Malware

Please review my HJ log and other logs

Sat, 24 Jul 2010 03:43:45 +0200

I have an older PC that I am reviving and it has been abused. I have cleaned it up as much as I can but am concerned that it is still infected. It was behaving very slow, now better but still not optimum. Items found and eventually cleaned were Win32/Viking.JB and Win32/Emerleox.gen!A.
One sign of a possible problem is that my View settings in Windows Explorer keep re-setting to default. I like to un-hide known file extensions but they keep re-hiding.

Below are my log files. Please let me know if you need more info.
Thanks

HIJACKTHIS LOGFILE:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:24 PM, on 7/16/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WIN98\System32\smss.exe
C:\WIN98\system32\winlogon.exe
C:\WIN98\system32\services.exe
C:\WIN98\system32\lsass.exe
C:\WIN98\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WIN98\SYSTEM32\acs.exe
C:\WIN98\system32\svchost.exe
C:\WIN98\Explorer.EXE
C:\WIN98\system32\msiexec.exe
C:\WIN98\system32\svchost.exe
C:\WIN98\system32\wuauclt.exe
C:\WIN98\system32\CTHELPER.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WIN98\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WIN98\System32\svchost.exe
C:\WIN98\system32\wuauclt.exe
F:\Ad-AwareInstall.exe
F:\HijackThis.exe
c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WIN98\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1279162089461
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WIN98\SYSTEM32\acs.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

--
End of file - 3593 bytes

MBAM LOG FILE:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4317

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

7/15/2010 11:19:54 PM
mbam-log-2010-07-15 (23-19-54).txt

Scan type: Quick scan
Objects scanned: 132455
Time elapsed: 1 hour(s), 31 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\GameSetup.exe (Worm.Fujacks) -> Quarantined and deleted successfully.

My comment - I have apparently cleaned up these findins with MBAM, Lavasoft Ad-Aware and Microsoft Security Essentials. new logfile is clean.

OTL.TXT:
OTL logfile created on: 7/19/2010 10:50:03 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

512.00 Mb Total Physical Memory | 180.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WIN98 | %ProgramFiles% = C:\Program Files
Drive C: | 111.76 Gb Total Space | 96.43 Gb Free Space | 86.29% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 960.32 Mb Total Space | 698.29 Mb Free Space | 72.71% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUE
Current User Name: S
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/15 21:24:50 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/07/12 03:55:40 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/07/12 03:55:40 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/05/22 09:28:48 | 000,571,904 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2004/12/17 10:55:26 | 007,708,672 | ---- | M] () -- C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
PRC - [2004/12/01 21:44:00 | 000,036,864 | ---- | M] () -- C:\WIN98\SYSTEM32\acs.exe
PRC - [2004/08/04 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WIN98\explorer.exe
PRC - [2002/07/02 17:56:00 | 000,024,576 | ---- | M] (Creative Technology Ltd) -- C:\WIN98\SYSTEM32\CTHELPER.EXE

========== Modules (SafeList) ==========

EXTRAS.TXT:
OTL Extras logfile created on: 7/19/2010 10:50:04 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = F:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy

512.00 Mb Total Physical Memory | 180.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WIN98 | %ProgramFiles% = C:\Program Files
Drive C: | 111.76 Gb Total Space | 96.43 Gb Free Space | 86.29% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 960.32 Mb Total Space | 698.29 Mb Free Space | 72.71% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUE
Current User Name: S
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1128224247\EE\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1128224247\EE\aolsoftware.exe:*:Enabled:AOL Services -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1128224247\EE\aim6.exe" = C:\Program Files\Common Files\AOL\1128224247\EE\aim6.exe:*:Enabled:AIM -- (America Online, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CB41017-F5CA-4C56-934C-ED02156251E6}" = iTunes
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}" = Sound Blaster Live! Web 2K/XP
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0.5
"{AC76BA86-7AD7-5464-3428-7E8A450000A7}" = Spelling Dictionaries For Adobe Reader Package
"{CA0A1E54-CE0F-4366-B09C-A87B61DC5633}" = Symantec Network Drivers Update
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FC321AD2-48B4-4013-B997-A65D5FBBD006}" = NETGEAR Wireless Adapter WG311T
"Ad-Aware" = Ad-Aware
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{FC321AD2-48B4-4013-B997-A65D5FBBD006}" = NETGEAR Wireless Adapter WG311T
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft Security Essentials" = Microsoft Security Essentials
"Need For Speed III" = Need For Speed III
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 6.0" = RealPlayer
"Shockwaveflash" = Macromedia Flash Player 8
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/17/2010 5:57:20 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:26 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:34 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:41 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:49 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:56 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:58:04 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:58:12 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:58:21 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 10:56:14 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 2.1.6805.0,
P5 mpsigdwn.dll, P6 2.1.6805.0, P7 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P8 NIL, P9 NIL, P10 NIL.

