Finally back after hacker had his way with my puter..

Post by Kado420 on Wed Mar 31, 2010 9:24 pm

So I had posted a week or so ago about the Antivirus Soft virus I got. Well, shortly after that a hacker came in through an open port, supposedly through Azureus, which was closed at the time, is what the computer repair guy said. He had my computer for over a week fixing everything, removed Norton and put on Kaspersky. This hacker now has my TCP/IP address and I'm worried about another attack. I mean this guy ran amok: everything from keyloggers to malware to locking up to redirecting ports to call back to his computer when I got online. It was a mess. I would just like a little reassurance he is gone and what he has put on here is gone.

Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Wed Mar 31, 2010 10:27 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:13 PM, on 3/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\UB\mainclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\UB\aphh.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Documents and Settings\Cade Waldschmidt\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} (WNICheck2 Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5513 bytes

Re: Finally back after hacker had his way with my puter..

Post by Belahzur on Thu Apr 01, 2010 12:10 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.


Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Thu Apr 01, 2010 7:55 am

He just hacked me again, man. This is really worrying me. You were helping me before, but he crashed me completely; I just got it fixed, first day running, and he is all over it again...

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/1/2010 1:13:08 AM
mbam-log-2010-04-01 (01-13-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 341284
Time elapsed: 1 hour(s), 39 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Cade Waldschmidt\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant.D64PGX91\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
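
As an added example that is not part of this thread, a small Python checker that reads the HijackThis "Running processes" lines and the MBAM "Registry Data Items" lines posted above and flags what they show: a reserved system binary name (winlogon) living as a .scr on the Desktop, the three Security Center notification values flipped to 1, and the one item MBAM reported but left unfixed. The reserved-name list and the Windows-directory check are this example's own heuristics rather than MBAM's, and the user folder in the sample path is a placeholder.

```python
import re
from pathlib import PureWindowsPath

# Base names Windows reserves for core system binaries. A file that carries one
# of these names outside the Windows directory, or with an extension other than
# .exe, is the pattern MBAM labelled Heuristics.Reserved.Word.Exploit above.
# (This name list is assembled for the example; it is not MBAM's own list.)
RESERVED_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}
WINDOWS_DIR = "c:\\windows\\"

# Security Center values that, when set to 1, silence the "no antivirus /
# firewall / updates" warnings. MBAM reports them as Disabled.SecurityCenter.
SECURITY_CENTER_NOTIFY = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                          "UpdatesDisableNotify"}

# Sample input: 'Running processes' lines copied from the HijackThis log in
# this thread (the user folder is replaced with a placeholder).
HJT_PROCESSES = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UB\mainclient.exe
C:\Documents and Settings\<user>\Desktop\winlogon.scr
""".strip().splitlines()

# Sample input: the 'Registry Data Items Infected' lines from the MBAM log.
MBAM_REGISTRY_DATA = r"""
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
""".strip().splitlines()

# One MBAM registry data item:
#   <key>\<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>.
MBAM_ITEM = re.compile(
    r"^(?P<key>.*)\\(?P<value>[^\\]+) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*?)\.?$"
)


def reserved_name_misplaced(path: str) -> bool:
    """True when a reserved system binary name sits outside C:\\Windows or
    carries a non-.exe extension (winlogon.scr on the Desktop is both)."""
    p = PureWindowsPath(path)
    if p.stem.lower() not in RESERVED_NAMES:
        return False
    in_windows_dir = str(p).lower().startswith(WINDOWS_DIR)
    return not in_windows_dir or p.suffix.lower() != ".exe"


def misplaced_processes(lines):
    """HijackThis process paths that trip the reserved-name heuristic."""
    return [line for line in lines if reserved_name_misplaced(line.strip())]


def parse_mbam_item(line: str):
    """Split one MBAM registry data line into its fields, or None."""
    m = MBAM_ITEM.match(line.strip())
    return m.groupdict() if m else None


def security_center_notifications_disabled(lines):
    """Security Center *DisableNotify values MBAM found flipped to 1."""
    return [item["value"] for item in map(parse_mbam_item, lines)
            if item and item["value"] in SECURITY_CENTER_NOTIFY and item["bad"] == "1"]


def unresolved_items(lines):
    """Registry items MBAM reported but did not quarantine (need manual repair)."""
    return [item["key"] + "\\" + item["value"] for item in map(parse_mbam_item, lines)
            if item and not item["action"].lower().startswith("quarantined")]


if __name__ == "__main__":
    for path in misplaced_processes(HJT_PROCESSES):
        print("reserved system name in a user-writable location:", path)
    for value in security_center_notifications_disabled(MBAM_REGISTRY_DATA):
        print("Security Center warning was suppressed:", value)
    for item in unresolved_items(MBAM_REGISTRY_DATA):
        print("reported but not fixed, repair by hand:", item)
```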

Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Thu Apr 01, 2010 5:46 pm

Here is an updated HijackThis log after I did a couple of things last night....

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:45:24 AM, on 4/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Cade Waldschmidt\Desktop\utilities\Process Utilities\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O1 - Hosts: ::1 localhost # IPv6
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} (WNICheck2 Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5515 bytes

Re: Finally back after hacker had his way with my puter..

Post by Belahzur on Thu Apr 01, 2010 11:20 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Fri Apr 02, 2010 12:47 am

OTL logfile created on: 4/1/2010 6:42:05 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Cade Waldschmidt\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 455.35 Gb Total Space | 155.88 Gb Free Space | 34.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D64PGX91
Current User Name: Cade Waldschmidt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/01 18:41:35 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cade Waldschmidt\My Documents\Downloads\OTL.exe
PRC - [2010/03/16 14:44:31 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
PRC - [2009/10/20 20:34:38 | 000,207,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/08 17:31:14 | 000,410,904 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe


========== Modules (SafeList) ==========

MOD - [2010/04/01 18:41:35 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cade Waldschmidt\My Documents\Downloads\OTL.exe
MOD - [2010/03/23 10:21:52 | 000,109,072 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll
MOD - [2010/03/23 10:21:52 | 000,017,936 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (WMPNetworkSvc)
SRV - File not found [Disabled | Stopped] -- -- (PLFlash DeviceIoControl Service)
SRV - File not found [Disabled | Stopped] -- -- (Fax)
SRV - File not found [Auto | Stopped] -- -- (CCALib8)
SRV - [2010/03/22 15:53:24 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2009/10/20 20:39:28 | 000,340,456 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe -- (AVP)
SRV - [2009/05/06 15:15:00 | 002,785,582 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2008/12/23 09:35:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/08/08 17:31:14 | 000,410,904 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2005/02/09 12:59:00 | 000,014,165 | ---- | M] (Pinnacle Systems GmbH) [Auto | Stopped] -- C:\WINDOWS\system32\drivers\Pclepci.sys -- (PCLEPCI)
SRV - [2004/08/26 15:57:02 | 000,450,560 | ---- | M] (Dell) [Disabled | Stopped] -- C:\WINDOWS\System32\dlbxcoms.exe -- (dlbx_device)


========== Driver Services (SafeList) ==========

DRV - [2010/03/23 10:21:52 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/12/21 20:39:14 | 000,016,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdrvio.sys -- (pwdrvio)
DRV - [2009/12/21 20:39:12 | 000,011,088 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdspio.sys -- (pwdspio)
DRV - [2009/10/14 21:18:34 | 000,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2009/10/02 19:39:44 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 14:42:46 | 000,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 15:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2008/12/23 09:35:02 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2008/04/13 12:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 12:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 12:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 10:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/01/04 10:07:00 | 000,171,520 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
DRV - [2005/11/16 20:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/08/04 03:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/03 21:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2002/09/16 17:14:32 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2001/08/17 13:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2000/03/29 17:11:20 | 000,008,096 | ---- | M] (MicroStaff Co.,Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\MASPINT.SYS -- (MASPINT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:9.0.0.736
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.7
FF - prefs.js..network.proxy.ftp: ":0"
FF - prefs.js..network.proxy.gopher: ":0"
FF - prefs.js..network.proxy.http: ":0"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: ":0"
FF - prefs.js..network.proxy.ssl: ":0"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/01 04:08:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/01 11:43:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\THBExt [2010/03/22 12:01:06 | 000,000,000 | ---D | M]

[2010/01/08 22:43:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cade Waldschmidt\Application Data\Mozilla\Extensions
[2010/04/01 15:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cade Waldschmidt\Application Data\Mozilla\Firefox\Profiles\xk73bo7f.default\extensions
[2010/01/08 22:44:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Cade Waldschmidt\Application Data\Mozilla\Firefox\Profiles\xk73bo7f.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/01 15:30:31 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Cade Waldschmidt\Application Data\Mozilla\Firefox\Profiles\xk73bo7f.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010/04/01 11:40:44 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Cade Waldschmidt\Application Data\Mozilla\Firefox\Profiles\xk73bo7f.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/04/01 15:30:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/22 13:40:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

O1 HOSTS File: ([2010/03/16 14:26:16 | 004,010,007 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost #IPv4
O1 - Hosts: ::1 localhost # IPv6
O1 - Hosts: 125962 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7293762-9884-48E2-B836-E0195B9D91D0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm ()
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} [You must be registered and logged in to see this link.] (Microsoft Office Template and Media Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} [You must be registered and logged in to see this link.] (WNICheck2 Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 69.144.49.30 69.146.17.2 69.144.49.29
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/29 19:02:04 | 000,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/01 11:43:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/04/01 11:42:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/01 11:40:49 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/04/01 07:09:39 | 000,000,000 | ---D | C] -- C:\Program Files\PowerQuest
[2010/04/01 06:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\Partition Wizard Home Edition 4.2.2
[2010/04/01 04:38:59 | 000,000,000 | ---D | C] -- C:\Program Files\hpHosts
[2010/04/01 04:08:49 | 000,177,968 | ---- | C] (Sonic Solutions) -- C:\inuninst.exe
[2010/04/01 04:03:40 | 008,351,672 | ---- | C] (Mozilla) -- C:\Documents and Settings\Cade Waldschmidt\Desktop\Firefox Setup 3.6.2.exe
[2010/04/01 03:48:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cade Waldschmidt\.SunDownloadManager
[2010/03/31 23:31:52 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/31 23:31:50 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 14:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/28 14:09:52 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/28 14:09:52 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/28 14:09:52 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/28 07:59:09 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/28 07:38:47 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/03/28 07:32:22 | 000,000,000 | ---D | C] -- C:\Program Files\RegCleaner
[2010/03/22 12:00:06 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010/03/22 12:00:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2010/03/22 11:58:21 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/03/22 11:53:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2010/03/19 14:39:14 | 000,854,064 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Cade Waldschmidt\Desktop\Norton_Removal_Tool.exe
[2010/03/19 14:01:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cade Waldschmidt\Desktop\utilities
[2010/03/19 13:20:57 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/19 12:59:57 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2010/03/09 18:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cade Waldschmidt\Application Data\Malwarebytes
[2010/03/09 17:08:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/03/09 17:07:59 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/03/09 10:19:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/03/09 10:19:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/03/09 03:14:42 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/03/08 08:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SpeedyPC
[2010/03/07 16:56:42 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml4a.dll
[2010/03/07 14:44:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Cade Waldschmidt\IECompatCache
[2010/03/07 11:10:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/07 11:09:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cade Waldschmidt\Application Data\SUPERAntiSpyware.com
[2010/03/07 11:09:47 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/03/07 07:59:13 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/03/07 07:59:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/03/07 07:47:06 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/07 07:47:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/07 07:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cade Waldschmidt\Desktop\Malware
[2010/03/07 02:55:35 | 000,000,000 | ---D | C] -- C:\Program Files\WinPalace
[2010/03/07 01:51:26 | 000,000,000 | ---D | C] -- C:\Program Files\Cirrus Casino
[2010/03/06 15:54:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MGS
[2010/03/06 10:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cade Waldschmidt\Local Settings\Application Data\cache
[2010/01/28 05:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/10/24 20:33:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/10/24 20:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/10/02 11:24:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2009/09/09 15:44:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Downloaded Installations
[2008/07/15 13:09:43 | 000,308,600 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\NortonProtectionMemo.exe
[2008/03/06 09:17:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/10/14 18:18:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/09/13 11:21:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/08/22 21:24:11 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/06/24 17:56:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[35 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/01 11:43:49 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/01 11:42:55 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/04/01 11:21:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/01 11:20:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/01 11:20:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/01 07:19:54 | 000,000,211 | -H-- | M] () -- C:\boot.ini
[2010/04/01 06:24:37 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Partition Wizard Home Edition.lnk
[2010/04/01 04:19:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\iplayer.INI
[2010/04/01 04:18:48 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\InterActual Player.lnk
[2010/04/01 04:09:17 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/01 04:05:19 | 008,351,672 | ---- | M] (Mozilla) -- C:\Documents and Settings\Cade Waldschmidt\Desktop\Firefox Setup 3.6.2.exe
[2010/04/01 02:28:06 | 014,942,208 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\ntuser.dat
[2010/04/01 02:27:38 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Cade Waldschmidt\ntuser.ini
[2010/03/31 23:31:55 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/31 21:46:11 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/03/31 21:46:11 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/03/31 14:56:31 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/29 15:47:59 | 000,114,176 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/29 15:34:16 | 000,000,980 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/28 19:53:36 | 000,001,024 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\.rnd
[2010/03/28 14:23:20 | 000,004,008 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\After2ndscan.reg
[2010/03/28 14:09:16 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/28 14:09:16 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/28 14:09:16 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/28 14:09:16 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/28 14:09:15 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/28 07:38:48 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\Desktop\CCleaner.lnk
[2010/03/28 07:32:23 | 000,000,645 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\Desktop\RegCleaner.lnk
[2010/03/23 10:21:52 | 000,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/03/22 13:39:46 | 000,108,059 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/03/22 13:39:46 | 000,095,259 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/03/20 09:34:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/19 14:39:16 | 000,854,064 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Cade Waldschmidt\Desktop\Norton_Removal_Tool.exe
[2010/03/19 14:15:41 | 000,000,644 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Cade Waldschmidt.job
[2010/03/19 14:15:41 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/19 13:20:32 | 000,443,434 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/19 13:20:32 | 000,072,256 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/19 12:37:38 | 000,523,360 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/16 14:26:16 | 004,010,007 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/03/15 09:33:13 | 3767,175,927 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\My Pictures.rar
[2010/03/14 00:50:40 | 047,744,459 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\Corel User Files.rar
[2010/03/14 00:49:46 | 000,118,369 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\Andi.rar
[2010/03/14 00:46:12 | 047,738,206 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\CadePersonal.rar
[2010/03/11 18:34:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/11 09:15:03 | 000,001,857 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2010/03/09 13:24:24 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/09 10:19:15 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Cade Waldschmidt\Desktop\Spybot - Search & Destroy.lnk
[2010/03/08 09:02:52 | 000,000,588 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2010/03/07 15:53:40 | 003,708,436 | -H-- | M] () -- C:\Documents and Settings\Cade Waldschmidt\Local Settings\Application Data\IconCache.db
[2010/03/06 17:47:51 | 000,000,000 | ---- | M] () -- C:\10.1.19.109
[35 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/01 11:43:49 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/01 11:42:54 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/04/01 06:24:58 | 000,461,368 | ---- | C] () -- C:\WINDOWS\System32\pwNative.exe
[2010/04/01 06:24:46 | 000,016,456 | ---- | C] () -- C:\WINDOWS\System32\pwdrvio.sys
[2010/04/01 06:24:46 | 000,011,088 | ---- | C] () -- C:\WINDOWS\System32\pwdspio.sys
[2010/04/01 06:24:37 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Partition Wizard Home Edition.lnk
[2010/04/01 04:19:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2010/04/01 04:18:48 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\InterActual Player.lnk
[2010/03/31 23:31:55 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/31 21:46:11 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/03/31 21:46:11 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/03/28 14:23:18 | 000,004,008 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\After2ndscan.reg
[2010/03/28 07:38:48 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Desktop\CCleaner.lnk
[2010/03/28 07:32:23 | 000,000,645 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Desktop\RegCleaner.lnk
[2010/03/22 13:39:46 | 000,108,059 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/03/22 13:39:46 | 000,095,259 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/03/19 12:33:37 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/15 08:18:39 | 3767,175,927 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\My Pictures.rar
[2010/03/14 00:50:00 | 047,744,459 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\Corel User Files.rar
[2010/03/14 00:45:34 | 047,738,206 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\CadePersonal.rar
[2010/03/14 00:38:42 | 000,118,369 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\My Documents\Andi.rar
[2010/03/11 09:15:03 | 000,001,857 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2010/03/10 00:55:00 | 000,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib
[2010/03/10 00:55:00 | 000,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib
[2010/03/10 00:55:00 | 000,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib
[2010/03/10 00:55:00 | 000,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib
[2010/03/10 00:55:00 | 000,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib
[2010/03/10 00:55:00 | 000,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib
[2010/03/10 00:55:00 | 000,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib
[2010/03/10 00:55:00 | 000,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib
[2010/03/10 00:55:00 | 000,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib
[2010/03/10 00:55:00 | 000,016,617 | ---- | C] () -- C:\WINDOWS\System32\authserv.mib
[2010/03/10 00:55:00 | 000,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib
[2010/03/10 00:55:00 | 000,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib
[2010/03/10 00:55:00 | 000,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib
[2010/03/10 00:55:00 | 000,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib
[2010/03/10 00:55:00 | 000,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib
[2010/03/10 00:55:00 | 000,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib
[2010/03/10 00:54:59 | 000,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib
[2010/03/09 13:24:24 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/09 10:19:15 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Desktop\Spybot - Search & Destroy.lnk
[2010/03/07 08:00:52 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/03/07 08:00:52 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/03/07 08:00:52 | 000,000,880 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/03/07 08:00:52 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/03/06 17:47:51 | 000,000,000 | ---- | C] () -- C:\10.1.19.109
[2010/03/05 14:48:07 | 014,942,208 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\ntuser.dat
[2010/02/05 00:03:59 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/23 09:33:18 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008/10/08 12:54:20 | 000,000,570 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2008/10/08 10:36:19 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\dlbxinsr.dll
[2008/10/08 10:36:18 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\dlbxins.dll
[2008/10/08 10:36:18 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbxvs.dll
[2008/10/08 10:36:15 | 000,397,312 | ---- | C] () -- C:\WINDOWS\System32\dlbxutil.dll
[2008/10/08 10:36:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbxcu.dll
[2008/10/08 10:36:15 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\dlbxcur.dll
[2008/10/08 10:36:14 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlbxinsb.dll
[2008/10/08 10:36:14 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\dlbxcub.dll
[2008/10/08 10:36:13 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\dlbxjswr.dll
[2008/04/16 18:05:34 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2008/04/16 18:05:33 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2008/04/08 07:54:51 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/03/29 21:56:43 | 000,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2008/03/29 20:17:26 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\__FileUploader.log
[2008/03/29 20:09:01 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\DVResampleru.dll
[2007/10/27 13:46:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2007/09/23 01:37:37 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/08/29 18:16:51 | 000,000,086 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/07/13 10:42:46 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/05/07 22:09:11 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Local Settings\Application Data\.mpid
[2007/02/19 21:07:31 | 000,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/02/18 19:27:41 | 002,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2007/02/18 19:27:41 | 000,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2007/02/18 19:27:41 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2007/02/18 19:27:41 | 000,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2006/07/09 21:22:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/09 21:22:37 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2006/07/09 21:22:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2006/07/09 05:52:08 | 000,114,176 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/07/08 21:13:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OPPRIN~1.INI
[2006/07/08 21:03:13 | 000,000,664 | ---- | C] () -- C:\WINDOWS\photoimpression.ini
[2006/07/08 21:03:13 | 000,000,176 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2006/07/08 21:03:02 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2006/07/02 18:27:05 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/07/02 18:27:03 | 000,001,191 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/06/26 13:56:09 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\704903F26A.sys
[2006/06/25 13:19:51 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Application Data\dvd.bmk
[2006/06/25 13:15:00 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Local Settings\Application Data\fusioncache.dat
[2006/06/24 18:11:51 | 000,000,183 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2006/06/24 18:05:34 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Application Data\PFP120JPR.{PB
[2006/06/24 18:05:34 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Cade Waldschmidt\Application Data\PFP120JCM.{PB
[2006/06/24 18:05:14 | 000,004,184 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/06/24 18:05:14 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\6AF2034970.sys
[2006/04/28 13:57:49 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/28 13:25:14 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 07:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/02/24 21:23:46 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlbxcnv4.dll
[2004/08/10 12:12:05 | 000,000,887 | ---- | C] () -- C:\WINDOWS\orun32.ini
[1999/01/22 12:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24051EFF
@Alternate Data Stream - 193 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A4C6B9CD
@Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91496422
@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Fri Apr 02, 2010 12:47 am

OTL Extras logfile created on: 4/1/2010 6:42:05 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Cade Waldschmidt\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 63.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 455.35 Gb Total Space | 155.88 Gb Free Space | 34.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D64PGX91
Current User Name: Cade Waldschmidt
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"1650:TCP" = 1650:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"80:TCP" = 80:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"4801:TCP" = 4801:TCP:*:Enabled:Services
"8102:TCP" = 8102:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"56545:TCP" = 56545:TCP:*:Enabled:Pando Media Booster
"56545:UDP" = 56545:UDP:*:Enabled:Pando Media Booster
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"1650:TCP" = 1650:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"4801:TCP" = 4801:TCP:*:Enabled:Services
"8102:TCP" = 8102:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\Common Files\AOL\1151886605\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1151886605\ee\aolsoftware.exe:*:Enabled:AOL Services -- File not found
"C:\Program Files\Common Files\AOL\1151886605\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1151886605\ee\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Pinnacle\Studio 11\programs\RM.exe" = C:\Program Files\Pinnacle\Studio 11\programs\RM.exe:*:Enabled:Render Manager -- File not found
"C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe:*:Enabled:Studio -- File not found
"C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe" = C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile -- File not found
"C:\Program Files\Pinnacle\Studio 11\programs\umi.exe" = C:\Program Files\Pinnacle\Studio 11\programs\umi.exe:*:Enabled:umi -- File not found
"C:\WINDOWS\system32\dlbxcoms.exe" = C:\WINDOWS\system32\dlbxcoms.exe:*:Disabled:Dell 962 Server -- (Dell)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Willing Webcam\wwcam.exe" = C:\Program Files\Willing Webcam\wwcam.exe:*:Enabled:Willing Webcam -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{01ED1F71-DFB4-43CC-B787-02D07BC9F59B}" = Nero 8
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}" = HP Driver Diagnostics
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5967A03E-3B74-4DF1-B591-2D89CA26BDC9}" = LaCie Backup Software v1.5.2378
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60EB76E2-DF31-477B-A28C-2303ADE6629D}" = PurePlay Poker
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}" = WMPTagSupportExtender
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel(R) PROSet for Wired Connections
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{9617BEC2-A487-40E7-94FB-AC699F1B360B}" = Walaber's Trampoline
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AA468551-1794-42FE-B504-C41D75EEBDF2}_is1" = Partition Wizard Home Edition 4.2.2
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B702CCCE-3176-4DBF-B932-D1B8F402F330}" = Digital Content Portal
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B941B1C3-40AF-4E1E-AA5F-ED99EDEA1033}" = SecurDisc Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7CB214-DB11-4B5D-A6AF-3B4ED47C68B7}" = Microsoft Game Studios Common Redistributables Pack 1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{DDC63227-BA06-4855-B002-BDB49E9F677E}" = Symantec Technical Support Web Controls
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{FD350FC2-A972-427D-800B-A2D200ACFF41}" = ImageMixer for Sony DVD Handycam
"AC3Filter" = AC3Filter (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 1.0" = Adobe Photoshop Elements
"Adobe SVG Viewer" = Adobe SVG Viewer
"ATI Display Driver" = ATI Display Driver
"Cain & Abel v4.9.31" = Cain & Abel v4.9.31
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Cross Fire_is1" = Cross Fire En
"CSCLIB" = Canon Camera Support Core Library
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Photo AIO Printer 962" = Dell Photo AIO Printer 962
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EOS Utility" = Canon Utilities EOS Utility
"FL Studio 6" = FL Studio 6
"HijackThis" = HijackThis 2.0.0
"hpHosts_is1" = hpHosts
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ieSpell" = ieSpell
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"InstallShield_{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653}" = QuickTime
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0 Demo
"InstallShield_{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23
"InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"InterActual Player" = InterActual Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Metin2.us_is1" = Metin2.us
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MWASPI" = MicroStaff WINASPI
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStitch" = Canon Utilities PhotoStitch
"Plato Video To iPod Converter_is1" = Plato Video To iPod Converter 3.27
"PokerStars" = PokerStars
"PROSet" = Intel(R) PRO Network Connections Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RegistryBooster 2_is1" = Uniblue RegistryBooster 2
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Soulseek" = SoulSeek Client 156c
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TBSB07183.TBSB07183Toolbar" = Fast Browser Search (My Web Tattoo)
"Texas Calculatem_is1" = Texas Calculatem 4 with "AutoRead"
"ToneThis" = ToneThis
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 4.1 beta5
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Absolute Poker" = absoƖute Poker
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"UB" = UB
"UltimateBet InstantPlay" = UltimateBet InstantPlay

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/31/2010 11:51:18 PM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application DeviceCentral.exe, version 2.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/31/2010 11:51:45 PM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application DeviceCentral.exe, version 2.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/31/2010 11:51:50 PM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application DeviceCentral.exe, version 2.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/31/2010 11:51:57 PM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application DeviceCentral.exe, version 2.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/31/2010 11:52:00 PM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application DeviceCentral.exe, version 2.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/31/2010 11:52:01 PM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application DeviceCentral.exe, version 2.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/31/2010 11:52:02 PM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application DeviceCentral.exe, version 2.0.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2010 8:44:19 AM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application PartitionWizard.exe, version 4.2.0.1, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2010 8:44:27 AM | Computer Name = D64PGX91 | Source = Application Hang | ID = 1002
Description = Hanging application PartitionWizard.exe, version 4.2.0.1, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2010 9:08:51 AM | Computer Name = D64PGX91 | Source = MsiInstaller | ID = 1013
Description = Product: PartitionMagic -- 1: This installation can not be run by
directly launching the MSI package; you must run setup.exe.

[ System Events ]
Error - 4/1/2010 1:40:04 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:04 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:04 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:04 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:05 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:05 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:05 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:05 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:05 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/1/2010 1:40:05 PM | Computer Name = D64PGX91 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >

Kado420
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0

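The firewall section of the OTL log above is the part a responder reads first, because it answers the question of what is reachable from outside. The following is an added example, not part of the thread and not OTL's or GMER's code: it parses OTL's `[key]` / `"name" = value` listing, splits each GloballyOpenPorts value in the `port:proto:scope:state:name` layout the log shows, and flags the firewall being turned off, Security Center monitoring being disabled, and exceptions that are open to any address (`*`) under a label that names no real program (the entries called only `Services`), with the Remote Desktop exception and stale "File not found" application exceptions reported separately. The sample input is a trimmed copy of the log's own lines; the severity labels and the function names are our own choice and are not anything OTL defines.

```python
import re

# Constructed sample: a trimmed excerpt in the layout OTL uses for its
# "Security Center Settings" and "Authorized Applications List" sections.
# The lines are copied from the OTL log above; the selection is ours.
SAMPLE_OTL = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"56545:TCP" = 56545:TCP:*:Enabled:Pando Media Booster
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"8102:TCP" = 8102:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Willing Webcam\wwcam.exe" = C:\Program Files\Willing Webcam\wwcam.exe:*:Enabled:Willing Webcam -- File not found
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')

FW_BASE = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
SC_MONITORING = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring'
GENERIC_LABELS = {'Services', ''}   # exception names that identify no real program


def parse_registry_dump(text):
    """Turn OTL's [key] / "name" = value listing into {key: {name: value}}."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            reg.setdefault(current, {})      # keep keys that list no values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            reg.setdefault(current, {})[m.group('name')] = m.group('value').strip()
    return reg


def parse_port_exception(value):
    """Split 'port:proto:scope:state:name' as used under GloballyOpenPorts\\List."""
    port, proto, scope, state, name = value.split(':', 4)
    return {'port': int(port), 'proto': proto, 'scope': scope,
            'state': state, 'name': name}


def parse_app_exception(value):
    """Split 'path:scope:state:name -- note'; the path has its own colon, so split from the right."""
    path, scope, state, rest = value.rsplit(':', 3)
    name, _, note = rest.partition(' -- ')
    return {'path': path, 'scope': scope, 'state': state,
            'name': name.strip(), 'note': note.strip()}


def audit_firewall(reg, profile='StandardProfile'):
    """Return (severity, message) findings; the severity labels are our own."""
    findings = []
    if reg.get(SC_MONITORING, {}).get('DisableMonitoring') == '1':
        findings.append(('HIGH', 'Security Center monitoring disabled: AV and firewall state is no longer reported'))
    if reg.get(FW_BASE + '\\' + profile, {}).get('EnableFirewall') == '0':
        findings.append(('HIGH', f'{profile}: Windows Firewall is turned off'))
    ports = reg.get(FW_BASE + '\\' + profile + r'\GloballyOpenPorts\List', {})
    for value in ports.values():
        p = parse_port_exception(value)
        if p['state'] != 'Enabled' or p['scope'] != '*':
            continue                        # disabled, or limited to the local subnet
        where = f"{p['port']}/{p['proto']}"
        label = p['name'] or '(blank)'
        if p['name'] in GENERIC_LABELS:
            findings.append(('HIGH', f'{profile}: {where} open to any address under the non-descriptive label {label}'))
        elif p['port'] == 3389:
            findings.append(('MEDIUM', f'{profile}: Remote Desktop ({where}) reachable from any address'))
        else:
            findings.append(('LOW', f'{profile}: {where} open to any address for {label}'))
    apps = reg.get(FW_BASE + '\\' + profile + r'\AuthorizedApplications\List', {})
    for value in apps.values():
        a = parse_app_exception(value)
        if 'File not found' in a['note']:
            findings.append(('LOW', f"{profile}: stale exception for missing program {a['path']}"))
    return findings


def severity_counts(findings):
    counts = {'HIGH': 0, 'MEDIUM': 0, 'LOW': 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == '__main__':
    for sev, msg in audit_firewall(parse_registry_dump(SAMPLE_OTL)):
        print(f'[{sev:6}] {msg}')
```

To run it on the full report, pass the text of the "Security Center Settings" and "Authorized Applications List" sections to parse_registry_dump and audit both the DomainProfile and the StandardProfile. Whether the Remote Desktop exception should stay is a judgement for the machine's owner, but a `*`-scoped port whose only label is "Services" has nothing in the uninstall list to account for it, which is exactly the kind of entry to question, and none of it matters while EnableFirewall is 0.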

Re: Finally back after hacker had his way with my puter..

Post by Belahzur on Fri Apr 02, 2010 1:54 pm

Well, we found the problem. OTL shows me a rootkit hiding.

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.

  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Fri Apr 02, 2010 6:28 pm

Thank you for helping. Is this the reason he was able to come back so quickly after I got my computer fixed? I deleted Azurus and Soulseek, which were P2P programs I had; if the ports it was using are still open, please let me know how to close them. I'm hoping to get a wireless router with a built-in firewall soon to deter this guy....

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Kado420
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0


Re: Finally back after hacker had his way with my puter..

Post by Belahzur on Fri Apr 02, 2010 6:38 pm

Hello.
The infection likely got in via P2P, but the hacker isn't using those. This infection opens ANOTHER port for a remote desktop connection.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

cmd

Enter the following in to the command prompt, pressing enter after each line:

Code:
cd desktop

mbr.exe -f

exit

Please post the resulting log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Fri Apr 02, 2010 7:29 pm

It's saying mbr.exe-f is not recognized as an internal or external command, operable program or batch file. And what log do you want me to post?

Kado420
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0


Re: Finally back after hacker had his way with my puter..

Post by Belahzur on Fri Apr 02, 2010 7:31 pm

Make sure mbr.exe is on your Desktop, then try again.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Fri Apr 02, 2010 8:08 pm

Is there a way for me to make sure the ports he was using are closed and a way to keep him out?

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Cade Waldschmidt>cd desktop

C:\Documents and Settings\Cade Waldschmidt\Desktop>mbr.exe -f
'mbr.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Cade Waldschmidt\Desktop>mbr.exe-f
'mbr.exe-f' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Cade Waldschmidt\Desktop>mbr.exe-f
'mbr.exe-f' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Cade Waldschmidt\Desktop>exit

Kado420
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0


Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Fri Apr 02, 2010 8:54 pm

I'm sorry, that is the wrong log; it said that it was restored to the original. I just don't know how to go back and get it. But it said that it fixed it once I put it on the desktop. But I'm still concerned about him coming back. Is this the only thing that you saw that he changed?

Kado420
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0


Re: Finally back after hacker had his way with my puter..

Post by Belahzur on Sat Apr 03, 2010 12:25 am

Hello.
The infection you have is a big messy one, we've only dented it right now, but we'll keep chopping it down till it's gone.

Just run mbr.exe as normal 1 more time, just double click on it and run it, then post the new log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Sat Apr 03, 2010 11:37 pm

Does this mean anything to you? I found it in my Kaspersky history



4/1/2010 11:04:57 PM My Update Center Task completed My Update Center
Windows NT Session Manager (events: 1)
4/1/2010 3:37:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Client Server Runtime Process (events: 1)
4/1/2010 3:37:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows NT Logon Application (events: 1)
4/1/2010 3:37:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Services and Controller app (events: 1)
4/1/2010 3:37:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
LSA Shell (Export Version) (events: 1)
4/1/2010 3:37:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
ATI External Event Utility EXE Module (events: 1)
4/1/2010 3:37:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Generic Host Process for Win32 Services (events: 1)
4/1/2010 3:37:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Spooler SubSystem App (events: 1)
4/1/2010 3:37:58 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows Explorer (events: 1)
4/1/2010 3:37:58 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Acronis Scheduler 2 (events: 1)
4/1/2010 3:37:58 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows Media Player Network Sharing Service Configuration Application (events: 1)
4/1/2010 4:12:57 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Application Layer Gateway Service (events: 1)
4/1/2010 3:37:58 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows® installer (events: 1)
4/1/2010 7:08:48 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Internet Explorer (events: 1)
4/1/2010 7:03:21 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Microsoft® HTML Help Executable (events: 1)
4/1/2010 6:49:22 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Notepad (events: 1)
4/1/2010 6:44:33 PM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Registry Editor (events: 1)
4/1/2010 2:38:28 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Microsoft® Help (events: 1)
4/1/2010 7:17:54 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Check Disk Utility (events: 1)
4/1/2010 6:31:25 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Disk Defragmenter Module (events: 1)
4/1/2010 9:38:51 PM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Disk Defragmenter NTFS Module (events: 1)
4/1/2010 9:38:51 PM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
COM Surrogate (events: 1)
4/1/2010 11:40:54 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Logical Disk Manager service process (events: 1)
4/1/2010 6:50:53 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Logical Disk Manager component (events: 1)
4/1/2010 6:50:52 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows Error Reporting Dump Reporting Tool (events: 1)
4/1/2010 4:23:08 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Microsoft Application Error Reporting (events: 1)
4/1/2010 4:23:29 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows Logon UI (events: 1)
4/1/2010 3:53:06 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Net Command (events: 1)
4/1/2010 4:39:06 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Net Command (events: 1)
4/1/2010 4:39:06 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Notepad (events: 1)
4/1/2010 4:32:25 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Microsoft(C) Register Server (events: 1)
4/1/2010 11:21:11 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Removable Storage Sink Layer (events: 1)
4/1/2010 6:50:36 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows NT Save Dump Utility (events: 1)
4/1/2010 4:22:37 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
A tool to aid in developing services for WindowsNT (events: 1)
4/1/2010 4:39:06 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Userinit Logon Application (events: 1)
4/1/2010 3:53:06 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Verify Class ID (events: 1)
4/1/2010 3:53:10 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows Genuine Advantage Notification (events: 1)
4/1/2010 3:53:06 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows Update (events: 1)
4/1/2010 3:53:08 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
WMI (events: 1)
4/1/2010 3:53:08 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Windows Shell Common Dll (events: 1)
4/1/2010 6:24:21 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers
Kaspersky Anti-Virus GUI Windows part (events: 1)
4/1/2010 3:40:40 AM Application Control Placed in group Trusted Signed by the digital signature of entrusted manufacturers

Kado420
Novice
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0

Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Sat Apr 03, 2010 11:39 pm

Here is the new MBR.exe log. Shit man, I thought it was gone, and I've been playing online poker all night and have entered my credit card multiple times. Do you think his keylogger is still hidden somewhere and he was watching me????


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !

Kado420
Novice
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0
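The three findings the detector reports above (a copy of the MBR in a far sector, malicious code a few sectors on, then a PE file) are consistent with a bootkit that stashes the original MBR in unallocated space and keeps its loader nearby. As an added example, not code from this thread or from Gmer's tool, the Python below applies two heuristics of that kind to a small disk image constructed inline: an out-of-partition sector carrying sector 0's partition table but different boot code, and an out-of-partition sector beginning with a PE "MZ" header. The heuristics and all sample values are this example's own assumptions.

```python
import struct

SECTOR = 512
PT_OFF, PT_LEN = 446, 64  # MBR partition table: 4 x 16 bytes before the 0x55AA signature


def partitions(mbr: bytes):
    """Yield (start_lba, sector_count) for each non-empty partition entry."""
    for i in range(4):
        start, count = struct.unpack_from("<II", mbr, PT_OFF + 16 * i + 8)
        if count:
            yield start, count


def in_partition(lba: int, parts) -> bool:
    return any(s <= lba < s + c for s, c in parts)


def scan_image(image: bytes) -> dict:
    """Flag sectors outside every partition that look like bootkit leftovers:
    'mbr_copies': sector 0's partition table and signature, different boot code
                  (where a stashed original MBR would sit);
    'pe_sectors': a raw 'MZ' header, i.e. a PE file written straight to disk.
    Heuristics constructed for this example; not the Gmer detector's algorithm."""
    mbr = image[:SECTOR]
    parts = list(partitions(mbr))
    found = {"mbr_copies": [], "pe_sectors": []}
    for lba in range(1, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if in_partition(lba, parts):
            continue
        if (sec[510:] == b"\x55\xaa"
                and sec[PT_OFF:PT_OFF + PT_LEN] == mbr[PT_OFF:PT_OFF + PT_LEN]
                and sec[:PT_OFF] != mbr[:PT_OFF]):
            found["mbr_copies"].append(lba)
        if sec[:2] == b"MZ":
            found["pe_sectors"].append(lba)
    return found


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one partition at sectors 1-40, the original
    MBR stashed at sector 50, a PE stub at sector 53 (all values invented)."""
    entry = struct.pack("<8BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 1, 40)
    tail = entry.ljust(PT_LEN, b"\x00") + b"\x55\xaa"
    infected = (b"\xeb\xfe" + b"\x90" * 40).ljust(PT_OFF, b"\xcc") + tail
    original = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PT_OFF, b"\x00") + tail
    sectors = [bytearray(SECTOR) for _ in range(64)]
    sectors[0][:], sectors[50][:], sectors[53][:2] = infected, original, b"MZ"
    return b"".join(sectors)
```

On a real disk the same checks would be run over a raw device read taken from clean boot media, since a live bootkit can filter what the infected system reads from sector 0.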

Re: Finally back after hacker had his way with my puter..

Post by Belahzur on Mon Apr 05, 2010 12:04 am

Yes.
As I said, this infection is messy. The original MBR has been replaced; although there is some dead code left over, there is nothing that can be done about it without formatting. It's dead though, so it's no longer a threat.

The remote connection is still working though, so we'll chop that down next.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.

  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

Re: Finally back after hacker had his way with my puter..

Post by Kado420 on Wed Apr 07, 2010 6:27 am

Well, he came in and messed up a lot more stuff. The computer guy is coming to reformat my computer ASAP; I saved my music and videos and stuff to an external. I will post after the format and all that and have you take one more look to make sure everything is gone. Thank you again...

Kado420
Novice
Novice

Posts : 37
Joined : 2010-03-09
OS : Windows XP Home
Points : 25107
Likes : 0