QFE\mshtml.dll
[7] 2005-01-27 . FAE3CA9B2459581C45B3A8845BE3077C . 3006976 . . [6.00.2900.2604] . . c:\windows\$NtUninstallKB890923$\mshtml.dll
[7] 2005-01-27 . 91C5ADE25BC4E3322577854FA2E7B58B . 3008000 . . [6.00.2900.2604] . . c:\windows\$hf_mig$\KB867282\SP2QFE\mshtml.dll
[7] 2004-09-29 . 087FF7C54E7EBE4A59BD4DFC1D0EE9B8 . 3004928 . . [6.00.2900.2524] . . c:\windows\$hf_mig$\KB834707\SP2QFE\mshtml.dll
[7] 2004-09-29 . D94E6405E420373161467ACD3DA65640 . 3004928 . . [6.00.2900.2523] . . c:\windows\$NtUninstallKB867282$\mshtml.dll
[7] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB834707$\mshtml.dll

[7] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntoskrnl.exe
[7] 2009-08-04 . D6B537A639D623ED85B73AF3E3BE4B94 . 2180352 . . [5.1.2600.3610] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2009-08-04 . D6B537A639D623ED85B73AF3E3BE4B94 . 2180352 . . [5.1.2600.3610] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2009-08-04 . 039B9E1E31DAEE0018B2779C8BF65C89 . 2147840 . . [5.1.2600.3610] . . c:\windows\system32\ntoskrnl.exe
[7] 2009-08-04 . 11CDD81560E766101F0032EB05872C1B . 2136064 . . [5.1.2600.3610] . . c:\windows\system32\VITrans\ntoskrnl.exe
[7] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[7] 2009-08-04 . 8DF112C341425F29DB4566B8D2A96A7F . 2185984 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 . 16B5EBE97F243441264A8F8694C2F2AA . 2136064 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[7] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 . DD31AB4B91C2605601A3C108AF57A0C9 . 2136064 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 5FB20CABC9A81BAAABBE63F30FFC5284 . 2147840 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2006-12-19 . CEF243F6DEFD20BE4ADDE26C7ECACB54 . 2182016 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 . 612C427014BB443153DCA528A4D37D13 . 2146816 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2005-03-02 . 48B3E89AF7074CEE0314A3E0C7FAFFDB . 2135552 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[7] 2004-08-04 . 626309040459C3915997EF98EC1C8D40 . 2148352 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ntoskrnl.exe

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 7159508EEBB8E80DE73A0A48D581ED50 . 1423360 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\VITrans\explorer.exe
[-] 2004-08-04 . 4B0011B8E35843966A3CE5685058420F . 1422336 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[7] 2009-08-05 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[7] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntkrnlpa.exe
[-] 2009-08-04 . 2A7AA4C4FC05B819E56045F4856D92B6 . 2027520 . . [5.1.2600.3610] . . c:\windows\system32\ntkrnlpa.exe
[7] 2009-08-04 . E832C72D32FA117CB0D033C5EA95B58F . 2015744 . . [5.1.2600.3610] . . c:\windows\system32\VITrans\ntkrnlpa.exe
[7] 2009-08-04 . B0BD27AA04C1B8E857C1DADEF4EF2159 . 2057728 . . [5.1.2600.3610] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2009-08-04 . B0BD27AA04C1B8E857C1DADEF4EF2159 . 2057728 . . [5.1.2600.3610] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2009-08-04 . 97E912E94CCED4064F5DEEE5C25A9278 . 2062976 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 . B238AB60093BABFE76AEC8F34B4D399D . 2015744 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[7] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 . DC097A896A03B8277457D228FD12D4E6 . 2015744 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntkrnlpa.exe
[7] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 . 54A8B9806027049F8B19F1274A63C7B4 . 2027520 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2006-12-19 . BA4B97C00A437C1CC3DA365D93EE1E9D . 2059392 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 . 44B54761A335D89C0CFB7364B23B0128 . 2026496 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2005-03-02 . 3CD941E472DDF3534E53038535719771 . 2015232 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[7] 2004-08-04 . FB142B7007CA2EEA76966C6C5CC12150 . 2015232 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-20 128000]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-20 65536]
"ViStart"="c:\program files\ViStart\ViStart.exe" [2007-11-27 593920]
"ViOrb"="c:\program files\ViOrb\ViOrb.exe" [2007-11-19 163840]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-14 323392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-08-02 49152]
"VTTrayp"="VTtrayp.exe" [2004-08-02 143360]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-20 65536]
"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\moffice.exe" [2007-04-15 806912]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"Glass2k"="c:\documents and settings\ngo\My Documents\Downloads\Glass2k.exe" [2007-04-06 56325]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Anh Pham\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-8 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=c:\windows\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k]
2007-04-06 01:24   56325   ----a-w-   c:\documents and settings\ngo\My Documents\Downloads\Glass2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 18:07   36864   ----a-w-   c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-09-20 00:34   4347120   ----a-w-   c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 17:33   45108   ----a-w-   c:\program files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
2007-11-20 21:51   524288   ----a-w-   c:\program files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\WINDOWS\\system32\\P3MxSvr.exe"=
"c:\\WINDOWS\\system32\\p3mxvsvr.exe"=
"c:\\WINDOWS\\system32\\mnetasvr.exe"=
"c:\\WINDOWS\\system32\\mnetvsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:UDP"= 5000:UDP:Yahoo Voice

S0 daiua;daiua;c:\windows\system32\drivers\lyvj.sys --> c:\windows\system32\drivers\lyvj.sys [?]
S0 epcjlr;epcjlr;c:\windows\system32\drivers\ssww.sys --> c:\windows\system32\drivers\ssww.sys [?]
S2 PortTalk;PortTalk;

