BullGuard
Need help with virus that takes over admin powers (cont)
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > Need help with virus that takes over admin powers (cont)  

urbane
New Member


Date Joined Nov 2009
Total Posts : 30
 
Posted 12/10/2009 3:21 PM (GMT +3)
Er, can we post in this new thread instead please? For some bizarre reason your post and everything after it does not want to load... my internet has been loading for hours to no avail. Maybe it's my crappy net, an image you hosted, the virus slowing down the net, or a bug. I dunno, but yeah, I can't view anything in that thread.

I couldn't see that last reply of yours, it just forever got stuck here:

Post Edited (urbane) : 12-12-2009 01:21:15 GMT

 

urbane
New Member


Date Joined Nov 2009
Total Posts : 30
 
Posted 12/11/2009 12:32 PM (GMT +3)
Jintan, please continue your support here. The other thread, as shown in the screenshot above, isn't working beyond that point. It just forever loads, and I used many different browsers. I even left my computer on for 8 hours, came back and it's still loading :S

I dunno why, but yeah please reply here

Post Edited (urbane) : 11-12-2009 09:33:52 GMT

 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 12/12/2009 2:45 AM (GMT +3)
One thing that might help us is not posting these very large graphics shots. They cause my browser problems as well. Go back to that earlier post and click the Pencil icon, upper right corner, and remove that graphics link please.

Once you have done that post here, and I will be able to continue with our work here.
 

urbane
New Member


Date Joined Nov 2009
Total Posts : 30
 
Posted 12/12/2009 4:26 AM (GMT +3)
Done. Yeah, I think the graphics screwed it up. I still cannot view that thread, so let's stay in here.

We were up to the abp470n5 file I detected in my last log post. I couldn't see your instructions after that.
 

urbane
New Member


Date Joined Nov 2009
Total Posts : 30
 
Posted 12/16/2009 10:29 AM (GMT +3)
*bump* Er Jintan?
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 12/17/2009 2:23 AM (GMT +3)
My apologies for wandering off. I think I did not have this new thread marked for notifications correctly. Better to regroup after the delay with new information, then continue.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Delete the existing copy of ComboFix. Then download the temporarily renamed ComboFix.exe from here to your desktop, then click the renamed KittyFix.exe to run the ComboFix scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. This renamed version is new, so I haven't had a chance to verify if it creates that log, or instead a C:\KittyFix.txt log, so check for either after please.
 

urbane
New Member


Date Joined Nov 2009
Total Posts : 30
 
Posted 12/17/2009 2:16 PM (GMT +3)
Alright, I thought you might have made a breakthrough in the previous thread.

The virus is getting bad now. The computer restarts automatically all the time for no reason too, so I had to untick the automatic restart box on system failure in system recovery. Now I get a lot of "irql not less or equal" blue screen errors rather frequently. OK, here is your ComboFix log:

ComboFix 09-12-16.05 - Owner 12/17/2009 22:05:36.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1663 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\KittyFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-17 09:23 . 2009-12-17 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-12-10 11:53 . 2009-12-10 11:53 -------- d-s---w- c:\documents and settings\Owner\UserData
2009-12-09 11:44 . 2009-12-09 11:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-12-09 02:23 . 2009-12-09 02:23 -------- d-----w- c:\documents and settings\Owner\WINDOWS
2009-12-04 06:50 . 2009-12-04 06:50 -------- d-----w- c:\documents and settings\Owner\dwhelper
2009-12-04 06:46 . 2009-12-04 06:46 -------- d-----w- C:\downloads
2009-12-04 06:46 . 2009-12-04 06:46 -------- d-----w- c:\documents and settings\Owner\Application Data\GrabPro
2009-12-04 06:46 . 2009-12-04 06:50 -------- d-----w- c:\program files\Orbitdownloader
2009-12-04 06:46 . 2009-12-04 06:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Orbit
2009-12-04 04:27 . 2009-12-04 04:27 151040 ----a-w- C:\mbr.exe
2009-12-04 04:25 . 2009-12-04 04:25 -------- d-----w- c:\program files\QuickTime
2009-12-04 04:25 . 2009-12-04 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-04 04:25 . 2009-12-04 04:25 -------- d-----w- c:\program files\Common Files\Apple
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\program files\Apple Software Update
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-11-26 15:30 . 2009-11-28 07:55 40 ----a-w- c:\windows\servcheck.bat
2009-11-25 18:53 . 2009-12-16 05:25 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-25 18:53 . 2009-11-25 18:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-25 18:49 . 2009-12-16 06:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 18:28 . 2009-11-25 18:28 -------- d-----w- c:\program files\Common Files\Skype
2009-11-25 18:28 . 2009-11-25 18:29 -------- d-----r- c:\program files\Skype
2009-11-25 18:27 . 2009-11-25 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-23 17:38 . 2009-12-07 07:27 -------- d-----w- C:\ComboFix
2009-11-22 06:56 . 2009-11-30 20:23 -------- d-----w- c:\program files\trend micro
2009-11-22 06:56 . 2009-11-22 06:56 -------- d-----w- C:\rsit
2009-11-20 21:11 . 2009-12-16 09:11 17169 ----a-w- c:\windows\system32\nvModes.dat
2009-11-20 08:25 . 2009-12-17 11:04 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-11-20 08:24 . 2009-11-20 08:24 -------- d-----w- c:\program files\VideoLAN
2009-11-20 07:16 . 2009-11-20 07:16 -------- d-----w- C:\SamRO
2009-11-20 06:50 . 2009-11-20 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-20 06:50 . 2009-11-20 06:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-20 06:11 . 2009-11-20 06:11 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-11-20 06:10 . 2009-11-20 06:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-20 06:10 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 06:10 . 2009-11-20 06:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 06:10 . 2009-11-20 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 06:10 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 00:17 . 2009-12-05 05:00 -------- d-----w- c:\program files\Winamp
2009-12-05 05:06 . 2009-12-05 05:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Winamp
2009-11-21 20:17 . 2009-12-16 09:43 142714 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-11-21 20:16 . 2009-11-19 05:25 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-20 20:01 . 2009-11-19 14:37 -------- d-----w- c:\program files\Yahoo!
2009-11-20 17:52 . 2009-11-20 17:52 -------- d-----w- c:\program files\Sony Ericsson
2009-11-20 17:52 . 2009-11-20 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-11-20 17:52 . 2009-11-19 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-19 14:45 . 2009-11-19 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-19 14:44 . 2009-11-19 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-19 06:43 . 2009-11-19 06:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2009-11-19 06:35 . 2009-11-19 06:35 12328 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-19 06:32 . 2009-11-19 06:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2009-11-19 06:20 . 2009-11-19 06:20 -------- d-----w- c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_07.24.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 05:00 . 2009-04-28 20:20 96752 c:\windows\system32\vxblock.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 66032 c:\windows\system32\pxinsa64.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 72176 c:\windows\system32\pxhpinst.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 66544 c:\windows\system32\pxcpya64.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 44944 c:\windows\system32\drivers\PxHelp20.sys
+ 2009-12-04 04:25 . 2009-12-04 04:25 27136 c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 9200 c:\windows\system32\drivers\cdralw2k.sys
+ 2009-12-05 05:00 . 2009-04-28 20:20 9072 c:\windows\system32\drivers\cdr4_xp.sys
+ 2009-12-05 05:00 . 2009-04-28 20:20 436720 c:\windows\system32\pxwave.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 219632 c:\windows\system32\pxmas.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 551408 c:\windows\system32\pxdrv.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 129520 c:\windows\system32\pxafs.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 670192 c:\windows\system32\px.dll
+ 2009-11-25 18:29 . 2009-11-25 18:29 794112 c:\windows\Installer\a76b39c.msi
+ 2009-12-04 04:25 . 2009-12-04 04:25 796672 c:\windows\Installer\112ab576.msi
+ 2009-11-25 18:28 . 2009-11-25 18:28 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 1858032 c:\windows\system32\pxsfs.dll
+ 2009-11-25 18:28 . 2009-11-25 18:28 1565696 c:\windows\Installer\a76b395.msi
+ 2009-12-04 04:25 . 2009-12-04 04:25 9473024 c:\windows\Installer\112ab57a.msi
+ 2009-12-04 04:25 . 2009-12-04 04:25 1549312 c:\windows\Installer\112ab56f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5317944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 155648]
"nwiz"="nwiz.exe" [2004-11-14 995328]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-11-01 166400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-11-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-14 4620288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1488208]
"D-Link D-Link Wireless G DWA-110"="c:\program files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe" [2007-05-03 1736704]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 113520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 1009016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 491520]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 107520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\ANIWZCSdS.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"=
"c:\\SamRO\\RO\\VanRO.exe"=
"c:\\Program Files\\D-Link\\D-Link Wireless G DWA-110\\AirGCFG.exe"=
"d:\\My Documents\\VanRO\\RO\\VanRO.exe"=
"c:\\SamRO\\RO\\SamRO.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson PC Suite\\SupServ.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\l0tkxmho.exe"=
"d:\\My Documents\\VanRO\\RO\\VanRO X.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Documents and Settings\\Owner\\Desktop\\RSIT.exe"=
"d:\\Desktop\\games\\emulators\\FB\\finalburn.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\flnipn.sys --> c:\windows\system32\drivers\flnipn.sys [?]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [11/21/2009 4:52 AM 27632]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [11/21/2009 4:52 AM 172032]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [11/21/2009 4:52 AM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [11/21/2009 4:52 AM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [11/21/2009 4:52 AM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [11/21/2009 4:52 AM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [11/21/2009 4:52 AM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [11/21/2009 4:52 AM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [11/21/2009 4:52 AM 109864]
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ra4q4zbh.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-17 22:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2304)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-17 22:09:23
ComboFix-quarantined-files.txt 2009-12-17 11:09
ComboFix2.txt 2009-12-09 02:40
ComboFix3.txt 2009-12-07 07:36
ComboFix4.txt 2009-11-23 17:45
ComboFix5.txt 2009-12-17 11:05

Pre-Run: 56,566,546,432 bytes free
Post-Run: 56,681,168,896 bytes free

- - End Of File - - A2CDB49187D9DF99999193B85F0B6C31

Post Edited (urbane) : 17-12-2009 11:18:07 GMT
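The log above carries the indicators a responder would pull out first: every Security Center override in the Reg Loading Points section is set to 1, the XP firewall's EnableFirewall is 0, and the abp470n5 service entry points at a driver file ComboFix could only mark with [?]. The following is an added example (not part of the thread and not a ComboFix tool) that parses those three kinds of lines out of a constructed excerpt of the posted log and reports them, so the same triage can be repeated on a fresh log after each cleanup step. The finding names and the SEC_CENTER_OVERRIDES set are this example's own assumptions.

```python
import re

# Constructed excerpt: Security Center, firewall-policy and service lines copied
# from the ComboFix log posted above (sample input for this example only).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\flnipn.sys --> c:\windows\system32\drivers\flnipn.sys [?]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [11/21/2009 4:52 AM 27632]
"""

# Security Center values that, when non-zero, suppress Windows' own AV/firewall/update
# warnings. In the posted log all of them are 1; ComboFix only prints non-default entries.
SEC_CENTER_OVERRIDES = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify",
}

SECTION_RE = re.compile(r"^\[(?P<path>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
# ComboFix service lines: "<start type> <name>;<description>;<image path> [stat info]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.*)$")


def triage_combofix(text):
    """Return (kind, item, detail) findings from the Reg Loading Points part of a ComboFix log."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            # ComboFix prints "[?]" instead of a timestamp and size when it cannot stat the
            # service's image file; the abp470n5 -> flnipn.sys line above is the one such entry.
            if svc.group("image").endswith("[?]"):
                findings.append(("service_image_unverified", svc.group("name"), svc.group("image")))
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("path").lower()
            continue
        if "security center" in section:
            m = DWORD_RE.match(line)
            if m and m.group("name") in SEC_CENTER_OVERRIDES and int(m.group("value"), 16):
                findings.append(("security_center_override", m.group("name"), section))
        elif "firewallpolicy" in section:
            m = FIREWALL_RE.match(line)
            if m and m.group("value") == "0":
                findings.append(("firewall_disabled", "EnableFirewall", section))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'security_center_override': 8, ...}."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, item, detail in triage_combofix(SAMPLE_LOG):
        print(f"{kind:26} {item:22} {detail}")
    print(summarize(triage_combofix(SAMPLE_LOG)))
```

Run it against the Reg Loading Points part of each new log; once the overrides stop appearing and no service line ends in [?], the repair has stuck.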

 

jekyll
New Member


Date Joined Dec 2009
Total Posts : 4
 
Posted 12/17/2009 4:33 PM (GMT +3)
PLEASE HELP ME. I HAVE THE SAME PROBLEM:
I can't modify the account, I can't delete files. If I move the files I can't see them, but they are there; the proof is that I tried to copy a file onto the desktop but it disappeared. I copied it again and it asked me if I wanted to rewrite the file. It doesn't read the CD anymore; it tells me that the CD is empty. And many other problems. If anyone could help me...
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 12/18/2009 4:35 AM (GMT +3)
Please do not post in other people's request threads jekyll. You have your own thread, so have patience, and someone will respond there as time permits.


I researched some more on this Win32/Sality infection that is giving the problems there, urbane, and we will need one more piece of information to see if we can get the upper hand.


@ECHO OFF
REM Copy the contents of C:\Windows\system.ini to a text file and open it in Notepad
cd c:\windows
type system.ini > c:\looki.txt
notepad c:\looki.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text (inside the Code box) into the open text box, then save this to your desktop as "3serv.bat"

Be sure to include the "" quotes in the name. Then click on 3serv.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
 

urbane
New Member


Date Joined Nov 2009
Total Posts : 30
 
Posted 12/18/2009 1:26 PM (GMT +3)
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[MCIDRV_VER]
DEVICEMB=11532832482
DEVICEMB=73404633621
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 12/19/2009 2:33 AM (GMT +3)
Good job, and although there are other malware changes let's see if removing what it added to the system.ini file brings some progress there.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Right click My Computer, left click Explore, and use the plus + symbols to navigate to the following highlighted file:

C:\Windows\system.ini

Right click that file and select Open. Then delete these last three entries at the bottom:

[MCIDRV_VER]
DEVICEMB=11532832482
DEVICEMB=73404633621



When you have done that, this is all that should show in the system.ini file:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


Then go to File, and click Save to save the changes you made.

-------------------

Then go back to Device Manager (Start - Run, type devmgmt.msc and press OK). When the Device Manager display opens click View - Show hidden devices.

Then in the list below that click the plus symbol (+) next to the following to expand that list:

Non-Plug and Play Drivers


In that list locate the following item, right click it and select Disable.

abp470n5

Go ahead and allow the computer to reboot to complete disabling that malware service.

----------------------

After the reboot run a new KittyFix scan, as well as a new Gmer scan, and post those logs please.
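The batch file earlier in the thread collects system.ini, and the post above lists exactly what a clean file should contain, so the check reduces to a diff against that baseline. Below is an added example (not from the thread or from any of the tools it mentions) that parses both the clean listing and a constructed copy of the infected file and reports every section or key that is not in the baseline. It keeps duplicate keys and empty sections, which the standard configparser would collapse, because the repeated DEVICEMB lines are the point; and it flags by key rather than by value, so a re-created entry with a different number is still caught. Function names and the CLEAN_BASELINE/INFECTED_SAMPLE constants are this example's own.

```python
# Clean system.ini content exactly as listed in the post above (expected state after the fix).
CLEAN_BASELINE = """\
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
"""

# Constructed copy of the infected file as posted earlier in the thread.
INFECTED_SAMPLE = CLEAN_BASELINE + """\
[MCIDRV_VER]
DEVICEMB=11532832482
DEVICEMB=73404633621
"""


def parse_ini(text):
    """Return (section, key, value) tuples in file order.

    Sections are recorded as (section, None, None) so an empty section still shows up,
    and duplicate keys are kept rather than merged.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            entries.append((section, None, None))
            continue
        key, _, value = line.partition("=")
        entries.append((section, key.strip(), value.strip()))
    return entries


def unexpected_entries(candidate_text, baseline_text=CLEAN_BASELINE):
    """Entries present in the candidate file but absent from the clean baseline."""
    baseline = set(parse_ini(baseline_text))
    return [entry for entry in parse_ini(candidate_text) if entry not in baseline]


def unexpected_sections(candidate_text, baseline_text=CLEAN_BASELINE):
    """Names of sections that hold at least one unexpected entry, in file order."""
    seen = []
    for section, _, _ in unexpected_entries(candidate_text, baseline_text):
        if section not in seen:
            seen.append(section)
    return seen


if __name__ == "__main__":
    for section, key, value in unexpected_entries(INFECTED_SAMPLE):
        print(f"[{section}]" if key is None else f"[{section}] {key}={value}")
```

Point it at a copy of C:\Windows\system.ini (for example the c:\looki.txt produced by the batch file) after each reboot; if [MCIDRV_VER] keeps coming back, the file is being rewritten by something still running, which is why the driver entry has to be disabled as well.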
 

urbane
New Member


Date Joined Nov 2009
Total Posts : 30
 
Posted 12/19/2009 5:14 AM (GMT +3)
It seems to have had no effect... even worse, when I deleted those entries it just remade part of it again:
[MCIDRV_VER]
DEVICEMB=14687357

Each time you ask for a new ComboFix, the virus stops me from running it again, like most other exe applications, so I have to delete and re-download it each time.

Here is ComboFix (KittyFix):

ComboFix 09-12-18.01 - Owner 12/19/2009 12:37:35.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1757 [GMT 11:00]
Running from: c:\documents and settings\Owner\Desktop\KittyFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-17 09:23 . 2009-12-17 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-12-10 11:53 . 2009-12-10 11:53 -------- d-s---w- c:\documents and settings\Owner\UserData
2009-12-09 11:44 . 2009-12-09 11:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-12-09 02:23 . 2009-12-09 02:23 -------- d-----w- c:\documents and settings\Owner\WINDOWS
2009-12-04 06:50 . 2009-12-04 06:50 -------- d-----w- c:\documents and settings\Owner\dwhelper
2009-12-04 06:46 . 2009-12-04 06:46 -------- d-----w- C:\downloads
2009-12-04 06:46 . 2009-12-04 06:46 -------- d-----w- c:\documents and settings\Owner\Application Data\GrabPro
2009-12-04 06:46 . 2009-12-04 06:50 -------- d-----w- c:\program files\Orbitdownloader
2009-12-04 06:46 . 2009-12-04 06:48 -------- d-----w- c:\documents and settings\Owner\Application Data\Orbit
2009-12-04 04:27 . 2009-12-04 04:27 151040 ----a-w- C:\mbr.exe
2009-12-04 04:25 . 2009-12-04 04:25 -------- d-----w- c:\program files\QuickTime
2009-12-04 04:25 . 2009-12-04 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-04 04:25 . 2009-12-04 04:25 -------- d-----w- c:\program files\Common Files\Apple
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\program files\Apple Software Update
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-04 04:24 . 2009-12-04 04:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2009-11-26 15:30 . 2009-11-28 07:55 40 ----a-w- c:\windows\servcheck.bat
2009-11-25 18:53 . 2009-12-16 05:25 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-25 18:53 . 2009-11-25 18:53 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-25 18:49 . 2009-12-16 06:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-25 18:28 . 2009-11-25 18:28 -------- d-----w- c:\program files\Common Files\Skype
2009-11-25 18:28 . 2009-11-25 18:29 -------- d-----r- c:\program files\Skype
2009-11-25 18:27 . 2009-11-25 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-23 17:38 . 2009-12-07 07:27 -------- d-----w- C:\ComboFix
2009-11-22 06:56 . 2009-11-30 20:23 -------- d-----w- c:\program files\trend micro
2009-11-22 06:56 . 2009-11-22 06:56 -------- d-----w- C:\rsit
2009-11-20 21:11 . 2009-12-16 09:11 17169 ----a-w- c:\windows\system32\nvModes.dat
2009-11-20 08:25 . 2009-12-19 00:44 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-11-20 08:24 . 2009-11-20 08:24 -------- d-----w- c:\program files\VideoLAN
2009-11-20 07:16 . 2009-11-20 07:16 -------- d-----w- C:\SamRO
2009-11-20 06:50 . 2009-11-20 07:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-20 06:50 . 2009-11-20 06:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-20 06:11 . 2009-11-20 06:11 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-11-20 06:10 . 2009-11-20 06:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-20 06:10 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 06:10 . 2009-11-20 06:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 06:10 . 2009-11-20 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 06:10 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 00:17 . 2009-12-05 05:00 -------- d-----w- c:\program files\Winamp
2009-12-05 05:06 . 2009-12-05 05:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Winamp
2009-11-21 20:17 . 2009-12-16 09:43 142714 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-11-21 20:16 . 2009-11-19 05:25 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-20 20:01 . 2009-11-19 14:37 -------- d-----w- c:\program files\Yahoo!
2009-11-20 17:52 . 2009-11-20 17:52 -------- d-----w- c:\program files\Sony Ericsson
2009-11-20 17:52 . 2009-11-20 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-11-20 17:52 . 2009-11-19 05:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-19 14:45 . 2009-11-19 14:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-11-19 14:44 . 2009-11-19 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-19 06:43 . 2009-11-19 06:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2009-11-19 06:35 . 2009-11-19 06:35 12328 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-19 06:32 . 2009-11-19 06:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2009-11-19 06:20 . 2009-11-19 06:20 -------- d-----w- c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_07.24.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 05:00 . 2009-04-28 20:20 96752 c:\windows\system32\vxblock.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 66032 c:\windows\system32\pxinsa64.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 72176 c:\windows\system32\pxhpinst.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 66544 c:\windows\system32\pxcpya64.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 44944 c:\windows\system32\drivers\PxHelp20.sys
+ 2009-12-04 04:25 . 2009-12-04 04:25 27136 c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 9200 c:\windows\system32\drivers\cdralw2k.sys
+ 2009-12-05 05:00 . 2009-04-28 20:20 9072 c:\windows\system32\drivers\cdr4_xp.sys
+ 2009-12-05 05:00 . 2009-04-28 20:20 436720 c:\windows\system32\pxwave.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 219632 c:\windows\system32\pxmas.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 551408 c:\windows\system32\pxdrv.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 129520 c:\windows\system32\pxafs.dll
+ 2009-12-05 05:00 . 2009-04-28 20:20 670192 c:\windows\system32\px.dll
+ 2009-11-25 18:29 . 2009-11-25 18:29 794112 c:\windows\Installer\a76b39c.msi
+ 2009-12-04 04:25 . 2009-12-04 04:25 796672 c:\windows\Installer\112ab576.msi
+ 2009-11-25 18:28 . 2009-11-25 18:28 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-12-05 05:00 . 2009-04-28 20:20 1858032 c:\windows\system32\pxsfs.dll
+ 2009-11-25 18:28 . 2009-11-25 18:28 1565696 c:\windows\Installer\a76b395.msi
+ 2009-12-04 04:25 . 2009-12-04 04:25 9473024 c:\windows\Installer\112ab57a.msi
+ 2009-12-04 04:25 . 2009-12-04 04:25 1549312 c:\windows\Installer\112ab56f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5317944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 155648]
"nwiz"="nwiz.exe" [2004-11-14 995328]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-11-01 166400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-11-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-14 4620288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1488208]
"D-Link D-Link Wireless G DWA-110"="c:\program files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe" [2007-05-03 1736704]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 113520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 1009016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 491520]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 107520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\ANIWZCSdS.exe"=
"c:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"=
"c:\\SamRO\\RO\\VanRO.exe"=
"c:\\Program Files\\D-Link\\D-Link Wireless G DWA-110\\AirGCFG.exe"=
"d:\\My Documents\\VanRO\\RO\\VanRO.exe"=
"c:\\SamRO\\RO\\SamRO.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson PC Suite\\SupServ.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\l0tkxmho.exe"=
"d:\\My Documents\\VanRO\\RO\\VanRO X.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Documents and Settings\\Owner\\Desktop\\RSIT.exe"=
"d:\\Desktop\\games\\emulators\\FB\\finalburn.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [11/21/2009 4:52 AM 27632]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [11/21/2009 4:52 AM 172032]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\irnp.sys --> c:\windows\system32\drivers\irnp.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [11/21/2009 4:52 AM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [11/21/2009 4:52 AM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [11/21/2009 4:52 AM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [11/21/2009 4:52 AM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [11/21/2009 4:52 AM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [11/21/2009 4:52 AM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [11/21/2009 4:52 AM 109864]
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ra4q4zbh.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-19 12:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2072)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-19 12:42:38
ComboFix-quarantined-files.txt 2009-12-19 01:42
ComboFix2.txt 2009-12-17 11:09
ComboFix3.txt 2009-12-09 02:40
ComboFix4.txt 2009-12-07 07:36
ComboFix5.txt 2009-12-19 01:37

Pre-Run: 55,857,942,528 bytes free
Post-Run: 55,830,396,928 bytes free

- - End Of File - - FFFEE6F864DE3A6F606E167623453DB0




Here is GMER:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-19 13:09:06
Windows 5.1.2600 Service Pack 2
Running: l0tkxmho.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxtdipow.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

---- EOF - GMER 1.0.15 ----
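
The "Reg Loading Points" section of the ComboFix log above carries the state a responder reads first: every Security Center override and notification-suppression value is set to 1, EnableFirewall is 0 for the standard profile, and the firewall exception list includes programs outside Program Files and the Windows directory. The following is an added example, not code from the post, the helper or ComboFix, that parses that section and reports those three conditions. SAMPLE_LOG is an excerpt of the posted section with the exception list trimmed to a few entries; the key and value names are the ones ComboFix prints.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not code from the post, from the helper
or from ComboFix. SAMPLE_LOG is an excerpt of the section posted above
(the AuthorizedApplications list is trimmed to a few entries).
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\SamRO\\RO\\VanRO.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\l0tkxmho.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>.+?)"\s*=\s*(?P<value>.*)$')

# Locations a firewall exception normally points at on XP; anything else
# (Desktop, Temp, a game folder on D:) is worth identifying.
TRUSTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows", "c:\\program files")


def parse_reg_points(text):
    """Return {registry key: [(value name, value data), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["key"]
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m["name"], m["value"].strip()))
    return sections


def as_int(value):
    """ComboFix prints DWORDs as 'dword:00000001' or as '0 (0x0)'."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^-?\d+", value)
    return int(m.group()) if m else None


def triage(sections):
    """Return (kind, key, detail) for settings that hide or disable the
    host's own protections."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if "security center" in k:
            for name, value in values:
                if name.endswith(("Override", "DisableNotify")) and as_int(value) == 1:
                    findings.append(("security-center-suppressed", key, name))
        elif k.endswith("firewallpolicy\\standardprofile"):
            for name, value in values:
                if name == "EnableFirewall" and as_int(value) == 0:
                    findings.append(("firewall-disabled", key, name))
        elif k.endswith("authorizedapplications\\list"):
            for name, _ in values:
                path = name.replace("\\\\", "\\").lower()  # undo REGEDIT4 escaping
                if not path.startswith(TRUSTED_PREFIXES):
                    findings.append(("firewall-exception-outside-system-dirs", key, path))
    return findings


if __name__ == "__main__":
    for kind, key, detail in triage(parse_reg_points(SAMPLE_LOG)):
        print(f"{kind:40} {detail}")
```

The Override values tell the XP Security Center to treat the corresponding protection as handled (third-party products set them legitimately) and the DisableNotify values silence its warnings; set all at once next to EnableFirewall=0 they mean the machine will not tell the user that nothing is protecting it, whoever set them. The exception-list check only says "identify this program": the Desktop entry l0tkxmho.exe, for instance, is the randomly named GMER executable the poster ran (the GMER log's own "Running:" line names it), and the entries under c:\SamRO and d:\My Documents in the full posted list would be reported the same way.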
 

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 12/19/2009 7:03 AM (GMT +3)
There should be some malware drivers, but neither Gmer nor ComboFix is showing these. There are also altered system files that we will have to replace, or the situation won't improve. But the scans are just not capturing the data to work from. A plus is that the changes you were able to make to the system.ini file had an effect, as the known malware device driver is showing as not running this time.


Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

:filefind
cmd.exe
ctfmon.exe
mmc.exe
taskmgr.exe


Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.

-------------------

Go here and download reglooks.exe to your Desktop. Double-click on it to run it and, when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.

urbane
New Member
Date Joined Nov 2009
Total Posts : 30
Posted 12/22/2009 9:53 AM (GMT +3)
System look:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:49 on 22/12/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "cmd.exe"
C:\WINDOWS\system32\cmd.exe --a--- 388608 bytes [12:00 04/08/2004] [12:00 04/08/2004] EEB024F2C81F0D55936FB825D21A91D6
C:\WINDOWS\system32\dllcache\cmd.exe --a--c 388608 bytes [12:00 04/08/2004] [12:00 04/08/2004] EEB024F2C81F0D55936FB825D21A91D6

Searching for "ctfmon.exe"
C:\WINDOWS\ERDNT\cache\ctfmon.exe --a--- 15360 bytes [07:24 23/11/2009] [12:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\WINDOWS\system32\ctfmon.exe ------ 15360 bytes [12:00 04/08/2004] [12:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8
C:\WINDOWS\system32\dllcache\ctfmon.exe --a--c 15360 bytes [12:00 04/08/2004] [12:00 04/08/2004] 24232996A38C0B0CF151C2140AE29FC8

Searching for "mmc.exe"
C:\WINDOWS\system32\dllcache\mmc.exe --a--c 815104 bytes [12:00 04/08/2004] [12:00 04/08/2004] 808A9C735682FA8F23747F7E3E765C3B
C:\WINDOWS\system32\mmc.exe --a--- 815104 bytes [12:00 04/08/2004] [12:00 04/08/2004] 808A9C735682FA8F23747F7E3E765C3B

Searching for "taskmgr.exe"
C:\WINDOWS\system32\dllcache\taskmgr.exe --a--c 135680 bytes [12:00 04/08/2004] [12:00 04/08/2004] FC160ACE21C81837692B339D230DD4BE
C:\WINDOWS\system32\taskmgr.exe --a--- 135680 bytes [12:00 04/08/2004] [12:00 04/08/2004] FC160ACE21C81837692B339D230DD4BE

-=End Of File=-


Reglooks:

REGLOOKS logfile - version 0.983
Scan started: Tue 12/22/2009 17:50:05.32

--- INFORMATION ---

Manufacturer: NVIDIA - Model: AWRDACPI
Operating System: Microsoft Windows XP Home Edition -- 5.1.2600 -- Service Pack 2 --
Processor: AMD Athlon(tm) 64 Processor 3500+

Work Station
Bootmode: Normal boot
Total RAM: 2047 MB (free 1626 MB - 79%)

Computername: TYLER
Domain: MSHOME
User: Owner (Administrator account)

Bootdevice: \Device\HarddiskVolume1
Systemdrive: C:
Windowsdirectory: C:\WINDOWS
Systemdirectory: C:\WINDOWS\system32

Internet Explorer Version: 6.0.2900.2180




--- SIGCHECK ---

C:\WINDOWS\explorer.exe -- [1032192] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\appmgmts.dll NOT found
C:\WINDOWS\system32\browser.dll -- [77312] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\comres.dll -- [792064] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\comctl32.dll -- [611328] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\cryptsvc.dll -- [60416] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\es.dll -- [243200] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\eventlog.dll -- [55808] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\ias.dll NOT found
C:\WINDOWS\system32\imm32.dll -- [110080] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\kernel32.dll -- [983552] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\linkinfo.dll -- [18944] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\lpk.dll -- [22016] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\lsass.exe -- [13312] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\mfc40u.dll -- [924432] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\msgsvc.dll -- [33792] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\mshtml.dll -- [3003392] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\mspmsnsv.dll -- [27136] -- [10/18/2006 09:47 PM] -- sigcheck OK
C:\WINDOWS\system32\mswsock.dll -- [245248] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\netlogon.dll -- [407040] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\netman.dll -- [198144] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\ntkrnlpa.exe -- [2056832] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\ntmssvc.dll -- [435200] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\ntoskrnl.exe -- [2180992] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\pchsvc.dll NOT found
C:\WINDOWS\system32\powrprof.dll -- [17408] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\qmgr.dll -- [382464] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\rasauto.dll -- [89088] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\regsvc.dll -- [59904] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\rpcss.dll -- [395776] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\scecli.dll -- [180224] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\schedsvc.dll -- [190976] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\services.exe -- [108032] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\sfc.dll -- [5120] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\sfcfiles.dll -- [1580544] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\spoolsv.exe -- [57856] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\srsvc.dll -- [170496] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\ssdpsrv.dll -- [71680] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\svchost.exe -- [14336] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\tapisrv.dll -- [246272] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\termsrv.dll -- [295424] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\upnphost.dll -- [185344] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\user32.dll -- [577024] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\userinit.exe -- [24576] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\wininet.dll -- [656384] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\winlogon.exe -- [502272] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\ws2_32.dll -- [82944] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\wscntfy.exe -- [13824] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\wuauclt.exe -- [111104] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\xmlprov.dll -- [129536] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\acpiec.sys -- [11648] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\aec.sys -- [142464] -- [08/03/2004 10:39 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\asyncmac.sys -- [14336] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\beep.sys -- [4224] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\ip6fw.sys -- [29056] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\kbdclass.sys -- [24576] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\ndis.sys -- [182912] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\ntfs.sys -- [574592] -- [08/04/2004 11:00 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\tcpip.sys -- [359040] -- [08/04/2004 11:00 PM] -- sigcheck OK


--- SSODL regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -- File: %Systemroot%\system32\webcheck.dll -- [?]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" -- File: %systemroot%\system32\stobject.dll -- [?]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -- File: C:\WINDOWS\system32\WPDShServiceObj.dll -- [133632] -- [10/18/2006 09:47 PM]


--- STS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" -- File: %SystemRoot%\system32\browseui.dll -- [?]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" -- File: %SystemRoot%\system32\browseui.dll -- [?]


--- USERINIT regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
File: C:\WINDOWS\system32\userinit.exe -- [24576] -- [08/04/2004 11:00 PM]


--- SHELL regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
File: C:\WINDOWS\Explorer.exe -- [1032192] -- [08/04/2004 11:00 PM]


--- SYSTEM regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


--- APPINIT_DLLS regkey ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
no AppInit_DLLs regkey found


--- NOTIFY regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
-- File: C:\WINDOWS\system32\crypt32.dll -- [597504] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
-- File: C:\WINDOWS\system32\cryptnet.dll -- [63488] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
-- File: C:\WINDOWS\system32\cscdll.dll -- [101888] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
-- File: C:\WINDOWS\system32\sclgntfy.dll -- [20992] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
-- File: C:\WINDOWS\system32\WlNotify.dll -- [92672] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 11:00 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [08/04/2004 11:00 PM]


--- RUN / LOAD regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
no run / load keys found


--- SHELLEXECUTEHOOKS regkey ---

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" -- File: shell32.dll -- [?]


--- HKLM AUTORUN regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKCU AUTORUN regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKLM\RUN regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan" -- File: SOUNDMAN.EXE -- [?]
"nwiz" -- File: nwiz.exe /installquiet -- [?]
"NVRaidService" -- File C:\WINDOWS\system32\nvraidservice.exe -- [166400] -- [11/02/2004 09:55 AM]
"NvMediaCenter" -- File: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit -- [?]
"NvCplDaemon" -- File: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup -- [?]
"Malwarebytes Anti-Malware (reboot)" -- File: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript -- [?]
"D-Link D-Link Wireless G DWA-110" -- File: C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe -- [?]
"ANIWZCS2Service" -- File C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe -- [131072] -- [01/19/2007 11:49 AM]
"Adobe Reader Speed Launcher" -- File "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" -- [113520] -- [10/03/2009 04:08 AM]
"Adobe ARM" -- File "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" -- [1009016] -- [09/04/2009 12:08 PM]
"QuickTime Task" -- File: "C:\Program Files\QuickTime\QTTask.exe" -atboottime -- [?]
"WinampAgent" -- File "C:\Program Files\Winamp\winampa.exe" -- [107520] -- [07/02/2009 03:37 AM]


--- HKLM\RUNONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKLM\RUNONCEEX regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
no runonceex values found


--- HKLM\RUNSERVICES regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
no runservices values found


--- HKLM\RUNSERVICESONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found


--- HKCU\RUN regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)" -- File: "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet -- [?]


--- HKCU\RUNONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKCU\RUNONCEEX regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
key not found


--- HKCU\RUNSERVICES regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
no runservices values found


--- HKCU\RUNSERVICESONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found


--- HKU\.DEFAULT\Run regkeys - Default user ---

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
key not found


--- HKU\S-1-5-20\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
key not found


--- HKLM\Explorer\Run regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found


--- HKCU\Explorer\Run regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found


--- Image File Execution regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
-- CLSID not found
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
-- File: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll -- [75128] -- [02/27/2009 01:07 PM]


--- TOOLBAR regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
no toolbars found


--- HKLM\URLSEARCHHOOKS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]
no urlsearchhooks found


--- HKCU\URLSEARCHHOOKS regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -- File: %SystemRoot%\system32\shdocvw.dll -- [?]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} -- CLSID not found


--- SRCEENSAVER regkey ---

[HKEY_CURRENT_USER\Control Panel\Desktop]
scrnsave.exe value not found


--- ALTERNATESHELL regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
no AlternateShell value found


--- SECURITYPROVIDERS regkey ---

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
File: C:\WINDOWS\system32\msapsspc.dll -- [86016] -- [08/04/2004 11:00 PM]
File: C:\WINDOWS\system32\schannel.dll -- [144896] -- [08/04/2004 11:00 PM]
File: C:\WINDOWS\system32\digest.dll -- [68608] -- [08/04/2004 11:00 PM]
File: C:\WINDOWS\system32\msnsspc.dll -- [290816] -- [08/04/2004 11:00 PM]


--- Active Setup\Installed Components regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
-- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
-- File: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
-- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
-- File: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
-- File: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
-- File: %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
-- File: regsvr32.exe /s /n /i:U shell32.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: %SystemRoot%\system32\ie4uinit.exe -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: %SystemRoot%\system32\ie4uinit.exe -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]
-- filepath not found


--- Services regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5]
-- File: \??\C:\WINDOWS\system32\drivers\jljnk.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp480n5]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adpu160m]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec]
-- File: system32\drivers\aec.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78u2]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78xx]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ANIO]
-- File: \??\C:\WINDOWS\system32\ANIO.SYS -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ANIWZCSdService]
-- File: C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- [126976] -- [01/19/2007 11:49 AM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3350p]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
-- File: system32\DRIVERS\atapi.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\audstub]
-- File: system32\DRIVERS\audstub.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omgmt]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
-- File: system32\DRIVERS\i8042prt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetaccs]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ini910u]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irda]
-- File: system32\DRIVERS\irda.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irsir]
-- File: system32\DRIVERS\irsir.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\isapnp]
-- File: system32\DRIVERS\isapnp.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npkcrypt]
-- File: \??\C:\Documents and Settings\Owner\Desktop\RO\npkcrypt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394]
-- File: system32\DRIVERS\ohci1394.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OMSI download service]
-- File: C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- [172032] -- [04/30/2009 12:23 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s1018bus]
-- File: system32\DRIVERS\s1018bus.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s1018mdfl]
-- File: system32\DRIVERS\s1018mdfl.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s1018mgmt]
-- File: system32\DRIVERS\s1018mgmt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s1018nd5]
-- File: system32\DRIVERS\s1018nd5.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s1018obex]
-- File: system32\DRIVERS\s1018obex.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s1018unic]
-- File: system32\DRIVERS\s1018unic.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seehcri]
-- File: system32\DRIVERS\seehcri.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ultra]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
-- File: %SystemRoot%\system32\svchost.exe -k LocalService -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbehci]
-- File: system32\DRIVERS\usbehci.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub]
-- File: system32\DRIVERS\usbhub.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbohci]
-- File: system32\DRIVERS\usbohci.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor]
-- File: system32\DRIVERS\USBSTOR.SYS -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yukonwxp]
-- File: system32\DRIVERS\yk51x86.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{0A088315-C8DE-4EEF-B02E-065DB21B2E51}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{472CA9A7-544B-4C06-B16E-6AE35D88C7EC}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{977F7CC0-6ED7-4D79-B0D1-7DD3D9727859}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{E4B884A5-4CB7-4B70-B230-39FD9A24852E}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{F5600E9E-F754-4AEE-81D3-68BA1E3AFE09}]
-- filepath not found


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
no unknown services found


--- SAFEBOOT Network SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
no unknown services found


--- BOOTEXECUTE regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"= autocheck autochk *\0\0


--- PENDINGFILERENAMEOPERATIONS regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"= \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\FlashPlayerUpdate.exe\0\0\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\~nsu.tmp\Au_.exe\0\0\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\nsm3.tmp\NSISArray.dll\0\0\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\nsm3.tmp\\0\0\0


--- WOW-CMDLINE regkeys ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"cmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- NETSVCS regkey ---

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
0WmdmPmSN


--- DNS SERVER regkeys ---

no "NameServer" values found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


--- STARTUP FOLDERS ---

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini -- [84] -- [11/19/2009 04:26 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini -- [84] -- [11/19/2009 04:26 PM]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [11/19/2009 04:26 PM]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [11/19/2009 04:26 PM]


--- TASK SCHEDULER JOBS ---

C:\WINDOWS\tasks\AppleSoftwareUpdate.job -- [284] -- [12/16/2009 10:44 PM]


Scan completed: Tue 12/22/2009 17:50:30.60
FINISHED

urbane
New Member
Date Joined Nov 2009
Total Posts : 30
Posted 12/22/2009 2:24 PM (GMT +3)
My computer is really starting to get bad. Constant crashes, blue screens:
"A thread tried to release a resource it did not own"

Definitely sounds driver related... has this virus got us beat? We can't seem to beat it.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 12/23/2009 3:08 AM (GMT +3)
Well, a big issue is that this malware variant is a file infector, so it has likely loaded its code into some files there, and we are not aware of which files. See if you can run a scan that might "heal" the files.


Download Dr.Web CureIt! from here to your Desktop.

Doubleclick the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.

Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen (if only one drive you will not be shown these options). Click the green arrow > to the right and the scan will begin. At the first sign of infection, select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.

Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.

Close Cureit and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later but for now, just close the popup and wait for the scan to finish).

Please post the log in this thread.

urbane
New Member
Date Joined Nov 2009
Total Posts : 30
Posted 1/4/2010 7:41 AM (GMT +3)
Sorry, the virus gave me browser problems, so I could not post in this forum till now.

I reformatted my computer again... the virus just came back over and over. So I decided to reformat my computer one more time and straight away I downloaded Norton Anti-virus gaming edition. The anti-virus seems to have killed the virus on a full system scan; my entire computer is normal again. All exe applications work, I can use all my drives without worry, my computer does not auto switch off and error to blue screen like before, and I have admin powers again.

The main thing I see inside quarantine is a high-risk threat called W32.Sality.AE; I think it is the name of the virus I had.

I can run a combo fix or something for you so you can check if my computer is all in the clear.

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/4/2010 8:13 PM (GMT +3)
Aside from a fairly infrequent MBR infector, if you had infection after a reformat, that suggests infection was returned to the system, perhaps through using the same infected flash drive before and after the reformat, or saving infected files then returning them after. For now let's just take a look - please run and post back new RSIT and Gmer logs.
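As an added example, not from this thread or from any tool Jintan names, here is a small Python triage pass over lines in the HijackThis-style format of the log posted later in the thread. It flags the entries a helper checks first: browser helper objects whose DLL is gone, Run-key autostarts that give only a bare file name or launch from a user-writable directory, and services with no recorded owner. The sample lines are taken from this thread's log except the `[updater]` entry, which is constructed.

```python
import re
from typing import List, Tuple

# Sample input: lines taken from the HijackThis log posted in this thread,
# plus one constructed O4 entry ([updater]) so the user-writable-path rule
# has something to match. The constructed line is not from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\update.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
"""

# HijackThis line shapes handled here: O2 = browser helper object, O4 = Run-key
# autostart, O23 = service. Name groups are non-greedy so " - " separators bind.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Drive-letter, %VAR%-rooted or UNC paths count as fully qualified.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%\w+%\\|\\\\)")
# Locations an ordinary user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|DOCUME~1|Documents and Settings)\\", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (rule, severity, detail)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Finding]:
    """Apply the checks to every recognised line and collect the findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            # BHO still registered but its DLL is gone: a dead entry left behind
            # by an uninstall or a cleanup; the registry key can be removed.
            if m["path"] == "(no file)":
                findings.append(("orphan-bho", "cleanup", m["clsid"]))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            if not QUALIFIED_RE.match(exe):
                # Bare file name: Windows resolves it through the search path,
                # so confirm which file on disk actually loads.
                findings.append(("unqualified-path", "verify", f"{m['name']}: {exe}"))
            elif USER_WRITABLE_RE.search(exe):
                findings.append(("user-writable-path", "suspicious", f"{m['name']}: {exe}"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"].lower() == "unknown owner":
            # No publisher recorded for the service binary: check its signature.
            findings.append(("unknown-owner", "verify", f"{m['name']}: {m['path']}"))
    return findings


if __name__ == "__main__":
    for rule, severity, detail in triage(SAMPLE_LOG):
        print(f"[{severity:10}] {rule:18} {detail}")
```

The unqualified-path rule is deliberately noisy (it also fires on the legitimate SoundMan, nwiz and RUNDLL32 entries); it marks what to confirm on disk, not what to delete.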
 

urbane
New Member
Date Joined Nov 2009
Total Posts : 30
Posted 1/5/2010 10:07 PM (GMT +3)
Well, I have 3 drives; I don't format 1 as I need one as a backup. The virus, I think, was staying in that.

I disconnected the backup drive, formatted everything, installed antivirus, then reconnected that drive and scanned it. Many viruses were in it, mainly that W32.Sality.AE.

Here are the logs:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Tyler Williams at 2010-01-05 23:30:11
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 60 GB (78%) free of 76 GB
Total RAM: 2047 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:19 PM, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PingFu Iris\PingFu.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tyler Williams\Desktop\RSIT.exe
C:\Program Files\trend micro\Tyler Williams.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link D-Link Wireless G DWA-110] C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262694367562
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6908 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL [2009-08-22 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-11-15 77824]
"NVRaidService"=C:\WINDOWS\system32\nvraidservice.exe [2004-11-02 84480]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-12-10 7311360]
"nwiz"=nwiz.exe /install []
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [2007-01-19 49152]
"D-Link D-Link Wireless G DWA-110"=C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe [2007-05-04 1662976]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-12-10 86016]
"NSWosCheck"=C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe [2008-09-25 160112]
"NswUiTray"=C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe [2008-09-25 85360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"Messenger (Yahoo!)"=C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe [2009-11-10 5244216]
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2009-09-24 434176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymEFA.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2010-01-03 13:34:24 ----D---- C:\WINDOWS\EHome
2010-01-03 13:31:36 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2010-01-03 13:30:57 ----A---- C:\WINDOWS\system32\wpa.bak
2010-01-03 06:18:13 ----N---- C:\WINDOWS\system32\xpsp3res.dll
2010-01-03 06:18:12 ----A---- C:\WINDOWS\system32\xmllite.dll
2010-01-03 06:18:11 ----N---- C:\WINDOWS\system32\wmphoto.dll
2010-01-03 06:18:10 ----N---- C:\WINDOWS\system32\wlanapi.dll
2010-01-03 06:18:10 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2010-01-03 06:18:10 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2010-01-03 06:18:09 ----N---- C:\WINDOWS\system32\verclsid.exe
2010-01-03 06:18:08 ----N---- C:\WINDOWS\system32\tzchange.exe
2010-01-03 06:18:08 ----N---- C:\WINDOWS\system32\tspkg.dll
2010-01-03 06:18:08 ----N---- C:\WINDOWS\system32\tsgqec.dll
2010-01-03 06:18:07 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2010-01-03 06:18:07 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2010-01-03 06:18:05 ----N---- C:\WINDOWS\system32\slserv.exe
2010-01-03 06:18:05 ----N---- C:\WINDOWS\system32\slrundll.exe
2010-01-03 06:18:05 ----N---- C:\WINDOWS\system32\slgen.dll
2010-01-03 06:18:05 ----N---- C:\WINDOWS\system32\slextspk.dll
2010-01-03 06:18:05 ----N---- C:\WINDOWS\system32\slcoinst.dll
2010-01-03 06:18:05 ----N---- C:\WINDOWS\slrundll.exe
2010-01-03 06:18:04 ----N---- C:\WINDOWS\system32\setupn.exe
2010-01-03 06:18:04 ----N---- C:\WINDOWS\system32\s3gnb.dll
2010-01-03 06:18:04 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2010-01-03 06:18:03 ----N---- C:\WINDOWS\system32\rasqec.dll
2010-01-03 06:18:03 ----N---- C:\WINDOWS\system32\qutil.dll
2010-01-03 06:18:03 ----N---- C:\WINDOWS\system32\qcliprov.dll
2010-01-03 06:18:03 ----N---- C:\WINDOWS\system32\qagentrt.dll
2010-01-03 06:18:03 ----N---- C:\WINDOWS\system32\qagent.dll
2010-01-03 06:18:03 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2010-01-03 06:18:02 ----N---- C:\WINDOWS\system32\onex.dll
2010-01-03 06:18:00 ----N---- C:\WINDOWS\system32\napstat.exe
2010-01-03 06:18:00 ----N---- C:\WINDOWS\system32\napmontr.dll
2010-01-03 06:18:00 ----N---- C:\WINDOWS\system32\napipsec.dll
2010-01-03 06:18:00 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2010-01-03 06:18:00 ----N---- C:\WINDOWS\system32\msxml6r.dll
2010-01-03 06:17:59 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2010-01-03 06:17:59 ----N---- C:\WINDOWS\system32\mssha.dll
2010-01-03 06:17:59 ----A---- C:\WINDOWS\system32\msxml6.dll
2010-01-03 06:17:55 ----N---- C:\WINDOWS\system32\mmcperf.exe
2010-01-03 06:17:55 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2010-01-03 06:17:55 ----N---- C:\WINDOWS\system32\mmcex.dll
2010-01-03 06:17:55 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2010-01-03 06:17:55 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2010-01-03 06:17:52 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2010-01-03 06:17:52 ----N---- C:\WINDOWS\system32\kmsvc.dll
2010-01-03 06:17:52 ----N---- C:\WINDOWS\system32\kbdpash.dll
2010-01-03 06:17:52 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2010-01-03 06:17:52 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2010-01-03 06:17:52 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2010-01-03 06:17:51 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\faxpatch.exe
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eapsvc.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eapqec.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eappprxy.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eapphost.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eappgnui.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eappcfg.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\eapolqec.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\dot3ui.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\dot3svc.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\dot3msm.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2010-01-03 06:17:50 ----N---- C:\WINDOWS\system32\dot3api.dll
2010-01-03 06:17:50 ----A---- C:\WINDOWS\002582_.tmp
2010-01-03 06:17:49 ----N---- C:\WINDOWS\system32\dimsroam.dll
2010-01-03 06:17:49 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2010-01-03 06:17:49 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2010-01-03 06:17:49 ----N---- C:\WINDOWS\system32\credssp.dll
2010-01-03 06:17:48 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2010-01-03 06:17:48 ----N---- C:\WINDOWS\system32\azroles.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\ati3duag.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2010-01-03 06:17:47 ----N---- C:\WINDOWS\system32\aaclient.dll
2010-01-03 06:05:43 ----D---- C:\Documents and Settings\Tyler Williams\Application Data\Macromedia
2010-01-03 06:05:41 ----D---- C:\Documents and Settings\Tyler Williams\Application Data\Adobe
2010-01-03 05:48:48 ----D---- C:\NVIDIA
2010-01-03 05:46:35 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2010-01-03 05:33:26 ----D---- C:\WINDOWS\system32\PreInstall
2010-01-03 05:33:26 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2010-01-03 05:33:25 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2010-01-03 05:33:25 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-03 05:33:11 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2010-01-03 05:21:31 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\wnicapi.dll
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\WlanApp.dll
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\odSupp_M.dll
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\JJAKEn.dll
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\AQCKGen.dll
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\ANIWZCS2.dll
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\ANICtl.dll
2010-01-03 05:18:55 ----A---- C:\WINDOWS\system32\aIPH.dll
2010-01-03 05:18:42 ----D---- C:\Program Files\ANI
2010-01-03 05:18:42 ----A---- C:\WINDOWS\system32\ANIOApi.dll
2010-01-03 05:18:27 ----D---- C:\Program Files\D-Link
2010-01-03 05:18:07 ----D---- C:\Documents and Settings\Tyler Williams\Application Data\InstallShield
2010-01-03 05:16:44 ----D---- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2010-01-03 05:16:31 ----SHD---- C:\RECYCLER
2010-01-03 05:12:46 ----D---- C:\WINDOWS\nview
2010-01-03 05:12:45 ----A---- C:\WINDOWS\system32\nvudisp.exe
2010-01-03 05:12:41 ----A---- C:\WINDOWS\system32\nwiz.exe
2010-01-03 05:12:41 ----A---- C:\WINDOWS\system32\nvwimg.dll
2010-01-03 05:12:41 ----A---- C:\WINDOWS\system32\nvwdmcpl.dll
2010-01-03 05:12:41 ----A---- C:\WINDOWS\system32\nvwddi.dll
2010-01-03 05:12:40 ----A---- C:\WINDOWS\system32\nvsvc32.exe
2010-01-03 05:12:40 ----A---- C:\WINDOWS\system32\nvoglnt.dll
2010-01-03 05:12:40 ----A---- C:\WINDOWS\system32\nvnt4cpl.dll
2010-01-03 05:12:40 ----A---- C:\WINDOWS\system32\nvcodins.dll
2010-01-03 05:12:40 ----A---- C:\WINDOWS\system32\nvcod.dll
2010-01-03 05:12:39 ----A---- C:\WINDOWS\system32\nvshell.dll
2010-01-03 05:12:39 ----A---- C:\WINDOWS\system32\nvdspsch.exe
2010-01-03 05:12:39 ----A---- C:\WINDOWS\system32\nvappbar.exe
2010-01-03 05:12:38 ----A---- C:\WINDOWS\system32\nview.dll
2010-01-03 05:12:38 ----A---- C:\WINDOWS\system32\nv4_disp.dll
2010-01-03 05:12:37 ----A---- C:\WINDOWS\system32\nvmctray.dll
2010-01-03 05:12:37 ----A---- C:\WINDOWS\system32\keystone.exe
2010-01-03 05:12:36 ----A---- C:\WINDOWS\system32\nvcpl.dll
2010-01-03 05:12:31 ----D---- C:\WINDOWS\system32\WinFast
2010-01-03 05:11:45 ----D---- C:\WINDOWS\system32\WinFox
2010-01-03 05:09:16 ----RA---- C:\WINDOWS\system32\NvSataConnectionzht.dll
2010-01-03 05:09:16 ----RA---- C:\WINDOWS\system32\NvRaidWizardzht.dll
2010-01-03 05:09:16 ----A---- C:\WINDOWS\system32\nvuide.exe
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvSataConnectionzhc.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvSataConnectiontr.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvSataConnectionth.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvSataConnectionsv.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidzht.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidzhc.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidWizardzhc.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidWizardtr.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidWizardth.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidWizardsv.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidtr.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidth.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidSvzht.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidSvzhc.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidSvtr.dll
2010-01-03 05:09:15 ----RA---- C:\WINDOWS\system32\NvRaidSvth.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvSataConnectionsl.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvSataConnectionsk.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvSataConnectionru.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvSataConnectionptb.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidWizardsl.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidWizardsk.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidWizardru.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidSvsv.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidSvsl.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidSvsk.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidSvru.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidsv.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidsl.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidsk.dll
2010-01-03 05:09:14 ----RA---- C:\WINDOWS\system32\NvRaidru.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvSataConnectionpt.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvSataConnectionpl.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvSataConnectionno.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidWizardptb.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidWizardpt.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidWizardpl.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidSvptb.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidSvpt.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidSvpl.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidptb.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidpt.dll
2010-01-03 05:09:13 ----RA---- C:\WINDOWS\system32\NvRaidpl.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvSataConnectionnl.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvSataConnectionko.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvSataConnectionja.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidWizardno.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidWizardnl.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidWizardko.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidWizardja.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidSvno.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidSvnl.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidSvko.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidSvja.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidno.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidnl.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidko.dll
2010-01-03 05:09:12 ----RA---- C:\WINDOWS\system32\NvRaidja.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvSataConnectionit.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvSataConnectionhu.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvSataConnectionhe.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvSataConnectionfr.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidWizardit.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidWizardhu.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidWizardhe.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidWizardfr.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidSvit.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidSvhu.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidSvhe.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidSvfr.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidit.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidhu.dll
2010-01-03 05:09:11 ----RA---- C:\WINDOWS\system32\NvRaidhe.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvSataConnectionfi.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvSataConnectiones.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvSataConnectioneng.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvSataConnectionel.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidWizardfi.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidWizardes.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidWizardeng.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidSvfi.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidSves.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidSveng.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidfr.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaidfi.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaides.dll
2010-01-03 05:09:10 ----RA---- C:\WINDOWS\system32\NvRaideng.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvSataConnectionde.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvSataConnectionda.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvSataConnectioncs.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidWizardel.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidWizardde.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidWizardda.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidWizardcs.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidSvel.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidSvde.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidSvda.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidSvcs.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidel.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidde.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidda.dll
2010-01-03 05:09:09 ----RA---- C:\WINDOWS\system32\NvRaidcs.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvSataConnectionEnu.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvSataConnectionar.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\nvsataconnection.exe
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvRaidWizardEnu.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvRaidWizardar.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvRaidSvEnu.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvRaidSvar.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\nvraidservice.exe
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvRaidMan.exe
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvRaidEnu.dll
2010-01-03 05:09:08 ----RA---- C:\WINDOWS\system32\NvRaidar.dll
2010-01-03 05:09:07 ----RA---- C:\WINDOWS\system32\NvRaidWizard.dll
2010-01-03 05:09:01 ----RA---- C:\WINDOWS\system32\nvraidco.dll
2010-01-03 05:09:01 ----A---- C:\WINDOWS\system32\nvraiins.dll
2010-01-03 05:08:56 ----RA---- C:\WINDOWS\system32\idecoi.dll
2010-01-03 05:07:21 ----A---- C:\WINDOWS\system32\ksuser.dll
2010-01-03 05:07:18 ----D---- C:\Program Files\Realtek Sound Manager
2010-01-03 05:07:14 ----N---- C:\WINDOWS\avrack.ini
2010-01-03 05:07:14 ----D---- C:\Program Files\AvRack
2010-01-03 05:07:09 ----N---- C:\WINDOWS\system32\ChCfg.exe
2010-01-03 05:07:09 ----A---- C:\WINDOWS\system32\RTLCPAPI.dll
2010-01-03 05:07:09 ----A---- C:\WINDOWS\SOUNDMAN.EXE
2010-01-03 05:07:04 ----A---- C:\WINDOWS\system32\RTLCPL.EXE
2010-01-03 05:06:55 ----N---- C:\WINDOWS\alcupd.exe
2010-01-03 05:06:54 ----N---- C:\WINDOWS\alcrmv.exe
2010-01-03 05:06:54 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-03 05:04:24 ----RA---- C:\WINDOWS\system32\fdco1ins.dll
2010-01-03 05:04:24 ----RA---- C:\WINDOWS\system32\fdco1.dll
2010-01-03 05:04:22 ----A---- C:\WINDOWS\system32\nvunrm.exe
2010-01-03 05:04:21 ----RA---- C:\WINDOWS\system32\nvconrm.dll
2010-01-03 05:04:21 ----RA---- C:\WINDOWS\system32\bdco1ins.dll
2010-01-03 05:04:21 ----RA---- C:\WINDOWS\system32\bdco1.dll
2010-01-03 05:04:20 ----A---- C:\WINDOWS\system32\nvusmb.exe
2010-01-03 05:04:20 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2010-01-03 05:04:10 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-01-03 05:04:03 ----D---- C:\Program Files\Common Files\InstallShield
2010-01-03 05:02:24 ----D---- C:\Documents and Settings\Tyler Williams\Application Data\Identities
2010-01-03 05:02:23 ----HD---- C:\Program Files\Uninstall Information
2010-01-03 05:02:18 ----SD---- C:\Documents and Settings\Tyler Williams\Application Data\Microsoft
2010-01-03 05:02:18 ----ASH---- C:\Documents and Settings\Tyler Williams\Application Data\desktop.ini
2010-01-03 05:01:45 ----D---- C:\WINDOWS\SoftwareDistribution
2010-01-03 05:01:43 ----SD---- C:\WINDOWS\system32\Microsoft
2010-01-03 05:01:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-03 04:58:01 ----D---- C:\WINDOWS\system32\xircom
2010-01-03 04:58:01 ----D---- C:\Program Files\xerox
2010-01-03 04:58:01 ----D---- C:\Program Files\microsoft frontpage
2010-01-03 04:57:53 ----A---- C:\WINDOWS\control.ini
2010-01-03 04:57:53 ----A---- C:\AUTOEXEC.BAT
2010-01-03 04:57:39 ----A---- C:\WINDOWS\OEWABLog.txt
2010-01-03 04:57:35 ----A---- C:\WINDOWS\system32\mapi32.dll
2010-01-03 04:56:59 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-03 04:56:59 ----RD---- C:\WINDOWS\Offline Web Pages
2010-01-03 04:56:59 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2010-01-03 04:56:55 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2010-01-03 04:56:51 ----HD---- C:\Program Files\WindowsUpdate
2010-01-03 04:56:31 ----D---- C:\WINDOWS\system32\DirectX
2010-01-03 04:56:08 ----A---- C:\WINDOWS\system32\atrace.dll
2010-01-03 04:56:05 ----A---- C:\WINDOWS\system32\desktop.ini
2010-01-03 04:56:05 ----A---- C:\WINDOWS\desktop.ini
2010-01-03 04:55:57 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2010-01-03 04:55:55 ----D---- C:\Program Files\Common Files\Services
2010-01-03 04:55:55 ----A---- C:\WINDOWS\system32\acctres.dll
2010-01-03 04:55:51 ----SD---- C:\WINDOWS\Tasks
2010-01-03 04:55:51 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2010-01-03 04:55:50 ----D---- C:\Program Files\Common Files\MSSoap
2010-01-03 04:55:46 ----D---- C:\WINDOWS\srchasst
2010-01-03 04:55:45 ----D---- C:\WINDOWS\system32\Macromed
2010-01-03 04:55:41 ----A---- C:\WINDOWS\system32\wuweb.dll
2010-01-03 04:55:41 ----A---- C:\WINDOWS\system32\wups.dll
2010-01-03 04:55:41 ----A---- C:\WINDOWS\system32\wucltui.dll
2010-01-03 04:55:41 ----A---- C:\WINDOWS\system32\wuauserv.dll
2010-01-03 04:55:41 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2010-01-03 04:55:41 ----A---- C:\WINDOWS\system32\wuaueng.dll
2010-01-03 04:55:41 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2010-01-03 04:55:40 ----A---- C:\WINDOWS\system32\wuauclt.exe
2010-01-03 04:55:40 ----A---- C:\WINDOWS\system32\wuapi.dll
2010-01-03 04:55:40 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2010-01-03 04:55:40 ----A---- C:\WINDOWS\system32\qmgr.dll
2010-01-03 04:55:40 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2010-01-03 04:55:40 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2010-01-03 04:55:36 ----D---- C:\Program Files\Movie Maker
2010-01-03 04:55:31 ----A---- C:\WINDOWS\system32\safrslv.dll
2010-01-03 04:55:31 ----A---- C:\WINDOWS\system32\safrdm.dll
2010-01-03 04:55:31 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2010-01-03 04:55:31 ----A---- C:\WINDOWS\system32\racpldlg.dll
2010-01-03 04:55:27 ----D---- C:\WINDOWS\system32\Restore
2010-01-03 04:55:27 ----A---- C:\WINDOWS\system32\srrstr.dll
2010-01-03 04:55:27 ----A---- C:\WINDOWS\system32\fltmc.exe
2010-01-03 04:55:27 ----A---- C:\WINDOWS\system32\fltlib.dll
2010-01-03 04:55:26 ----A---- C:\WINDOWS\system32\srsvc.dll
2010-01-03 04:55:26 ----A---- C:\WINDOWS\system32\srclient.dll
2010-01-03 04:55:26 ----A---- C:\WINDOWS\system32\ils.dll
2010-01-03 04:55:25 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2010-01-03 04:55:25 ----A---- C:\WINDOWS\system32\msconf.dll
2010-01-03 04:55:25 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2010-01-03 04:55:25 ----A---- C:\WINDOWS\system32\mnmdd.dll
2010-01-03 04:55:25 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2010-01-03 04:55:22 ----D---- C:\Program Files\NetMeeting
2010-01-03 04:55:22 ----A---- C:\WINDOWS\system32\msoert2.dll
2010-01-03 04:55:21 ----A---- C:\WINDOWS\system32\msoeacct.dll
2010-01-03 04:55:20 ----A---- C:\WINDOWS\system32\inetres.dll
2010-01-03 04:55:20 ----A---- C:\WINDOWS\system32\inetcomm.dll
2010-01-03 04:55:18 ----D---- C:\Program Files\Outlook Express
2010-01-03 04:55:18 ----A---- C:\WINDOWS\system32\schedsvc.dll
2010-01-03 04:55:18 ----A---- C:\WINDOWS\system32\mstinit.exe
2010-01-03 04:55:17 ----A---- C:\WINDOWS\system32\mstask.dll
2010-01-03 04:55:17 ----A---- C:\WINDOWS\system32\isign32.dll
2010-01-03 04:55:17 ----A---- C:\WINDOWS\system32\icwphbk.dll
2010-01-03 04:55:17 ----A---- C:\WINDOWS\system32\icwdial.dll
2010-01-03 04:55:16 ----A---- C:\WINDOWS\system32\inetcfg.dll
2010-01-03 04:55:10 ----D---- C:\Program Files\Common Files\System
2010-01-03 04:55:09 ----D---- C:\Program Files\Internet Explorer
2010-01-03 04:54:57 ----D---- C:\Program Files\ComPlus Applications
2010-01-03 04:54:55 ----A---- C:\WINDOWS\vbaddin.ini
2010-01-03 04:54:55 ----A---- C:\WINDOWS\vb.ini
2010-01-03 04:54:50 ----D---- C:\WINDOWS\Registration
2010-01-03 04:54:28 ----D---- C:\Program Files\Online Services
2010-01-03 04:54:27 ----D---- C:\Program Files\Windows Media Player
2010-01-03 04:54:23 ----D---- C:\Program Files\Messenger
2010-01-03 04:54:19 ----D---- C:\Program Files\MSN Gaming Zone
2010-01-03 04:54:19 ----A---- C:\WINDOWS\system32\write.exe
2010-01-03 04:54:08 ----A---- C:\WINDOWS\system32\sndvol32.exe
2010-01-03 04:54:08 ----A---- C:\WINDOWS\system32\hticons.dll
2010-01-03 04:54:08 ----A---- C:\WINDOWS\system32\avwav.dll
2010-01-03 04:54:08 ----A---- C:\WINDOWS\system32\avmeter.dll
2010-01-03 04:54:07 ----A---- C:\WINDOWS\system32\winchat.exe
2010-01-03 04:54:07 ----A---- C:\WINDOWS\system32\avtapi.dll
2010-01-03 04:53:59 ----A---- C:\WINDOWS\system32\getuname.dll
2010-01-03 04:53:58 ----A---- C:\WINDOWS\system32\sol.exe
2010-01-03 04:53:58 ----A---- C:\WINDOWS\system32\charmap.exe
2010-01-03 04:53:58 ----A---- C:\WINDOWS\system32\calc.exe
2010-01-03 04:53:57 ----A---- C:\WINDOWS\system32\winmine.exe
2010-01-03 04:53:57 ----A---- C:\WINDOWS\system32\reset.exe
2010-01-03 04:53:57 ----A---- C:\WINDOWS\system32\mshearts.exe
2010-01-03 04:53:57 ----A---- C:\WINDOWS\system32\freecell.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\tslabels.ini
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\tskill.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\tscon.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\shadow.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\rwinsta.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\regini.exe
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2010-01-03 04:53:56 ----A---- C:\WINDOWS\system32\qwinsta.exe
2010-01-03 04:53:55 ----A---- C:\WINDOWS\system32\qappsrv.exe
2010-01-03 04:53:55 ----A---- C:\WINDOWS\system32\msg.exe
2010-01-03 04:53:55 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2010-01-03 04:53:55 ----A---- C:\WINDOWS\system32\logoff.exe
2010-01-03 04:53:55 ----A---- C:\WINDOWS\system32\cdmodem.dll
2010-01-03 04:53:54 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2010-01-03 04:53:54 ----A---- C:\WINDOWS\system32\mtxex.dll
2010-01-03 04:53:54 ----A---- C:\WINDOWS\system32\mtxdm.dll
2010-01-03 04:53:54 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2010-01-03 04:53:53 ----A---- C:\WINDOWS\system32\comrepl.dll
2010-01-03 04:53:53 ----A---- C:\WINDOWS\system32\comaddin.dll
2010-01-03 04:53:52 ----A---- C:\WINDOWS\system32\stclient.dll
2010-01-03 04:53:52 ----A---- C:\WINDOWS\system32\comsnap.dll
2010-01-03 04:53:47 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2010-01-03 04:53:38 ----D---- C:\Program Files\MSN
2010-01-03 04:53:37 ----A---- C:\WINDOWS\system32\accwiz.exe
2010-01-03 04:53:36 ----A---- C:\WINDOWS\system32\sndrec32.exe
2010-01-03 04:53:36 ----A---- C:\WINDOWS\system32\mplay32.exe
2010-01-03 04:53:36 ----A---- C:\WINDOWS\system32\hypertrm.dll
2010-01-03 04:53:35 ----D---- C:\Program Files\Windows NT
2010-01-03 04:53:35 ----A---- C:\WINDOWS\system32\spider.exe
2010-01-03 04:53:35 ----A---- C:\WINDOWS\system32\mspaint.exe
2010-01-03 04:53:35 ----A---- C:\WINDOWS\system32\clipbrd.exe
2010-01-03 04:53:34 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2010-01-03 04:53:34 ----A---- C:\WINDOWS\system32\mstscax.dll
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\tscupgrd.exe
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\termsrv.dll
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\sessmgr.exe
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\remotepg.dll
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\rdshost.exe
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\rdchost.dll
2010-01-03 04:53:33 ----A---- C:\WINDOWS\system32\mstsc.exe
2010-01-03 04:53:32 ----D---- C:\WINDOWS\system32\MsDtc
2010-01-03 04:53:32 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2010-01-03 04:53:32 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2010-01-03 04:53:32 ----A---- C:\WINDOWS\system32\rdpclip.exe
2010-01-03 04:53:32 ----A---- C:\WINDOWS\system32\qprocess.exe
2010-01-03 04:53:32 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2010-01-03 04:53:32 ----A---- C:\WINDOWS\system32\icaapi.dll
2010-01-03 04:53:32 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2010-01-03 04:53:31 ----A---- C:\WINDOWS\system32\mtxoci.dll
2010-01-03 04:53:31 ----A---- C:\WINDOWS\system32\msdtctm.dll
2010-01-03 04:53:31 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2010-01-03 04:53:30 ----A---- C:\WINDOWS\system32\xolehlp.dll
2010-01-03 04:53:30 ----A---- C:\WINDOWS\system32\msdtclog.dll
2010-01-03 04:53:30 ----A---- C:\WINDOWS\system32\msdtc.exe
2010-01-03 04:53:29 ----D---- C:\WINDOWS\system32\Com
2010-01-03 04:53:29 ----A---- C:\WINDOWS\system32\colbact.dll
2010-01-03 04:53:29 ----A---- C:\WINDOWS\system32\clbcatex.dll
2010-01-03 04:53:29 ----A---- C:\WINDOWS\system32\catsrvut.dll
2010-01-03 04:53:29 ----A---- C:\WINDOWS\system32\catsrvps.dll
2010-01-03 04:53:29 ----A---- C:\WINDOWS\system32\catsrv.dll
2010-01-03 04:53:28 ----A---- C:\WINDOWS\system32\comuid.dll
2010-01-03 04:53:28 ----A---- C:\WINDOWS\system32\comsvcs.dll
2010-01-03 04:53:27 ----A---- C:\WINDOWS\system32\clbcatq.dll
2010-01-03 04:53:22 ----A---- C:\WINDOWS\system32\servdeps.dll
2010-01-03 04:53:22 ----A---- C:\WINDOWS\system32\mmfutil.dll
2010-01-03 04:53:22 ----A---- C:\WINDOWS\system32\licwmi.dll
2010-01-03 04:53:21 ----A---- C:\WINDOWS\system32\cmprops.dll

======List of files/folders modified in the last 1 months======

2010-01-04 00:26:04 ----A---- C:\WINDOWS\win.ini
2010-01-03 15:49:03 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BHDrvx86;Symantec Heuristics Driver; C:\WINDOWS\System32\Drivers\NAV\1007020.00B\BHDrvx86.sys [2009-08-22 259632]
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\System32\Drivers\NAV\1007020.00B\ccHPx86.sys [2010-01-03 482432]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091230.004\IDSxpx86.sys []
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\system32\drivers\NAV\1007020.00B\SRTSPX.SYS [2009-08-22 43696]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\WINDOWS\System32\Drivers\NAV\1007020.00B\SYMTDI.SYS [2009-08-22 217136]
R2 ANIO;ANIO Service; \??\C:\WINDOWS\system32\ANIO.SYS []
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-08-05 54752]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-14 88192]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-11-17 2297664]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-18 18688]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100104.022\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100104.022\NAVEX15.SYS []
R3 NetHook_ControlCenter;ArtOfPing ControlCenter; \??\C:\Program Files\PingFu Iris\ControlCenter.sys []
R3 NetHook_Interceptor;ArtOfPing TDI Interceptor; \??\C:\Program Files\PingFu Iris\Interceptor.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 NPDriver;Norton UnErase Protection Driver; \??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS []
R3 npkcrypt;npkcrypt; \??\D:\RO\npkcrypt.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-12-10 3536768]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2004-10-20 33280]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2004-10-20 12928]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-18 19584]
R3 RT73;D-Link USB Wireless LAN Card Driver; C:\WINDOWS\system32\DRIVERS\Dr71WU.sys [2006-12-21 429440]
R3 seehcri;Sony Ericsson seehcri Device Driver; C:\WINDOWS\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
R3 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\NAV\1007020.00B\SRTSP.SYS [2009-08-22 308272]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\NAV\1007020.00B\SYMFW.SYS [2009-08-22 89904]
R3 SYMIDS;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\NAV\1007020.00B\SYMIDS.SYS [2009-08-22 33072]
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2009-08-22 36400]
R3 SYMNDIS;Symantec Network Filter Driver; C:\WINDOWS\System32\Drivers\NAV\1007020.00B\SYMNDIS.SYS [2009-08-22 36400]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2004-10-27 223104]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM); C:\WINDOWS\system32\DRIVERS\s1018bus.sys [2009-03-25 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s1018mdfl.sys [2009-03-25 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s1018mdm.sys [2009-03-25 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s1018mgmt.sys [2009-03-25 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS); C:\WINDOWS\system32\DRIVERS\s1018nd5.sys [2009-03-25 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s1018obex.sys [2009-03-25 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM); C:\WINDOWS\system32\DRIVERS\s1018unic.sys [2009-03-25 109864]
S3 SDdriver;SDdriver; \??\C:\WINDOWS\system32\Drivers\sddriver.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2009-08-22 36400]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2008-08-02 238968]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 Norton AntiVirus;Norton AntiVirus; C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe [2009-08-22 117640]
R2 NProtectService;Norton UnErase Protection; C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE [2008-09-25 95600]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-12-10 131139]
R2 OMSI download service;Sony Ericsson OMSI download service; C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 Speed Disk service;Speed Disk service; C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE [2008-09-25 181680]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-10 602392]
S2 ANIWZCSdService;ANIWZCSd Service; C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [2007-01-19 49152]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 fsssvc;Windows Live Family Safety Service; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2008-08-02 3220856]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-06 00:06:37
Windows 5.1.2600 Service Pack 3
Running: mdz0ny5p.exe; Driver: C:\DOCUME~1\TYLERW~1\LOCALS~1\Temp\kxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT 89FEE748 ZwAlertResumeThread
SSDT 89FF6368 ZwAlertThread
SSDT 89A128A0 ZwAllocateVirtualMemory
SSDT 89FD60C0 ZwAssignProcessToJobObject
SSDT 89CB9728 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB4317130]
SSDT 89A42928 ZwCreateMutant
SSDT 89AA3858 ZwCreateSymbolicLinkObject
SSDT 8A0FD1F0 ZwCreateThread
SSDT 89FD6BC0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB43173B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB4317910]
SSDT 89A137C8 ZwDuplicateObject
SSDT 89A0F928 ZwFreeVirtualMemory
SSDT 89FE84F8 ZwImpersonateAnonymousToken
SSDT 89FE85D0 ZwImpersonateThread
SSDT 89FD5540 ZwLoadDriver
SSDT 8A0ED650 ZwMapViewOfSection
SSDT 89FE2738 ZwOpenEvent
SSDT 89A13968 ZwOpenProcess
SSDT 8A0148B8 ZwOpenProcessToken
SSDT 89FD9720 ZwOpenSection
SSDT 89A13898 ZwOpenThread
SSDT 89AA3928 ZwProtectVirtualMemory
SSDT 8A103008 ZwResumeThread
SSDT 8A00E658 ZwSetContextThread
SSDT 89A0D970 ZwSetInformationProcess
SSDT 89FD8C08 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB4317B60]
SSDT 89FDC8A8 ZwSuspendProcess
SSDT 89FF66A0 ZwSuspendThread
SSDT 8A0332B0 ZwTerminateProcess
SSDT 8A00C6B0 ZwTerminateThread
SSDT 89B7D2A0 ZwUnmapViewOfSection
SSDT 89A127D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB906A360, 0x20598D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] ntdll.dll!RtlValidateUnicodeString + 554 7C9163BE 10 Bytes JMP 046F003A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] ole32.dll!OleInitialize + E37 77500521 7 Bytes JMP 046F0275
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] ole32.dll!CoImpersonateClient + 51 775156C0 7 Bytes JMP 046F032B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5560] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Interceptor.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Interceptor.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Interceptor.sys
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp Interceptor.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\streamlock.dat 0 bytes
File C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmpeaa.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Downloads\1262693972jtun_streamset.zip 805 bytes
File C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Lue\Downloads\streaming 0 bytes
File C:\WINDOWS\SoftwareDistribution\Download\Install 0 bytes

---- EOF - GMER 1.0.15 ----

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 1428
Posted 1/6/2010 3:37 AM (GMT +3)
Not seeing any malware, though one unknown file that needs checking. Let's do that, as well as scan for Sality or other infected files there.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Then just go here, press New Topic, fill in the needed details and give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the Browse button, navigate to and select the following file on your computer.

C:\Documents and Settings\All Users\Application Data\hpe1767.dll <----

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

Then, for now, locate that file and Rename it to hpe1767.bad

----------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple of minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.
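As an added illustration (not part of Jintan's post, and not GMER's own code), the Python script below parses GMER-style SSDT, inline-hook, IAT and AttachedDevice lines and separates the hooks GMER attributed to a named module from the entries it could not attribute: bare kernel addresses in the SSDT, a JMP into memory backed by no module (like the 046F003A target in IEXPLORE.EXE above), and attached devices with no version information. The sample lines are constructed by copying representative lines from the log above; the regular expressions are written for the GMER 1.0.15 text layout as it appears here and are an assumption for other versions. Unattributed entries are the ones to check by hand (which driver or process owns that address), not a malware verdict by themselves, since security suites and third-party network tools hook the same places, as the Symantec and PingFu entries in this log show.

```python
"""Triage a GMER rootkit-scan log (added example, not GMER's own tooling).

Hook lines that GMER attributed to a module are counted per owner; the
ones it could not attribute are collected for manual checking.
"""
import re
from collections import Counter

HEX = r"[0-9A-Fa-f]{8}"

# Line layouts as printed by GMER 1.0.15 in the log above (assumed stable).
RE_SSDT_ADDR = re.compile(rf"^SSDT (?P<addr>{HEX}) (?P<func>Zw\w+)$")
RE_SSDT_MOD = re.compile(
    r"^SSDT (?P<owner>.+?) \((?P<vendor>[^)]+)\) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
RE_TEXT = re.compile(
    rf"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+)"
    rf"(?: \+ (?P<off>[0-9A-Fa-f]+))? (?P<addr>{HEX}) (?P<n>\d+) Bytes JMP (?P<target>{HEX})"
    r"(?: (?P<owner>.+?) \((?P<vendor>[^)]+)\))?$")
RE_IAT = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<importer>\S+) \[(?P<module>[^!]+)!(?P<func>[^\]]+)\]"
    r" \[(?P<target>[0-9A-Fa-f]+)\] (?P<owner>.+?)(?: \((?P<vendor>[^)]+)\))?$")
RE_DEV = re.compile(
    r"^AttachedDevice (?P<stack>\S+) (?P<device>\S+) (?P<driver>\S+)(?: \((?P<vendor>[^)]+)\))?$")

# Constructed sample: representative lines copied from the GMER log in this thread.
SAMPLE_GMER_LOG = r"""
SSDT 89FEE748 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB4317130]
SSDT 89FD5540 ZwLoadDriver
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] ntdll.dll!RtlValidateUnicodeString + 554 7C9163BE 10 Bytes JMP 046F003A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5508] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
AttachedDevice \Driver\Tcpip \Device\Tcp Interceptor.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""


def _basename(path):
    """Last path component of a Win32 or \\??\\ NT path."""
    return path.rsplit("\\", 1)[-1]


def classify(line):
    """Return (kind, owner, detail) for one hook line, or None for any other line.

    owner is None when GMER printed no module (or no version info) for the hook,
    i.e. the entry could not be attributed and deserves a manual look.
    """
    line = line.rstrip()
    if m := RE_SSDT_MOD.match(line):
        return "ssdt", _basename(m["owner"]), m["func"]
    if m := RE_SSDT_ADDR.match(line):
        # Bare address: GMER found no loaded module containing the handler.
        return "ssdt", None, f"{m['func']} -> {m['addr']}"
    if m := RE_TEXT.match(line):
        owner = _basename(m["owner"]) if m["owner"] else None
        return "inline", owner, f"{m['module']}!{m['func']} in PID {m['pid']} JMP {m['target']}"
    if m := RE_IAT.match(line):
        return "iat", _basename(m["owner"]), f"{m['module']}!{m['func']} in PID {m['pid']}"
    if m := RE_DEV.match(line):
        # A filter driver with no version string is flagged for a manual check.
        owner = m["driver"] if m["vendor"] else None
        return "device", owner, f"{m['driver']} on {m['device']}"
    return None  # section headers, EOF markers, kernel code sections, etc.


def triage(log_text):
    """Count attributed hooks per owning module; list the unattributed ones."""
    attributed = Counter()
    to_check = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, owner, detail = hit
        if owner is None:
            to_check.append(f"{kind}: {detail}")
        else:
            attributed[owner] += 1
    return attributed, to_check


if __name__ == "__main__":
    owners, unattributed = triage(SAMPLE_GMER_LOG)
    print("Hooks attributed to a named module:")
    for owner, count in owners.most_common():
        print(f"  {count:3d}  {owner}")
    print("Entries to check by hand (no owning module printed):")
    for entry in unattributed:
        print(f"  {entry}")
```

Feed it the whole GMER log (for example `triage(open("gmer.log").read())`); the attributed side then reads as a quick inventory of which products are hooking the system, and the unattributed side is the short list to resolve against the driver list in the same report or against a kernel debugger, before deciding anything is malicious.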