Nasty Virus



Nasty Virus

Post by mandrews on Wed 29 Jun 2011, 6:41 pm

I have a virus or something nasty; I can't use the Microsoft malicious scanner, HijackThis, or any other scanner. Need some help here.

mandrews
Newbie Surfer
Posts : 20
Joined : 2011-02-08
Operating System : Greer, South Carolina

Re: Nasty Virus

Post by Gabethebabe on Wed 29 Jun 2011, 9:16 pm

Hi there mandrews!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

I'm not sure what exactly is happening with your computer without a more specific description.

If you have something nasty that is prohibiting you from running any software, we are probably looking at a rogue and you should do the following:

====================

Please download RKill by Grinler from Download Mirror #1 and save it to your desktop.
Download Mirror #1 (rkill.exe)
Download Mirror #2 (rkill.scr)
Download Mirror #3 (rkill.com)
Download Mirror #4 (WiNlOgOn.exe)
Download Mirror #5 (uSeRiNiT.exe)
Download Mirror #6 (iExplore.exe)
Download Mirror #7 (eXplorer.exe)

  • Double-click the RKill desktop icon (right-click > Run as Administrator for Vista/WIN7).
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur, please delete that application and try using Mirror #2.
  • Continue the process until the tool runs.
  • Important: RKill only temporarily disables the malware. If you reboot the computer, it will be active again. So do not reboot until we kill the infection.

====================

Please download OTL by OldTimer from here and save it to your desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

Code:
%APPDATA%\Microsoft\*.*
%systemroot%\system32\config\systemprofile\*.dat /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\winn32\*.*
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\*.exe
%ProgramFiles%\TinyProxy.
%systemroot%\system32\*.* /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.* /lockedfiles
%PROGRAMFILES%\*.
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
/md5start
netlogon.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
disk.sys
explorer.exe
userinit.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need multiple posts to get it all.



Gabethebabe
Tech Advisor
Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Nasty Virus

Post by mandrews on Thu 30 Jun 2011, 4:39 am

OTL would not start; error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

mandrews

Ran aswMBR, here is the report

Post by kf4nxs on Thu 30 Jun 2011, 3:08 pm

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-29 23:20:59
-----------------------------
23:20:59.812 OS Version: Windows 6.0.6002 Service Pack 2
23:20:59.812 Number of processors: 2 586 0x6802
23:20:59.814 ComputerName: MUSICMATT-PC UserName: musicmatt
23:21:12.439 Initialize success
23:23:30.387 AVAST engine defs: 11062900
23:23:34.958 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
23:23:34.962 Disk 0 Vendor: Hitachi_HTS542516K9SA00 BBCOC31P Size: 152627MB BusType: 3
23:23:37.000 Disk 0 MBR read successfully
23:23:37.003 Disk 0 MBR scan
23:23:37.006 Disk 0 unknown MBR code
23:23:39.011 Disk 0 scanning sectors +312578048
23:23:39.044 Disk 0 scanning C:\Windows\system32\drivers
23:23:44.489 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:23:53.748 Service scanning
23:23:55.610 Disk 0 trace - called modules:
23:23:55.633 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8cf16890]<<
23:23:55.638 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x861b0030]
23:23:55.643 3 CLASSPNP.SYS[83fa48b3] -> nt!IofCallDriver -> [0x8775a880]
23:23:55.650 \Driver\disk[0x874b7b08] -> IRP_MJ_CREATE -> 0x8cf16890
23:23:56.089 AVAST engine scan C:\Windows
23:27:30.593 File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe **INFECTED** Win32:Patched-WQ [Trj]
23:30:07.771 File: C:\Windows\System32\agrsmsvc.exe **INFECTED** Win32:Patched-WQ [Trj]
23:30:09.899 File: C:\Windows\System32\Ati2evxx.exe **INFECTED** Win32:Patched-WQ [Trj]
23:35:19.444 File: C:\Windows\System32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:42:50.048 File: C:\Windows\System32\lxdecoms.exe **INFECTED** Win32:Patched-WQ [Trj]
23:58:49.582 Disk 0 MBR has been saved successfully to "C:\Users\musicmatt\Desktop\MBR.dat"
23:58:49.617 The log file has been saved successfully to "C:\Users\musicmatt\Desktop\aswMBR.txt"


kf4nxs
Newbie Surfer
Posts : 30
Joined : 2009-09-29
Operating System : vista

Re: Nasty Virus

Post by Gabethebabe on Thu 30 Jun 2011, 5:37 pm

OK, this looks ugly. Please try the following:

Time to bring out ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that proceed to download ComboFix, but rename it during the download, to make sure the malware does not interfere.

The easiest way is to download using Internet Explorer. If you insist on using Mozilla Firefox, you have to make a change to its configuration:
Tools >> Options >> General >> Downloads >> select Always ask me where to save files.

Use one of the links in the guide to download ComboFix and when your browser asks you where to save it, change the name of the file to svchost.exe and save it to your desktop.



Double-click svchost.exe to run the tool. Please post its log back here.

Gabethebabe

Combofix

Post by kf4nxs on Fri 01 Jul 2011, 5:08 am

It gets as far as "this should take 10 min, maybe longer". After waiting an hour, nothing changed.

kf4nxs

Re: Nasty Virus

Post by kf4nxs on Fri 01 Jul 2011, 5:56 am

Forgot to mention it's a Vista system, if that matters.

kf4nxs

bump

Post by mandrews on Fri 01 Jul 2011, 1:35 pm

bump

mandrews

Re: Nasty Virus

Post by Gabethebabe on Fri 01 Jul 2011, 5:14 pm

Two persons are replying to this thread: mandrews and kf4nxs.
Are you one and the same person or am I looking at two different cases here?

Please make sure that only one case is handled per thread.

====================

This computer appears to be massively infected. Therefore I think it is a good idea to try and approach it from a boot CD and see if we can disable the worst of it.
You will need a clean computer with access to the internet to proceed with the following:

  • You will need a blank CD to burn the boot CD
  • Download OTLPEStd.exe by OldTimer from here (a big download)
  • Double-click on OTLPEStd.exe to burn the boot CD
  • Reboot your system using the boot CD you just created. If you don't know how to boot from CD, check out this page
  • Booting will take quite some time, so please be patient
  • Finally you should see the REATOGO-X-PE desktop. Find the OTLPE icon and double click it to run OTLPE
  • Answer Yes and OK to all prompts
  • Ensure the option Automatically Load All Remaining Users is checked
  • OTL should now start. Set the option Drivers to Non-Microsoft
  • Copy and paste the following text into the Custom Scans/Fixes field:
    /md5start
    atapi.sys
    iastor.sys
    ndis.sys
    userinit.exe
    winlogon.exe
    dfsc.sys
    agrsmsvc.exe
    Ati2evxx.exe
    lxdecoms.exe
    /md5stop
  • Click Run Scan to start the scan
  • When finished, a log file C:\OTL.txt will be created
  • Please post the contents of the file in your next reply


Gabethebabe
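The triage Gabethebabe does by hand across the last two replies, as an added Python example that is not part of the thread or of aswMBR/OTL themselves: it pulls the **INFECTED** entries, the "unknown MBR code" line and the hooked disk.sys dispatch out of a constructed excerpt of the aswMBR log posted above, deduplicates paths that aswMBR logs twice, separates rootkit indicators from the Win32:Patched system binaries, and emits the /md5start block the OTLPE step asks for. The baseline file list and the "recommend offline boot" rule are my assumptions, not the helper's.

```python
import re
from typing import Dict, List

# Constructed excerpt in the shape of the aswMBR log posted in this thread
# (a subset of its lines, not the complete log).
SAMPLE_LOG = r"""
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
23:23:37.000 Disk 0 MBR read successfully
23:23:37.006 Disk 0 unknown MBR code
23:23:44.489 File: C:\Windows\system32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:23:55.610 Disk 0 trace - called modules:
23:23:55.633 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8cf16890]<<
23:23:55.650 \Driver\disk[0x874b7b08] -> IRP_MJ_CREATE -> 0x8cf16890
23:27:30.593 File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe **INFECTED** Win32:Patched-WQ [Trj]
23:30:07.771 File: C:\Windows\System32\agrsmsvc.exe **INFECTED** Win32:Patched-WQ [Trj]
23:35:19.444 File: C:\Windows\System32\drivers\dfsc.sys **INFECTED** Win32:Sirefef-E [Rtk]
23:42:50.048 File: C:\Windows\System32\lxdecoms.exe **INFECTED** Win32:Patched-WQ [Trj]
"""

# One aswMBR file finding: timestamp, "File:", path, **INFECTED**, detection name, [category].
INFECTED_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+) \[(?P<kind>[A-Za-z]+)\]\s*$"
)

# Assumed baseline (my choice, mirroring the boot-path files the helper hashes):
# a replaced or patched copy of any of these shows up as a changed MD5.
BASELINE_FILES = ("atapi.sys", "iastor.sys", "ndis.sys", "userinit.exe", "winlogon.exe")


def parse_aswmbr(text: str) -> dict:
    """Extract the findings that matter for triage from an aswMBR log."""
    infected: Dict[str, Dict[str, str]] = {}   # keyed by lower-cased path, insertion-ordered
    mbr_unknown = False
    disk_hook = False
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            # NTFS paths are case-insensitive; aswMBR logs the same file twice
            # (driver scan and engine scan) with different casing, so keep the first.
            infected.setdefault(m.group("path").lower(), m.groupdict())
            continue
        if "unknown MBR code" in line:
            mbr_unknown = True      # MBR is not the stock Windows boot code
        if ">>UNKNOWN [" in line:
            disk_hook = True        # disk.sys dispatch routed through an unknown module
    return {"infected": list(infected.values()),
            "mbr_unknown": mbr_unknown, "disk_hook": disk_hook}


def triage(report: dict) -> dict:
    """Separate kernel-level rootkit indicators from patched user-mode binaries."""
    entries: List[Dict[str, str]] = report["infected"]
    indicators: List[str] = []
    if report["mbr_unknown"]:
        indicators.append("non-standard MBR code")
    if report["disk_hook"]:
        indicators.append("disk.sys IRP dispatch hooked by an unknown module")
    indicators += [f"{e['path']} ({e['name']})" for e in entries if e["kind"] == "Rtk"]
    patched = [e["path"] for e in entries if e["name"].startswith("Win32:Patched")]
    # Assumed rule: any kernel-level indicator means tools run inside Windows
    # cannot be trusted, so work from a boot CD (the helper's OTLPE step).
    return {"rootkit_indicators": indicators, "patched_system_files": patched,
            "recommend_offline_boot": bool(indicators)}


def otl_md5_block(report: dict, baseline=BASELINE_FILES) -> str:
    """Build the /md5start ... /md5stop block for OTL's Custom Scans/Fixes box."""
    names: Dict[str, str] = {n.lower(): n for n in baseline}
    for e in report["infected"]:
        base = e["path"].rsplit("\\", 1)[-1]   # OTL takes bare file names here
        names.setdefault(base.lower(), base)
    return "\n".join(["/md5start", *names.values(), "/md5stop"])


if __name__ == "__main__":
    rep = parse_aswmbr(SAMPLE_LOG)
    for key, value in triage(rep).items():
        print(f"{key}: {value}")
    print(otl_md5_block(rep))
```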

Re: Nasty Virus

Post by kf4nxs on Fri 01 Jul 2011, 7:47 pm

Yes, it is the same; I'm just logging in from a different source. I will get back with you when I have this done.



OTL logfile created on: 7/1/2011 6:44:11 AM - Run
OTLPE by OldTimer - Version 3.1.46.0 Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 80.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.65 Gb Total Space | 33.27 Gb Free Space | 47.78% Space Free | Partition Type: NTFS
Drive E: | 69.64 Gb Total Space | 65.68 Gb Free Space | 94.32% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - (szserver) -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe ()
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (NisSrv) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe ()
SRV - (Tether) -- C:\Program Files\Tether\TBService.exe ()
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (eDataSecurity Service) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (eNet Service) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe (Acer Inc.)
SRV - (eSettingsService) -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe ()
SRV - (MobilityService) -- C:\Acer\Mobility Center\MobilityService.exe ()
SRV - (eLockService) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe (Acer Inc.)
SRV - (WMIService) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (acer)
SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
SRV - (lxde_device) -- C:\Windows\System32\lxdecoms.exe ( )
SRV - (lxdeCATSCustConnectService) -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdeserv.exe ()
SRV - (AgereModemAudio) -- C:\Windows\System32\agrsmsvc.exe (Agere Systems)


========== Driver Services (SafeList) ==========

DRV - (ute3mty1) -- File not found
DRV - (NwlnkFwd) -- File not found
DRV - (NwlnkFlt) -- File not found
DRV - (MEMSWEEP2) -- File not found
DRV - (IpInIp) -- File not found
DRV - (catchme) -- File not found
DRV - (Aspi32) -- File not found
DRV - (F-Secure Standalone Minifilter) -- C:\Users\musicmatt\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys ()
DRV - (1206856434) -- C:\Windows\System32\drivers\1206856434.sys (VIA Technologies)
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)
DRV - (DfsC) -- C:\Windows\System32\drivers\dfsc.sys ()
DRV - (kl2) -- C:\Windows\System32\drivers\kl2.sys (Kaspersky Lab ZAO)
DRV - (qrkis) -- C:\Windows\System32\drivers\qrkis.sys (Tether)
DRV - (szkgfs) -- C:\Windows\System32\drivers\SZKGFS.sys (iS3, Inc.)
DRV - (KLIM6) -- C:\Windows\System32\drivers\klim6.sys (Kaspersky Lab ZAO)
DRV - (szkg5) -- C:\Windows\System32\drivers\SZKG.sys (iS3 Inc.)
DRV - (is3srv) -- C:\Windows\System32\drivers\is3srv.sys (iS3 Inc.)
DRV - (klmouflt) -- C:\Windows\System32\drivers\klmouflt.sys (Kaspersky Lab)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys (Acer, Inc.)
DRV - (O2MDRDR) -- C:\Windows\System32\drivers\o2media.sys (O2Micro )
DRV - (O2SDRDR) -- C:\Windows\System32\drivers\o2sd.sys (O2Micro )
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (Agere Systems)
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\System32\drivers\AtiPcie.sys (ATI Technologies Inc.)
DRV - (WSVD) -- C:\Windows\System32\drivers\WSVD.sys (Wasay)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Restore = [You must be registered and logged in to see this link.]
IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\musicmatt_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0





O1 HOSTS File: ([2011/04/12 23:26:27 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (no name) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - No CLSID value found.
O2 - BHO: (Freecorder Toolbar) - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files\freecordertoolbar\vmntemplateX.dll ()
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O2 - BHO: (no name) - {E33CF602-D945-461A-83F0-819F76A199F8} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files\freecordertoolbar\vmntemplateX.dll ()
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\musicmatt_ON_C\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\musicmatt_ON_C\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe (Leader Technologies Inc.)
O4 - HKLM..\Run: [lxdeamon] C:\Program Files\Lexmark 4800 Series\lxdeamon.exe ()
O4 - HKLM..\Run: [lxdemon.exe] C:\Program Files\Lexmark 4800 Series\lxdemon.exe ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKU\musicmatt_ON_C..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - Startup: Error locating startup folders.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\musicmatt_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_25)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 205.152.128.23 205.152.37.23
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/30 23:13:23 | 000,000,000 | --SD | C] -- C:\nchost26863n
[2011/06/30 22:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/30 18:38:58 | 000,000,000 | --SD | C] -- C:\nchost22291n
[2011/06/30 14:34:33 | 000,000,000 | --SD | C] -- C:\nchost3682n
[2011/06/30 14:20:31 | 000,000,000 | --SD | C] -- C:\nchost17059n
[2011/06/30 14:19:58 | 000,000,000 | --SD | C] -- C:\nchost
[2011/06/30 14:09:25 | 004,130,198 | R--- | C] (Swearware) -- C:\Users\musicmatt\Desktop\nchost.exe
[2011/06/30 13:54:31 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/06/30 13:54:31 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/06/30 13:54:31 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/06/30 13:54:26 | 000,000,000 | --SD | C] -- C:\Commy8405C
[2011/06/30 13:53:57 | 000,000,000 | --SD | C] -- C:\Commy31465C
[2011/06/30 13:53:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/30 13:53:11 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/06/29 22:42:22 | 000,000,000 | --SD | C] -- C:\Commy
[2011/06/29 04:11:19 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\f-secure
[2011/06/29 04:10:39 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2011/06/29 04:08:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/06/29 03:20:26 | 000,000,000 | ---D | C] -- C:\Windows\TempBC33A0E8-0AC2-22D1-303C-C46234BCB4E2-Signatures
[2011/06/29 03:19:24 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/29 02:57:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2011/06/29 02:56:58 | 000,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2011/06/29 02:56:57 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
[2011/06/29 02:56:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2011/06/29 02:49:00 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/29 02:49:00 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/29 02:45:03 | 000,015,872 | ---- | C] (VIA Technologies) -- C:\Windows\System32\drivers\1206856434.sys
[2011/06/29 01:47:48 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/06/28 17:58:32 | 000,132,560 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3HTUI5.dll
[2011/06/28 17:58:30 | 000,546,256 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZComp5.dll
[2011/06/28 17:58:30 | 000,456,144 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZBase5.dll
[2011/06/28 17:58:30 | 000,398,800 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3DBA5.dll
[2011/06/28 17:58:30 | 000,028,624 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3XDat5.dll
[2011/06/28 17:58:30 | 000,022,992 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZIO5.dll
[2011/06/28 17:58:28 | 000,390,608 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3UI5.dll
[2011/06/28 17:58:28 | 000,230,864 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Win325.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Svc5.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Inet5.dll
[2011/06/28 17:58:28 | 000,067,024 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Hks5.dll
[2011/06/28 17:58:26 | 000,738,768 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Base5.dll
[2011/06/24 02:23:41 | 000,000,000 | ---D | C] -- C:\Program Files\WXWarning
[2011/06/24 02:23:20 | 000,000,000 | ---D | C] -- C:\Program Files\WXSpots
[2011/06/22 21:28:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java(7)
[2011/06/22 21:27:30 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/22 21:27:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/22 21:27:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/22 20:30:37 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\Desktop\camera
[2011/06/22 01:03:24 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Weather Defender
[2011/06/20 15:40:59 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\FileZilla
[2011/06/20 15:40:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
[2011/06/20 15:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2011/06/20 15:38:31 | 000,000,000 | ---D | C] -- C:\Program Files\Scanner Recorder
[2011/06/18 23:22:23 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Local\Apple Computer
[2011/06/18 23:22:11 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Apple Computer
[2011/06/18 11:58:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/18 03:07:17 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/18 03:07:15 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/06/18 03:07:14 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/06/18 03:07:14 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/06/16 23:25:08 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Interbank FX Trader 4
[2011/06/16 23:24:51 | 000,000,000 | ---D | C] -- C:\InterbankFX_1-Click
[2011/06/15 20:12:51 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\SpotterNetwork
[2011/06/15 20:07:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spotter Network
[2011/06/15 20:07:48 | 001,355,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvbvm50.dll
[2011/06/15 20:07:48 | 000,132,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Msinet.ocx
[2011/06/15 20:07:42 | 000,368,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbar332.dll
[2011/06/15 20:07:42 | 000,000,000 | ---D | C] -- C:\Program Files\SpotterNetwork
[2011/06/15 20:07:41 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.005
[2011/06/15 20:07:40 | 001,376,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.004
[2011/06/15 20:07:40 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.003
[2011/06/15 20:07:39 | 000,569,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.000
[2011/06/15 20:07:39 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.001
[2011/06/15 20:07:39 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.002
[2011/06/15 01:02:57 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/06/15 01:02:52 | 000,000,000 | ---D | C] -- C:\Program Files\TweetDeck
[2011/06/09 14:37:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/06/09 14:37:32 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/06/09 14:37:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2011/06/05 12:01:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[2011/04/01 15:25:51 | 000,434,176 | ---- | C] ( ) -- C:\Windows\System32\lxdehcp.dll
[2011/01/16 16:17:52 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2007/05/29 12:08:10 | 000,320,432 | ---- | C] ( ) -- C:\Windows\System32\lxdeih.exe
[2007/05/29 12:07:58 | 000,598,960 | ---- | C] ( ) -- C:\Windows\System32\lxdecoms.exe
[2007/05/29 12:07:48 | 000,365,488 | ---- | C] ( ) -- C:\Windows\System32\lxdecfg.exe
[2007/05/17 17:08:58 | 000,647,168 | ---- | C] ( ) -- C:\Windows\System32\lxdepmui.dll
[2007/05/17 17:06:40 | 001,200,128 | ---- | C] ( ) -- C:\Windows\System32\lxdeserv.dll
[2007/05/17 17:00:32 | 000,565,248 | ---- | C] ( ) -- C:\Windows\System32\lxdelmpm.dll
[2007/05/17 17:00:32 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdecomm.dll
[2007/05/17 17:00:32 | 000,356,352 | ---- | C] ( ) -- C:\Windows\System32\lxdeinpa.dll
[2007/05/17 16:59:34 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdehbn3.dll
[2007/05/17 16:57:52 | 000,950,272 | ---- | C] ( ) -- C:\Windows\System32\lxdeusb1.dll
[2007/05/17 16:56:56 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxdecomc.dll
[2007/05/17 16:52:56 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdeiesc.dll
[2007/05/17 16:51:30 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdeprox.dll
[6 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/01 05:11:30 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/01 05:11:30 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/01 05:11:23 | 000,067,584 | ---- | M] () -- C:\Windows\bootstat.dat
[2011/07/01 04:56:59 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/01 04:12:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003UA.job
[2011/06/30 23:35:09 | 000,656,214 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/30 23:35:09 | 000,123,536 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/30 23:30:11 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/30 23:30:00 | 1877,065,728 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/30 21:12:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003Core.job
[2011/06/30 14:20:14 | 004,130,198 | R--- | M] (Swearware) -- C:\Users\musicmatt\Desktop\nchost.exe
[2011/06/30 01:15:51 | 000,302,592 | ---- | M] () -- C:\Users\musicmatt\Desktop\so44z52z.exe
[2011/06/29 22:55:57 | 205,789,499 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/06/29 17:15:30 | 000,000,072 | ---- | M] () -- C:\Users\musicmatt\Desktop\gwrra.sc.t.url
[2011/06/29 17:14:36 | 000,000,072 | ---- | M] () -- C:\Users\musicmatt\Desktop\kf4nxs.url
[2011/06/29 17:13:34 | 000,000,078 | ---- | M] () -- C:\Users\musicmatt\Desktop\whenpigsflypro.url
[2011/06/29 13:21:06 | 000,002,713 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LTCM Client.lnk
[2011/06/29 04:08:28 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/06/29 03:30:55 | 000,002,198 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/06/29 03:27:36 | 000,001,772 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/06/29 03:19:24 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/29 03:18:33 | 000,395,608 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/29 02:57:04 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2011/06/29 02:45:03 | 000,015,872 | ---- | M] (VIA Technologies) -- C:\Windows\System32\drivers\1206856434.sys
[2011/06/29 01:47:50 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011/06/28 17:58:32 | 000,132,560 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3HTUI5.dll
[2011/06/28 17:58:30 | 000,546,256 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZComp5.dll
[2011/06/28 17:58:30 | 000,456,144 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZBase5.dll
[2011/06/28 17:58:30 | 000,398,800 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3DBA5.dll
[2011/06/28 17:58:30 | 000,028,624 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3XDat5.dll
[2011/06/28 17:58:30 | 000,022,992 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZIO5.dll
[2011/06/28 17:58:28 | 000,390,608 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3UI5.dll
[2011/06/28 17:58:28 | 000,230,864 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Win325.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Svc5.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Inet5.dll
[2011/06/28 17:58:28 | 000,067,024 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Hks5.dll
[2011/06/28 17:58:26 | 000,738,768 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Base5.dll
[2011/06/27 00:48:42 | 000,000,894 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/26 21:44:14 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GRLevelX
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe
[2011/06/21 03:07:50 | 000,000,196 | ---- | M] () -- C:\Windows\System32\~.inf
[2011/06/21 03:07:22 | 004,212,452 | ---- | M] () -- C:\Users\musicmatt\Desktop\United_States_Frequency_Allocations_Chart_2003_-_The_Radio_Spectrum.jpg
[2011/06/20 15:40:43 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
[2011/06/20 15:38:31 | 000,001,888 | ---- | M] () -- C:\Users\Public\Desktop\Scanner Recorder.lnk
[2011/06/20 15:38:31 | 000,001,888 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Scanner Recorder.lnk
[2011/06/18 11:58:36 | 000,001,804 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/16 23:25:09 | 000,001,499 | ---- | M] () -- C:\Users\musicmatt\Desktop\Interbank FX Trader 4.lnk
[2011/06/16 15:37:26 | 000,000,066 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chasing the Southeast.url
[2011/06/15 20:08:02 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spotter Network
[2011/06/15 20:07:56 | 000,001,620 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Spotter Network.lnk
[2011/06/15 01:02:53 | 000,000,738 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweetDeck.lnk
[2011/06/15 01:02:53 | 000,000,726 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TweetDeck.lnk
[2011/06/12 05:46:03 | 000,001,356 | ---- | M] () -- C:\Users\musicmatt\AppData\Local\d3d9caps.dat
[2011/06/09 14:37:54 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/06/06 18:11:35 | 000,000,258 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/06/05 12:01:00 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[6 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/30 13:54:31 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/30 13:54:31 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/06/30 13:54:31 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/06/30 13:54:31 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/06/30 13:54:31 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/30 01:17:12 | 000,302,592 | ---- | C] () -- C:\Users\musicmatt\Desktop\so44z52z.exe
[2011/06/29 23:06:55 | 1877,065,728 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/29 22:55:57 | 205,789,499 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/06/29 17:15:30 | 000,000,072 | ---- | C] () -- C:\Users\musicmatt\Desktop\gwrra.sc.t.url
[2011/06/29 17:14:18 | 000,000,072 | ---- | C] () -- C:\Users\musicmatt\Desktop\kf4nxs.url
[2011/06/29 17:13:34 | 000,000,078 | ---- | C] () -- C:\Users\musicmatt\Desktop\whenpigsflypro.url
[2011/06/29 03:27:36 | 000,001,772 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/06/21 03:08:03 | 004,212,452 | ---- | C] () -- C:\Users\musicmatt\Desktop\United_States_Frequency_Allocations_Chart_2003_-_The_Radio_Spectrum.jpg
[2011/06/20 15:38:31 | 000,001,888 | ---- | C] () -- C:\Users\Public\Desktop\Scanner Recorder.lnk
[2011/06/20 15:38:31 | 000,001,888 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Scanner Recorder.lnk
[2011/06/18 11:58:36 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/17 07:11:35 | 000,075,264 | ---- | C] () -- C:\Windows\System32\drivers\dfsc.sys
[2011/06/16 23:25:09 | 000,001,499 | ---- | C] () -- C:\Users\musicmatt\Desktop\Interbank FX Trader 4.lnk
[2011/06/16 14:41:49 | 000,000,066 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chasing the Southeast.url
[2011/06/15 20:07:56 | 000,001,620 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Spotter Network.lnk
[2011/06/15 01:02:53 | 000,000,738 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweetDeck.lnk
[2011/06/15 01:02:53 | 000,000,726 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TweetDeck.lnk
[2011/06/06 18:11:35 | 000,000,258 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/05/06 14:00:10 | 000,246,094 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\census.cache
[2011/05/06 13:59:50 | 000,182,006 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\ars.cache
[2011/05/06 13:48:06 | 000,000,036 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\housecall.guid.cache
[2011/04/24 15:15:00 | 000,098,816 | ---- | C] () -- C:\Windows\System32\FGWVB32.DLL
[2011/04/01 15:25:51 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdeinst.dll
[2011/03/29 20:45:53 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2011/03/29 19:33:19 | 000,580,096 | ---- | C] () -- C:\Windows\System32\lame.exe
[2011/03/29 19:33:19 | 000,496,640 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2011/03/29 19:33:19 | 000,307,200 | ---- | C] () -- C:\Windows\System32\Mp3Ctrl.dll
[2011/03/29 19:33:19 | 000,131,176 | ---- | C] () -- C:\Windows\System32\mp3gain.exe
[2011/03/29 19:33:19 | 000,086,016 | ---- | C] () -- C:\Windows\System32\akrip32.dll
[2011/03/29 16:56:23 | 000,000,047 | ---- | C] () -- C:\Windows\WinInit.Ini
[2011/03/29 16:24:12 | 000,000,416 | ---- | C] () -- C:\ProgramData\lxde
[2011/03/13 23:05:38 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011/01/21 04:51:26 | 000,001,356 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\d3d9caps.dat
[2011/01/19 04:43:58 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/19 04:43:57 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/01/18 02:15:50 | 000,669,002 | ---- | C] () -- C:\Windows\unins000.exe
[2011/01/18 02:15:50 | 000,001,103 | ---- | C] () -- C:\Windows\unins000.dat
[2011/01/17 22:23:02 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/01/17 02:56:42 | 000,000,000 | ---- | C] () -- C:\Windows\PROTOCOL.INI
[2011/01/16 23:26:26 | 000,027,648 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/16 23:15:44 | 000,036,864 | ---- | C] () -- C:\Windows\System32\lxf3oem.dll
[2011/01/16 23:15:44 | 000,012,288 | ---- | C] () -- C:\Windows\System32\LXF3PMRC.DLL
[2011/01/16 18:44:22 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2011/01/16 18:44:22 | 000,168,886 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011/01/16 18:44:22 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011/01/16 18:44:22 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
[2011/01/16 17:51:11 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/01/16 17:12:37 | 000,115,267 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2011/01/16 17:12:36 | 000,097,859 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2011/01/16 16:17:52 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2011/01/16 16:17:04 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2011/01/16 16:16:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2009/09/09 19:01:40 | 000,027,675 | ---- | C] () -- C:\Windows\System32\drivers\klopp.dat
[2008/03/30 02:41:02 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008/03/29 23:28:22 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/03/29 23:28:06 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2008/03/29 23:28:06 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2008/03/29 23:28:05 | 000,000,040 | ---- | C] () -- C:\Windows\Prelaunch.ini
[2008/03/29 22:51:04 | 000,001,132 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2008/03/29 22:51:04 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\RtkHDAud.dat
[2007/05/28 01:02:38 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdegrd.dll
[2007/05/24 16:24:26 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdedrs.dll
[2007/05/22 10:09:42 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxdecaps.dll
[2007/05/03 18:50:10 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdecoin.dll
[2007/04/17 10:17:06 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdecnv4.dll
[2006/11/02 08:57:28 | 000,067,584 | ---- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,395,608 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,656,214 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,123,536 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/08/01 04:53:18 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdevs.dll
[2001/12/26 18:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 01:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 18:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 00:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2011/06/29 01:15:37 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\.purple
[2011/01/16 16:21:59 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Acer
[2011/03/05 21:12:14 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Audacity
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\BitTorrent
[2011/05/06 00:07:35 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\DriverCure
[2011/06/29 04:11:19 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\f-secure
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\FileZilla
[2011/04/22 18:53:39 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\GetRightToGo
[2011/06/27 15:00:46 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\GRLevel3
[2011/06/16 22:09:08 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\gtk-2.0
[2011/01/16 16:21:58 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Leadertech
[2011/03/13 23:20:33 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Leawo
[2011/04/25 19:44:24 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Lexmark Productivity Studio
[2011/03/13 23:20:37 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Moyea
[2011/01/18 03:31:26 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\OpenOffice.org
[2011/05/06 00:07:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\ParetoLogic
[2011/01/16 22:08:06 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\PCDJ
[2011/01/16 21:21:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Shareaza
[2011/05/10 18:19:09 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Sony
[2011/05/10 17:51:02 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Sony Setup
[2011/06/24 02:33:23 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\SpotterNetwork
[2011/04/12 14:47:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\SumatraPDF
[2011/04/27 12:38:04 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\TeamViewer
[2011/04/08 10:40:13 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Tether
[2011/06/15 01:02:57 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/05/06 02:00:49 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Uniblue
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\uTorrent
[2011/06/24 02:18:26 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Weather Defender
[2011/05/05 11:59:36 | 000,000,000 | ---D | M] -- C:\ProgramData\Alwil Software
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2011/04/24 21:53:37 | 000,000,000 | ---D | M] -- C:\ProgramData\Digital Entertainer
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2011/06/29 04:10:39 | 000,000,000 | ---D | M] -- C:\ProgramData\F-Secure
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2011/03/13 23:07:48 | 000,000,000 | ---D | M] -- C:\ProgramData\Leawo
[2011/05/09 12:36:59 | 000,000,000 | ---D | M] -- C:\ProgramData\Lx_cats
[2011/01/17 15:07:30 | 000,000,000 | ---D | M] -- C:\ProgramData\musicmatt
[2011/05/06 00:50:26 | 000,000,000 | ---D | M] -- C:\ProgramData\ParetoLogic
[2011/01/16 22:08:03 | 000,000,000 | ---D | M] -- C:\ProgramData\PCDJ
[2011/05/10 18:19:09 | 000,000,000 | ---D | M] -- C:\ProgramData\Sony
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2011/06/29 03:03:48 | 000,000,000 | ---D | M] -- C:\ProgramData\STOPzilla!
[2011/06/27 15:00:46 | 000,000,000 | ---D | M] -- C:\ProgramData\TEMP
[2006/11/02 09:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2011/05/06 02:00:53 | 000,000,000 | ---D | M] -- C:\ProgramData\Uniblue
[2008/03/29 23:11:48 | 000,000,000 | ---D | M] -- C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2011/07/01 05:11:11 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: AGRSMSVC.EXE >
[2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) MD5=39E435C90C9C4F780FA0ED05CA3C3A1B -- C:\Windows\System32\DriverStore\FileRepository\agrmdv32.inf_0ddf652a\agrsmsvc.exe
[2006/10/05 16:10:12 | 000,011,264 | ---- | M] (Agere Systems) MD5=D094FF2360F0F6937E8D162AA98A6B4C -- C:\Windows\System32\agrsmsvc.exe

< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: ATI2EVXX.EXE >
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=05D9E2AF577D85F089C55780CDC41EE3 -- C:\Windows\System32\Ati2evxx.exe
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=B886D349AFAD502DE4F6EA0C64B1CC4D -- C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe

< MD5 for: DFSC.SYS >
[2009/04/11 00:14:12 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=218D8AE46C88E82014F5D73D0236D9B2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys
[2011/04/14 10:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
[2008/01/20 22:24:55 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=9E635AE5E8AD93E2B5989E2E23679F97 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18000_none_879a2ddde61be4de\dfsc.sys
[2011/04/14 10:24:14 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=A3E9FA213F443AC77C7746119D13FEEC -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18633_none_877cca5be63173a0\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\System32\drivers\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys
[2011/04/13 09:22:40 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=E20FB30D720810646ED24FB7CA9899A2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys

< MD5 for: LXDECOMS.EXE >
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=1A195D6B59A4F79C6B182C3B4A81535A -- C:\Windows\System32\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\config\systemprofile\{4a452778-f0bb-4a38-940c-1cc99117d899}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\config\systemprofile\{f48ced33-c68e-430f-80ed-9a2ea4ef228f}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\spool\drivers\w32x86\{2C4DFD08-EF95-4C6A-9F2A-885FB012BA44}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\spool\drivers\w32x86\{E94154B4-8774-497D-9EEC-81A38EA9F76A}\i386\lxdecoms.exe

< MD5 for: NDIS.SYS >
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\ERDNT\cache\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\System32\drivers\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864\ndis.sys
[2008/01/20 22:23:50 | 000,529,464 | ---- | M] (Microsoft Corporation) MD5=9BDC71790FA08F0A0B5F10462B1BD0B1 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys

< MD5 for: USERINIT.EXE >
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 22:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 85 bytes -> C:\ProgramData\Application Data:$SS_DESCRIPTOR_1VPTV9VVMVFBVLVHKV6FYJ6VDVPMF7LBWK96HUTVVVVKVVBVLVV5
@Alternate Data Stream - 85 bytes -> C:\ProgramData:$SS_DESCRIPTOR_1VPTV9VVMVFBVLVHKV6FYJ6VDVPMF7LBWK96HUTVVVVKVVBVLVV5
@Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:53829683
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:B63300D1
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:8331D35A
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:EBC2DB92
< End of report >

kf4nxs

Newbie Surfer

Posts : 30
Joined : 2009-09-29
Operating System : vista

bump

Post by kf4nxs on Sat 02 Jul 2011, 6:52 pm

bump

kf4nxs

Newbie Surfer

Posts : 30
Joined : 2009-09-29
Operating System : vista

Re: Nasty Virus

Post by Gabethebabe on Sun 03 Jul 2011, 2:48 am

kf4nxs wrote: bump

You don´t need to up your thread - you will not be forgotten.
I am currently enjoying the weekend with my family.
I will get back and analyze your log when I can.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Nasty Virus

Post by Gabethebabe on Sun 03 Jul 2011, 6:17 am

Well, that was an interesting log. The good news is that clean copies of all infected files are available, so we are going to replace infected files with clean files in the following step:

  • Double click OTLPE to run
  • Under the Custom Scans/Fixes box at the bottom, type or copy/paste the following:
    :files
    C:\Windows\System32\drivers\1206856434.sys
    copy "C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe" "C:\Windows\System32\lxdecoms.exe" /c
    copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" C:\Windows\System32\drivers\dfsc.sys /c
    copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys" /c
    copy "C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe" C:\Windows\System32\Ati2evxx.exe /c
    copy "C:\Windows\System32\DriverStore\FileRepository\agrmdv32.inf_0ddf652a\agrsmsvc.exe" C:\Windows\System32\agrsmsvc.exe /c


    :services
    1206856434

    :otl
    O2 - BHO: (no name) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - No CLSID value found.
    O2 - BHO: (no name) - {E33CF602-D945-461A-83F0-819F76A199F8} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
  • Then click the Run Fix button at the top (not the Run Scan!)
  • Allow it to run. If you get any error message or your computer freezes, let me know.
  • Finally, post the contents of the log (located at C:\_OTL\Moved Files)


====================

A good idea may be to copy the script text and paste it into a text file and take that to your infected computer running the REATOGO-X-PE Windows environment with a USB disk and paste it into the OTLPE custom fixes field.

If you have such a USB stick, it is also a good idea to do this:

Please download MBRCheck by a_d_13 from either of the following mirrors and save it to the USB stick
  • Mirror #1
  • Mirror #2
  • Mirror #3

Take that USB drive to the infected computer running the REATOGO-X-PE environment and run mbrcheck. Post the log back here.

====================

There is another infected file we have not dealt with yet. With the following step I want to find clean backup copies.
  • Run OTLPE
  • Answer Yes and OK to all prompts
  • Ensure the option Automatically Load All Remaining Users is checked
  • OTL should now start. Set the option Drivers to Non-Microsoft
  • Copy and paste the following text into the Custom Scans/Fixes field:
    /md5start
    atapi.sys
    iastor.sys
    ndis.sys
    userinit.exe
    winlogon.exe
    dfsc.sys
    agrsmsvc.exe
    Ati2evxx.exe
    lxdecoms.exe
    mscorsvw.exe
    /md5stop
  • Click Run Scan to start the scan
  • When finished, a log file C:\OTL.txt will be created
  • Please post the contents of the file in your next reply

====================

These are some complicated scripts we are running. I hope I made no error in the scripts, so we will verify all carefully before booting your computer in a normal way.

Let me know how that all went.


Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS
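The reasoning behind the /md5start scan and the copy-from-winsxs fix above (compare every copy of a file against the reference copies Windows keeps, replace the odd one out) can be automated. The following Python is an added example, not code from this thread or from OTL; the sample log is constructed from the dfsc.sys, Ati2evxx.exe and winlogon.exe entries of the posted log, and the repository folder list and the tie-break rule for choosing a replacement are assumptions of the example.

```python
"""Triage the "< MD5 for: NAME >" blocks of an OTL log.

Added example, not code from the thread or from OTL. A copy is suspect when
its version info is blank while other copies carry a company name, or when a
live copy's MD5 matches no reference copy that carries a company name.
"""
import re
from collections import Counter, defaultdict

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| [^|]+ \| M\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Folders Windows uses for reference copies (assumed list); anything else is "live".
REPOSITORY_MARKERS = ("\\winsxs\\", "\\driverstore\\", "\\erdnt\\",
                      "\\spool\\drivers\\", "\\config\\systemprofile\\")

# Constructed sample: the dfsc.sys and Ati2evxx.exe blocks and three of the
# winlogon.exe lines from the log posted in this thread.
SAMPLE_LOG = r"""
< MD5 for: DFSC.SYS >
[2009/04/11 00:14:12 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=218D8AE46C88E82014F5D73D0236D9B2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys
[2011/04/14 10:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
[2008/01/20 22:24:55 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=9E635AE5E8AD93E2B5989E2E23679F97 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18000_none_879a2ddde61be4de\dfsc.sys
[2011/04/14 10:24:14 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=A3E9FA213F443AC77C7746119D13FEEC -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18633_none_877cca5be63173a0\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\System32\drivers\dfsc.sys
[2011/04/14 10:59:03 | 000,075,264 | ---- | M] () MD5=BE3E3DC3A2C04A0F2D2BF98B34F4B94C -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys
[2011/04/13 09:22:40 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=E20FB30D720810646ED24FB7CA9899A2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys
< MD5 for: ATI2EVXX.EXE >
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=05D9E2AF577D85F089C55780CDC41EE3 -- C:\Windows\System32\Ati2evxx.exe
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=B886D349AFAD502DE4F6EA0C64B1CC4D -- C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe
< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
"""


def parse_md5_blocks(log_text):
    """Return {filename_lower: [entry, ...]} for every MD5 block in the log."""
    blocks = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            e = entry.groupdict()
            e["company"] = e["company"].strip()
            e["size"] = int(e["size"].replace(",", ""))
            e["live"] = not any(m in e["path"].lower() for m in REPOSITORY_MARKERS)
            blocks[current].append(e)
    return dict(blocks)


def assess(entries):
    """Return {"suspects": [...], "candidate": entry or None} for one file.

    The candidate is the reference copy whose hash is shared by the most
    reference copies; ties go to the newest modification date (assumed rule).
    A mismatch is a lead, not a verdict: a hotfix can leave a live copy that
    matches nothing in winsxs, and malware can keep the version resource
    intact, so verify the candidate's hash before restoring from it.
    """
    trusted = [e for e in entries if not e["live"] and e["company"]]
    trusted_hashes = Counter(e["md5"] for e in trusted)
    any_company = any(e["company"] for e in entries)
    suspects = []
    for e in entries:
        blank_version = any_company and not e["company"]
        unknown_hash = e["live"] and e["md5"] not in trusted_hashes
        if blank_version or unknown_hash:
            suspects.append(e)
    candidate = None
    if trusted:
        candidate = max(trusted, key=lambda e: (trusted_hashes[e["md5"]], e["date"]))
    return {"suspects": suspects, "candidate": candidate}


if __name__ == "__main__":
    for name, entries in parse_md5_blocks(SAMPLE_LOG).items():
        result = assess(entries)
        for s in result["suspects"]:
            print(f"{name}: suspect {s['path']} (MD5={s['md5']}, company='{s['company']}')")
        if result["suspects"] and result["candidate"]:
            print(f"{name}: restore from {result['candidate']['path']}")
```

On the sample it flags both blank-company dfsc.sys copies and the live Ati2evxx.exe, proposes the 6.0.6002.22625 winsxs dfsc.sys and the DriverStore Ati2evxx.exe as sources, and leaves winlogon.exe alone, which is the same conclusion the fix script above reaches.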

some errors

Post by kf4nxs on Mon 04 Jul 2011, 6:22 pm

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
========== SERVICES/DRIVERS ==========
Service\Driver key 1206856434 not found.
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E33CF602-D945-461A-83F0-819F76A199F8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E33CF602-D945-461A-83F0-819F76A199F8}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.

OTLPE by OldTimer - Version 3.1.46.0 log created on 07042011_040121

kf4nxs

Newbie Surfer

Posts : 30
Joined : 2009-09-29
Operating System : vista



Re: Nasty Virus

Post by Gabethebabe on Mon 04 Jul 2011, 7:50 pm

hmmm ... something went wrong with that script.
We'll do it in another way.

Create a text file with the name fix.bat with the following content:

Code:
copy "C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe" "C:\Windows\System32\lxdecoms.exe"
copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" C:\Windows\System32\drivers\dfsc.sys
copy "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys" "C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys"
copy "C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe" C:\Windows\System32\Ati2evxx.exe
copy "C:\Windows\System32\DriverStore\FileRepository\agrmdv32.inf_0ddf652a\agrsmsvc.exe" C:\Windows\System32\agrsmsvc.exe
pause
(Note that there should be six lines in this script, 5 starting with the word "copy" and one with pause)

You can create fix.bat on another computer and transfer it to the problem computer with a USB disk, for example.

Run fix.bat in the REATOGO-X-PE environment by double-clicking it. It should show 5 successful copies and no error messages.

After that follow the second and third instruction of my previous post, please.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS


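The /md5start scan in the earlier post and the fix.bat above rest on one idea: hash the live copy of a system file and compare it with the copies Windows keeps in winsxs and the DriverStore, then replace a mismatching live copy from a backup that agrees. This added Python example (not OTL's or the helper's own code; the file names come from the thread, the directory names under winsxs and DriverStore are constructed placeholders) automates that comparison on a constructed sample tree.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Live location of each watched file, relative to the Windows volume root.
# Names come from the thread; the layout mirrors System32, winsxs and
# DriverStore, which is where the helper's fix.bat pulled replacements from.
LIVE_DIR = {
    "dfsc.sys": os.path.join("Windows", "System32", "drivers"),
    "lxdecoms.exe": os.path.join("Windows", "System32"),
    "agrsmsvc.exe": os.path.join("Windows", "System32"),
}


def file_md5(path, chunk=1 << 16):
    """MD5 of a file, read in chunks (the digest OTL's /md5start reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names):
    """Map each watched name to every (path, md5) copy found under root."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                found[fn.lower()].append((path, file_md5(path)))
    return found


def classify(live, backups):
    """Compare the live copy against backup copies.

    Returns (verdict, live_md5, clean_sources):
      missing     - no live copy at all
      no-backup   - nothing to compare against (hash it on a clean machine)
      consistent  - at least one backup has the same hash as the live copy
      suspect     - every backup disagrees with the live copy; the backups
                    are candidate replacements. Check their version first:
                    winsxs may hold several legitimate versions of one file,
                    so a hash mismatch alone does not prove tampering.
    """
    if not live:
        return ("missing", None, [])
    live_md5 = live[0][1]
    if not backups:
        return ("no-backup", live_md5, [])
    same = [p for p, d in backups if d == live_md5]
    if same:
        return ("consistent", live_md5, same)
    return ("suspect", live_md5, [p for p, _ in backups])


def audit(root):
    """Run the comparison for every watched file under root."""
    found = find_copies(root, LIVE_DIR)
    results = {}
    for name, rel in LIVE_DIR.items():
        live_dir = os.path.normcase(os.path.join(root, rel))
        copies = found.get(name, [])
        live = [c for c in copies
                if os.path.normcase(os.path.dirname(c[0])) == live_dir]
        backups = [c for c in copies if c not in live]
        results[name] = classify(live, backups)
    return results


def build_demo_tree():
    """Constructed sample volume: a patched dfsc.sys beside two clean copies."""
    root = tempfile.mkdtemp(prefix="md5audit_")
    clean_dfsc = b"MZ" + b"clean dfsc.sys image" * 20
    patched_dfsc = clean_dfsc[:-8] + b"\x90" * 8   # constructed: tail overwritten
    lxdecoms = b"MZ" + b"lxdecoms.exe image" * 20
    agrsmsvc = b"MZ" + b"agrsmsvc.exe image" * 20
    sample = {
        os.path.join("Windows", "System32", "drivers", "dfsc.sys"): patched_dfsc,
        os.path.join("Windows", "winsxs", "dfsclient_versionA", "dfsc.sys"): clean_dfsc,
        os.path.join("Windows", "winsxs", "dfsclient_versionB", "dfsc.sys"): clean_dfsc,
        os.path.join("Windows", "System32", "lxdecoms.exe"): lxdecoms,
        os.path.join("Windows", "System32", "DriverStore", "FileRepository",
                     "lxdeprc_placeholder", "i386", "lxdecoms.exe"): lxdecoms,
        os.path.join("Windows", "System32", "agrsmsvc.exe"): agrsmsvc,
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for name, (verdict, md5, sources) in audit(build_demo_tree()).items():
        print(f"{name:14} {verdict:11} live md5={md5}")
        for src in sources:
            print(f"{'':14} {'<-':11} {src}")
```

Run it against a mounted offline volume by pointing audit() at its root; on the sample tree it reports dfsc.sys as suspect with both winsxs copies as replacement candidates, lxdecoms.exe as consistent with its DriverStore copy, and agrsmsvc.exe as having no backup to compare.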

mbr log forgot to otle log

Post by kf4nxs on Tue 05 Jul 2011, 4:52 am

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: (build 2600)
Logical Drives Mask: 0x0080001e

Kernel Drivers (total 79):
0x80400000 \i386\system32\ntoskrnl.exe
0x80615000 \i386\system32\halaacpi.dll
0xF7987000 \i386\system32\KDCOM.DLL
0xF7897000 \i386\system32\BOOTVID.dll
0xF73EC000 setupdd.sys
0xF7A4F000 \i386\system32\drivers\SPDDLANG.SYS
0xF73DB000 pci.sys
0xF73AD000 acpi.sys
0xF7989000 \i386\system32\drivers\WMILIB.SYS
0xF7487000 isapnp.sys
0xF789B000 acpiec.sys
0xF7A50000 \i386\system32\drivers\OPRGHDLR.SYS
0xF7497000 ohci1394.sys
0xF74A7000 \i386\system32\drivers\1394BUS.SYS
0xF738F000 pcmcia.sys
0xF7707000 \i386\system32\drivers\PCIIDEX.SYS
0xF74B7000 mountmgr.sys
0xF7370000 ftdisk.sys
0xF7717000 partmgr.sys
0xF7993000 dmload.sys
0xF734A000 dmio.sys
0xF74E7000 \i386\system32\drivers\CLASSPNP.SYS
0xF7A53000 amdide1.SY_
0xF7727000 usbehci.sys
0xF72F0000 \i386\system32\drivers\USBPORT.SYS
0xF772F000 usbohci.sys
0xF7507000 usbhub.sys
0xF7997000 \i386\system32\drivers\USBD.SYS
0xF7747000 \i386\system32\drivers\HIDPARSE.SYS
0xF7537000 i8042prt.sys
0xF7757000 kbdclass.sys
0xF775F000 mouclass.sys
0xF72D8000 SCSIPORT.SYS
0xF72C0000 atapi.sys
0xF78C7000 VMSCSI.SY_
0xF77BF000 VIAPDSK.SY_
0xF7193000 viamraid.SY_
0xF712C000 SISRAID4.SY_
0xF77C7000 SISRAID2.SY_
0xF6893000 ahci6xx.SY_
0xF614C000 dmboot.sys
0xF720B000 cdrom.sys
0xF71FB000 disk.sys
0xF6135000 ksecdd.sys
0xF6112000 fastfat.sys
0xF6085000 ntfs.sys
0xF71EB000 cdfs.sys
0xF6058000 ndis.sys
0xF603D000 mup.sys
0xF7A62000 \SystemRoot\System32\drivers\audstub.sys
0xF799F000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF6863000 \SystemRoot\System32\Drivers\Modem.SYS
0xF79A3000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF5E71000 \SystemRoot\System32\DRIVERS\ks.sys
0xF797B000 \SystemRoot\system32\drivers\ramdriv.sys
0xF7837000 \SystemRoot\System32\drivers\vga.sys
0xBAFEC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xBAFBB000 \SystemRoot\System32\Drivers\Udfs.SYS
0xF6019000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF7A7D000 \SystemRoot\System32\Drivers\Null.SYS
0xF7767000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7777000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBAFA8000 \SystemRoot\System32\drivers\ipsec.sys
0xF79A7000 \SystemRoot\System32\Drivers\Beep.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF778F000 \SystemRoot\System32\watchdog.sys
0xF5FCC000 \SystemRoot\System32\drivers\Dxapi.sys
0xBF9C1000 \SystemRoot\System32\drivers\dxg.sys
0xF7ACF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xF76C7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF771F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBAAB4000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBAA45000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA9ED000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA9CB000 \SystemRoot\system32\drivers\afd.sys
0xBA9A3000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF784F000 \SystemRoot\System32\drivers\usbstor.sys
0x7C900000 \I386\SYSTEM32\NTDLL.DLL

Processes (total 14):
0 System Idle Process
4 System
212 X:\I386\SYSTEM32\CSRSS.EXE
272 X:\I386\SYSTEM32\SERVICES.EXE
284 X:\I386\SYSTEM32\LSASS.EXE
400 X:\I386\SYSTEM32\SVCHOST.EXE
432 X:\I386\SYSTEM32\REATOGOLOGON.EXE
484 X:\I386\SYSTEM32\SVCHOST.EXE
1496 X:\I386\SYSTEM32\SVCHOST.EXE
1672 X:\I386\SYSTEM32\SVCHOST.EXE
1804 X:\PROGRAMS\wbload\wbload.exe
1936 X:\I386\SYSTEM32\SVCHOST.EXE
1988 X:\I386\EXPLORER.EXE
236 E:\MBRCheck.exe

\\.\B: --> error 1
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`da600000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS542516K9SA, Rev: 1.10

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 RE: Unknown MBR code
SHA1: 75374D27B77E61C9316E27BACDEE41C1E2C9874E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

kf4nxs

Newbie Surfer

Posts : 30
Joined : 2009-09-29
Operating System : vista


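To make the MBRCheck output above concrete, here is an added Python example (not MBRCheck's own code) that parses a 512-byte MBR, reports each partition's byte offset on the physical drive in the log's own notation, and hashes the 440-byte boot code that the "MBR code" verdict refers to. The sample sector is constructed to match the C: and D: offsets in the log, and KNOWN_GOOD_SHA1 is an empty placeholder to be filled with digests of boot code you have verified.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # bytes 0..439: bootstrap code, the part that gets hashed
PTABLE_OFF = 446        # four 16-byte partition entries follow the disk signature
PTYPE_NAMES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
               0x05: "Extended", 0x0F: "Extended (LBA)"}

# Placeholder: fill with SHA1 digests of boot code you have verified as clean
# (a standard Windows MBR, your OEM's MBR). Empty here, so every sample is
# reported as unknown, which is how MBRCheck words code it cannot match.
KNOWN_GOOD_SHA1 = set()


def has_boot_signature(sector):
    """True when the sector is 512 bytes and ends in the 0x55AA marker."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xAA"


def parse_partition_table(sector):
    """Decode the four primary entries; returns a dict per used slot."""
    if not has_boot_signature(sector):
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA start, sector count; all little-endian
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PTYPE_NAMES.get(ptype, "unknown 0x%02x" % ptype),
            "byte_offset": lba_start * SECTOR,
            "size_bytes": lba_count * SECTOR,
        })
    return parts


def bootcode_sha1(sector):
    """SHA1 over the 440-byte bootstrap area, upper-case hex like the log."""
    return hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper()


def format_offset(n):
    """Render a byte offset as MBRCheck prints it: high`low 32-bit halves."""
    return "0x%08x`%08x" % (n >> 32, n & 0xFFFFFFFF)


def assess(sector):
    """Partition layout plus a verdict on the boot code."""
    digest = bootcode_sha1(sector)
    verdict = "Known MBR code" if digest in KNOWN_GOOD_SHA1 else "Unknown MBR code"
    return {"sha1": digest, "verdict": verdict,
            "partitions": parse_partition_table(sector)}


def _entry(bootable, ptype, lba_start, lba_count):
    chs = b"\xFE\xFF\xFF"   # CHS fields are placeholders on LBA-addressed disks
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, chs, ptype, chs,
                       lba_start, lba_count)


def build_sample_mbr(bootcode=None):
    """Constructed MBR: filler boot code and two NTFS volumes placed at the
    offsets the thread's log shows for C: and D: on PhysicalDrive0."""
    sector = bytearray(SECTOR)
    code = bootcode or (b"\xEB\xFE" + b"\x90" * (BOOTCODE_LEN - 2))  # jmp $; nops
    sector[:BOOTCODE_LEN] = code[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    c_start = 0x271100000 // SECTOR        # 0x00000002`71100000 in the log
    d_start = 0x13DA600000 // SECTOR       # 0x00000013`da600000 in the log
    disk_sectors = (160 * 10**9) // SECTOR  # constructed: 160 GB disk (~149 GiB)
    sector[PTABLE_OFF:PTABLE_OFF + 32] = (
        _entry(True, 0x07, c_start, d_start - c_start)
        + _entry(False, 0x07, d_start, disk_sectors - d_start))
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    report = assess(build_sample_mbr())
    print("SHA1:", report["sha1"], "->", report["verdict"])
    for p in report["partitions"]:
        print("slot %d %-5s at %s, %.2f GB%s" % (
            p["slot"], p["type_name"], format_offset(p["byte_offset"]),
            p["size_bytes"] / 1e9, " (bootable)" if p["bootable"] else ""))
```

To examine a real disk, read its first 512 bytes (on Windows, open the \\.\PhysicalDrive0 device as administrator; on a Linux rescue system, /dev/sda) and pass them to assess(); any change to the boot code, including a bootkit overwriting it, changes the SHA1, which is why the digest is compared against a verified list rather than judged on its own.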

otle log

Post by kf4nxs on Tue 05 Jul 2011, 5:26 am

OTL logfile created on: 7/4/2011 4:06:06 PM - Run
OTLPE by OldTimer - Version 3.1.46.0 Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 85.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.65 Gb Total Space | 28.72 Gb Free Space | 41.24% Space Free | Partition Type: NTFS
Drive E: | 69.64 Gb Total Space | 65.68 Gb Free Space | 94.32% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2011/07/02 00:42:50 | 000,588,672 | ---- | M] (Sysinternals - [You must be registered and logged in to see this link.] [On_Demand] -- C:\Users\musicmatt\AppData\Local\Temp\PRWXOUZX.exe -- (PRWXOUZX)
SRV - [2011/06/28 17:58:38 | 000,062,928 | R--- | M] () [Auto] -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe -- (szserver)
SRV - [2011/06/06 12:55:28 | 000,059,392 | ---- | M] (Adobe Systems Incorporated) [Auto] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] () [Auto] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/09/21 16:09:24 | 000,052,664 | ---- | M] () [Disabled] -- C:\Program Files\Tether\TBService.exe -- (Tether)
SRV - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/03 02:55:52 | 000,506,416 | ---- | M] (Egis Incorporated) [Disabled] -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2007/12/20 12:32:04 | 000,131,072 | ---- | M] (Acer Inc.) [Auto] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)
SRV - [2007/12/19 19:09:22 | 000,024,576 | ---- | M] () [Disabled] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007/11/27 19:54:36 | 000,112,128 | ---- | M] () [Auto] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2007/10/01 17:42:36 | 000,024,576 | ---- | M] (Acer Inc.) [Auto] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)
SRV - [2007/09/20 14:57:28 | 000,167,936 | ---- | M] (acer) [Auto] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2007/09/10 16:28:18 | 000,057,344 | ---- | M] (Acer Inc.) [Auto] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) [Auto] -- C:\Windows\System32\lxdecoms.exe -- (lxde_device)
SRV - [2007/05/29 16:06:44 | 000,099,248 | ---- | M] () [Auto] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxdeserv.exe -- (lxdeCATSCustConnectService)
SRV - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (ute3mty1)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (MEMSWEEP2)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - File not found [Kernel | Auto] -- -- (Aspi32)
DRV - [2011/06/29 04:02:44 | 000,070,144 | ---- | M] () [Kernel | On_Demand] -- C:\Users\musicmatt\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys -- (F-Secure Standalone Minifilter)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/06/09 17:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System] -- C:\Windows\System32\drivers\kl2.sys -- (kl2)
DRV - [2010/05/26 10:45:04 | 000,018,816 | ---- | M] (Sophos Plc) [Kernel | System] -- C:\Windows\System32\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2010/05/18 10:53:18 | 000,045,608 | ---- | M] (Tether) [Kernel | On_Demand] -- C:\Windows\System32\drivers\qrkis.sys -- (qrkis)
DRV - [2010/05/12 18:01:06 | 000,059,280 | R--- | M] (iS3, Inc.) [Kernel | Boot] -- C:\Windows\System32\drivers\SZKGFS.sys -- (szkgfs)
DRV - [2010/04/22 19:07:34 | 000,022,104 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System] -- C:\Windows\System32\drivers\klim6.sys -- (KLIM6)
DRV - [2009/12/07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot] -- C:\Windows\System32\drivers\SZKG.sys -- (szkg5)
DRV - [2009/12/07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot] -- C:\Windows\System32\drivers\is3srv.sys -- (is3srv)
DRV - [2009/11/02 20:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand] -- C:\Windows\System32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2008/03/10 02:58:40 | 003,533,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/07/03 11:05:20 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [2007/04/03 14:04:28 | 000,039,680 | ---- | M] (O2Micro ) [Kernel | Boot] -- C:\Windows\System32\drivers\o2media.sys -- (O2MDRDR)
DRV - [2007/04/02 20:11:08 | 000,035,712 | ---- | M] (O2Micro ) [Kernel | Boot] -- C:\Windows\System32\drivers\o2sd.sys -- (O2SDRDR)
DRV - [2007/03/09 18:56:04 | 001,163,616 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/10/30 15:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2006/09/19 17:47:04 | 000,080,744 | ---- | M] (Wasay) [Kernel | On_Demand] -- C:\Windows\System32\drivers\WSVD.sys -- (WSVD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Restore = [You must be registered and logged in to see this link.]
IE - HKU\musicmatt_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\musicmatt_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0





O1 HOSTS File: ([2011/04/12 23:26:27 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.10\bh\facemoods.dll (facemoods.com BHO)
O2 - BHO: (Freecorder Toolbar) - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files\freecordertoolbar\vmntemplateX.dll ()
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (HiTRUST)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (UrlHelper Class) - {A40DC6C5-79D0-4ca8-A185-8FF989AF1115} - C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O2 - BHO: (DealPly) - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files\DealPly\DealPlyIE.dll (DealPly)
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Freecorder Toolbar) - {70dd86e8-b5bc-4e4a-9d5c-b6234c24323c} - C:\Program Files\freecordertoolbar\vmntemplateX.dll ()
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.10\facemoodsTlbr.dll (facemoods.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\musicmatt_ON_C\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\musicmatt_ON_C\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [facemoods] C:\Program Files\facemoods.com\facemoods\1.4.17.10\facemoodssrv.exe (facemoods.com)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe (Leader Technologies Inc.)
O4 - HKLM..\Run: [lxdeamon] C:\Program Files\Lexmark 4800 Series\lxdeamon.exe ()
O4 - HKLM..\Run: [lxdemon.exe] C:\Program Files\Lexmark 4800 Series\lxdemon.exe ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKU\musicmatt_ON_C..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - Startup: Error locating startup folders.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\musicmatt_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_25)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 205.152.128.23 205.152.37.23
O20 - AppInit_DLLs: (C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll) - C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll) - C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/04 03:58:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/07/02 15:51:59 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2011/07/02 02:33:29 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/07/02 02:33:28 | 000,000,000 | ---D | C] -- C:\Program Files\facemoods.com
[2011/07/02 02:33:28 | 000,000,000 | ---D | C] -- C:\Program Files\DealPly
[2011/07/02 02:30:37 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Local\Ilivid Player
[2011/07/02 02:29:35 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
[2011/07/02 02:29:11 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
[2011/07/02 01:22:52 | 000,018,816 | ---- | C] (Sophos Plc) -- C:\Windows\System32\SAVRKBootTasks.sys
[2011/07/02 00:07:12 | 000,000,000 | --SD | C] -- C:\nchost31914n
[2011/07/02 00:06:29 | 000,000,000 | --SD | C] -- C:\nchost30408n
[2011/06/30 23:13:23 | 000,000,000 | --SD | C] -- C:\nchost26863n
[2011/06/30 22:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/30 18:38:58 | 000,000,000 | --SD | C] -- C:\nchost22291n
[2011/06/30 14:34:33 | 000,000,000 | --SD | C] -- C:\nchost3682n
[2011/06/30 14:20:31 | 000,000,000 | --SD | C] -- C:\nchost17059n
[2011/06/30 14:19:58 | 000,000,000 | --SD | C] -- C:\nchost
[2011/06/30 14:09:25 | 004,130,507 | R--- | C] (Swearware) -- C:\Users\musicmatt\Desktop\nchost.exe
[2011/06/30 13:54:31 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/06/30 13:54:31 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/06/30 13:54:31 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/06/30 13:54:26 | 000,000,000 | --SD | C] -- C:\Commy8405C
[2011/06/30 13:53:57 | 000,000,000 | --SD | C] -- C:\Commy31465C
[2011/06/30 13:53:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/30 13:53:11 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/06/29 22:42:22 | 000,000,000 | --SD | C] -- C:\Commy
[2011/06/29 04:11:19 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\f-secure
[2011/06/29 04:10:39 | 000,000,000 | ---D | C] -- C:\ProgramData\F-Secure
[2011/06/29 04:08:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/06/29 03:20:26 | 000,000,000 | ---D | C] -- C:\Windows\TempBC33A0E8-0AC2-22D1-303C-C46234BCB4E2-Signatures
[2011/06/29 03:19:24 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/29 02:57:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2011/06/29 02:56:58 | 000,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2011/06/29 02:56:57 | 000,000,000 | ---D | C] -- C:\ProgramData\STOPzilla!
[2011/06/29 02:56:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2011/06/29 02:49:00 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/29 02:49:00 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/06/29 02:45:03 | 000,015,872 | ---- | C] (VIA Technologies) -- C:\Windows\System32\drivers\1206856434.sys
[2011/06/29 01:47:48 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/06/28 17:58:32 | 000,132,560 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3HTUI5.dll
[2011/06/28 17:58:30 | 000,546,256 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZComp5.dll
[2011/06/28 17:58:30 | 000,456,144 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZBase5.dll
[2011/06/28 17:58:30 | 000,398,800 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3DBA5.dll
[2011/06/28 17:58:30 | 000,028,624 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3XDat5.dll
[2011/06/28 17:58:30 | 000,022,992 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\SZIO5.dll
[2011/06/28 17:58:28 | 000,390,608 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3UI5.dll
[2011/06/28 17:58:28 | 000,230,864 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Win325.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Svc5.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Inet5.dll
[2011/06/28 17:58:28 | 000,067,024 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Hks5.dll
[2011/06/28 17:58:26 | 000,738,768 | R--- | C] (iS3, Inc.) -- C:\Windows\System32\IS3Base5.dll
[2011/06/24 02:23:41 | 000,000,000 | ---D | C] -- C:\Program Files\WXWarning
[2011/06/24 02:23:20 | 000,000,000 | ---D | C] -- C:\Program Files\WXSpots
[2011/06/22 21:28:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java(7)
[2011/06/22 21:27:30 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/22 21:27:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/22 21:27:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/22 20:30:37 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\Desktop\camera
[2011/06/22 01:03:24 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Weather Defender
[2011/06/20 15:40:59 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\FileZilla
[2011/06/20 15:40:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
[2011/06/20 15:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2011/06/20 15:38:31 | 000,000,000 | ---D | C] -- C:\Program Files\Scanner Recorder
[2011/06/18 23:22:23 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Local\Apple Computer
[2011/06/18 23:22:11 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Apple Computer
[2011/06/18 11:58:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/18 03:07:17 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/18 03:07:15 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/06/18 03:07:14 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/06/18 03:07:14 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/06/16 23:25:08 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Interbank FX Trader 4
[2011/06/16 23:24:51 | 000,000,000 | ---D | C] -- C:\InterbankFX_1-Click
[2011/06/15 20:12:51 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\SpotterNetwork
[2011/06/15 20:07:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spotter Network
[2011/06/15 20:07:48 | 001,355,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvbvm50.dll
[2011/06/15 20:07:48 | 000,132,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Msinet.ocx
[2011/06/15 20:07:42 | 000,368,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbar332.dll
[2011/06/15 20:07:42 | 000,000,000 | ---D | C] -- C:\Program Files\SpotterNetwork
[2011/06/15 20:07:41 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.005
[2011/06/15 20:07:40 | 001,376,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.004
[2011/06/15 20:07:40 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.003
[2011/06/15 20:07:39 | 000,569,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.000
[2011/06/15 20:07:39 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.001
[2011/06/15 20:07:39 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\temp.002
[2011/06/15 01:02:57 | 000,000,000 | ---D | C] -- C:\Users\musicmatt\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/06/15 01:02:52 | 000,000,000 | ---D | C] -- C:\Program Files\TweetDeck
[2011/06/09 14:37:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/06/09 14:37:32 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/06/09 14:37:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2011/06/05 12:01:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[2011/04/01 15:25:51 | 000,434,176 | ---- | C] ( ) -- C:\Windows\System32\lxdehcp.dll
[2011/01/16 16:17:52 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2007/05/29 12:08:10 | 000,320,432 | ---- | C] ( ) -- C:\Windows\System32\lxdeih.exe
[2007/05/29 12:07:58 | 000,598,960 | ---- | C] ( ) -- C:\Windows\System32\lxdecoms.exe
[2007/05/29 12:07:48 | 000,365,488 | ---- | C] ( ) -- C:\Windows\System32\lxdecfg.exe
[2007/05/17 17:08:58 | 000,647,168 | ---- | C] ( ) -- C:\Windows\System32\lxdepmui.dll
[2007/05/17 17:06:40 | 001,200,128 | ---- | C] ( ) -- C:\Windows\System32\lxdeserv.dll
[2007/05/17 17:00:32 | 000,565,248 | ---- | C] ( ) -- C:\Windows\System32\lxdelmpm.dll
[2007/05/17 17:00:32 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxdecomm.dll
[2007/05/17 17:00:32 | 000,356,352 | ---- | C] ( ) -- C:\Windows\System32\lxdeinpa.dll
[2007/05/17 16:59:34 | 000,663,552 | ---- | C] ( ) -- C:\Windows\System32\lxdehbn3.dll
[2007/05/17 16:57:52 | 000,950,272 | ---- | C] ( ) -- C:\Windows\System32\lxdeusb1.dll
[2007/05/17 16:56:56 | 000,860,160 | ---- | C] ( ) -- C:\Windows\System32\lxdecomc.dll
[2007/05/17 16:52:56 | 000,339,968 | ---- | C] ( ) -- C:\Windows\System32\lxdeiesc.dll
[2007/05/17 16:51:30 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\lxdeprox.dll
[6 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/04 14:53:37 | 000,067,584 | ---- | M] () -- C:\Windows\bootstat.dat
[2011/07/04 14:49:21 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/04 14:49:21 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/04 14:49:21 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/04 14:49:08 | 1877,065,728 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/04 13:01:37 | 000,656,214 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/04 13:01:37 | 000,123,536 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/04 12:57:36 | 000,000,782 | ---- | M] () -- C:\Users\musicmatt\Desktop\fix.bat
[2011/07/04 12:57:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/04 12:12:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003UA.job
[2011/07/04 05:05:05 | 179,362,107 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/07/03 21:12:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003Core.job
[2011/07/02 15:53:02 | 000,000,858 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Virtual DJ Pro.lnk
[2011/07/02 00:06:54 | 004,130,507 | R--- | M] (Swearware) -- C:\Users\musicmatt\Desktop\nchost.exe
[2011/07/02 00:04:17 | 000,000,894 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/06/29 17:15:30 | 000,000,072 | ---- | M] () -- C:\Users\musicmatt\Desktop\gwrra.sc.t.url
[2011/06/29 17:14:36 | 000,000,072 | ---- | M] () -- C:\Users\musicmatt\Desktop\kf4nxs.url
[2011/06/29 17:13:34 | 000,000,078 | ---- | M] () -- C:\Users\musicmatt\Desktop\whenpigsflypro.url
[2011/06/29 13:21:06 | 000,002,713 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LTCM Client.lnk
[2011/06/29 04:08:28 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/06/29 03:30:55 | 000,002,198 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/06/29 03:27:36 | 000,001,772 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/06/29 03:19:24 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/29 03:18:33 | 000,395,608 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/29 02:57:04 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2011/06/29 02:45:03 | 000,015,872 | ---- | M] (VIA Technologies) -- C:\Windows\System32\drivers\1206856434.sys
[2011/06/29 01:47:50 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011/06/28 17:58:32 | 000,132,560 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3HTUI5.dll
[2011/06/28 17:58:30 | 000,546,256 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZComp5.dll
[2011/06/28 17:58:30 | 000,456,144 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZBase5.dll
[2011/06/28 17:58:30 | 000,398,800 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3DBA5.dll
[2011/06/28 17:58:30 | 000,028,624 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3XDat5.dll
[2011/06/28 17:58:30 | 000,022,992 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\SZIO5.dll
[2011/06/28 17:58:28 | 000,390,608 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3UI5.dll
[2011/06/28 17:58:28 | 000,230,864 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Win325.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Svc5.dll
[2011/06/28 17:58:28 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Inet5.dll
[2011/06/28 17:58:28 | 000,067,024 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Hks5.dll
[2011/06/28 17:58:26 | 000,738,768 | R--- | M] (iS3, Inc.) -- C:\Windows\System32\IS3Base5.dll
[2011/06/26 21:44:14 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GRLevelX
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe
[2011/06/21 03:07:50 | 000,000,196 | ---- | M] () -- C:\Windows\System32\~.inf
[2011/06/21 03:07:22 | 004,212,452 | ---- | M] () -- C:\Users\musicmatt\Desktop\United_States_Frequency_Allocations_Chart_2003_-_The_Radio_Spectrum.jpg
[2011/06/20 15:40:43 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
[2011/06/20 15:38:31 | 000,001,888 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Scanner Recorder.lnk
[2011/06/18 11:58:36 | 000,001,804 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/16 23:25:09 | 000,001,499 | ---- | M] () -- C:\Users\musicmatt\Desktop\Interbank FX Trader 4.lnk
[2011/06/16 15:37:26 | 000,000,066 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chasing the Southeast.url
[2011/06/15 20:08:02 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spotter Network
[2011/06/15 20:07:56 | 000,001,620 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Spotter Network.lnk
[2011/06/15 01:02:53 | 000,000,738 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweetDeck.lnk
[2011/06/15 01:02:53 | 000,000,726 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TweetDeck.lnk
[2011/06/12 05:46:03 | 000,001,356 | ---- | M] () -- C:\Users\musicmatt\AppData\Local\d3d9caps.dat
[2011/06/09 14:37:54 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/06/06 18:11:35 | 000,000,258 | ---- | M] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/06/05 12:01:00 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
[6 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/04 12:57:36 | 000,000,782 | ---- | C] () -- C:\Users\musicmatt\Desktop\fix.bat
[2011/07/02 15:53:02 | 000,000,858 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Virtual DJ Pro.lnk
[2011/06/30 13:54:31 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/30 13:54:31 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/06/30 13:54:31 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/06/30 13:54:31 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/06/30 13:54:31 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/29 23:06:55 | 1877,065,728 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/29 22:55:57 | 179,362,107 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/06/29 17:15:30 | 000,000,072 | ---- | C] () -- C:\Users\musicmatt\Desktop\gwrra.sc.t.url
[2011/06/29 17:14:18 | 000,000,072 | ---- | C] () -- C:\Users\musicmatt\Desktop\kf4nxs.url
[2011/06/29 17:13:34 | 000,000,078 | ---- | C] () -- C:\Users\musicmatt\Desktop\whenpigsflypro.url
[2011/06/29 03:27:36 | 000,001,772 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/06/21 03:08:03 | 004,212,452 | ---- | C] () -- C:\Users\musicmatt\Desktop\United_States_Frequency_Allocations_Chart_2003_-_The_Radio_Spectrum.jpg
[2011/06/20 15:38:31 | 000,001,888 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Scanner Recorder.lnk
[2011/06/18 11:58:36 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/16 23:25:09 | 000,001,499 | ---- | C] () -- C:\Users\musicmatt\Desktop\Interbank FX Trader 4.lnk
[2011/06/16 14:41:49 | 000,000,066 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chasing the Southeast.url
[2011/06/15 20:07:56 | 000,001,620 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Spotter Network.lnk
[2011/06/15 01:02:53 | 000,000,738 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TweetDeck.lnk
[2011/06/15 01:02:53 | 000,000,726 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TweetDeck.lnk
[2011/06/06 18:11:35 | 000,000,258 | ---- | C] () -- C:\Users\musicmatt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/05/06 14:00:10 | 000,246,094 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\census.cache
[2011/05/06 13:59:50 | 000,182,006 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\ars.cache
[2011/05/06 13:48:06 | 000,000,036 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\housecall.guid.cache
[2011/04/24 15:15:00 | 000,098,816 | ---- | C] () -- C:\Windows\System32\FGWVB32.DLL
[2011/04/01 15:25:51 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdeinst.dll
[2011/03/29 20:45:53 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2011/03/29 19:33:19 | 000,580,096 | ---- | C] () -- C:\Windows\System32\lame.exe
[2011/03/29 19:33:19 | 000,496,640 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2011/03/29 19:33:19 | 000,307,200 | ---- | C] () -- C:\Windows\System32\Mp3Ctrl.dll
[2011/03/29 19:33:19 | 000,131,176 | ---- | C] () -- C:\Windows\System32\mp3gain.exe
[2011/03/29 19:33:19 | 000,086,016 | ---- | C] () -- C:\Windows\System32\akrip32.dll
[2011/03/29 16:56:23 | 000,000,047 | ---- | C] () -- C:\Windows\WinInit.Ini
[2011/03/29 16:24:12 | 000,000,416 | ---- | C] () -- C:\ProgramData\lxde
[2011/03/13 23:05:38 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011/01/21 04:51:26 | 000,001,356 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\d3d9caps.dat
[2011/01/19 04:43:58 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/19 04:43:57 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/01/18 02:15:50 | 000,669,002 | ---- | C] () -- C:\Windows\unins000.exe
[2011/01/18 02:15:50 | 000,001,103 | ---- | C] () -- C:\Windows\unins000.dat
[2011/01/17 22:23:02 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/01/17 02:56:42 | 000,000,000 | ---- | C] () -- C:\Windows\PROTOCOL.INI
[2011/01/16 23:26:26 | 000,027,648 | ---- | C] () -- C:\Users\musicmatt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/16 23:15:44 | 000,036,864 | ---- | C] () -- C:\Windows\System32\lxf3oem.dll
[2011/01/16 23:15:44 | 000,012,288 | ---- | C] () -- C:\Windows\System32\LXF3PMRC.DLL
[2011/01/16 18:44:22 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2011/01/16 18:44:22 | 000,168,886 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011/01/16 18:44:22 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011/01/16 18:44:22 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
[2011/01/16 17:51:11 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/01/16 17:12:37 | 000,115,267 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2011/01/16 17:12:36 | 000,097,859 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2011/01/16 16:17:52 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2011/01/16 16:17:04 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2011/01/16 16:16:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2009/09/09 19:01:40 | 000,027,675 | ---- | C] () -- C:\Windows\System32\drivers\klopp.dat
[2008/03/30 02:41:02 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2008/03/29 23:28:22 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/03/29 23:28:21 | 000,192,816 | ---- | C] () -- C:\Windows\System32\drivers\SynTP.sys
[2008/03/29 23:28:06 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2008/03/29 23:28:06 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2008/03/29 23:28:05 | 000,000,040 | ---- | C] () -- C:\Windows\Prelaunch.ini
[2008/03/29 22:51:04 | 000,001,132 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2008/03/29 22:51:04 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\RtkHDAud.dat
[2007/05/28 01:02:38 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxdegrd.dll
[2007/05/24 16:24:26 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdedrs.dll
[2007/05/22 10:09:42 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxdecaps.dll
[2007/05/03 18:50:10 | 000,348,160 | ---- | C] () -- C:\Windows\System32\lxdecoin.dll
[2007/04/17 10:17:06 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxdecnv4.dll
[2006/11/02 08:57:28 | 000,067,584 | ---- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,395,608 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,656,214 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,123,536 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/08/01 04:53:18 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxdevs.dll
[2001/12/26 18:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 01:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 18:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 00:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2011/06/29 01:15:37 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\.purple
[2011/01/16 16:21:59 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Acer
[2011/03/05 21:12:14 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Audacity
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\BitTorrent
[2011/05/06 00:07:35 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\DriverCure
[2011/06/29 04:11:19 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\f-secure
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\FileZilla
[2011/04/22 18:53:39 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\GetRightToGo
[2011/06/27 15:00:46 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\GRLevel3
[2011/06/16 22:09:08 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\gtk-2.0
[2011/01/16 16:21:58 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Leadertech
[2011/03/13 23:20:33 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Leawo
[2011/04/25 19:44:24 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Lexmark Productivity Studio
[2011/03/13 23:20:37 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Moyea
[2011/01/18 03:31:26 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\OpenOffice.org
[2011/05/06 00:07:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\ParetoLogic
[2011/01/16 22:08:06 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\PCDJ
[2011/01/16 21:21:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Shareaza
[2011/05/10 18:19:09 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Sony
[2011/05/10 17:51:02 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Sony Setup
[2011/06/24 02:33:23 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\SpotterNetwork
[2011/04/12 14:47:34 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\SumatraPDF
[2011/04/27 12:38:04 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\TeamViewer
[2011/04/08 10:40:13 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Tether
[2011/06/15 01:02:57 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/05/06 02:00:49 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Uniblue
[2011/06/29 02:24:48 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\uTorrent
[2011/06/24 02:18:26 | 000,000,000 | ---D | M] -- C:\Users\musicmatt\AppData\Roaming\Weather Defender
[2011/05/05 11:59:36 | 000,000,000 | ---D | M] -- C:\ProgramData\Alwil Software
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2011/07/02 15:51:59 | 000,000,000 | ---D | M] -- C:\ProgramData\boost_interprocess
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2011/04/24 21:53:37 | 000,000,000 | ---D | M] -- C:\ProgramData\Digital Entertainer
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2011/06/29 04:10:39 | 000,000,000 | ---D | M] -- C:\ProgramData\F-Secure
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2011/03/13 23:07:48 | 000,000,000 | ---D | M] -- C:\ProgramData\Leawo
[2011/05/09 12:36:59 | 000,000,000 | ---D | M] -- C:\ProgramData\Lx_cats
[2011/01/17 15:07:30 | 000,000,000 | ---D | M] -- C:\ProgramData\musicmatt
[2011/05/06 00:50:26 | 000,000,000 | ---D | M] -- C:\ProgramData\ParetoLogic
[2011/01/16 22:08:03 | 000,000,000 | ---D | M] -- C:\ProgramData\PCDJ
[2011/05/10 18:19:09 | 000,000,000 | ---D | M] -- C:\ProgramData\Sony
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2011/06/29 03:03:48 | 000,000,000 | ---D | M] -- C:\ProgramData\STOPzilla!
[2011/06/27 15:00:46 | 000,000,000 | ---D | M] -- C:\ProgramData\TEMP
[2006/11/02 09:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2011/05/06 02:00:53 | 000,000,000 | ---D | M] -- C:\ProgramData\Uniblue
[2008/03/29 23:11:48 | 000,000,000 | ---D | M] -- C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2011/07/04 14:53:17 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: AGRSMSVC.EXE >
[2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) MD5=39E435C90C9C4F780FA0ED05CA3C3A1B -- C:\Windows\System32\agrsmsvc.exe
[2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) MD5=39E435C90C9C4F780FA0ED05CA3C3A1B -- C:\Windows\System32\DriverStore\FileRepository\agrmdv32.inf_0ddf652a\agrsmsvc.exe

< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: ATI2EVXX.EXE >
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=B886D349AFAD502DE4F6EA0C64B1CC4D -- C:\Windows\System32\Ati2evxx.exe
[2008/03/10 01:59:02 | 000,655,360 | ---- | M] (ATI Technologies Inc.) MD5=B886D349AFAD502DE4F6EA0C64B1CC4D -- C:\Windows\System32\DriverStore\FileRepository\cl_61295.inf_f4ec1680\B_60953\Ati2evxx.exe

< MD5 for: DFSC.SYS >
[2009/04/11 00:14:12 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=218D8AE46C88E82014F5D73D0236D9B2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys
[2011/04/14 10:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\System32\drivers\dfsc.sys
[2011/04/14 10:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys
[2011/04/14 10:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
[2008/01/20 22:24:55 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=9E635AE5E8AD93E2B5989E2E23679F97 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18000_none_879a2ddde61be4de\dfsc.sys
[2011/04/14 10:24:14 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=A3E9FA213F443AC77C7746119D13FEEC -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18633_none_877cca5be63173a0\dfsc.sys
[2011/04/13 09:22:40 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=E20FB30D720810646ED24FB7CA9899A2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys

< MD5 for: LXDECOMS.EXE >
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\config\systemprofile\{4a452778-f0bb-4a38-940c-1cc99117d899}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\config\systemprofile\{f48ced33-c68e-430f-80ed-9a2ea4ef228f}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\DriverStore\FileRepository\lxdeprc.inf_7b84dc0b\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\spool\drivers\w32x86\{2C4DFD08-EF95-4C6A-9F2A-885FB012BA44}\i386\lxdecoms.exe
[2007/05/29 16:07:58 | 000,598,960 | ---- | M] ( ) MD5=626CF4DB8FF93DF819A6FF479F8086C4 -- C:\Windows\System32\spool\drivers\w32x86\{E94154B4-8774-497D-9EEC-81A38EA9F76A}\i386\lxdecoms.exe

< MD5 for: MSCORSVW.EXE >
[2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) MD5=31A71C94C8DD415B1C6A90BEE470F727 -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
[2009/03/30 00:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) MD5=8EE772032E2FE80A924F3B8DD5082194 -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
[2009/03/30 00:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) MD5=8EE772032E2FE80A924F3B8DD5082194 -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6002.18005_none_1fd1ab49e8ca6ebb\mscorsvw.exe
[2008/01/20 22:24:55 | 000,070,144 | ---- | M] (Microsoft Corporation) MD5=A4AF4201BD519971F8F34724F3CA9DBB -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6001.18000_none_1ff6260de878daa7\mscorsvw.exe
[2006/11/02 02:34:11 | 000,059,392 | ---- | M] (Microsoft Corporation) MD5=D3BF342F47996E18490970FCFB8126A8 -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6000.16386_none_2021a451e82131db\mscorsvw.exe
[2008/07/27 14:00:25 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=D87ACAED61E417BBA546CED5E7E36D9C -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6000.16720_none_201c2ab5e826014f\mscorsvw.exe
[2008/07/27 13:55:53 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=D87ACAED61E417BBA546CED5E7E36D9C -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6000.20883_none_0954415a01c84642\mscorsvw.exe
[2008/07/27 14:03:13 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=D87ACAED61E417BBA546CED5E7E36D9C -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6001.18111_none_1ff70f6be8780df0\mscorsvw.exe
[2008/07/27 13:58:33 | 000,069,632 | ---- | M] (Microsoft Corporation) MD5=D87ACAED61E417BBA546CED5E7E36D9C -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6001.22230_none_092b8008021d8703\mscorsvw.exe

< MD5 for: NDIS.SYS >
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\ERDNT\cache\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\System32\drivers\ndis.sys
[2009/04/11 02:32:49 | 000,527,848 | ---- | M] (Microsoft Corporation) MD5=1357274D1883F68300AEADD15D7BBB42 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864\ndis.sys
[2008/01/20 22:23:50 | 000,529,464 | ---- | M] (Microsoft Corporation) MD5=9BDC71790FA08F0A0B5F10462B1BD0B1 -- C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys

< MD5 for: USERINIT.EXE >
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 22:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 85 bytes -> C:\ProgramData\Application Data:$SS_DESCRIPTOR_1VPTV9VVMVFBVLVHKV6FYJ6VDVPMF7LBWK96HUTVVVVKVVBVLVV5
@Alternate Data Stream - 85 bytes -> C:\ProgramData:$SS_DESCRIPTOR_1VPTV9VVMVFBVLVHKV6FYJ6VDVPMF7LBWK96HUTVVVVKVVBVLVV5
@Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:53829683
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:B63300D1
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:8331D35A
@Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:EBC2DB92
< End of report >

kf4nxs

Newbie Surfer

Posts : 30
Joined : 2009-09-29
Operating System : vista



Re: Nasty Virus

Post by Gabethebabe on Tue 05 Jul 2011, 4:45 pm

OK!
Our fix.bat has done its work. We need to do that for one more file.

Create another fix.bat with this contents:
rem Overwrite the v4.0.30319 mscorsvw.exe with the v2.0.50727 copy, then keep the window open
copy C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
pause

Run that on the infected machine in REATOGO-X-PE desktop. It should run without error.

After this we are ready to try and boot to normal. We have cleaned up a number of infections in system files, hopefully our system will be more responsive now to our tools.

If you still have combofix on your desktop, please delete it.

Please visit this webpage to download ComboFix again and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS


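The helper is reading the "< MD5 for: ... >" blocks of the OTL report above by eye, comparing the copy Windows loads against the reference copies in winsxs, DriverStore and the ERDNT cache before deciding which file to overwrite. As an added example (not code from this thread or from OTL), here is a small Python check that automates that comparison; the sample log embeds lines copied from the report plus one constructed, deliberately mismatched System32\winlogon.exe entry so the check has a patched file to find, and the list of directories treated as backup locations is an assumption.

```python
"""Check the '< MD5 for: NAME >' blocks of an OTL report for tampered files.

Added example; not code from this thread or from OTL. Each copy Windows
actually loads (System32, Microsoft.NET/Framework, ...) is compared against
the reference copies OTL also hashes (winsxs, DriverStore, ERDNT cache,
spool driver cache). Which directories count as "backup" is an assumption.
Line format assumed exactly as OTL prints it:
  [yyyy/mm/dd hh:mm:ss | size | attrs | M] (company) MD5=HEX -- path
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
LINE_RE = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"[^|]+ \| M\] \((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Assumed: directories that hold reference copies rather than the live binary.
BACKUP_MARKERS = ("\\winsxs\\", "\\driverstore\\", "\\erdnt\\", "\\spool\\drivers\\")

# Sample input: lines copied from the report above, plus one CONSTRUCTED
# System32\winlogon.exe line whose MD5 was changed to simulate a patched file.
SAMPLE_LOG = r"""
< MD5 for: MSCORSVW.EXE >
[2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) MD5=31A71C94C8DD415B1C6A90BEE470F727 -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
[2009/03/30 00:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) MD5=8EE772032E2FE80A924F3B8DD5082194 -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
[2009/03/30 00:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) MD5=8EE772032E2FE80A924F3B8DD5082194 -- C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6002.18005_none_1fd1ab49e8ca6ebb\mscorsvw.exe

< MD5 for: USERINIT.EXE >
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
"""


def parse_md5_blocks(text):
    """Return {FILENAME: [entry, ...]}; each entry is a dict of the parsed fields."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            continue
        m = LINE_RE.match(line)
        if m and current:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entry["md5"] = entry["md5"].upper()
            entry["is_backup"] = any(k in entry["path"].lower() for k in BACKUP_MARKERS)
            blocks[current].append(entry)
    return dict(blocks)


def find_suspect_files(blocks):
    """Return [(FILENAME, path, reason)] for live copies that deserve a look.

    Strong signal: a backup copy has the same size and mtime but a different
    MD5, i.e. the live file was patched while its metadata was preserved.
    Weak signal: no backup copy matches the live MD5 at all (it may just be a
    newer build with no winsxs twin, so it is reported with its own reason).
    """
    findings = []
    for name, entries in blocks.items():
        backups = [e for e in entries if e["is_backup"]]
        for live in (e for e in entries if not e["is_backup"]):
            twins = [b for b in backups
                     if b["size"] == live["size"] and b["mtime"] == live["mtime"]]
            if any(b["md5"] != live["md5"] for b in twins):
                findings.append((name, live["path"],
                                 "hash differs from backup copy with identical size and mtime"))
            elif backups and all(b["md5"] != live["md5"] for b in backups):
                findings.append((name, live["path"], "no backup copy matches this hash"))
    return findings


if __name__ == "__main__":
    for name, path, reason in find_suspect_files(parse_md5_blocks(SAMPLE_LOG)):
        print(f"{name}: {path}\n    -> {reason}")
```

On the sample input this reports the constructed winlogon.exe mismatch as the strong signal and the v4.0.30319 mscorsvw.exe (no matching winsxs copy) as the weak one, while userinit.exe passes.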

combo fix

Post by mandrews on Tue 05 Jul 2011, 11:46 pm

ComboFix 11-07-04.02 - musicmatt 07/05/2011 10:22:34.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.941 [GMT -4:00]
Running from: c:\users\musicmatt\Downloads\Commy.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.4.17.10\bh\facemoods.dll
c:\program files\facemoods.com\facemoods\1.4.17.10\facemoods.crx
c:\program files\facemoods.com\facemoods\1.4.17.10\facemoods.png
c:\program files\facemoods.com\facemoods\1.4.17.10\facemoodsApp.dll
c:\program files\facemoods.com\facemoods\1.4.17.10\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.4.17.10\facemoodssrv.exe
c:\program files\facemoods.com\facemoods\1.4.17.10\facemoodsTlbr.dll
c:\program files\facemoods.com\facemoods\1.4.17.10\uninstall.exe
c:\program files\facemoods.com\sqlite3.dll
c:\users\musicmatt\AppData\Roaming\Microsoft\Windows\Recent\Archive created by free jZip.url
c:\windows\system32\~.inf
c:\windows\system32\c_03600.nls
c:\windows\system32\config\qnbwvoto
c:\windows\system32\drivers\1206856434.sys
c:\windows\system32\zip32.dll
.
Infected copy of c:\windows\system32\DRIVERS\SynTP.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
.
.
2011-07-05 14:33 . 2011-07-05 14:35 -------- d-----w- c:\users\musicmatt\AppData\Local\temp
2011-07-05 14:33 . 2011-07-05 14:33 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-07-05 14:33 . 2011-07-05 14:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-05 14:18 . 2007-09-07 19:56 192816 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-07-04 07:58 . 2011-07-04 07:58 -------- d-----w- C:\_OTL
2011-07-02 19:51 . 2011-07-02 19:51 -------- d-----w- c:\programdata\boost_interprocess
2011-07-02 06:33 . 2011-07-02 06:33 -------- d-----w- c:\program files\DealPly
2011-07-02 06:30 . 2011-07-02 06:30 -------- d-----w- c:\users\musicmatt\AppData\Local\Ilivid Player
2011-07-02 06:29 . 2011-07-02 07:53 -------- d-----w- c:\program files\iLivid
2011-07-02 06:29 . 2011-07-02 06:29 -------- d-----w- c:\program files\Windows iLivid Toolbar
2011-07-02 05:22 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-07-01 02:41 . 2011-07-01 02:41 -------- d-----w- c:\program files\ESET
2011-06-30 18:19 . 2011-06-30 18:20 -------- d-----w- C:\nchost
2011-06-30 17:53 . 2011-06-30 17:53 -------- d-----w- C:\ComboFix
2011-06-30 02:42 . 2011-06-30 02:43 -------- d-----w- C:\Commy
2011-06-29 08:11 . 2011-06-29 08:11 -------- d-----w- c:\users\musicmatt\AppData\Roaming\f-secure
2011-06-29 08:10 . 2011-06-29 08:10 -------- d-----w- c:\programdata\F-Secure
2011-06-29 07:27 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D411D8D-1796-4E8E-8120-CC1D98E749FC}\mpengine.dll
2011-06-29 07:20 . 2011-06-29 07:20 -------- d-----w- c:\windows\TempBC33A0E8-0AC2-22D1-303C-C46234BCB4E2-Signatures
2011-06-29 07:19 . 2011-06-29 07:19 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-29 06:56 . 2011-06-29 06:56 -------- d-----w- c:\program files\STOPzilla!
2011-06-29 06:56 . 2011-06-29 07:03 -------- d-----w- c:\programdata\STOPzilla!
2011-06-29 06:56 . 2011-06-29 06:56 -------- d-----w- c:\program files\Common Files\iS3
2011-06-29 06:49 . 2011-06-29 06:49 388096 ----a-r- c:\users\musicmatt\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-29 06:49 . 2011-06-29 06:49 -------- d-----w- c:\program files\Trend Micro
2011-06-29 05:47 . 2011-06-29 05:47 -------- d-----w- c:\program files\CCleaner
2011-06-28 22:06 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-28 21:58 . 2011-06-28 21:58 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-06-28 21:58 . 2011-06-28 21:58 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-06-28 21:58 . 2011-06-28 21:58 456144 ----a-r- c:\windows\system32\SZBase5.dll
2011-06-28 21:58 . 2011-06-28 21:58 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-06-28 21:58 . 2011-06-28 21:58 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-06-28 21:58 . 2011-06-28 21:58 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-06-28 21:58 . 2011-06-28 21:58 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-06-28 21:58 . 2011-06-28 21:58 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-06-28 21:58 . 2011-06-28 21:58 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-06-28 21:58 . 2011-06-28 21:58 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-06-28 21:58 . 2011-06-28 21:58 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2011-06-28 21:58 . 2011-06-28 21:58 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2011-06-24 06:23 . 2011-06-24 06:37 -------- d-----w- c:\program files\WXWarning
2011-06-24 06:23 . 2011-06-24 06:36 -------- d-----w- c:\program files\WXSpots
2011-06-23 01:28 . 2011-06-23 01:28 -------- d-----w- c:\program files\Common Files\Java(7)
2011-06-22 05:03 . 2011-06-24 06:18 -------- d-----w- c:\users\musicmatt\AppData\Roaming\Weather Defender
2011-06-20 19:40 . 2011-06-29 06:24 -------- d-----w- c:\users\musicmatt\AppData\Roaming\FileZilla
2011-06-20 19:40 . 2011-06-20 19:40 -------- d-----w- c:\program files\FileZilla FTP Client
2011-06-20 19:38 . 2011-06-20 19:38 -------- d-----w- c:\program files\Scanner Recorder
2011-06-19 03:22 . 2011-06-19 03:22 -------- d-----w- c:\users\musicmatt\AppData\Local\Apple Computer
2011-06-19 03:22 . 2011-06-19 03:22 -------- d-----w- c:\users\musicmatt\AppData\Roaming\Apple Computer
2011-06-18 15:58 . 2011-06-18 15:58 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-18 07:07 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-18 07:07 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-18 07:07 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-17 11:11 . 2011-04-14 14:36 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-17 11:11 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-17 11:11 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-17 11:11 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-17 11:11 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-17 11:11 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-17 11:11 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-17 11:11 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-17 11:11 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-17 11:11 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-06-17 03:24 . 2011-06-17 05:12 -------- d-----w- C:\InterbankFX_1-Click
2011-06-16 00:12 . 2011-06-24 06:33 -------- d-----w- c:\users\musicmatt\AppData\Roaming\SpotterNetwork
2011-06-16 00:07 . 2004-03-09 04:00 132880 ----a-w- c:\windows\system32\Msinet.ocx
2011-06-16 00:07 . 2001-08-23 04:00 1355776 ----a-w- c:\windows\system32\msvbvm50.dll
2011-06-16 00:07 . 2011-06-16 00:08 -------- d-----w- c:\program files\SpotterNetwork
2011-06-16 00:07 . 1998-04-24 04:00 368912 ----a-w- c:\windows\system32\vbar332.dll
2011-06-16 00:07 . 2001-08-23 11:00 65024 ----a-w- c:\windows\system32\temp.005
2011-06-16 00:07 . 2006-11-02 08:46 1376528 ----a-w- c:\windows\system32\temp.004
2011-06-16 00:07 . 2001-08-23 11:00 17920 ----a-w- c:\windows\system32\temp.003
2011-06-16 00:07 . 2001-08-23 11:00 77824 ----a-w- c:\windows\system32\temp.002
2011-06-16 00:07 . 2001-08-23 11:00 569344 ----a-w- c:\windows\system32\temp.000
2011-06-16 00:07 . 2001-08-23 11:00 106496 ----a-w- c:\windows\system32\temp.001
2011-06-15 05:02 . 2011-06-15 05:02 -------- d-----w- c:\users\musicmatt\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2011-06-15 05:02 . 2011-06-15 05:02 -------- d-----w- c:\program files\TweetDeck
2011-06-09 18:38 . 2011-06-09 18:38 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-06-09 18:38 . 2011-06-09 18:38 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-06-09 18:38 . 2011-06-09 18:38 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-06-09 18:38 . 2011-06-09 18:38 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-06-09 18:38 . 2011-06-09 18:38 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-06-09 18:38 . 2011-06-09 18:38 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-06-09 18:38 . 2011-06-09 18:38 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-06-09 18:37 . 2011-06-09 18:38 -------- d-----w- c:\program files\QuickTime
2011-06-09 18:37 . 2011-06-09 18:37 -------- d-----w- c:\programdata\Apple Computer
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-06-05 16:07 . 2010-11-30 15:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 07:07 . 2011-04-18 16:14 96626003 ----a-w- c:\windows\system32\~.tmp
2011-06-07 15:55 . 2011-05-08 08:56 7074640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-29 13:11 . 2011-04-13 10:32 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2011-04-13 10:32 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 16:32 . 2011-05-09 16:32 917577 ----a-w- c:\programdata\SPLB026.tmp
2011-04-27 19:25 . 2011-04-27 19:25 65024 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2011-04-22 18:14 . 2011-04-22 18:14 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-22 18:14 . 2011-04-22 18:14 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-22 18:14 . 2011-04-22 18:14 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-22 18:14 . 2011-04-22 18:14 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-22 18:14 . 2011-04-22 18:14 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-22 18:14 . 2011-04-22 18:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-22 18:14 . 2011-04-22 18:14 367104 ----a-w- c:\windows\system32\html.iec
2011-04-22 18:14 . 2011-04-22 18:14 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-22 18:14 . 2011-04-22 18:14 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-22 18:14 . 2011-04-22 18:14 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-22 18:14 . 2011-04-22 18:14 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-22 18:14 . 2011-04-22 18:14 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-22 18:14 . 2011-04-22 18:14 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-22 18:14 . 2011-04-22 18:14 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-22 18:14 . 2011-04-22 18:14 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-22 18:14 . 2011-04-22 18:14 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-22 18:14 . 2011-04-22 18:14 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-22 18:14 . 2011-04-22 18:14 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-22 18:14 . 2011-04-22 18:14 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-18 17:18 . 2011-04-18 17:18 43392 ----a-w- c:\windows\system32\drivers\MpNWMon.sys
2011-04-18 17:18 . 2011-04-18 17:18 165648 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2011-04-14 09:07 . 2011-01-17 20:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-13 03:10 . 2011-04-13 03:10 1307647 ----a-w- c:\programdata\SPLE0CC.tmp
2011-04-13 02:46 . 2011-04-13 02:46 3425131 ----a-w- c:\programdata\SPL5D71.tmp
2011-04-11 07:04 . 2011-05-07 05:16 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B409AE95-DECB-41AB-9F47-7E6974A33CE3}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]
2011-03-16 11:59 81920 ----a-w- c:\program files\freecordertoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}]
2011-06-06 12:20 78600 ----a-w- c:\program files\DealPly\DealPlyIE.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
"{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}"= "c:\program files\freecordertoolbar\vmntemplateX.dll" [2011-03-16 81920]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{70dd86e8-b5bc-4e4a-9d5c-b6234c24323c}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 07:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-12 249856]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\WI371A~1\Datamngr\datamngr.dll c:\progra~1\WI371A~1\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-11-26 18:21 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-06 16:55 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentTransferWMDetector.exe]
2009-11-19 22:15 583016 ----a-w- c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2011-03-24 07:11 167936 ----a-w- c:\program files\Freecorder 5\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-16 20:57 136176 ----atw- c:\users\musicmatt\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 17:06 62760 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-05-29 13:11 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 19:23 81920 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-21 02:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 17:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-07 61328]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-16 136176]
R2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdeserv.exe [2007-05-29 99248]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\users\MUSICM~1\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-16 136176]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\4059.tmp [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 PRWXOUZX;PRWXOUZX;c:\users\MUSICM~1\AppData\Local\Temp\PRWXOUZX.exe [x]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys [2010-05-18 45608]
R3 ute3mty1;AVZ Kernel Driver;c:\windows\system32\Drivers\ute3mty1.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
R4 Tether;Tether;c:\program files\Tether\TBService.exe [2010-09-21 52664]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [2009-12-07 61328]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [2010-05-12 59280]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 59392]
S2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe [2007-05-29 598960]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-03 19984]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 20:57]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-14 20:57]
.
2011-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003Core.job
- c:\users\musicmatt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 20:57]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-880227785-1377843364-700853731-1003UA.job
- c:\users\musicmatt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-16 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 205.152.128.23 205.152.37.23
TCP: Interfaces\{E7FC0445-53E8-4DE0-8BD6-E22182383273}: NameServer = 208.67.222.222,208.67.220.220
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.4.17.10\bh\facemoods.dll
Toolbar-10 - (no file)
Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.4.17.10\facemoodsTlbr.dll
HKLM-Run-LTCM Client - c:\program files\LTCM Client\ltcmClient.exe
HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.10\facemoodssrv.exe
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.10\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-07-05 10:35
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4059.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Enum\Root\*PNP92e2\0000]
@DACL=(02 0000)
"Service"="1206856434"
"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"
"Class"="System"
"DeviceDesc"="PCI bus"
"Mfg"="Technologies Inc"
"LocationInformation"="on Microsoft ACPI-Compliant System"
"ConfigFlags"=dword:00000000
"Capabilities"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1024)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\PEV.exe
c:\windows\system32\wermgr.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-07-05 10:40:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-05 14:40
.
Pre-Run: 29,476,433,920 bytes free
Post-Run: 30,146,457,600 bytes free
.
- - End Of File - - 22AFFCE9C0EB53F2B564927601BA5B5E

mandrews

Newbie Surfer

Posts : 20
Joined : 2011-02-08
Operating System : Greer, South Carolina
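
The service lines and the AppInit_DLLs entry in the ComboFix log above are the part a responder reads first, because that is where persistence lives: a driver whose image file is gone ([x]), a service running out of a Temp directory or from a .tmp file, a numeric-only file name, and any DLL listed in AppInit_DLLs (loaded into every GUI process on Vista). The script below is an added example for this page, not ComboFix code and not from the thread; it parses those line formats and returns a worklist. The sample lines are copied from the log above; note that some hits (the F-Secure minifilter, the AVZ driver) are leftovers from scanner tools used earlier in the thread, which is why the output is a list to review rather than a verdict. Treating whitespace as the separator in AppInit_DLLs is an assumption that holds for the 8.3 paths ComboFix prints.

```python
"""Triage ComboFix 'Reg Loading Points' output for persistence entries worth a second look.

Added example for this thread, not ComboFix code. It reads only the log text.
"""
import os
import re

# Service lines: "<start type> <name>;<display name>;<image path> [<date size> | x]"
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.*?)\s*(?P<tail>\[[^\]]*\])?\s*$'
)
# Registry value line as ComboFix prints it: "AppInit_DLLs"=<dll> <dll> ...
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(?P<value>.+?)\s*$')


def suspicious_reasons(name: str, path: str, tail: str) -> list:
    """Return the indicators that make one service entry worth reviewing (empty = nothing)."""
    reasons = []
    norm = path.replace('\\', '/')           # let os.path work on Windows paths anywhere
    stem, ext = os.path.splitext(os.path.basename(norm))
    if tail == '[x]':
        reasons.append('image file missing')  # orphaned entry or already-deleted file
    if re.search(r'/temp/', norm, re.IGNORECASE):
        reasons.append('runs from a Temp directory')
    if ext.lower() == '.tmp':
        reasons.append('.tmp image path')
    if stem.isdigit() or name.strip().isdigit():
        reasons.append('numeric-only name')
    return reasons


def parse_appinit(value: str) -> list:
    # Assumption: ComboFix prints 8.3 paths, so whitespace (or commas) separates entries.
    return [p for p in re.split(r'[\s,]+', value) if p]


def triage(log_text: str) -> list:
    """Walk the log and return findings as dicts: kind, name, path, reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            reasons = suspicious_reasons(m['name'], m['path'], m['tail'] or '')
            if reasons:
                findings.append({'kind': 'service', 'name': m['name'].strip(),
                                 'path': m['path'], 'reasons': reasons})
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in parse_appinit(m['value']):
                findings.append({'kind': 'appinit', 'name': 'AppInit_DLLs', 'path': dll,
                                 'reasons': ['DLL injected into every GUI process']})
    return findings


# Sample input: lines copied from the ComboFix log in this thread (one benign driver included).
SAMPLE = r"""
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\users\MUSICM~1\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\4059.tmp [x]
R3 PRWXOUZX;PRWXOUZX;c:\users\MUSICM~1\AppData\Local\Temp\PRWXOUZX.exe [x]
R3 ute3mty1;AVZ Kernel Driver;c:\windows\system32\Drivers\ute3mty1.sys [x]
"AppInit_DLLs"=c:\progra~1\WI371A~1\Datamngr\datamngr.dll c:\progra~1\WI371A~1\Datamngr\IEBHO.dll
"""

if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f"{f['kind']:8} {f['name']:32} {f['path']}")
        print(f"{'':8} -> {', '.join(f['reasons'])}")
```

The benign Broadcom driver produces no finding; MEMSWEEP2 trips three rules at once (missing file, .tmp image, numeric name), which is the kind of entry to check by hand rather than assume either way.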

Re: Nasty Virus

Post by Gabethebabe on Tue 05 Jul 2011, 11:59 pm

We are making progress.

I see you have Malwarebytes installed.

Please open Malwarebytes' Anti-Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

mbam log

Post by mandrews on Wed 06 Jul 2011, 5:42 am

Malwarebytes' Anti-Malware 1.51.0.1200

Database version: 7028

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/5/2011 4:41:36 PM
mbam-log-2011-07-05 (16-41-36).txt

Scan type: Quick scan
Objects scanned: 156407
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

mandrews

Newbie Surfer

Posts : 20
Joined : 2011-02-08
Operating System : Greer, South Carolina

Re: Nasty Virus

Post by Gabethebabe on Wed 06 Jul 2011, 8:17 pm

Now that looks good!
How is your computer running now?

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Nasty Virus

Post by mandrews on Thu 07 Jul 2011, 4:05 am

I got Security Essentials working again; I had to go in and fix the permissions on MBAM to get it to scan. I need to clean up some of the reg files and the programs used to get the virus. Thanks for the help. It no longer redirects my searches. Thanks again. Also, I cannot see the volume display on the monitor with the function up or down arrow like I used to. Any suggestions?

mandrews

Newbie Surfer

Posts : 20
Joined : 2011-02-08
Operating System : Greer, South Carolina

Re: Nasty Virus

Post by Gabethebabe on Thu 07 Jul 2011, 5:01 pm

This could be related to the drivers of the monitor not being correctly installed. I'd search for those on the website of the manufacturer and re-install them.

====================

You need to install the latest version of Java. Having the latest version is important to take advantage of fixes that have eliminated security vulnerabilities.
  • Go to Start > Control Panel
  • Double-click on Add or Remove Programs
  • Look for entries that say Java, Java RunTime Environment or J2SE.
  • Uninstall all of them that are not named Java (TM) 6 Update 26

After doing this, you can go to java.com, click on Free Java Download and proceed from there to install the latest version of Java (currently Version 6 Update 26).

After installing Java, go to Start > Control Panel > Java to open the Java Control Panel.
Under the General tab, Temporary Internet Files click Settings, then click Delete Files.
Select both options and click OK to delete the Java cache.

====================
I see that you have P2P software installed on your machine (uTorrent).
While file-sharing is a useful concept, P2P programs are mostly used for shady/illegal practices like software piracy, copyright infraction and malware distribution. You really do not want to contribute to illegal activities or find yourself victim of cybercriminals using P2P for spreading of their malware. I would strongly recommend that you uninstall all P2P software, however that choice is up to you. If you choose to remove these programs, you can do so via Start >> Control Panel >> Add or Remove Programs.

====================

You have Stopzilla installed. That is a close to useless program; I recommend you uninstall it. You are running Kaspersky, which is totally fine, and you don't need the additional dubious services of Stopzilla.

====================

Time to uninstall used tools.
  • Go to Start > Run and type or copy/paste Combofix /uninstall (note the space before the "/").
  • Double click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.


====================

Do you have any more questions or do you want to see my ALORTKYCC (Awesome List Or Recommendations To Keep Your Computer Clean)?


Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Nasty Virus

Post by mandrews on Fri 08 Jul 2011, 2:08 pm

OK, after a restart everything is good but one thing: the error "WMIServi Application stopped working".

mandrews

Newbie Surfer

Posts : 20
Joined : 2011-02-08
Operating System : Greer, South Carolina