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/8/2004 5:10 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/8/2004 5:10 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [11/8/2004 5:10 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [11/8/2004 5:10 PM 10368]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uDefault_Search_URL = hxxp://ie.search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0B96BF84-DA5C-46F4-A7FC-5319CFF74163} - hxxp://player.mnet.com/package/cjmuset.cab
DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} - hxxp://www.mnet.com/Ver2/App/totalApp/maxhelper/maxhelper.cab
DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} - hxxp://live.pdbox.co.kr:8057/AFCStarter.cab
FF - ProfilePath - c:\documents and settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\ngo\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-AOL Instant Messanger - aim.exe
AddRemove-IE Help - c:\program files\se\v11\se.EXE
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 13:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2946896428-4015859676-2471532444-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(388)
c:\windows\system32\WININET.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-01-25  13:23:36
ComboFix-quarantined-files.txt  2010-01-25 21:23
ComboFix2.txt  2008-06-06 23:05

Pre-Run: 111,995,052,032 bytes free
Post-Run: 111,967,109,120 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2ABD6027BA93AE3FE7E6406A01FE5BB9
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #8 on: January 25, 2010, 11:08:30 PM »
Delete your copy of TDSKiller.exe and do the following please
  • Download [color=\"#0000FF\"]TDSSKiller[/color] and save it to your Desktop.
       
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
       
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

          [color=\"#FF0000\"]"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v[/color]

       
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
       
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
If prompted to reboot, do so before posting that log

In addition: Reopen Malwarybytes AntiMalware
CHECK FOR UPDATES>>IMPORTANT
Then run a Quick scan and post it's new log too
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #9 on: January 26, 2010, 01:21:08 AM »
No, it didn't work, it still says "Driver load error".
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #10 on: January 27, 2010, 08:07:28 PM »
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the Desktop.

Open the program - you should see the Rootkit / Malware tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Important: Close any open programs/windows!
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #11 on: January 29, 2010, 02:10:09 AM »
No, it says there are no change/modification or something, so nothing popped up.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #12 on: January 29, 2010, 10:08:03 PM »
Can we double check the following
Delete your copy of ComboFix on desktop
Then REDownload ComboFix From this [color=\"#FF0000\"]LINK[/color]
SAVE only to your desktop
run it again and post it's new log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #13 on: January 30, 2010, 01:49:59 AM »
Here it is.

ComboFix 10-01-29.05 - ngo 01/29/2010  22:38:10.4.2 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.479.206 [GMT -8:00]
Running from: c:\documents and settings\ngo\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2009-12-28 to 2010-01-30  )))))))))))))))))))))))))))))))
.

2010-01-25 21:13 . 2010-01-25 21:23   --------   d-----w-   C:\Combo-Fix
2010-01-15 06:23 . 2010-01-15 06:23   --------   d-----w-   C:\VundoFix Backups
2010-01-14 08:34 . 2010-01-08 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 08:34 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-14 08:34 . 2010-01-14 20:24   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-14 06:59 . 2010-01-14 06:59   --------   d-----w-   c:\documents and settings\ngo\Application Data\Grisoft
2010-01-14 06:59 . 2007-05-30 12:10   10872   ----a-w-   c:\windows\system32\drivers\AvgAsCln.sys
2010-01-14 06:59 . 2010-01-14 06:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Grisoft
2010-01-12 23:58 . 2009-11-21 16:36   470528   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:36 . 2010-01-26 06:08   --------   d-----w-   c:\program files\ViStart
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\VisualTooltip
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\ViOrb
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\Vista Sidebar
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\LClock
2010-01-06 22:36 . 2007-04-15 09:30   6181376   ----a-w-   c:\windows\system32\vistaui.exe
2010-01-06 22:23 . 2010-01-06 22:23   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-01-06 22:23 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Red Kawa
2010-01-06 22:23 . 2010-01-06 22:23   --------   d-----w-   c:\documents and settings\ngo\Application Data\Red Kawa
2010-01-06 21:59 . 2010-01-06 21:59   --------   d-----w-   c:\documents and settings\ngo\Application Data\ViGlance
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViSplore
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViStart(2)
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Vista Rainbar
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViGlance
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Vista Drive Icon

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 06:08 . 2009-05-24 19:36   --------   d-----w-   c:\program files\DNA
2010-01-26 06:08 . 2009-05-24 19:36   --------   d-----w-   c:\documents and settings\ngo\Application Data\DNA
2010-01-14 21:17 . 2005-03-19 06:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-14 08:11 . 2007-06-15 03:10   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-01-14 08:06 . 2006-05-27 21:07   --------   d-----w-   c:\program files\SpywareBlaster
2010-01-14 06:46 . 2006-10-01 06:37   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-01-14 06:46 . 2005-03-19 06:35   --------   d-----w-   c:\program files\Lavasoft
2010-01-14 06:27 . 2005-03-19 06:03   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-01-14 05:54 . 2007-11-25 06:39   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\TrueTransparency
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\WinFlip
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\Styler
2010-01-06 21:59 . 2008-09-20 23:35   --------   d-----w-   c:\documents and settings\ngo\Application Data\ViStart
2009-12-29 07:54 . 2009-08-31 23:20   --------   d-----w-   c:\documents and settings\ngo\Application Data\BitTorrent
2009-12-26 19:07 . 2008-09-21 08:28   --------   d-----w-   c:\documents and settings\ngo\Application Data\Move Networks
2009-12-26 09:52 . 2009-12-26 09:52   144160   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\uninstall.exe
2009-12-26 09:52 . 2009-12-10 19:26   4187512   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-26 09:52 . 2009-12-26 09:52   1438976   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-12-16 04:58 . 2009-12-16 04:55   --------   d-----w-   c:\documents and settings\ngo\Application Data\Ventrilo
2009-12-16 04:54 . 2009-12-16 04:54   --------   d-----w-   c:\program files\Ventrilo
2009-12-10 19:27 . 2009-12-10 19:27   97144   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-09 23:17 . 2008-09-20 05:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-21 16:36 . 2004-08-23 19:13   470528   ----a-w-   c:\windows\AppPatch\aclayers.dll
1999-07-07 00:00 . 1999-07-07 00:00   6   -csh--r-   c:\windows\@@desktop.dat
1999-07-07 00:00 . 1999-07-07 00:00   6   -csh--r-   c:\windows\@[email protected]
.