[ Application Events ]
Error - 7/17/2010 5:57:20 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:26 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:34 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:41 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:49 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:57:56 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:58:04 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:58:12 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 5:58:21 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/17/2010 10:56:14 PM | Computer Name = SUE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 2.1.6805.0,
P5 mpsigdwn.dll, P6 2.1.6805.0, P7 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 7/18/2010 2:03:38 PM | Computer Name = SUE | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
7.0\Reader\AcroRd32Info.exe" /PDFShell -Embedding

Error - 7/18/2010 2:03:38 PM | Computer Name = SUE | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Acrobat
7.0\Reader\AcroRd32Info.exe" /PDFShell -Embedding

Error - 7/18/2010 3:01:22 PM | Computer Name = SUE | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 7/19/2010 9:42:44 PM | Computer Name = SUE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 7/19/2010 9:43:44 PM | Computer Name = SUE | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x800f0102: Security Update for Windows XP (KB923561).

Error - 7/19/2010 9:43:44 PM | Computer Name = SUE | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070002: Security Update for Windows XP (KB958644).

Error - 7/19/2010 9:43:44 PM | Computer Name = SUE | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070002: Security Update for Windows XP (KB958470).

Error - 7/19/2010 9:49:38 PM | Computer Name = SUE | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 7/19/2010 9:49:38 PM | Computer Name = SUE | Source = Service Control Manager | ID = 7034
Description = The Atheros Configuration Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/19/2010 9:49:51 PM | Computer Name = SUE | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

< End of report >

ROOTER.TXT:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 2
[32_bits] - x86 Family 6 Model 7 Stepping 3, GenuineIntel
.
Error OpenService (wscsvc) : 1060
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
A:\ [Removable]
C:\ [Fixed-FAT32] .. ( Total:111 Go - Free:96 Go )
D:\ [Removable]
E:\ [CD_Rom]
F:\ [Removable]
.
Scan : 23:05.03
Path : F:\Rooter.exe
User : S ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (276)
______ \??\C:\WIN98\system32\csrss.exe (336)
______ \??\C:\WIN98\system32\winlogon.exe (360)
______ C:\WIN98\system32\services.exe (404)
______ C:\WIN98\system32\lsass.exe (416)
______ C:\WIN98\system32\svchost.exe (576)
______ C:\WIN98\system32\svchost.exe (640)
______ c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (680)
______ C:\WIN98\SYSTEM32\acs.exe (780)
______ C:\WIN98\system32\svchost.exe (836)
______ C:\WIN98\system32\svchost.exe (876)
______ C:\WIN98\system32\svchost.exe (964)
______ C:\WIN98\Explorer.EXE (1100)
______ C:\WIN98\system32\svchost.exe (1400)
______ C:\WIN98\system32\CTHELPER.EXE (1424)
______ C:\Program Files\Microsoft Security Essentials\msseces.exe (1440)
______ C:\WIN98\system32\ctfmon.exe (1448)
______ C:\Program Files\NETGEAR\WG311T\wlancfg5.exe (1480)
______ C:\WIN98\system32\svchost.exe (1792)
______ C:\WIN98\system32\wdfmgr.exe (1848)
______ C:\WIN98\System32\alg.exe (724)
______ C:\WIN98\System32\svchost.exe (2056)
______ C:\WIN98\system32\wuauclt.exe (2392)
______ C:\WIN98\system32\taskmgr.exe (2592)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (3792)
______ C:\WIN98\system32\wbem\unsecapp.exe (3896)
______ C:\WIN98\system32\wbem\wmiprvse.exe (3960)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (452)
______ F:\Rooter.exe (1752)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:120031478784)
.
----------------------\\ Scheduled Tasks
.
C:\WIN98\Tasks\DESKTOP.INI
C:\WIN98\Tasks\SA.DAT
C:\WIN98\Tasks\Tune-up Application Start.job
C:\WIN98\Tasks\Desktop_.ini
C:\WIN98\Tasks\MpIdleTask.job
C:\WIN98\Tasks\MP Scheduled Scan.job
C:\WIN98\Tasks\Ad-Aware Update (Weekly).job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 23:05.06
.
C:\Rooter$\Rooter_1.txt - (19/07/2010 | 23:05.06)

