Backdoor.Tidserv

Post by ViceVersaMan on Fri May 28, 2010 4:19 pm

Hi,

I'm something of a layman when it comes to advanced computer diagnosis and repair, so please be patient with me.

I have been infected with the Backdoor.Tidserv Trojan for the last week or so. Symantec's Norton Internet Security program, my primary anti-virus software, has been informing me of attempted "attacks" at sporadic intervals. The Norton reports vary, but read (for example):

"An intrusion attempt by n16fa53.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE

Risk Name: HTTPS Tidserv Request 2
[...]
Attacking Computer: n16fa53.com (202.157.171.207,443)
[etc.]"

I scanned with both Norton and the latest version of Malwarebytes and cleared off some infected files, but the problem persisted. I then downloaded and scanned with a suite of recommended anti-virus programs: Spyware Doctor (full version), HitmanPro 3.5 (trial version), and SUPERAntiSpyware (Free Version, 4.38.1004). I also disabled Windows System Restore, scanned again with all of the aforementioned AV software, and got little in the way of results (aside from the occasional tracking cookie). Still, the problem persists.

I have followed all of the instructions found [You must be registered and logged in to see this link.], but JavaRa repeatedly crashed when I attempted to "Remove older versions," despite uninstalling and reinstalling the product.

Any help in this matter would be immensely appreciated. I would be happy to provide any additional information as required. Below you will find the complete "OTL.Txt" and "Extras.Txt" files generated following the OTL scan I have just conducted.

--OTL.txt:--

OTL logfile created on: 5/28/2010 10:50:32 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Charles\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 117.19 Gb Total Space | 52.38 Gb Free Space | 44.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 78.13 Gb Total Space | 59.45 Gb Free Space | 76.09% Space Free | Partition Type: NTFS
Drive G: | 736.19 Gb Total Space | 422.20 Gb Free Space | 57.35% Space Free | Partition Type: NTFS
Drive H: | 465.76 Gb Total Space | 112.80 Gb Free Space | 24.22% Space Free | Partition Type: NTFS
Drive I: | 279.46 Gb Total Space | 36.39 Gb Free Space | 13.02% Space Free | Partition Type: NTFS
Drive J: | 279.46 Gb Total Space | 10.86 Gb Free Space | 3.88% Space Free | Partition Type: NTFS
Drive L: | 465.76 Gb Total Space | 462.33 Gb Free Space | 99.26% Space Free | Partition Type: NTFS

Computer Name: WARPCORE
Current User Name: Charles
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 10:46:39 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charles\Desktop\OTL.exe
PRC - [2010/05/18 12:26:23 | 002,397,424 | ---- | M] (SUPERAntiSpyware.com) -- G:\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- G:\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/08/22 02:28:17 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
PRC - [2009/04/02 07:01:11 | 000,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2009/02/19 00:33:08 | 000,809,488 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/02/19 00:28:52 | 000,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/28 17:50:50 | 000,180,224 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
PRC - [2007/02/15 16:39:26 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe
PRC - [2005/11/15 14:50:46 | 000,222,784 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2005/11/10 14:03:52 | 000,036,975 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
PRC - [2005/07/26 18:51:22 | 000,606,316 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\Diskeeper\DkService.exe
PRC - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2000/05/20 18:23:48 | 000,086,016 | ---- | M] () -- C:\WINDOWS\StartupMonitor.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 10:46:39 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charles\Desktop\OTL.exe
MOD - [2009/08/22 02:28:14 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\asOEHook.dll
MOD - [2009/07/12 02:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/02/19 00:31:16 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2005/09/29 12:23:54 | 000,042,552 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- G:\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- G:\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- G:\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/08/22 02:28:17 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2009/04/02 07:01:11 | 000,655,624 | ---- | M] (Acresso Software Inc.) [Auto | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/19 00:30:20 | 000,121,360 | ---- | M] (Logitech, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006/04/03 18:12:14 | 000,014,032 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/08/02 16:18:49 | 000,086,016 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2005/07/26 18:51:22 | 000,606,316 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/07/01 17:15:46 | 001,053,672 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe -- (SandraTheSrv)
SRV - [2005/07/01 17:11:52 | 000,173,040 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe -- (SandraDataSrv)
SRV - [2005/01/10 08:10:00 | 000,193,592 | ---- | M] (SafeNet, Inc) [Disabled | Stopped] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer)
SRV - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/12/17 18:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 18:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - [2010/05/26 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/26 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- G:\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/05/10 03:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100528.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/10 03:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100528.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- G:\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/27 19:58:37 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/10/28 17:37:24 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100520.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/08/22 02:28:17 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1008000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/22 02:28:17 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/22 02:28:17 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/08/22 02:28:17 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/22 02:28:17 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/08/22 02:28:17 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1008000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/22 02:28:17 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/08/22 02:28:17 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/08/18 21:12:26 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/08/18 14:11:17 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/08/18 14:11:17 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2008/12/18 23:43:48 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/12/18 23:43:40 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/12/01 17:13:40 | 003,452,928 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/05/20 18:53:36 | 000,093,696 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/04/13 13:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 13:46:20 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/13 13:46:20 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/13 13:46:09 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/20 03:56:22 | 001,312,768 | R--- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CM108.sys -- (USBPNPA)
DRV - [2007/03/01 22:37:00 | 000,732,672 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\t3.sys -- (t3)
DRV - [2007/02/27 02:31:10 | 000,171,008 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctusfsyn.sys -- (CTUSFSYN)
DRV - [2007/02/20 09:01:58 | 001,656,576 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\t3filt.sys -- (t3filt)
DRV - [2006/11/06 12:21:20 | 000,611,064 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2006/11/01 14:42:14 | 000,033,280 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2006/09/24 08:28:47 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/08/07 03:39:24 | 000,018,944 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/08/07 03:39:22 | 000,052,736 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/12/07 22:54:52 | 000,114,688 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/12/07 22:54:44 | 000,142,336 | R--- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/09/29 12:01:51 | 000,066,048 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2005/08/19 18:31:52 | 003,644,800 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/08/17 15:43:20 | 000,330,240 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZD1211BU.sys -- (ZD1211BU(ZyDAS)) ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/08/10 07:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/08/02 16:10:13 | 000,032,512 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2005/07/23 00:41:46 | 000,026,112 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2005/07/23 00:41:42 | 000,068,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2005/07/23 00:41:08 | 000,055,040 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042MOU.SYS -- (L8042mou)
DRV - [2005/07/23 00:40:58 | 000,013,440 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.SYS -- (L8042Kbd)
DRV - [2005/06/08 19:44:20 | 000,020,608 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BRGSp50.sys -- (BRGSp50)
DRV - [2005/05/16 08:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2005/05/06 11:12:36 | 000,021,632 | ---- | M] (AMD, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\amdtools.sys -- (amdtools)
DRV - [2005/03/09 16:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/02/14 12:54:26 | 000,013,824 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AmdAcpi.sys -- (AmdAcpi)
DRV - [2005/01/10 08:10:00 | 000,090,168 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2005/01/10 08:10:00 | 000,028,216 | ---- | M] (SafeNet, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (SNTNLUSB)
DRV - [2004/12/22 06:58:14 | 000,008,704 | R--- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Pfmodnt.sys -- (PfModNT)
DRV - [2004/10/25 14:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - [2004/08/04 14:56:40 | 000,010,752 | ---- | M] (ABIT Computer Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\uGuru.sys -- (uGuru)
DRV - [2004/04/01 17:30:46 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/09/17 13:55:06 | 000,003,548 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\ABIT\ABIT uGuru\WinFlash.sys -- (Winflash)
DRV - [2001/11/29 05:49:56 | 000,004,047 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\ABIT\ABIT uGuru\MEMCTL.SYS -- (Memctl)
DRV - [2001/08/17 08:46:40 | 000,006,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enum1394.sys -- (ENUM1394)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/25 17:18:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/18 19:09:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/28 10:44:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/17 17:21:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/05/28 10:44:30 | 000,000,000 | ---D | M]

[2008/08/26 18:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charles\Application Data\Mozilla\Extensions
[2010/05/28 10:38:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions
[2009/09/02 14:24:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/15 01:29:49 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/06/11 21:26:35 | 000,000,000 | ---D | M] (Duplicate Tab) -- C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{61ED2A9A-39EB-4AAF-BD14-06DFBE8880C3}
[2010/01/26 15:36:10 | 000,000,000 | ---D | M] (IE View) -- C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
[2008/08/12 15:04:22 | 000,001,196 | ---- | M] () -- C:\Documents and Settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\searchplugins\winamp-search.xml
[2010/05/28 10:38:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/28 10:37:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/28 10:37:38 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2006/10/06 14:19:37 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2010/01/13 17:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Cm108Sound] File not found
O4 - HKLM..\Run: [CTAPR2] C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Executive Software\Diskeeper\DkIcon.exe (Executive Software International, Inc.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [Run StartupMonitor] C:\WINDOWS\StartupMonitor.exe ()
O4 - HKLM..\Run: [SPIRun] C:\WINDOWS\System32\SPIRun.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UDC Integration] File not found
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [WinPatrol System Monitor] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] G:\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} [You must be registered and logged in to see this link.] (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - G:\SUPERAntiSpyware\SASWINLO.DLL - G:\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - G:\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/11/20 17:27:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/11/20 17:27:41 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{6b1788aa-59d0-11da-8854-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{6b1788aa-59d0-11da-8854-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/11/20 09:38:15 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: SymEFA.sys - C:\WINDOWS\system32\drivers\NIS\1008000.029\SYMEFA.SYS (Symantec Corporation)
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WdfLoadGroup -
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: hitmanpro35 - Reg Error: Value error.
SafeBootNet: hitmanpro35.sys - Reg Error: Value error.
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: nm - C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
SafeBootNet: nm.sys - C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: SymEFA.sys - C:\WINDOWS\system32\drivers\NIS\1008000.029\SYMEFA.SYS (Symantec Corporation)
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: vsmon - Service
SafeBootNet: WdfLoadGroup -
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} - Reg Error: Value error.
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.1.3
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.1.3
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5C3E78F8-E38B-4059-24E9-E7C2CF137297} - Microsoft Windows Media Player 6.4
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8D2F8D28-6C2D-85CD-C778-34D0353698BC} - Microsoft Windows Media Player
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {BC1A1BAF-9292-B287-31A3-650AA5A9D98E} - Java (Sun)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - H:\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.wmv3 - H:\Combined Community Codec Pack\Filters\wmv9vcm.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\yv12vfw.dll ([You must be registered and logged in to see this link.]

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/05/28 10:46:38 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Charles\Desktop\OTL.exe
[2010/05/28 10:43:13 | 027,386,256 | ---- | C] ( ) -- C:\Documents and Settings\Charles\Desktop\AdbeRdr930_en_US.exe
[2010/05/28 10:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charles\Desktop\JavaRa
[2010/05/28 10:38:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/28 10:37:49 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/28 10:37:49 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/28 10:36:22 | 016,295,712 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Charles\Desktop\jre-6u20-windows-i586.exe
[2010/05/27 12:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charles\Desktop\Backup
[2010/05/27 12:31:36 | 000,562,840 | ---- | C] (Google Inc.) -- C:\Documents and Settings\Charles\Desktop\ChromeSetup.exe
[2010/05/27 09:21:06 | 000,512,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jscript.dll
[2010/05/27 07:13:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/05/27 06:50:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/05/27 06:50:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/05/27 06:50:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/05/27 06:50:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/05/27 06:46:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2010/05/27 06:43:20 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/05/26 16:53:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charles\Application Data\SUPERAntiSpyware.com
[2010/05/26 16:53:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/25 05:21:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/25 05:20:58 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/24 20:55:49 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/05/24 20:55:49 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/05/24 20:55:49 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/05/24 20:53:46 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/05/24 20:53:41 | 000,218,592 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/05/24 20:53:41 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/05/24 20:53:33 | 000,063,360 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/05/24 20:53:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/05/24 20:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charles\Application Data\PC Tools
[2010/05/24 20:53:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/05/23 19:33:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charles\Application Data\Malwarebytes
[2010/05/23 19:32:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/23 19:32:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/23 19:32:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/23 19:10:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/28 10:46:39 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Charles\Desktop\OTL.exe
[2010/05/28 10:44:30 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/28 10:43:29 | 027,386,256 | ---- | M] ( ) -- C:\Documents and Settings\Charles\Desktop\AdbeRdr930_en_US.exe
[2010/05/28 10:40:32 | 000,071,798 | ---- | M] () -- C:\Documents and Settings\Charles\Desktop\JavaRa.zip
[2010/05/28 10:40:00 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1606980848-725345543-1003UA.job
[2010/05/28 10:37:37 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/28 10:37:37 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/28 10:37:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/28 10:37:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/28 10:37:37 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/28 10:36:28 | 016,295,712 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Charles\Desktop\jre-6u20-windows-i586.exe
[2010/05/28 10:16:11 | 000,001,486 | ---- | M] () -- C:\Documents and Settings\Charles\Desktop\Windows Explorer.lnk
[2010/05/28 03:06:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/27 16:35:51 | 000,009,049 | ---- | M] () -- C:\WINDOWS\UEDIT32.INI
[2010/05/27 15:50:21 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/05/27 12:58:08 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/27 12:56:22 | 014,942,208 | ---- | M] () -- C:\Documents and Settings\Charles\NTUSER.DAT
[2010/05/27 12:43:43 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/27 12:42:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/27 12:42:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/27 12:42:40 | 000,069,112 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2010/05/27 12:41:45 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Charles\ntuser.ini
[2010/05/27 12:40:00 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1606980848-725345543-1003Core.job
[2010/05/27 12:36:01 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\Charles\Desktop\Google Chrome.lnk
[2010/05/27 12:31:38 | 000,562,840 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Charles\Desktop\ChromeSetup.exe
[2010/05/27 11:59:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/27 07:17:05 | 000,596,944 | ---- | M] () -- C:\Documents and Settings\Charles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/27 07:16:10 | 003,509,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/27 07:04:42 | 002,391,012 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2010/05/27 06:46:24 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/26 16:53:01 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/25 05:20:58 | 000,001,674 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/24 20:53:38 | 000,000,596 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/05/23 19:32:51 | 000,000,481 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/23 14:44:20 | 000,096,256 | ---- | M] () -- C:\Documents and Settings\Charles\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/22 22:22:49 | 000,000,000 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/05/12 22:19:21 | 000,001,926 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/03 10:37:58 | 000,024,064 | ---- | M] () -- G:\Charles's My Documents\Nervous First Draft.doc
[2010/04/30 00:03:56 | 000,004,096 | ---- | M] () -- C:\WINDOWS\System32\crash
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

---Continued next post...---

ViceVersaMan
Novice
Posts : 6
Joined : 2010-05-25
OS : Windows XP

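Added example, not part of the original post and not code from the OTL tool: a small parser for the OTL Files/Folders entry format used throughout the log above (`[date | size | RHSD flags | C/M] (Company) -- path`), followed by a few triage heuristics run over entry lines copied verbatim from the log. The scan time is taken from the OTL header in the first post; the `SYSTEM32` prefix assumes the XP layout shown in the log. The flags are heuristics only: hitmanpro35.sys, for instance, is flagged simply because it carries no company string and was created recently, yet it matches the Hitman Pro install the poster describes. A kernel-mode rootkit that hides its own files and patches an existing driver in place will not show up here as a new, unnamed file, so this pass only narrows down what to hash and check from offline media.

```python
import re
from datetime import datetime, timedelta

# Assumed scan time, taken from the "OTL logfile created on" header of this log.
SCAN_TIME = datetime(2010, 5, 28, 10, 50, 32)

# One OTL Files/Folders entry:
#   [YYYY/MM/DD HH:MM:SS | size | RHSD | C|M] (Company) [Unable to obtain MD5] -- path
# Attribute flags are positional: Read-only, Hidden, System, Directory.
# Directory entries omit "(Company)" entirely; a file with no version info shows "()" or "( )".
_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?P<locked> Unable to obtain MD5)?"
    r" -- (?P<path>.+?)\s*$"
)

def parse_otl_line(line):
    """Parse one entry line; return None for section headers, blanks and *.tmp summaries."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    company = m.group("company")
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "readonly": attrs[0] == "R",
        "hidden": attrs[1] == "H",
        "system": attrs[2] == "S",
        "is_dir": attrs[3] == "D",
        "kind": "created" if m.group("kind") == "C" else "modified",
        # None: field absent (directory). "": present but blank, i.e. no embedded company/version info.
        "company": company.strip() if company is not None else None,
        "locked": m.group("locked") is not None,
        "path": m.group("path"),
    }

def parse_otl(text):
    """Parse every entry line in a block of OTL output, skipping anything that is not an entry."""
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]

SYSTEM32 = "c:\\windows\\system32\\"  # assumed %SystemRoot%\System32 of the XP box in this log

def triage(entries, scan_time, recent_days=7):
    """Return [(path, [reasons])] for files worth a second look. Heuristics, not verdicts."""
    cutoff = scan_time - timedelta(days=recent_days)
    findings = []
    for e in entries:
        if e["is_dir"]:
            continue
        p = e["path"].lower()
        in_sys = p.startswith(SYSTEM32)
        reasons = []
        if in_sys and p.endswith(".sys") and e["company"] == "":
            reasons.append("driver with no company/version info")
        if in_sys and (e["hidden"] or e["system"]):
            reasons.append("hidden/system attribute on a file in System32")
        if e["locked"]:
            reasons.append("file locked; hash it from offline media")
        if in_sys and e["kind"] == "created" and e["ts"] >= cutoff:
            reasons.append("created in System32 within the last %d days" % recent_days)
        if reasons:
            findings.append((e["path"], reasons))
    return findings

# Sample input: entry lines copied verbatim from the OTL log above.
SAMPLE = r"""
[2010/05/28 10:46:38 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Charles\Desktop\OTL.exe
[2010/05/28 10:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Charles\Desktop\JavaRa
[2010/05/25 05:21:13 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2009/05/20 18:33:17 | 000,001,368 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/11/06 12:21:20 | 000,611,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys
[2010/05/23 19:32:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/27 12:42:36 | 2147,483,648 | -HS- | M] () -- C:\pagefile.sys
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_otl(SAMPLE), SCAN_TIME):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run on the whole OTL.txt, the same `triage()` call is the quickest way to turn a few hundred entry lines into a short list of files to hash and look up; the "Unable to obtain MD5" entries (here sptd.sys and sptddrv1.sys in the locked-files scan) are exactly the ones that cannot be checked from inside the running system.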

Re: Backdoor.Tidserv

Post by ViceVersaMan on Fri May 28, 2010 4:21 pm

---OTL.txt Continued---


========== Files Created - No Company Name ==========

[2010/05/28 10:44:30 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/05/28 10:39:03 | 000,071,798 | ---- | C] () -- C:\Documents and Settings\Charles\Desktop\JavaRa.zip
[2010/05/27 12:36:01 | 000,002,311 | ---- | C] () -- C:\Documents and Settings\Charles\Desktop\Google Chrome.lnk
[2010/05/27 12:35:17 | 000,000,986 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1606980848-725345543-1003UA.job
[2010/05/27 12:35:16 | 000,000,934 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1606980848-725345543-1003Core.job
[2010/05/26 16:53:01 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/25 05:21:13 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/25 05:20:58 | 000,001,674 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/24 20:55:49 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/05/24 20:55:49 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/05/24 20:55:49 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/05/24 20:55:49 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/05/24 20:55:49 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/05/24 20:53:46 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/05/24 20:53:41 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/05/24 20:53:41 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/05/24 20:53:38 | 000,000,596 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/05/24 20:53:33 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/05/23 19:32:51 | 000,000,481 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/12 22:19:21 | 000,001,926 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/03 09:14:03 | 000,024,064 | ---- | C] () -- G:\Charles's My Documents\Nervous First Draft.doc
[2010/02/15 12:37:24 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/05/20 18:33:17 | 000,001,368 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/02/27 00:09:47 | 000,000,244 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/01/17 20:58:07 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\CM108rm.dll
[2009/01/17 20:58:07 | 000,000,161 | ---- | C] () -- C:\WINDOWS\Cm108.ini.cfl
[2009/01/17 20:57:40 | 000,002,584 | R--- | C] () -- C:\WINDOWS\Cm108.ini.cfg
[2008/05/21 08:29:28 | 000,003,923 | ---- | C] () -- C:\WINDOWS\System32\AudioDrv.ini
[2008/05/21 08:29:13 | 000,028,614 | R--- | C] () -- C:\WINDOWS\System32\t3.ini
[2008/05/21 08:29:13 | 000,000,049 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/05/21 08:28:23 | 000,007,404 | R--- | C] () -- C:\WINDOWS\sfsyn.ini
[2008/05/21 08:28:22 | 000,137,728 | R--- | C] () -- C:\WINDOWS\System32\OemSpi.dll
[2008/05/21 08:28:22 | 000,118,850 | R--- | C] () -- C:\WINDOWS\System32\CTPcie.dll
[2008/04/28 11:13:33 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2007/08/11 08:40:47 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2007/07/04 21:00:53 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2007/05/07 22:38:26 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2007/05/07 22:38:26 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2007/05/07 22:38:26 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2007/05/07 22:38:26 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2007/05/07 22:38:26 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2007/05/07 21:50:28 | 000,471,552 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2007/05/07 21:50:28 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/02/17 18:13:19 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2007/02/17 18:13:19 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2006/11/06 12:21:20 | 000,611,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2006/10/21 12:59:59 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2006/09/24 13:53:54 | 000,268,242 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-parse.dll
[2006/09/24 13:53:42 | 002,518,779 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-enc.dll
[2006/09/24 13:52:04 | 000,030,693 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-int.dll
[2006/04/24 18:04:40 | 000,000,026 | ---- | C] () -- C:\WINDOWS\WAR2R.INI
[2006/01/06 11:34:58 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/12/26 02:50:30 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/12/23 15:35:29 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2005/12/23 15:35:29 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2005/12/22 21:34:33 | 001,513,984 | ---- | C] () -- C:\WINDOWS\System32\MgxRdr80.dll
[2005/12/22 21:34:33 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2005/12/22 21:34:25 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2005/12/22 21:34:25 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2005/12/22 21:33:53 | 000,064,000 | ---- | C] () -- C:\WINDOWS\System32\Ppiv30.dll
[2005/12/22 21:33:52 | 000,001,077 | ---- | C] () -- C:\WINDOWS\Mgxclean.sys
[2005/12/20 18:23:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/09 13:08:45 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/11/30 01:16:30 | 000,034,633 | ---- | C] () -- C:\WINDOWS\System32\FlashMenu.sys
[2005/11/30 01:16:30 | 000,005,018 | ---- | C] () -- C:\WINDOWS\System32\drivers\HWIOCTL.SYS
[2005/11/30 01:16:30 | 000,004,047 | ---- | C] () -- C:\WINDOWS\System32\drivers\MEMCTL.SYS
[2005/11/30 01:16:30 | 000,003,548 | ---- | C] () -- C:\WINDOWS\System32\WINFLASH.SYS
[2005/11/30 01:16:30 | 000,003,548 | ---- | C] () -- C:\WINDOWS\System32\drivers\WINFLASH.SYS
[2005/11/30 01:16:30 | 000,002,721 | ---- | C] () -- C:\WINDOWS\System32\drivers\AMINTSYS.SYS
[2005/11/26 20:08:02 | 000,009,049 | ---- | C] () -- C:\WINDOWS\UEDIT32.INI
[2005/11/26 20:03:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2005/11/24 13:02:34 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2005/11/24 12:55:37 | 000,156,672 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/11/24 12:55:33 | 000,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2005/11/17 12:57:30 | 000,258,560 | ---- | C] () -- C:\WINDOWS\System32\MusicTagsAX.dll
[2005/10/14 22:10:24 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\comLyricGetter.dll
[2005/08/02 16:24:01 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/08/04 07:00:00 | 000,096,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptddrv1.sys
[2004/02/01 14:21:56 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\Uncommon.dll
[2003/08/07 15:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[1999/09/18 16:47:02 | 000,115,712 | ---- | C] () -- C:\WINDOWS\System32\UNZDLL.DLL
[1999/05/21 22:10:00 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ZIPDLL.DLL
[1998/01/28 01:06:04 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\UNACE.DLL
[1997/02/17 17:23:58 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\UNRAR.DLL
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/12/01 15:52:52 | 000,425,984 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2006/11/06 12:21:20 | 000,611,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys
[2004/08/04 07:00:00 | 000,096,256 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptddrv1.sys

< %systemroot%\System32\config\*.sav >
[2005/11/20 09:42:13 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/11/20 09:42:13 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/11/20 09:42:13 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 07:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 07:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2006/01/16 20:22:39 | 000,034,633 | ---- | M] () -- C:\WINDOWS\system32\FlashMenu.sys
[1996/04/03 14:33:26 | 000,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys
[2004/08/04 07:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 07:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 07:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2009/05/20 18:33:18 | 000,001,368 | -HS- | M] () -- C:\WINDOWS\system32\KGyGaAvL.sys
[2004/08/04 07:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 07:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 07:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 07:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 07:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 07:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 07:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 07:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2005/02/14 11:05:00 | 000,006,528 | ---- | M] (NVidia Corp.) -- C:\WINDOWS\system32\nvoclock.sys
[2006/09/24 08:28:47 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys
[2008/04/13 13:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 08:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[2002/09/17 13:55:06 | 000,003,548 | ---- | M] () -- C:\WINDOWS\system32\WINFLASH.SYS
[2004/01/14 12:30:00 | 000,017,151 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\system32\ZDPNDIS5.SYS
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 19:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 19:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 19:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 19:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 19:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 19:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 19:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/12/01 14:51:10 | 000,053,248 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2erec.dll
[2008/04/13 19:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 19:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 19:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 19:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 19:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 19:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2005/09/29 20:35:44 | 001,466,368 | ---- | M] (ABIT Computer Corporation) -- C:\WINDOWS\system32\drivers\FlashMenuCHS.dll
[2008/04/13 19:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 19:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2005/11/20 17:27:41 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/11/25 15:39:19 | 000,000,301 | -HS- | M] () -- C:\boot.ini
[2005/11/25 13:37:17 | 000,000,325 | -HS- | M] () -- C:\bootini1.bak
[2005/12/21 17:05:45 | 000,000,312 | -HS- | M] () -- C:\bootini2.bak
[2005/12/24 18:29:27 | 000,000,332 | -HS- | M] () -- C:\bootini3.bak
[2005/11/20 17:27:41 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/11/26 07:31:24 | 000,000,000 | ---- | M] () -- C:\cookiesnew.txt
[2007/03/29 12:07:37 | 000,000,332 | RHS- | M] () -- C:\Copy of boot.ini
[2005/11/20 17:27:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/28 10:41:00 | 000,000,495 | ---- | M] () -- C:\JavaRa.log
[2005/11/20 17:27:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/05/27 06:46:24 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2007/01/15 10:52:45 | 000,020,992 | ---- | M] () -- C:\out.gpk
[2007/01/15 10:50:43 | 002,687,104 | ---- | M] () -- C:\out.wav
[2010/05/27 12:42:36 | 2147,483,648 | -HS- | M] () -- C:\pagefile.sys
[2009/12/06 15:50:41 | 000,078,988 | ---- | M] () -- C:\Rescued document 1.txt
[2009/07/24 12:32:12 | 000,010,738 | ---- | M] () -- C:\Rescued document.txt
[2008/07/09 03:44:07 | 000,002,197 | ---- | M] () -- C:\rollback.ini
[2007/12/05 12:31:36 | 000,000,512 | ---- | M] () -- C:\ScanSectorLog.dat
[2005/12/24 18:53:29 | 000,000,166 | ---- | M] () -- C:\systemscandata.txt

< %PROGRAMFILES%\*. >
[2005/11/22 23:53:15 | 000,000,000 | ---D | M] -- C:\Program Files\ABIT
[2010/02/15 12:37:09 | 000,000,000 | ---D | M] -- C:\Program Files\Acro Software
[2008/06/24 07:32:23 | 000,000,000 | ---D | M] -- C:\Program Files\activePDF
[2010/05/28 10:44:19 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/04/02 07:07:13 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe Media Player
[2005/11/25 13:43:56 | 000,000,000 | ---D | M] -- C:\Program Files\AMD
[2006/01/19 21:03:35 | 000,000,000 | ---D | M] -- C:\Program Files\AOD
[2005/12/26 02:52:31 | 000,000,000 | ---D | M] -- C:\Program Files\AOL
[2008/07/18 05:53:52 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2005/12/25 09:14:25 | 000,000,000 | ---D | M] -- C:\Program Files\Atari
[2009/06/08 08:03:52 | 000,000,000 | ---D | M] -- C:\Program Files\ATI
[2008/12/13 22:12:00 | 000,000,000 | ---D | M] -- C:\Program Files\ATI Technologies
[2006/10/28 16:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\Audacity 1.3 Beta
[2007/05/07 21:50:27 | 000,000,000 | ---D | M] -- C:\Program Files\AviSynth 2.5
[2005/11/24 12:55:33 | 000,000,000 | ---D | M] -- C:\Program Files\AvRack
[2005/11/22 23:30:26 | 000,000,000 | ---D | M] -- C:\Program Files\BillP Studios
[2007/08/11 08:40:00 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2007/01/15 11:26:42 | 000,000,000 | ---D | M] -- C:\Program Files\Chaos Compressor
[2010/05/24 20:53:24 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2005/11/20 17:25:10 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/05/20 18:30:07 | 000,000,000 | ---D | M] -- C:\Program Files\Corel
[2008/05/21 08:29:27 | 000,000,000 | ---D | M] -- C:\Program Files\Creative
[2008/05/21 08:05:20 | 000,000,000 | -H-D | M] -- C:\Program Files\Creative Installation Information
[2005/12/16 18:18:17 | 000,000,000 | ---D | M] -- C:\Program Files\Digital Anarchy
[2006/01/22 23:46:37 | 000,000,000 | ---D | M] -- C:\Program Files\DirectVobSub
[2005/11/25 14:11:37 | 000,000,000 | ---D | M] -- C:\Program Files\directx
[2005/11/30 17:23:58 | 000,000,000 | ---D | M] -- C:\Program Files\Disk Detective - Shows folder & Filespace used
[2008/11/24 18:09:25 | 000,000,000 | ---D | M] -- C:\Program Files\DiskPie
[2008/01/27 18:21:43 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2005/12/20 11:55:18 | 000,000,000 | ---D | M] -- C:\Program Files\EasyZip
[2008/06/18 21:10:41 | 000,000,000 | ---D | M] -- C:\Program Files\Electronic Arts
[2005/12/20 20:04:06 | 000,000,000 | ---D | M] -- C:\Program Files\Executive Software
[2005/12/09 21:13:14 | 000,000,000 | ---D | M] -- C:\Program Files\FileSync
[2005/11/29 19:06:03 | 000,000,000 | ---D | M] -- C:\Program Files\FreebyteZip
[2010/05/12 22:19:04 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2010/02/15 12:36:08 | 000,000,000 | ---D | M] -- C:\Program Files\GPLGS
[2005/12/23 15:40:41 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2010/05/25 05:20:58 | 000,000,000 | ---D | M] -- C:\Program Files\Hitman Pro 3.5
[2005/12/23 15:40:38 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2009/06/06 16:15:48 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/05/27 06:50:59 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2005/11/26 20:13:14 | 000,000,000 | ---D | M] -- C:\Program Files\IrfanView
[2005/12/20 12:57:50 | 000,000,000 | ---D | M] -- C:\Program Files\IZArc
[2010/05/28 10:37:34 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/06/09 11:27:03 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2005/12/20 16:51:37 | 000,000,000 | ---D | M] -- C:\Program Files\LightWave [8]
[2006/01/02 09:04:41 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2005/12/23 11:49:54 | 000,000,000 | ---D | M] -- C:\Program Files\Magic Bullet Movie Looks
[2007/03/28 14:14:02 | 000,000,000 | ---D | M] -- C:\Program Files\Media Player Classic
[2010/05/27 06:53:38 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2005/12/22 21:34:34 | 000,000,000 | ---D | M] -- C:\Program Files\Micrografx
[2005/12/20 13:17:15 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009/06/09 18:32:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2006/05/05 12:32:24 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft AntiSpyware
[2005/11/20 17:27:53 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2005/12/22 23:12:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2005/12/16 13:25:20 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server
[2009/06/09 18:32:27 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2009/05/27 21:46:23 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft WSE
[2005/12/20 18:22:56 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/05/27 07:02:47 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/04/02 02:49:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/05/27 11:57:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Thunderbird
[2009/08/05 23:47:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2005/11/20 17:24:23 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2005/11/20 17:24:52 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2005/12/09 14:06:42 | 000,000,000 | ---D | M] -- C:\Program Files\MsnMusic
[2009/05/22 02:13:35 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/04/03 12:00:38 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2009/04/09 21:37:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mumble
[2009/05/13 18:46:30 | 000,000,000 | ---D | M] -- C:\Program Files\MWSnap
[2005/11/22 23:16:46 | 000,000,000 | ---D | M] -- C:\Program Files\MWSnap Screen Capture
[2005/12/08 15:42:10 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2010/05/27 06:48:21 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/11/21 20:31:05 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Internet Security
[2008/11/21 20:30:43 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2005/11/23 18:28:58 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2005/11/20 17:25:00 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/06/09 11:27:02 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2010/05/27 07:03:54 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2006/01/19 09:59:59 | 000,000,000 | ---D | M] -- C:\Program Files\Page Defrag
[2008/11/25 15:48:09 | 000,000,000 | ---D | M] -- C:\Program Files\PC Wizard 2008
[2005/11/26 08:14:53 | 000,000,000 | ---D | M] -- C:\Program Files\Prime 95
[2005/11/29 18:53:08 | 000,000,000 | ---D | M] -- C:\Program Files\PrintFolder
[2008/07/18 05:54:45 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2006/01/02 10:59:40 | 000,000,000 | ---D | M] -- C:\Program Files\Raxco
[2006/10/21 15:27:23 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2005/11/24 12:55:33 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek AC97
[2005/11/24 12:55:33 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek Sound Manager
[2009/08/05 23:47:19 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2005/12/20 16:43:44 | 000,000,000 | ---D | M] -- C:\Program Files\SafeNet Sentinel
[2009/06/01 17:16:29 | 000,000,000 | ---D | M] -- C:\Program Files\SI Central System
[2005/11/24 14:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\SiSoftware
[2009/11/13 20:36:30 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2005/12/20 12:54:57 | 000,000,000 | ---D | M] -- C:\Program Files\Sony
[2008/11/15 19:05:26 | 000,000,000 | ---D | M] -- C:\Program Files\SpeedFan
[2005/11/26 14:10:01 | 000,000,000 | ---D | M] -- C:\Program Files\Startup Control Panel
[2010/02/08 05:10:09 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2005/11/29 08:50:12 | 000,000,000 | ---D | M] -- C:\Program Files\Steinberg
[2009/08/18 21:12:29 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2005/12/16 17:59:33 | 000,000,000 | ---D | M] -- C:\Program Files\Synthetic Aperture
[2005/11/26 19:59:16 | 000,000,000 | ---D | M] -- C:\Program Files\SysInternals
[2008/09/13 13:12:45 | 000,000,000 | ---D | M] -- C:\Program Files\SystemRequirementsLab
[2009/12/01 17:50:30 | 000,000,000 | ---D | M] -- C:\Program Files\TapeCalc
[2005/12/16 18:01:00 | 000,000,000 | ---D | M] -- C:\Program Files\The Foundry
[2008/12/29 19:04:15 | 000,000,000 | ---D | M] -- C:\Program Files\ThreatFire
[2005/11/26 20:25:28 | 000,000,000 | ---D | M] -- C:\Program Files\TreeComp
[2005/11/26 20:09:44 | 000,000,000 | ---D | M] -- C:\Program Files\ULTRAEDT
[2005/12/16 13:25:29 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/01/17 20:57:16 | 000,000,000 | ---D | M] -- C:\Program Files\USB PnP Sound Device
[2005/12/26 02:52:23 | 000,000,000 | ---D | M] -- C:\Program Files\Viewpoint
[2009/08/18 17:35:28 | 000,000,000 | ---D | M] -- C:\Program Files\Vstplugins
[2010/03/11 21:27:42 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2010/03/11 21:20:48 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Detect
[2006/05/05 12:32:30 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Defender
[2007/02/12 01:55:15 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2010/05/27 06:48:18 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/05/27 06:48:18 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/11/21 20:31:00 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2005/11/20 17:26:45 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/12/06 14:56:34 | 000,000,000 | ---D | M] -- C:\Program Files\WinPcap
[2006/04/22 02:30:43 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2010/05/21 05:46:46 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2008/11/25 19:34:58 | 000,000,000 | ---D | M] -- C:\Program Files\WoWBack
[2005/11/20 17:27:53 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2005/12/02 19:12:12 | 000,000,000 | ---D | M] -- C:\Program Files\Zone Labs
[2007/09/14 00:25:43 | 000,000,000 | ---D | M] -- C:\Program Files\Zoom Player

< %appdata%\*.* >
[2010/02/15 12:32:47 | 000,000,310 | ---- | M] () -- C:\Documents and Settings\Charles\Application Data\APUSet.xml
[2005/11/20 09:43:55 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Charles\Application Data\desktop.ini
[2010/02/15 12:33:54 | 000,006,496 | ---- | M] () -- C:\Documents and Settings\Charles\Application Data\PrimoPDFSet.xml
[2009/05/05 23:03:58 | 000,000,760 | ---- | M] () -- C:\Documents and Settings\Charles\Application Data\setup_ldm.iss


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sp3.cab:disk.sys
[2004/08/04 07:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: NVATA.SYS >
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\NVIDIA\nForceWin2KXP\6.70\IDE\Win2K\sata_ide\nvata.sys
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\NVIDIA\nForceWin2KXP\6.70\IDE\WinXP\sata_ide\nvata.sys
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: NVATABUS.SYS >
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\NVIDIA\nForceWin2KXP\6.70\IDE\Win2K\legacy\nvatabus.sys
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\NVIDIA\nForceWin2KXP\6.70\IDE\Win2K\sataraid\nvatabus.sys
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\NVIDIA\nForceWin2KXP\6.70\IDE\WinXP\legacy\nvatabus.sys
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\NVIDIA\nForceWin2KXP\6.70\IDE\WinXP\sataraid\nvatabus.sys
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\WINDOWS\system32\drivers\nvatabus.sys
[2005/08/18 18:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2010/05/27 06:42:28 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\sp3.cab:usbstor.sys
[2004/08/04 00:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-05-27 16:59:30

========== Alternate Data Streams ==========

@Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


--Extras.Txt:--

OTL Extras logfile created on: 5/28/2010 10:50:32 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Charles\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 117.19 Gb Total Space | 52.38 Gb Free Space | 44.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 78.13 Gb Total Space | 59.45 Gb Free Space | 76.09% Space Free | Partition Type: NTFS
Drive G: | 736.19 Gb Total Space | 422.20 Gb Free Space | 57.35% Space Free | Partition Type: NTFS
Drive H: | 465.76 Gb Total Space | 112.80 Gb Free Space | 24.22% Space Free | Partition Type: NTFS
Drive I: | 279.46 Gb Total Space | 36.39 Gb Free Space | 13.02% Space Free | Partition Type: NTFS
Drive J: | 279.46 Gb Total Space | 10.86 Gb Free Space | 3.88% Space Free | Partition Type: NTFS
Drive L: | 465.76 Gb Total Space | 462.33 Gb Free Space | 99.26% Space Free | Partition Type: NTFS

Computer Name: WARPCORE
Current User Name: Charles
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.txt [@ = UltraEdit.txt] -- C:\Program Files\ULTRAEDT\UEDIT32.EXE (IDM Computer Solutions, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "G:\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "G:\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe" = C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Enabled:Sentinel Protection Server -- (SafeNet, Inc)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1135583528\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1135583528\ee\aolsoftware.exe:*:Enabled:AOL Services -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1135583528\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1135583528\ee\aim6.exe:*:Enabled:AIM -- (America Online, Inc.)
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- File not found
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\kav\kav7\setup.exe" = C:\kav\kav7\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup -- File not found
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe:*:Enabled:Kaspersky Anti-Virus -- File not found
"G:\Vent\Ventrilo.exe" = G:\Vent\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()
"C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe" = C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe:*:Enabled:Aliens vs Predator Demo -- (Sega Europe Limited)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{005E3474-A9DB-4EB2-BDB8-0AA7541A0782}" = Sony Preset Manager 2.0
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0C9D0200-FA32-44B7-BBB3-7C03F700C4A0}" = Sound Blaster X-Fi
"{1131AF4D-A6FD-4E73-8099-3CFE3521ECF3}" = NewTek LightWave 3D [8] Content CD One
"{15047293-954F-45B2-8A7B-D7226D2B6931}" = SyncToy
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1E99F5D7-4262-4C7C-9135-F066E7485811}" = System Requirements Lab
"{1ED6E4D0-8DB0-A333-DEA6-188F957F5A43}" = Catalyst Control Center Graphics Light
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{2D637DF4-652D-4E5D-8303-7EE07C495033}" = Sony Sound Series Loops and Samples Reference Library v2
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{32A72502-BC2C-4C39-ACEA-BC3D463F0697}" = EN
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = Logitech Registration
"{407E0CBD-D6BF-F243-6DE9-F1EEA525BA1C}" = Catalyst Control Center Graphics Full Existing
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav
"{513AEC24-3465-8C4F-87BA-652D6F491033}" = Nero 7 Demo
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5569C99B-129C-426E-920A-FD1F0DC01FDC}" = Dawn
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{5EC634FA-5047-38B2-A53A-15963D9BD872}" = CCC Help English
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{61CEB2D7-8D3B-4247-B75E-A95F6699B90A}" = Adobe After Effects 6.5
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{651AFCC8-2F1A-8132-0A33-FA5F041380BA}" = Catalyst Control Center Graphics Full New
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{681F447D-49EC-4D5D-AE0A-145A8AA4E239}" = Nalu
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{69EF33D7-3425-1409-0BE1-C4F3A6FB57A8}" = ccc-utility
"{6A136B9A-1895-436F-83F8-30D9C68BB6EA}" = Rhapsody Player Engine
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6BD31B80-7E9E-4FAF-B911-0AC31FB94BF6}" = Adobe Encore DVD 1.5
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7510EF8C-99B9-8533-524E-BF41BDC04188}" = Skins
"{76EFAC4F-1712-401F-B2AE-590B170C9BCE}" = StartupMonitor
"{773040E1-3B60-6507-C387-71F8F0A03C59}" = ccc-core-static
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{79546A5F-AE7C-4693-8670-A3401B43ABD2}" = HP Deskjet 5900 series
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}" = Adobe Audition 1.5
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}" = Microsoft Visual C Runtime
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8F66DDC0-5674-4286-A6A8-2AD67E6CF081}" = Diskeeper Home Edition
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{90F80409-6000-11D3-8CFE-0150048383C9}" = Remove Hidden Data Tool
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91185ACE-3EE0-4759-A37D-C412131A10B1}" = NewTek LightWave 3D [8]
"{92DEC792-A722-5991-2607-3EE3A4BD502B}" = Catalyst Control Center HydraVision Full
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{9551930D-3EAA-4D28-AD7A-D50D8DD50DD1}" = Sony ACID Pro 5.0a
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{96793032-8651-805A-67EF-E1759C1A8E3D}" = Catalyst Control Center Graphics Previews Common
"{97E038E1-41AD-4C93-BCDC-6A2394AEE352}" = Vegas Movie Studio Platinum 9.0
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5222E5A-13CB-4C98-9F5C-21CF6896A25C}" = HPDeskjet5900Series
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B094F70F-2CC2-5062-8534-D3830FC4B018}" = Catalyst Control Center Core Implementation
"{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}" = Windows Defender
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BBA7D86C-8233-469B-9B1D-AD2FCFB96BB3}" = NewTek LightWave 3D [8] Content CD Two
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BCA02FAD-2C86-4C8C-A815-51C09F4E51FF}" = Dual-Core Optimizer
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe Extendscript Toolkit 2
"{C7793EE8-F666-4E6B-9827-76468679480E}" = Tweakui Powertoy for Windows XP
"{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA}" = Blaze Media Pro
"{C94E45B0-6AA6-4FB9-9AAE-22085F631880}" = VBA
"{CA42C38C-B369-B190-AD06-76D3AC95CFAC}" = ccc-core-preinstall
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D2E7A6EA-5853-426A-920D-12F4F250927E}" = Sentinel Protection Installer 7.1.1
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EA960DA1-121B-413D-A50D-FB6D3857F790}" = AMD Power Monitor
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F59A237B-7B38-4106-ADF4-7F2806CDBF5F}" = Luna
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF8500E6-EA0D-11D7-8755-0080C8F92A32}" = ABIT uGuru
"{FFC1ADE3-944B-4231-894E-3903C37271D2}" = Adobe Setup
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe_c3c7fe8b09d497ab2b3fd91c9353390" = Adobe Flash CS3 Professional
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Instant Messenger" = AOL Instant Messenger
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ATI Display Driver" = ATI Display Driver
"Audacity 1.3 Beta_is1" = Audacity 1.3.0
"Blaze Media Pro" = Blaze Media Pro
"Browser Defender_is1" = Browser Defender 2.0.6.15
"CDisplay_is1" = CDisplay 1.8
"Color Finesse" = Color Finesse
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2007-02-22
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"CutePDF Writer Installation" = CutePDF Writer 2.8
"DirectVobSub" = DirectVobSub (remove only)
"FileSync" = FileSync
"FLV Player1.33" = FLV Player
"FLVPlayer" = FLV Player 1.3.3
"Free CD to MP3 Converter" = Free CD to MP3 Converter
"Generic USB 108 Sound" = USB PnP Sound Device
"Google Updater" = Google Updater
"HaaliMkx" = Haali Media Splitter
"HitmanPro35" = Hitman Pro 3.5
"HP Imaging Device Functions" = HP Imaging Device Functions 5.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.0
"IrfanView" = IrfanView (remove only)
"IZArc 3.5 beta 3_is1" = IZArc 3.5 beta 3
"Keylight (1.0v4) for Adobe After Effects" = Keylight (1.0v4) for Adobe After Effects
"Magic Bullet Movie Looks" = Magic Bullet Movie Looks
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Matroska Pack" = Matroska Pack
"MatroskaProp" = MatroskaProp (remove only)
"Micrografx Picture Publisher 8" = Micrografx Picture Publisher 8
"Micrografx Webtricity 2" = Micrografx Webtricity 2
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mIRC" = mIRC
"MKV Minimum Set (LD-Anime) - MatroskaSplitter & VSFilter_is1" = Matroska Pack - Lazy Man's MKV 0.9.9
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"Mumble" = Mumble and Murmur
"MWSnap 3" = MWSnap 3
"Native Instruments Xpress Keyboards" = Native Instruments Xpress Keyboards
"NIS" = Norton Internet Security
"NVIDIA Drivers" = NVIDIA Drivers
"PC Magazine's DiskPie_is1" = DiskPie 2.1
"PC Magazine's TapeCalc_is1" = TapeCalc 2.1
"PC Wizard 2008_is1" = PC Wizard 2008.1.86
"Picasa 3" = Picasa 3
"Picasa2" = Picasa 2
"PrimoPDF4.0.2.5" = PrimoPDF
"PrintFolder_is1" = PrintFolder 1.2
"Product_Name" = script Maker
"RealAlt_is1" = Real Alternative 1.51
"SI Central System" = SI Central System 1.0.1
"SI Engineering System" = SI Engineering System 2.4.41
"SiSoftware Sandra Lite 2005.SR2a_is1" = SiSoftware Sandra Lite 2005.SR2a (Win64/32/CE)
"SmartCDRipper_is1" = SmartCDRipper
"SpeedFan" = SpeedFan (remove only)
"Spyware Doctor" = Spyware Doctor 7.0
"StarCraft" = StarCraft
"StarCraft II Beta" = StarCraft II Beta
"Steam App 12910" = Audiosurf Demo
"Steam App 34200" = Aliens vs Predator Demo
"System47" = System47 Screen Saver
"SystemRequirementsLab" = System Requirements Lab
"TreeComp" = TreeComp
"Tunatic" = Tunatic
"UltraEdit-32" = UltraEdit-32 Uninstall
"Universal Document Converter_is1" = Universal Document Converter
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.5
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WindowsDraw6" = Micrografx Windows Draw 6
"WinPatrol" = WinPatrol
"WinPcapInst" = WinPcap 3.1
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Warcraft III" = Warcraft III: All Products
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/28/2010 7:52:14 AM | Computer Name = WARPCORE | Source = Google Update | ID = 20
Description =

Error - 5/28/2010 8:40:05 AM | Computer Name = WARPCORE | Source = Google Update | ID = 20
Description =

Error - 5/28/2010 8:52:14 AM | Computer Name = WARPCORE | Source = Google Update | ID = 20
Description =

Error - 5/28/2010 9:40:05 AM | Computer Name = WARPCORE | Source = Google Update | ID = 20
Description =

Error - 5/28/2010 9:52:14 AM | Computer Name = WARPCORE | Source = Google Update | ID = 20
Description =

Error - 5/28/2010 10:40:05 AM | Computer Name = WARPCORE | Source = Google Update | ID = 20
Description =

Error - 5/28/2010 10:52:14 AM | Computer Name = WARPCORE | Source = Google Update | ID = 20
Description =

Error - 5/28/2010 11:39:47 AM | Computer Name = WARPCORE | Source = Application Error | ID = 1000
Description = Faulting application javara.exe, version 1.15.0.1745, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x00032a16.

Error - 5/28/2010 11:40:06 AM | Computer Name = WARPCORE | Source = Application Error | ID = 1000
Description = Faulting application javara.exe, version 1.15.0.1745, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x00032a16.

Error - 5/28/2010 11:41:01 AM | Computer Name = WARPCORE | Source = Application Error | ID = 1000
Description = Faulting application javara.exe, version 1.15.0.1745, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x00032a16.

[ System Events ]
Error - 5/27/2010 7:26:31 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/27/2010 7:26:32 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/27/2010 7:26:34 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/27/2010 7:26:36 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/27/2010 7:27:46 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/27/2010 7:27:47 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/27/2010 7:27:49 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/27/2010 7:27:50 PM | Computer Name = WARPCORE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 5/28/2010 11:50:55 AM | Computer Name = WARPCORE | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 5/28/2010 11:50:56 AM | Computer Name = WARPCORE | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >


Re: Backdoor.Tidserv

Post by Belahzur on Fri May 28, 2010 6:18 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Backdoor.Tidserv

Post by ViceVersaMan on Fri May 28, 2010 8:47 pm

As requested:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4135

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/28/2010 3:30:59 PM
mbam-log-2010-05-28 (15-30-59).txt

Scan type: Quick scan
Objects scanned: 148176
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Backdoor.Tidserv

Post by Belahzur on Sat May 29, 2010 10:45 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


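The report Belahzur asks for is the one ComboFix writes to C:\combofix.txt. In a Tidserv case three parts of it deserve a first look: the "Other Deletions" notice, because this rootkit family installs itself by patching a legitimate system driver rather than adding a new one; the service table (R0..S4 lines, where R/S is running/stopped, the digit is the start type, the bracket holds the file's date, time and size, and ComboFix prints [x] or [?] when, as I read its markers, it could not find or could not verify the file); and the Security Center / Windows Firewall values in the registry snippets. The script below is an added example written for this edit, not ComboFix's code and not something posted in the thread. It parses those three blocks and ranks what it finds. The sample log is constructed from lines of the report ViceVersaMan posts in reply; the severities and the "outside the drivers directory" rule are my own heuristics, so a flagged entry is a prompt to check that file's publisher and signature, not a verdict.

```python
"""Triage helper for a ComboFix report (added example; not ComboFix's code nor from this thread).
Reads the 'Other Deletions' notice, Security Center / firewall registry values and the
service table (R0..S4 lines), and ranks what it finds for manual review."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix report posted in this thread.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 AmdAcpi;AmdAcpi Bus Filter Driver;c:\windows\system32\drivers\amdacpi.sys [11/24/2005 1:07 PM 13824]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [1/27/2010 7:58 PM 310320]
R1 SASDIFSV;SASDIFSV;g:\superantispyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 Mnmimbustsvic;Mnmimbustsvic; [x]
"""

# Service line: R=running/S=stopped, start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled),
# name;display;path, then "[date time size]" or, as I read ComboFix's markers, "[x]" = file
# missing and "[?]" = file not verifiable.
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
                        r"(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>\S+) was found and disinfected", re.I)
# Heuristic of mine: boot/system-start drivers normally live under these prefixes.
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "\\systemroot\\system32\\drivers\\")


@dataclass
class Service:
    name: str
    path: str
    running: bool
    start_type: int
    size: Optional[int]   # bytes, when the log printed one
    binary_status: str    # "present", "missing" ([x]) or "unknown" ([?])


@dataclass
class Finding:
    severity: str         # "high", "medium" or "low"
    subject: str
    reason: str


def parse_services(text: str) -> List[Service]:
    services = []
    for m in filter(None, (SERVICE_RE.match(l.strip()) for l in text.splitlines())):
        info = m["info"].strip().split()
        status = {"x": "missing", "?": "unknown"}.get(m["info"].strip(), "present")
        size = int(info[-1]) if status == "present" and info and info[-1].isdigit() else None
        services.append(Service(m["name"].strip(), m["path"].strip(), m["state"] == "R",
                                int(m["start"]), size, status))
    return services


def parse_registry(text: str) -> Dict[str, int]:
    """Lower-cased 'key\\value' -> int for dword/numeric values; string values are skipped."""
    values, key = {}, ""
    for line in (l.strip() for l in text.splitlines()):
        k, v = REG_KEY_RE.match(line), REG_VALUE_RE.match(line)
        if k:
            key = k["key"].lower()
        elif v:
            num = re.match(r"dword:([0-9a-f]+)|(-?\d+)", v["value"].strip(), re.I)
            if num:
                values[key + "\\" + v["name"].lower()] = int(num[1], 16) if num[1] else int(num[2])
    return values


def triage(text: str) -> List[Finding]:
    found: List[Finding] = []
    for m in filter(None, (INFECTED_RE.match(l.strip()) for l in text.splitlines())):
        found.append(Finding("high", m["path"], "ComboFix replaced an infected system driver; "
                             "Tidserv/TDSS patches a legitimate driver to load itself, so re-scan "
                             "from clean media after the reboot and look for whatever re-infects it"))
    for s in parse_services(text):
        if s.binary_status == "missing":
            found.append(Finding("medium", s.name, "service entry with no file on disk ([x]): orphan or deleted loader"))
        elif s.binary_status == "unknown":
            found.append(Finding("low", s.name, "image path not verifiable ([?]): " + s.path))
        elif s.start_type <= 1 and not s.path.lower().startswith(DRIVER_DIRS):
            found.append(Finding("medium", s.name, "boot/system-start driver outside the drivers directory: " + s.path))
    for key, value in parse_registry(text).items():
        if key.endswith("\\antivirusoverride") and value == 1:
            found.append(Finding("low", "Security Center", "AntiVirusOverride=1: no warning if the AV stops reporting"))
        elif key.endswith("standardprofile\\enablefirewall") and value == 0:
            found.append(Finding("low", "Windows Firewall", "EnableFirewall=0: acceptable only while a third-party firewall is on"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(found, key=lambda f: rank[f.severity])   # stable sort keeps log order within a tier


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```

Run the file directly to print the findings for the sample; for a real report, `triage(open("combofix.txt", encoding="cp1252", errors="replace").read())` does the same. Everything it reports needs a human decision: on the sample it flags the SUPERAntiSpyware driver because it loads from G:\ and the orphaned Mnmimbustsvic entry because its file is gone, and neither is proof of anything by itself. The high-severity ftdisk.sys line is the one that matters, and that is ComboFix's own finding, not the script's.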

Re: Backdoor.Tidserv

Post by ViceVersaMan on Sun May 30, 2010 2:23 am

As requested:

ComboFix 10-05-29.03 - Charles 05/29/2010 21:06:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2458 [GMT -5:00]
Running from: c:\documents and settings\Charles\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: F-Secure Anti-Virus 2006 6.10 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-28 15:38 . 2010-05-28 15:38 61440 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174e2506-n\decora-sse.dll
2010-05-28 15:38 . 2010-05-28 15:38 503808 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ee07ae2-n\msvcp71.dll
2010-05-28 15:38 . 2010-05-28 15:38 499712 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ee07ae2-n\jmc.dll
2010-05-28 15:38 . 2010-05-28 15:38 348160 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2ee07ae2-n\msvcr71.dll
2010-05-28 15:38 . 2010-05-28 15:38 12800 ----a-w- c:\documents and settings\Charles\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174e2506-n\decora-d3d.dll
2010-05-28 15:37 . 2010-05-28 15:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-27 14:21 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-05-27 11:50 . 2010-05-27 11:50 -------- d-----w- c:\windows\system32\scripting
2010-05-27 11:50 . 2010-05-27 11:50 -------- d-----w- c:\windows\l2schemas
2010-05-27 11:50 . 2010-05-27 11:50 -------- d-----w- c:\windows\system32\en
2010-05-27 11:50 . 2010-05-27 11:50 -------- d-----w- c:\windows\system32\bits
2010-05-26 21:53 . 2010-05-26 21:53 63488 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-26 21:53 . 2010-05-26 21:53 52224 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 21:53 . 2010-05-26 21:53 117760 ----a-w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 21:53 . 2010-05-26 21:53 -------- d-----w- c:\documents and settings\Charles\Application Data\SUPERAntiSpyware.com
2010-05-26 21:53 . 2010-05-26 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-25 10:21 . 2010-05-27 17:58 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-25 10:21 . 2010-05-25 10:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-25 10:20 . 2010-05-25 10:20 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-25 01:55 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-25 01:55 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-25 01:55 . 2010-01-22 14:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-25 01:55 . 2010-01-22 14:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-25 01:55 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-25 01:55 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-05-25 01:53 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-25 01:53 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-25 01:53 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-25 01:53 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-25 01:53 . 2010-05-25 01:56 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-25 01:53 . 2010-05-25 01:53 -------- d-----w- c:\documents and settings\Charles\Application Data\PC Tools
2010-05-25 01:53 . 2010-05-25 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-24 00:33 . 2010-05-24 00:33 -------- d-----w- c:\documents and settings\Charles\Application Data\Malwarebytes
2010-05-24 00:32 . 2010-05-24 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-24 00:32 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 00:32 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 02:04 . 2007-02-16 22:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 15:44 . 2005-11-23 22:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-28 15:38 . 2005-12-26 08:05 -------- d-----w- c:\program files\Common Files\Java
2010-05-28 15:37 . 2005-12-26 08:05 -------- d-----w- c:\program files\Java
2010-05-27 16:57 . 2005-12-23 04:22 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-27 12:17 . 2005-12-17 00:14 596944 ----a-w- c:\documents and settings\Charles\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-27 11:52 . 2005-11-20 22:27 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-23 07:16 . 2010-02-22 21:42 -------- d-----w- c:\documents and settings\Charles\Application Data\vlc
2010-05-21 11:13 . 2009-06-09 16:29 1 ----a-w- c:\documents and settings\Charles\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-21 10:46 . 2005-12-03 00:28 -------- d-----w- c:\program files\World of Warcraft
2010-05-13 03:19 . 2009-06-26 15:03 -------- d-----w- c:\program files\Google
2010-05-13 02:42 . 2008-09-27 01:38 -------- d-----w- c:\documents and settings\Charles\Application Data\Skype
2010-05-12 22:00 . 2008-07-13 22:47 -------- d-----w- c:\documents and settings\Charles\Application Data\skypePM
2010-04-06 22:33 . 2010-04-06 22:33 -------- d-----w- c:\program files\Common Files\Skype
2010-03-26 15:33 . 2010-04-15 06:29 1496064 ----a-w- c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 15:33 . 2010-04-15 06:29 43008 ----a-w- c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 15:33 . 2010-04-15 06:29 339456 ----a-w- c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 15:32 . 2010-04-15 06:29 346112 ----a-w- c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-05-20 23:33 . 2009-05-20 23:33 1368 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="g:\superantispyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]
"Google Update"="c:\documents and settings\Charles\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"CTAPR2"="c:\program files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" [2007-02-15 57344]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
"SPIRun"="SPIRun.dll" [2006-11-29 8704]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"WinPatrol System Monitor"="c:\program files\BillP Studios\WinPatrol\WinPatrol.exe" [2005-11-15 222784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-6 809488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "g:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- g:\superantispyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 05:30 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135583528\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135583528\\ee\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"g:\\Vent\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator demo\\AvP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AmdAcpi;AmdAcpi Bus Filter Driver;c:\windows\system32\drivers\amdacpi.sys [11/24/2005 1:07 PM 13824]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/24/2010 8:53 PM 218592]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [1/27/2010 7:58 PM 310320]
R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [11/30/2005 1:16 AM 10752]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [11/24/2005 1:07 PM 21632]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [1/27/2010 7:58 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [1/27/2010 7:58 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100520.001\IDSXpx86.sys [10/28/2009 5:37 PM 329592]
R1 SASDIFSV;SASDIFSV;g:\superantispyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;g:\superantispyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 Browser Defender Update Service;Browser Defender Update Service;g:\spyware doctor\BDT\BDTUpdateService.exe [5/24/2010 8:55 PM 112592]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [1/27/2010 7:58 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 3:00 AM 102448]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [5/21/2008 8:28 AM 732672]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [5/21/2008 8:28 AM 1656576]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [1/17/2009 8:57 PM 1312768]
S2 gupdate1ca237fe011090;Google Update Service (gupdate1ca237fe011090);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2009 6:19 PM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S3 sdAuxService;PC Tools Auxiliary Service;g:\spyware doctor\pctsAuxs.exe [5/24/2010 8:53 PM 366840]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 Mnmimbustsvic;Mnmimbustsvic; [x]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/6/2006 12:21 PM 611064]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 6:12 PM 14032]
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-26 23:19]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-22 23:19]

2010-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1606980848-725345543-1003Core.job
- c:\documents and settings\Charles\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-27 17:35]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1606980848-725345543-1003UA.job
- c:\documents and settings\Charles\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-27 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\ps2qcrdf.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Charles\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: g:\picasa2\npPicasa3.dll
FF - plugin: h:\real alternative\browser\plugins\nppl3260.dll
FF - plugin: h:\real alternative\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-NWEReboot - (no file)
HKLM-Run-UDC Integration - (no file)
HKLM-Run-Cm108Sound - cm108.cpl
AddRemove-Picasa2 - c:\program files\Picasa2\Uninstall.exe
AddRemove-_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} - c:\program files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-05-29 21:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SPIRun = Rundll32 SPIRun.dll,RunDLLEntry?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1935655697-1606980848-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f2,de,3f,2c,3d,8e,f7,3b,3e,01,fa,18,2d,13,a4,db,5d,c6,1f,7e,65,31,f4,
09,1f,2f,c0,65,de,b3,e2,d7,1d,7c,62,3d,4f,b0,ea,e8,1b,04,17,a3,7e,a8,cf,b2,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_USERS\S-1-5-21-1935655697-1606980848-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:56,96,6c,9a,5c,6a,ab,b1,20,50,eb,c1,09,5b,60,1f,98,fa,35,9d,55,
a1,02,d5,4e,55,06,41,0d,9e,0c,c5,b5,09,5d,fe,b2,bb,3d,b2,f2,73,ab,c8,79,5c,\
"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:94,dd,18,92,fb,1b,c1,ef,2e,da,dd,0c,63,9c,17,92,81,e5,b8,15,cc,
f7,8d,7c,d9,6f,c0,95,57,de,b1,fb,3b,ba,c5,a7,ac,56,10,e1,84,b3,8f,38,ba,4e,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:94,dd,18,92,fb,1b,c1,ef,2e,da,dd,0c,63,9c,17,92,81,e5,b8,15,cc,
f7,8d,7c,d9,6f,c0,95,57,de,b1,fb,3b,ba,c5,a7,ac,56,10,e1,84,b3,8f,38,ba,4e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1480)
g:\superantispyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3460)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-29 21:16:23
ComboFix-quarantined-files.txt 2010-05-30 02:16

Pre-Run: 56,042,180,608 bytes free
Post-Run: 59,502,161,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP NORMAL" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP SPARE - UNACTIVATED" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 87ECAD2A960D000003515126B46E75A0

ViceVersaMan
Novice
Posts: 6
Joined: 2010-05-25
OS: Windows XP
Points: 23938
Likes: 0
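Reading the "R0/R1/R2/S3/S4" service block of a ComboFix log by hand is tedious, and the entries that matter for triage are easy to miss among the legitimate ones. The following script is an added example (not part of this thread, and not ComboFix's or OldTimer's own code) that parses that block and flags the entries a helper would look at first: a service whose image file is gone (`[x]`, like `Mnmimbustsvic` above), one whose file ComboFix could not verify (`[?]`, like `SetupNTGLM7X`), and one whose image lives outside the usual Windows and Program Files locations. The sample lines are copied from the log above; the meaning of the state code (R = running, S = stopped, digit = start type) follows the HijackThis/ComboFix convention, and the list of "standard" roots is a heuristic chosen for this example, not anything ComboFix itself checks.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Service lines copied from the ComboFix listing above, used as sample input.
SAMPLE_LINES = [
    r"R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [11/30/2005 1:16 AM 10752]",
    r"R1 SASDIFSV;SASDIFSV;g:\superantispyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]",
    r"R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [1/27/2010 7:58 PM 117640]",
    r"S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]",
    r"S4 Mnmimbustsvic;Mnmimbustsvic; [x]",
    r"S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/6/2006 12:21 PM 611064]",
]

# "<R|S><start type> <name>;<display name>;<rest>"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# "<path> [<timestamp> <size>]" for entries whose file ComboFix found on disk
FILE_RE = re.compile(r"^(?P<path>.*?) \[(?P<stamp>.+) (?P<size>\d+)\]$")

# Start-type digit as used in the log (HijackThis/ComboFix convention, assumed here).
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
# Heuristic chosen for this example: image paths outside these roots get a note.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\documents and settings\\")


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: Optional[str] = None
    timestamp: Optional[str] = None
    size: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for lines that are not service entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state = m.group("state")
    entry = ServiceEntry(running=state[0] == "R", start_type=int(state[1]),
                         name=m.group("name"), display=m.group("display"))
    rest = m.group("rest").strip()
    if rest == "[x]":
        # Service is registered but no image file exists: an orphaned entry.
        entry.flags.append("missing_image")
    elif rest.endswith("[?]"):
        # ComboFix prints "<registry value> --> <resolved path> [?]" when it
        # could not verify the file; keep the resolved form of the path.
        entry.flags.append("unverified_image")
        entry.path = rest[:-3].split("-->")[-1].strip()
    else:
        fm = FILE_RE.match(rest)
        if fm:
            entry.path = fm.group("path")
            entry.timestamp = fm.group("stamp")
            entry.size = int(fm.group("size"))
        else:
            entry.path = rest
            entry.flags.append("unparsed_tail")
    if entry.path and not entry.path.lower().startswith(STANDARD_ROOTS):
        entry.flags.append("nonstandard_location")
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Return only the entries that carry at least one triage flag."""
    parsed = (parse_service_line(line) for line in lines)
    return [e for e in parsed if e is not None and e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        state = "running" if e.running else "stopped"
        print(f"{e.name:<20} {state:<8} start={START_TYPES[e.start_type]:<8} "
              f"path={e.path!r} flags={','.join(e.flags)}")
```

On the sample above this reports `SASDIFSV` (SUPERAntiSpyware installed on g:, a location note rather than a problem), `SetupNTGLM7X` (file unverified) and `Mnmimbustsvic` (no image file at all). A flag is a prompt to look, not a verdict: the security tools on g: here are legitimate, and a missing-image entry is usually leftover registration that the helper's fix script removes rather than active malware.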

Re: Backdoor.Tidserv

Post by Belahzur on Sun May 30, 2010 10:09 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

Re: Backdoor.Tidserv

Post by ViceVersaMan on Mon May 31, 2010 5:06 pm

My system APPEARS to be clean following the running of Combofix! Hooray! I ran the program (adhering closely to your directions) on Saturday evening and used my computer normally for a good part of Sunday to test it out. I have received none of the worrisome notices from Norton Internet Security in the interim!

I went ahead and ran an ESET Online Scan on Sunday evening following your recommendation, just to be sure. Unfortunately, when prompted by the scanner, I chose the option to uninstall ESET following its completion. I don't know if this action erased the log you mentioned, but I could not find C:\Program Files\esetonlinescanner\log.txt. Instead, following the scan and subsequent uninstall, I found a remnant of the program at C:\Program Files\ESET\ESET Online Scanner, but the folder contained only the files "OnlineScanner.ocx" and "OnlineScannerUninstaller". I can run ESET Online Scan again if you think it would be prudent for me to post the log here, again, just to be sure. Just let me know.

I cannot express the depth of my appreciation for your assistance in cleaning my system of what has been a most frustrating nuisance, Belahzur! You truly are a powerful Anti-Malware Wizard of considerable ability and knowledge! Please let me know if there are any further steps I should take to make sure that my system is 100% TidServ free.

Otherwise, all that's left is a heartfelt and well-deserved Thank You!

GeekPolice is truly number one, and I'll surely be recommending it to anyone with any sort of computer woes! Thanks again!


Re: Backdoor.Tidserv

Post by Belahzur on Mon May 31, 2010 11:37 pm

Hello.
Did the first scan report anything? As in, did it find anything?


Re: Backdoor.Tidserv

Post by ViceVersaMan on Tue Jun 01, 2010 2:48 pm

As best as I can recall, it didn't alert me to having found anything, no. Although to be fair, I had planned to examine the log.txt file with more scrutiny, so I might have missed something if the information was obscure in any way.