------- Sigcheck -------

[-] 2010-01-05 . 3B8259EF10C0F1425395981E40ED0EAA . 3599360 . . [7.00.6000.16981] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\sp3gdr\mshtml.dll
[-] 2010-01-05 . 1673677DBD70142DB1294F1B6FC3323E . 3602944 . . [7.00.6000.21183] . . c:\windows\SoftwareDistribution\Download\72187e1a9593df853aa7db379edb1348\sp3qfe\mshtml.dll
[-] 2009-10-29 . 481C18143B26747E28779822D7520363 . 3807232 . . [7.00.6000.16945] . . c:\windows\system32\mshtml.dll
[7] 2009-10-29 . 89A9658515A18E673034369E043FAB01 . 3598336 . . [7.00.6000.16945] . . c:\windows\system32\VITrans\mshtml.dll
[7] 2009-10-29 . 89A9658515A18E673034369E043FAB01 . 3598336 . . [7.00.6000.16945] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2009-10-29 . 8B48737260C273C9B0DACA84EA1CCDBD . 3602432 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\mshtml.dll
[7] 2009-10-21 . 36145D2D908FB8A24772F04842366918 . 3598336 . . [7.00.6000.16939] . . c:\windows\ie7updates\KB976325-IE7\mshtml.dll
[7] 2009-10-21 . E6453EE08B283419171889786D057A75 . 3602432 . . [7.00.6000.21142] . . c:\windows\$hf_mig$\KB976749-IE7\SP3QFE\mshtml.dll
[7] 2009-08-29 . E52A845DCE011D56B12B8F3F4606F956 . 3598336 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976749-IE7\mshtml.dll
[7] 2009-08-29 . EDAD55105DDD067AE3906011F297267C . 3600384 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\mshtml.dll
[7] 2009-07-19 . 758C8BEDAB7CE5F9070C85E2E57CBD80 . 3597824 . . [7.00.6000.16890] . . c:\windows\ie7updates\KB974455-IE7\mshtml.dll
[7] 2009-07-19 . F6098CC1B1C3858D53F20F3CB5774F3B . 3600384 . . [7.00.6000.21089] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\mshtml.dll
[7] 2009-04-29 . 2B4315EC9E3124408A2A5074C4B97700 . 3596288 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\mshtml.dll
[7] 2009-04-29 . C6FD770D518FB024245A0EE217D72BC1 . 3598336 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[7] 2009-02-21 . 1BB754AB47B327DE8DBF2FA18C36357C . 3596800 . . [7.00.6000.21015] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[7] 2009-02-20 . C7C3E41CC2F6EB4A629FE2184136C098 . 3595264 . . [7.00.6000.16825] . . c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[7] 2009-01-17 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[7] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[7] 2008-12-13 . 121EC39A64D64205A88C2C45B034B455 . 3593216 . . [7.00.6000.16788] . . c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[7] 2008-12-13 . C79FAD61CD4A26ED5AA8C16D991C6FBD . 3594752 . . [7.00.6000.20973] . . c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[7] 2008-10-17 . EACAEDEF6FA2A969DE5B36190D45396F . 3593216 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[7] 2008-10-16 . B74F31A4BD83797D7A083F922169287D . 3595264 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[7] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[7] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[-] 2008-06-24 . F321AD4A3FB4A196A34AC103BC52A3D2 . 3801088 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\mshtml.dll
[7] 2008-06-23 . 28B8231CA8D55FC85E027A57C90F5C88 . 3594240 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[7] 2008-04-24 . 8976CAB317105F7431B08EA32AB73C65 . 3591680 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[7] 2008-04-23 . 4D612FF5D3B7EEF200595AE6F95D5E68 . 3593728 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\mshtml.dll
[7] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\mshtml.dll
[7] 2008-03-02 . AB2C88167D78D71D93558ACECB24CC7A . 3591680 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\mshtml.dll
[7] 2008-03-01 . 4EE273E2B09317C1217EF0DB91F93534 . 3593216 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
[7] 2007-12-08 . A097C36412455F0C7E42377FAF8809B7 . 3592192 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\mshtml.dll
[7] 2007-12-07 . 976C46ED4A75FC66D9C596778898CE1E . 3593216 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 54D8B404F17AA74C666F7F3AEF2AE459 . 3593216 . . [7.00.6000.20710] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 8AB7ECF59D6EBBE986277B65ED4A40A1 . 3590656 . . [7.00.6000.16587] . . c:\windows\ie7updates\KB944533-IE7\mshtml.dll
[7] 2007-08-20 . E267EE248CDA7667C19001C069DE867B . 3584512 . . [7.00.6000.16544] . . c:\windows\ie7updates\KB942615-IE7\mshtml.dll
[7] 2007-08-20 . AA8A4BD78D24FCDB96DDAEE3756AA372 . 3592192 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\mshtml.dll
[7] 2007-07-19 . BD609A26B683332A0E0E1445C5724851 . 3583488 . . [7.00.6000.16525] . . c:\windows\ie7updates\KB939653-IE7\mshtml.dll
[7] 2007-07-18 . 7CE243CFD47AD0DC431586CB8C542A11 . 3584000 . . [7.00.6000.20641] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\mshtml.dll
[7] 2007-05-08 . 1D4E3B86C601A2497C99790CC4D7DF26 . 3584000 . . [7.00.6000.20591] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\mshtml.dll
[7] 2007-05-08 . 5D90A7200F72DACE663EE78DE234FCC7 . 3583488 . . [7.00.6000.16481] . . c:\windows\ie7updates\KB937143-IE7\mshtml.dll
[7] 2007-03-07 . DA297A862E5F093A07D37C05F608C686 . 3582976 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\mshtml.dll
[-] 2007-03-07 . DA1F163730850E4901C72C2D8D4EA0DD . 3790848 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\mshtml.dll
[-] 2007-01-12 . BE795BAF50B026D0822F45E050C307D3 . 3789312 . . [7.00.6000.16414] . . c:\windows\ie7updates\KB931768-IE7\mshtml.dll
[7] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[7] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . c:\windows\ie7\mshtml.dll
[7] 2007-01-04 . F31274D7667D83E73C6EE16D2206B76C . 3056640 . . [6.00.2900.3059] . . c:\windows\$NtUninstallKB928090$\mshtml.dll
[7] 2006-11-08 . CBF04597F9CF7739E572276A2698FDD3 . 3577856 . . [7.00.5730.11] . . c:\windows\ie7updates\KB928090-IE7\mshtml.dll
[7] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[7] 2006-10-23 . 5FC7DE1195C8E9B5360FD65DBE95E5B0 . 3055104 . . [6.00.2900.3020] . . c:\windows\$NtUninstallKB928090_0$\mshtml.dll
[7] 2006-09-14 . BE45460D1453B7342E01EAE79BFBC681 . 3054592 . . [6.00.2900.2995] . . c:\windows\$NtUninstallKB925454$\mshtml.dll
[7] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-07-28 . C7074DA3D8F8C0F6C03874BA0B05069C . 3054080 . . [6.00.2900.2963] . . c:\windows\$NtUninstallKB922760$\mshtml.dll
[-] 2006-07-28 . C7074DA3D8F8C0F6C03874BA0B05069C . 3054080 . . [6.00.2900.2963] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\mshtml.dll
[7] 2006-05-19 . 284CE76B71DD5260B42A3CCF0135AF67 . 3052544 . . [6.00.2900.2912] . . c:\windows\$NtUninstallKB918899$\mshtml.dll
[7] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . c:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[7] 2006-03-23 . DEAA438EA31095E14A196FF647E38D13 . 3053568 . . [6.00.2900.2873] . . c:\windows\$NtUninstallKB916281$\mshtml.dll
[7] 2006-03-23 . ABCD123F888E4E97C8751378CCCC4F26 . 3055616 . . [6.00.2900.2873] . . c:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[7] 2005-11-24 . D3F037F5DA702AE9DDD7663EC9D78BA7 . 3018240 . . [6.00.2900.2802] . . c:\windows\$hf_mig$\KB905915\SP2QFE\mshtml.dll
[7] 2005-11-24 . 5E7A39950EA133BB54719A6E08C544A7 . 3015680 . . [6.00.2900.2802] . . c:\windows\$NtUninstallKB912812$\mshtml.dll
[7] 2005-10-05 . 3394299FBF1CD0B24089FC762611360B . 3017728 . . [6.00.2900.2769] . . c:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[7] 2005-10-05 . 042AC20E084D21DD6BEE99B89CC30FB7 . 3015168 . . [6.00.2900.2769] . . c:\windows\$NtUninstallKB905915$\mshtml.dll
[7] 2005-07-20 . A14A7A206AE22DE4FE563E44CFC7DDF5 . 3016192 . . [6.00.2900.2722] . . c:\windows\$hf_mig$\KB896727\SP2QFE\mshtml.dll
[7] 2005-07-20 . 31E7520E58E5E4DFA93215A6D5603AF2 . 3014144 . . [6.00.2900.2722] . . c:\windows\$NtUninstallKB896688$\mshtml.dll
[7] 2005-05-02 . DCC5C79B99F02EEF8C826B074DBFC222 . 3014144 . . [6.00.2900.2668] . . c:\windows\$hf_mig$\KB883939\SP2QFE\mshtml.dll
[7] 2005-05-02 . DCFAC5470EE0A159EC4222BC28AE3EE6 . 3012608 . . [6.00.2900.2668] . . c:\windows\$NtUninstallKB896727$\mshtml.dll
[7] 2005-03-10 . 84A1B9B0C362051E68BB131F14C6DAAD . 3010560 . . [6.00.2900.2627] . . c:\windows\$NtUninstallKB883939$\mshtml.dll
[7] 2005-03-10 . 255C2CE965543ABDC3E0A25A5DA1874A . 3011072 . . [6.00.2900.2627] . . c:\windows\$hf_mig$\KB890923\SP2QFE\mshtml.dll
[7] 2005-01-27 . FAE3CA9B2459581C45B3A8845BE3077C . 3006976 . . [6.00.2900.2604] . . c:\windows\$NtUninstallKB890923$\mshtml.dll
[7] 2005-01-27 . 91C5ADE25BC4E3322577854FA2E7B58B . 3008000 . . [6.00.2900.2604] . . c:\windows\$hf_mig$\KB867282\SP2QFE\mshtml.dll
[7] 2004-09-29 . 087FF7C54E7EBE4A59BD4DFC1D0EE9B8 . 3004928 . . [6.00.2900.2524] . . c:\windows\$hf_mig$\KB834707\SP2QFE\mshtml.dll
[7] 2004-09-29 . D94E6405E420373161467ACD3DA65640 . 3004928 . . [6.00.2900.2523] . . c:\windows\$NtUninstallKB867282$\mshtml.dll
[7] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB834707$\mshtml.dll