LOCKSEARC>TXT:
LockSearch by jpshortstuff (05.11.09.1)
Log created at 23:08 on 19/07/2010 (S)
Scanning C:\

C:\hiberfil.sys
-------------------------

C:\pagefile.sys
-------------------------

-=E.O.F=-

CKFILES.TXT:
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

CKFILES.TXT:
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

WVCHECK.EXE:
My comment - program opens and runs but does not open Notepad and no apparent log file generated!

ARK.TXT:
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

Looks like I've been hit again

Sat, 24 Jul 2010 05:35:44 +0200

Well, I followed the directions in the "Before you post" thread and am still having problems.

So here are the logs.

And now the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4346

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/25/2010 2:49:41 PM
mbam-log-2010-07-25 (14-49-41).txt

Scan type: Quick scan
Objects scanned: 127948
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The Rooter log:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 10 Stepping 0, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.6.7 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:70 Go - Free:44 Go )
D:\ [Fixed-FAT32] .. ( Total:3 Go - Free:1 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
J:\ [Removable]
K:\ [Fixed-FAT32] .. ( Total:149 Go - Free:72 Go )
.
Scan : 19:06.29
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (560)
______ \??\C:\WINDOWS\system32\csrss.exe (608)
______ \??\C:\WINDOWS\system32\winlogon.exe (632)
______ C:\WINDOWS\system32\services.exe (680)
______ C:\WINDOWS\system32\lsass.exe (692)
______ C:\WINDOWS\system32\Ati2evxx.exe (856)
______ C:\WINDOWS\system32\svchost.exe (876)
______ C:\WINDOWS\system32\svchost.exe (984)
______ C:\WINDOWS\System32\svchost.exe (1084)
______ C:\WINDOWS\system32\svchost.exe (1196)
______ C:\WINDOWS\system32\svchost.exe (1360)
______ C:\WINDOWS\system32\Ati2evxx.exe (1428)
______ C:\WINDOWS\Explorer.EXE (1516)
______ C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (1656)
______ C:\WINDOWS\system32\LEXBCES.EXE (1960)
______ C:\WINDOWS\system32\spoolsv.exe (1996)
______ C:\WINDOWS\system32\LEXPPS.EXE (2044)
______ C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (1040)
______ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (1048)
______ C:\Program Files\Digital Media Reader\shwiconem.exe (1060)
______ C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe (1192)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1160)
______ C:\Program Files\Freecorder\FLVSrvc.exe (1328)
______ C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe (968)
______ C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe (1468)
______ C:\Program Files\AWS\WeatherBug\Weather.exe (1888)
______ C:\WINDOWS\system32\svchost.exe (224)
______ C:\WINDOWS\system32\ctfmon.exe (228)
______ C:\WINDOWS\system32\rundll32.exe (448)
______ C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe (2100)
______ C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (2468)
______ C:\WINDOWS\system32\svchost.exe (2596)
______ C:\Program Files\Viewpoint\Common\ViewpointService.exe (2632)
______ C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe (3412)
______ C:\WINDOWS\System32\alg.exe (3628)
______ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (3924)
______ C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe (1296)
______ C:\Program Files\Mozilla Firefox\firefox.exe (280)
______ C:\WINDOWS\notepad.exe (2788)
______ C:\WINDOWS\notepad.exe (4020)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (2368)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:3989260800 | Length:76034488320)
\Device\Harddisk0\Partition2 (Start_Offset:32256 | Length:3989228544)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Google Software Updater.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2947025290-3301077733-503587302-1003Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2947025290-3301077733-503587302-1003UA.job
C:\WINDOWS\Tasks\ISP signup reminder 1.job
C:\WINDOWS\Tasks\ISP signup reminder 2.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\DOCUME~1\Owner\My Documents\Apollo.WMV.ASF.ASX.To.DVD.Burner.v3.7.WinAll.Incl.KeyGen-EiTheL\keygen.exe
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 19:06.46
.
C:\Rooter$\Rooter_1.txt - (25/07/2010 | 19:06.46).c

The Lock Search log:

LockSearch by jpshortstuff (05.11.09.1)
Log created at 19:07 on 25/07/2010 (Owner)
Scanning C:\

C:\hiberfil.sys
-------------------------

C:\pagefile.sys
-------------------------

-=E.O.F=-

The CKScanner log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\owner\my documents\apollo.wmv.asf.asx.to.dvd.burner.v3.7.winall.incl.keygen-eithel.zip
c:\documents and settings\owner\my documents\apollo.wmv.asf.asx.to.dvd.burner.v3.7.winall.incl.keygen-eithel\eithel.nfo
c:\documents and settings\owner\my documents\apollo.wmv.asf.asx.to.dvd.burner.v3.7.winall.incl.keygen-eithel\file_id.diz
c:\documents and settings\owner\my documents\apollo.wmv.asf.asx.to.dvd.burner.v3.7.winall.incl.keygen-eithel\keygen.exe
c:\documents and settings\owner\my documents\sam.broadcaster.v4.2.2-yag\crack\serial.txt
scanner sequence 3.BC.11
----- EOF -----

The WVCheck log:

Windows Validation Check
Log Created On: 1912_25-07-2010
------------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 3
Windows Mode: Normal

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
------------------------------
Last Success Time for Update Detection: 2010-07-22 16:52:54
Last Success Time for Update Download: 2010-07-14 12:00:07
Last Success Time for Update Installation: 2010-07-14 22:17:06

WVCheck's File Dump
-------------------
WVCheck found no known bad files.

WVCheck's Missing File Check
-------------------
WVCheck found no missing Windows files.

WVCheck's MBAM Quarantine Check
-------------------
There were no bad files quarantined by MBAM.

WVCheck's HOSTS File Check
-------------------
WVCheck found no bad lines in the hosts file.

WVCheck's MD5 Check
EXPERIMENTAL!!
-------------------
user32.dll - b26b135ff1b9f60c9388b4a7d16f600b

-------- End of File, program close at 1914_25-07-2010 --------

And finally the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-25 19:40:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgxiqaoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAEE9ECD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAEE9EB8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAEE9F142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAEE9F06C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAEE9E764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAEE9EC68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAEE9E6A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAEE9E708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAEE9ED88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAEE9F210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAEE9ED48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAEE9EEC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAEEABB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAEEAB9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAEEABAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP AEEA8F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP AEEAB9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP AEEABBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP AEEA75B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP AEEABAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\WINDOWS\system32\drivers\ql1240.sys entry point in ".rsrc" section [0xF7D53894]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7409B8D]
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF802A300]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0132000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[280] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0133000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[280] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0131000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[280] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1084] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1084] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1516] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8348DEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95F092DC-FCE4-9AA5-40DE-843301A694E5}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95F092DC-FCE4-9AA5-40DE-843301A694E5}@iaddgoccmndiilpkdb 0x6A 0x61 0x70 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95F092DC-FCE4-9AA5-40DE-843301A694E5}@hajcmmnbgbhhpdcc 0x69 0x61 0x66 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{95F092DC-FCE4-9AA5-40DE-843301A694E5}@iapdnpkichhnjmebln 0x63 0x61 0x6F 0x62 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ql1240.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Logs won't post

Mon, 26 Jul 2010 00:44:30 +0200

I'm pasting logs from notepad. The Post New and Preview buttons click through to Internet error page. Any suggestions? Thanks. Blue

Just tried to post logs again. Got this error/webpage: Internet Explorer cannot display the webpage What you can try: etc....

Any ideas?

WSCNTFY is bugged, no exes

Tue, 06 Jul 2010 11:32:45 +0200

Today I was going across some websites, and must have accidentally downloaded something faulty. Bottom line is I can't do anything, no EXE's and it keeps bothering me to download anti-virus software. The interesting part is my computer is still runny fairly fast, however I have no idea what to do. I'm freaking out because I have a lot of data I do need to keep and restoring my computer is going to hinder me a few weeks trying to get back all that I would lose. I'll be glad to give more information but any help would be godly appreciated....