[7] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntoskrnl.exe
[7] 2009-08-04 . D6B537A639D623ED85B73AF3E3BE4B94 . 2180352 . . [5.1.2600.3610] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2009-08-04 . D6B537A639D623ED85B73AF3E3BE4B94 . 2180352 . . [5.1.2600.3610] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2009-08-04 . 039B9E1E31DAEE0018B2779C8BF65C89 . 2147840 . . [5.1.2600.3610] . . c:\windows\system32\ntoskrnl.exe
[7] 2009-08-04 . 11CDD81560E766101F0032EB05872C1B . 2136064 . . [5.1.2600.3610] . . c:\windows\system32\VITrans\ntoskrnl.exe
[7] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[7] 2009-08-04 . 8DF112C341425F29DB4566B8D2A96A7F . 2185984 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 . 16B5EBE97F243441264A8F8694C2F2AA . 2136064 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[7] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 . DD31AB4B91C2605601A3C108AF57A0C9 . 2136064 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 5FB20CABC9A81BAAABBE63F30FFC5284 . 2147840 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2006-12-19 . CEF243F6DEFD20BE4ADDE26C7ECACB54 . 2182016 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 . 612C427014BB443153DCA528A4D37D13 . 2146816 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2005-03-02 . 48B3E89AF7074CEE0314A3E0C7FAFFDB . 2135552 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[7] 2004-08-04 . 626309040459C3915997EF98EC1C8D40 . 2148352 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ntoskrnl.exe

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 7159508EEBB8E80DE73A0A48D581ED50 . 1423360 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\VITrans\explorer.exe
[-] 2004-08-04 . 4B0011B8E35843966A3CE5685058420F . 1422336 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[7] 2009-08-05 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[7] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntkrnlpa.exe
[-] 2009-08-04 . 2A7AA4C4FC05B819E56045F4856D92B6 . 2027520 . . [5.1.2600.3610] . . c:\windows\system32\ntkrnlpa.exe
[7] 2009-08-04 . E832C72D32FA117CB0D033C5EA95B58F . 2015744 . . [5.1.2600.3610] . . c:\windows\system32\VITrans\ntkrnlpa.exe
[7] 2009-08-04 . B0BD27AA04C1B8E857C1DADEF4EF2159 . 2057728 . . [5.1.2600.3610] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2009-08-04 . B0BD27AA04C1B8E857C1DADEF4EF2159 . 2057728 . . [5.1.2600.3610] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2009-08-04 . 97E912E94CCED4064F5DEEE5C25A9278 . 2062976 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 . B238AB60093BABFE76AEC8F34B4D399D . 2015744 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[7] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 . DC097A896A03B8277457D228FD12D4E6 . 2015744 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntkrnlpa.exe
[7] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 . 54A8B9806027049F8B19F1274A63C7B4 . 2027520 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2006-12-19 . BA4B97C00A437C1CC3DA365D93EE1E9D . 2059392 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 . 44B54761A335D89C0CFB7364B23B0128 . 2026496 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2005-03-02 . 3CD941E472DDF3534E53038535719771 . 2015232 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[7] 2004-08-04 . FB142B7007CA2EEA76966C6C5CC12150 . 2015232 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-20 128000]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-20 65536]
"ViStart"="c:\program files\ViStart\ViStart.exe" [2007-11-27 593920]
"ViOrb"="c:\program files\ViOrb\ViOrb.exe" [2007-11-19 163840]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-14 323392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-08-02 49152]
"VTTrayp"="VTtrayp.exe" [2004-08-02 143360]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-20 65536]
"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\moffice.exe" [2007-04-15 806912]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"Glass2k"="c:\documents and settings\ngo\My Documents\Downloads\Glass2k.exe" [2007-04-06 56325]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Anh Pham\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-8 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=c:\windows\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k]
2007-04-06 01:24   56325   ----a-w-   c:\documents and settings\ngo\My Documents\Downloads\Glass2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 18:07   36864   ----a-w-   c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-09-20 00:34   4347120   ----a-w-   c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 17:33   45108   ----a-w-   c:\program files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
2007-11-20 21:51   524288   ----a-w-   c:\program files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\WINDOWS\\system32\\P3MxSvr.exe"=
"c:\\WINDOWS\\system32\\p3mxvsvr.exe"=
"c:\\WINDOWS\\system32\\mnetasvr.exe"=
"c:\\WINDOWS\\system32\\mnetvsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:UDP"= 5000:UDP:Yahoo Voice

S0 daiua;daiua;c:\windows\system32\drivers\lyvj.sys --> c:\windows\system32\drivers\lyvj.sys [?]
S0 epcjlr;epcjlr;c:\windows\system32\drivers\ssww.sys --> c:\windows\system32\drivers\ssww.sys [?]
S2 PortTalk;PortTalk;

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/8/2004 5:10 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/8/2004 5:10 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [11/8/2004 5:10 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [11/8/2004 5:10 PM 10368]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uDefault_Search_URL = hxxp://ie.search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0B96BF84-DA5C-46F4-A7FC-5319CFF74163} - hxxp://player.mnet.com/package/cjmuset.cab
DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} - hxxp://www.mnet.com/Ver2/App/totalApp/maxhelper/maxhelper.cab
DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} - hxxp://live.pdbox.co.kr:8057/AFCStarter.cab
FF - ProfilePath - c:\documents and settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2946896428-4015859676-2471532444-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(440)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(1188)
c:\windows\system32\WININET.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-01-29  22:47:13
ComboFix-quarantined-files.txt  2010-01-30 06:47
ComboFix2.txt  2010-01-25 21:23
ComboFix3.txt  2008-06-06 23:05

Pre-Run: 111,972,597,760 bytes free
Post-Run: 111,948,505,088 bytes free

- - End Of File - - 5950B3E7F3F34BFD40E3B46FEEEA9FCA
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #14 on: January 30, 2010, 01:31:01 PM »
Can you scan 2 files for me
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Then proceed to http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to this file on your hard disk
c:\windows\system32\drivers\lyvj.sys<--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Or better yet, post the link to the results
Do the same for the following file
c:\windows\system32\drivers\ssww.sys
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #15 on: January 30, 2010, 05:17:48 PM »
Ok, I did what you instructed but neither of the two showed up.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #16 on: January 30, 2010, 09:55:12 PM »
Can you do the following
As Spybot 1.4 and AVG AntiSpyware is terribly outdated, Let's remove them
First:
disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Click Allow Change box if prompted
Close Spybot

Access your Add and Remove programs and remove
Both
Spybot - Search & Destroy 1.4
AVG Anti-Spyware 7.5

Reboot the computer

Back in Windows
Your version of Sun Java is outdated
Close down all browser windows, again access your Add and Remove programs and remove
Javaâ„¢ 6 Update 6

After it's removed, come back here
Double  click on OTL.exe and Run it
  • Under the [color=\"#0000FF\"]Custom Scans/Fixes[/color] box at the bottom, copy/paste in the following in the quote box below. don't include the word Quote please
    Quote
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BJCFD"=-
    "Adobe Reader Speed Launcher"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\mIRC\mirc.exe"=-
    "C:\Program Files\BitTornado\btdownloadgui.exe"=-
    "C:\Documents and Settings\ngo\Local Settings\Temp\WZSE0.TMP\SymNRT.exe"=-
    :Files
    C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
    :Commands
    [EmptyTemp]
    [Reboot]

  • Then click the [color=\"#FF0000\"]Run Fix[/color] button at the top
  • Let the program run unhindered, reboot the PC when it is done

On startup, Allow OTL to run if prompted
A log should open, can you post it later please
A copy of this log can also be found in
C:\_OTL\Moved Files folder

[color=\"blue\"]Updating Java:[/color]
  • Download the latest version of  Java Runtime Environment (JRE) .
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows,>>Check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe that you downloaded to install the newest version.
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications as you did earlier, so there is no interference
[/color]

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]
File::
c:\windows\system32\drivers\lyvj.sys
c:\windows\system32\drivers\ssww.sys
Driver::
daiua
epcjlr

[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you  with the same name C:\ComboFix.txt..
I'll need to see that log again later

One last request
Then, Go to the following link [color=\"#0000FF\"]ESET Online Scanner[/color][/url]
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
       
  • Click Start
       
  • When asked, allow the ActiveX control to install
  • Click Start
       
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
       
  • Click Scan (This scan can take awhile, so please be patient)
       
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
       
  • Copy and paste that log as a reply to this topic

Recap: Can you post back all the following
1. The log from Eset Online Scanner
2. The log from OTL fix that you ran, the log is found at >>C:\_OTL\Moved Files folder
3. The log from ComboFix again>>C:\ComboFix.txt

Also, keep me informed how things are now running
« Last Edit: January 30, 2010, 10:10:14 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #17 on: February 02, 2010, 03:25:55 AM »
Ok, here are the logs:
ESET:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=46741b9b224c804283064dd39b5fe66b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-02 08:20:41
# local_time=2010-02-02 12:20:41 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 51544910 51544910 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=76189
# found=8
# cleaned=8
# scan_time=2142
C:\QooBox\Quarantine\C\WINDOWS\system32\H8SRTvnssrhspcb.dll.vir   a variant of Win32/Kryptik.BXQ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\QooBox\Quarantine\C\WINDOWS\system32\H8SRTyemshiexbf.dll.vir   Win32/Olmarik.SX trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\QooBox\Quarantine\C\WINDOWS\system32\H8SRTypibegcmyl.dll.vir   a variant of Win32/Kryptik.BXQ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\H8SRToqxmbavmcy.sys.vir   a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{7D607B74-8182-4A0E-99A6-1FF5338755DA}\RP360\A0071443.sys   a variant of Win32/Olmarik.SR trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{7D607B74-8182-4A0E-99A6-1FF5338755DA}\RP360\A0071445.dll   Win32/Olmarik.SX trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{7D607B74-8182-4A0E-99A6-1FF5338755DA}\RP360\A0071446.dll   a variant of Win32/Kryptik.BXQ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{7D607B74-8182-4A0E-99A6-1FF5338755DA}\RP360\A0071447.dll   a variant of Win32/Kryptik.BXQ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C

OTL:
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1017A80C-6F09-4548-A84D-EDD6AC9525F0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{855F3B16-6D32-4FE6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4FE6-8A56-BBB695989046}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BJCFD deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Speed Launcher deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\mIRC\mirc.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitTornado\btdownloadgui.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\ngo\Local Settings\Temp\WZSE0.TMP\SymNRT.exe not found.
========== FILES ==========
File\Folder C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->FireFox cache emptied: 2516490 bytes
 
User: All Users
 
User: ap
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: ngo
->Temp folder emptied: 577593 bytes
->Temporary Internet Files folder emptied: 140044697 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 38686324 bytes
->Opera cache emptied: 45330489 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5567505 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 222.00 mb
 
 
OTL by OldTimer - Version 3.1.25.2 log created on 02012010_231337

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

And ComboFix:
ComboFix 10-01-29.05 - ngo 02/01/2010  23:26:02.5.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.479.162 [GMT -8:00]
Running from: c:\documents and settings\ngo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ngo\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\lyvj.sys"
"c:\windows\system32\drivers\ssww.sys"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_daiua
-------\Service_epcjlr


(((((((((((((((((((((((((   Files Created from 2010-01-02 to 2010-02-02  )))))))))))))))))))))))))))))))
.

2010-02-02 07:22 . 2010-02-02 07:22   --------   d-----w-   c:\program files\Common Files\Java
2010-02-02 07:22 . 2010-02-02 07:22   61440   ----a-w-   c:\documents and settings\ngo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28ee7280-n\decora-sse.dll
2010-02-02 07:22 . 2010-02-02 07:22   503808   ----a-w-   c:\documents and settings\ngo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-168f725d-n\msvcp71.dll
2010-02-02 07:22 . 2010-02-02 07:22   499712   ----a-w-   c:\documents and settings\ngo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-168f725d-n\jmc.dll
2010-02-02 07:22 . 2010-02-02 07:22   348160   ----a-w-   c:\documents and settings\ngo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-168f725d-n\msvcr71.dll
2010-02-02 07:22 . 2010-02-02 07:22   12800   ----a-w-   c:\documents and settings\ngo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28ee7280-n\decora-d3d.dll
2010-02-02 07:21 . 2010-02-02 07:21   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-02 07:21 . 2010-02-02 07:21   --------   d-----w-   c:\program files\Java
2010-01-25 21:13 . 2010-01-25 21:23   --------   d-----w-   C:\Combo-Fix
2010-01-15 06:23 . 2010-01-15 06:23   --------   d-----w-   C:\VundoFix Backups
2010-01-14 08:34 . 2010-01-08 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 08:34 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-01-14 08:34 . 2010-01-14 20:24   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-01-14 06:59 . 2010-01-14 06:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\Grisoft
2010-01-12 23:58 . 2009-11-21 16:36   470528   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-01-06 22:36 . 2010-02-02 07:32   --------   d-----w-   c:\program files\ViStart
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\VisualTooltip
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\ViOrb
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\Vista Sidebar
2010-01-06 22:36 . 2010-01-06 22:36   --------   d-----w-   c:\program files\LClock
2010-01-06 22:36 . 2007-04-15 09:30   6181376   ----a-w-   c:\windows\system32\vistaui.exe
2010-01-06 22:23 . 2010-01-06 22:23   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-01-06 21:59 . 2010-01-06 21:59   --------   d-----w-   c:\documents and settings\ngo\Application Data\ViGlance
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViSplore
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViStart(2)
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Vista Rainbar
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\ViGlance
2010-01-06 21:57 . 2010-01-06 22:23   --------   d-----w-   c:\program files\Vista Drive Icon
2010-01-05 10:00 . 2010-01-05 10:00   192512   -c----w-   c:\windows\system32\dllcache\iepeers.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 07:32 . 2009-05-24 19:36   --------   d-----w-   c:\program files\DNA
2010-02-02 07:32 . 2009-05-24 19:36   --------   d-----w-   c:\documents and settings\ngo\Application Data\DNA
2010-02-02 07:04 . 2005-03-19 06:03   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-02-02 07:02 . 2005-03-19 06:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-14 08:11 . 2007-06-15 03:10   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-01-14 08:06 . 2006-05-27 21:07   --------   d-----w-   c:\program files\SpywareBlaster
2010-01-14 06:46 . 2006-10-01 06:37   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-01-14 06:46 . 2005-03-19 06:35   --------   d-----w-   c:\program files\Lavasoft
2010-01-14 05:54 . 2007-11-25 06:39   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\TrueTransparency
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\WinFlip
2010-01-06 22:36 . 2008-09-20 23:32   --------   d-----w-   c:\program files\Styler
2010-01-06 21:59 . 2008-09-20 23:35   --------   d-----w-   c:\documents and settings\ngo\Application Data\ViStart
2010-01-05 10:00 . 2004-08-23 19:13   832512   ----a-w-   c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-23 19:13   78336   ----a-w-   c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-23 19:13   17408   ----a-w-   c:\windows\system32\corpol.dll
2009-12-29 07:54 . 2009-08-31 23:20   --------   d-----w-   c:\documents and settings\ngo\Application Data\BitTorrent
2009-12-26 19:07 . 2008-09-21 08:28   --------   d-----w-   c:\documents and settings\ngo\Application Data\Move Networks
2009-12-26 09:52 . 2009-12-26 09:52   144160   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\uninstall.exe
2009-12-26 09:52 . 2009-12-10 19:26   4187512   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-26 09:52 . 2009-12-26 09:52   1438976   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-12-16 04:58 . 2009-12-16 04:55   --------   d-----w-   c:\documents and settings\ngo\Application Data\Ventrilo
2009-12-16 04:54 . 2009-12-16 04:54   --------   d-----w-   c:\program files\Ventrilo
2009-12-10 19:27 . 2009-12-10 19:27   97144   ----a-w-   c:\documents and settings\ngo\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-09 23:17 . 2008-09-20 05:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-21 16:36 . 2004-08-23 19:13   470528   ----a-w-   c:\windows\AppPatch\aclayers.dll
1999-07-07 00:00 . 1999-07-07 00:00   6   -csh--r-   c:\windows\@@desktop.dat
1999-07-07 00:00 . 1999-07-07 00:00   6   -csh--r-   c:\windows\@[email protected]
.

------- Sigcheck -------

[7] 2009-08-05 . 8415D9C7C050E7022AED8ABF281BE4A6 . 2189184 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntoskrnl.exe
[7] 2009-08-04 . D6B537A639D623ED85B73AF3E3BE4B94 . 2180352 . . [5.1.2600.3610] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2009-08-04 . D6B537A639D623ED85B73AF3E3BE4B94 . 2180352 . . [5.1.2600.3610] . . c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2009-08-04 . 039B9E1E31DAEE0018B2779C8BF65C89 . 2147840 . . [5.1.2600.3610] . . c:\windows\system32\ntoskrnl.exe
[7] 2009-08-04 . 11CDD81560E766101F0032EB05872C1B . 2136064 . . [5.1.2600.3610] . . c:\windows\system32\VITrans\ntoskrnl.exe
[7] 2009-08-04 . FDE779EA1A564EBFE16F4E0F82B61BAD . 2189312 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe
[7] 2009-08-04 . 8DF112C341425F29DB4566B8D2A96A7F . 2185984 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 . 16B5EBE97F243441264A8F8694C2F2AA . 2136064 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntoskrnl.exe
[7] 2009-02-06 . 7A95B10A73737EBF24139AAA63F5212B . 2189056 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-06 . 6A936E9D7BADAF3CAAEED1E1966EC1B0 . 2186112 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 . 31914172342BFF330063F343AC6958FE . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 . EEAF32F8E15A24F62BECB1BD403BB5C5 . 2189184 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 . DD31AB4B91C2605601A3C108AF57A0C9 . 2136064 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-08-14 . CE69DBD54221F2D40E49FF6DB77C6507 . 2185984 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-04-13 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[7] 2007-02-28 . 5A5C8DB4AA962C714C8371FBDF189FC9 . 2182144 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 . 5FB20CABC9A81BAAABBE63F30FFC5284 . 2147840 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2006-12-19 . CEF243F6DEFD20BE4ADDE26C7ECACB54 . 2182016 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 . 612C427014BB443153DCA528A4D37D13 . 2146816 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2005-03-02 . 28187802B7C368C0D3AEF7D4C382AABB . 2179456 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[7] 2005-03-02 . 48B3E89AF7074CEE0314A3E0C7FAFFDB . 2135552 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[7] 2004-08-04 . 626309040459C3915997EF98EC1C8D40 . 2148352 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ntoskrnl.exe

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 7159508EEBB8E80DE73A0A48D581ED50 . 1423360 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\VITrans\explorer.exe
[-] 2004-08-04 . 4B0011B8E35843966A3CE5685058420F . 1422336 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[7] 2009-08-05 . 363B2BBEE0AEDC9E5433616D0AD0236A . 2066176 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[7] 2009-08-04 . 7437BA6F538E89381A2E3643AED296C7 . 2066048 . . [5.1.2600.5857] . . c:\windows\$hf_mig$\KB971486\SP3GDR\ntkrnlpa.exe
[-] 2009-08-04 . 2A7AA4C4FC05B819E56045F4856D92B6 . 2027520 . . [5.1.2600.3610] . . c:\windows\system32\ntkrnlpa.exe
[7] 2009-08-04 . E832C72D32FA117CB0D033C5EA95B58F . 2015744 . . [5.1.2600.3610] . . c:\windows\system32\VITrans\ntkrnlpa.exe
[7] 2009-08-04 . B0BD27AA04C1B8E857C1DADEF4EF2159 . 2057728 . . [5.1.2600.3610] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2009-08-04 . B0BD27AA04C1B8E857C1DADEF4EF2159 . 2057728 . . [5.1.2600.3610] . . c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2009-08-04 . 97E912E94CCED4064F5DEEE5C25A9278 . 2062976 . . [5.1.2600.3610] . . c:\windows\$hf_mig$\KB971486\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 . 5BA7F2141BC6DB06100D0E5A732C617A . 2066048 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 . B238AB60093BABFE76AEC8F34B4D399D . 2015744 . . [5.1.2600.3520] . . c:\windows\$NtUninstallKB971486$\ntkrnlpa.exe
[7] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 . 9D832AF3FD1917DB0E1E8B2F000A2E3A . 2062976 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 . A25E9B86EFFB2AF33BF51E676B68BFB0 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 . 4AC58F03EB94A72809949D757FC39D80 . 2066048 . . [5.1.2600.5657] . . c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 . DC097A896A03B8277457D228FD12D4E6 . 2015744 . . [5.1.2600.3427] . . c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-08-14 . 63EC865DFF6CCFC7BEF94B5C50297CAD . 2062976 . . [5.1.2600.3427] . . c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-04-13 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntkrnlpa.exe
[7] 2007-02-28 . 4D3DBDCCBF97F5BA1E74F322B155C3BA . 2059392 . . [5.1.2600.3093] . . c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 . 54A8B9806027049F8B19F1274A63C7B4 . 2027520 . . [5.1.2600.3093] . . c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2006-12-19 . BA4B97C00A437C1CC3DA365D93EE1E9D . 2059392 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 . 44B54761A335D89C0CFB7364B23B0128 . 2026496 . . [5.1.2600.3051] . . c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2005-03-02 . D8ABA3EAB509627E707A3B14F00FBB6B . 2056832 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[7] 2005-03-02 . 3CD941E472DDF3534E53038535719771 . 2015232 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[7] 2004-08-04 . FB142B7007CA2EEA76966C6C5CC12150 . 2015232 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\backup\ntkrnlpa.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-20 128000]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-20 65536]
"ViStart"="c:\program files\ViStart\ViStart.exe" [2007-11-27 593920]
"ViOrb"="c:\program files\ViOrb\ViOrb.exe" [2007-11-19 163840]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-14 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-08-02 49152]
"VTTrayp"="VTtrayp.exe" [2004-08-02 143360]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-20 65536]
"FLMOFFICE4DMOUSE"="c:\program files\Browser Mouse\moffice.exe" [2007-04-15 806912]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"Glass2k"="c:\documents and settings\ngo\My Documents\Downloads\Glass2k.exe" [2007-04-06 56325]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Anh Pham\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-8 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=c:\windows\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k]
2007-04-06 01:24   56325   ----a-w-   c:\documents and settings\ngo\My Documents\Downloads\Glass2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 18:07   36864   ----a-w-   c:\program files\Scansoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-09-20 00:34   4347120   ----a-w-   c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 17:33   45108   ----a-w-   c:\program files\Scansoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
2007-11-20 21:51   524288   ----a-w-   c:\program files\Vista Sidebar\sidebar.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\WINDOWS\\system32\\P3MxSvr.exe"=
"c:\\WINDOWS\\system32\\p3mxvsvr.exe"=
"c:\\WINDOWS\\system32\\mnetasvr.exe"=
"c:\\WINDOWS\\system32\\mnetvsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:UDP"= 5000:UDP:Yahoo Voice

S2 PortTalk;PortTalk;

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/8/2004 5:10 PM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/8/2004 5:10 PM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [11/8/2004 5:10 PM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [11/8/2004 5:10 PM 10368]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uDefault_Search_URL = hxxp://ie.search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {0B96BF84-DA5C-46F4-A7FC-5319CFF74163} - hxxp://player.mnet.com/package/cjmuset.cab
DPF: {882A7CC6-0163-4BC1-8BC1-505E36C9FFA2} - hxxp://www.mnet.com/Ver2/App/totalApp/maxhelper/maxhelper.cab
DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} - hxxp://live.pdbox.co.kr:8057/AFCStarter.cab
FF - ProfilePath - c:\documents and settings\ngo\Application Data\Mozilla\Firefox\Profiles\h1ooj7gl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\ngo\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 23:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2946896428-4015859676-2471532444-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(352)
c:\windows\system32\WININET.dll
c:\program files\ViStart\MainHook.Dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\program files\LClock\LC.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Browser Mouse\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\VTTimer.exe
c:\program files\Browser Mouse\MOUSE32A.DAT
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-01  23:37:56 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-02 07:37
ComboFix2.txt  2010-01-30 06:47
ComboFix3.txt  2010-01-25 21:23
ComboFix4.txt  2008-06-06 23:05

Pre-Run: 112,903,077,888 bytes free
Post-Run: 112,878,338,048 bytes free

- - End Of File - - 6B5E332AF53602A5579578A295F866A0


Everything runs a bit better now. Thank you so much!!
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Rootkit.TDSS
« Reply #18 on: February 03, 2010, 09:37:45 PM »
Can you still do the following
Go to START>>RUN>>Copy/paste the next command and then hit OK

ComboFix /uninstall

If you do happen to type in that command, note the single space after ComboFix
This will remove combofix and it's components

To properly remove OTL.exe
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
« Last Edit: February 03, 2010, 09:38:06 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline Ryugata

  • Newbie
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Rootkit.TDSS
« Reply #19 on: February 06, 2010, 03:21:17 PM »
Ok, I did what you instructed and they're gone now. Thanks again!
Logged
Pages: [1] 2
« previous next »