-Max.

Google searches redirect to ad websites[Re-Opened]

Mon, 10 May 2010 04:44:49 +0200

Hello,

My google search results lead to random websites with ads in them and I would appreciate any help you may be able to offer.

I have followed all the instructions in the pinned thread "BEFORE YOU POST !!" except for Gmer, which would crash a few seconds after opening the file with the "gmer.exe has encountered a problem and needs to close" error. I tried renaming the file to 'test.exe' but still encountered the same problem.

The other log files are pasted below in the following order: OTL's otl.txt then extras.txt; MBAM; Rooter; LockSearch; CKScanner.

Thank you for your help!
The Leviathan

===========================================================

OTL logfile created on: 5/9/2010 3:26:05 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\TheLeviathan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 47.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.13 Gb Total Space | 1.08 Gb Free Space | 5.63% Space Free | Partition Type: NTFS
Drive D: | 7.87 Gb Total Space | 0.99 Gb Free Space | 12.56% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 303.47 Gb Free Space | 65.16% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 3.90 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 149.05 Gb Total Space | 1.48 Gb Free Space | 0.99% Space Free | Partition Type: NTFS
Drive M: | 74.53 Gb Total Space | 2.37 Gb Free Space | 3.18% Space Free | Partition Type: NTFS
Drive P: | 149.04 Gb Total Space | 4.47 Gb Free Space | 3.00% Space Free | Partition Type: NTFS

Computer Name: TheLeviathan
Current User Name: TheLeviathan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/09 15:24:43 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TheLeviathan\Desktop\OTL.exe
PRC - [2010/05/07 03:26:00 | 001,285,864 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/05/07 03:26:00 | 000,834,248 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/03/21 21:30:02 | 002,909,696 | ---- | M] (SoftPerfect Research) -- C:\Program Files\NetWorx\networx.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/11/24 04:51:57 | 000,181,312 | ---- | M] () -- C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/11/15 14:28:04 | 000,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/11/15 14:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/11/15 14:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/10/04 13:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/10/04 13:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

========== Modules (SafeList) ==========

MOD - [2010/05/09 15:24:43 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TheLeviathan\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/05/07 03:26:00 | 001,285,864 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2008/11/24 04:51:57 | 000,181,312 | ---- | M] () [Auto | Running] -- C:\Program Files\Photodex\ProShowGold\scsiaccess.exe -- (ScsiAccess)
SRV - [2008/11/23 12:29:10 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2005/11/15 14:27:56 | 000,169,200 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/11/15 14:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/11/15 14:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/10/19 18:39:34 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/10/04 13:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/10/04 13:42:48 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/10/04 13:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/03/30 22:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

========== Driver Services (SafeList) ==========

DRV - [2010/03/28 22:57:46 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pssdk42.sys -- (PSSDK42)
DRV - [2010/02/16 05:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100508.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/16 05:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100508.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/11/20 16:26:50 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/11/16 11:11:12 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/11/16 11:11:12 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/04/13 14:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 13:45:32 | 000,059,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GcKernel.sys -- (GcKernel)
DRV - [2007/11/20 18:35:48 | 000,049,792 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2007/04/18 09:59:40 | 000,098,600 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2007/04/16 22:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/04/12 09:10:26 | 000,164,608 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2007/04/12 09:10:26 | 000,066,816 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2007/04/12 09:10:24 | 001,317,632 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2007/04/12 09:10:22 | 000,323,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2007/04/12 09:10:22 | 000,128,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2007/04/12 09:10:20 | 000,280,320 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2007/04/12 09:10:20 | 000,094,976 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2007/04/12 09:10:18 | 000,168,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2007/04/12 09:10:16 | 000,560,384 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2007/04/12 09:10:16 | 000,546,048 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2007/04/10 07:00:24 | 000,157,480 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2007/04/10 06:59:04 | 000,126,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2007/04/10 05:32:06 | 000,189,736 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2007/04/10 05:31:18 | 000,163,112 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2007/04/10 05:29:10 | 000,797,992 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2007/04/10 05:28:36 | 000,092,968 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2007/04/10 05:25:46 | 000,014,632 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2007/04/10 05:21:06 | 000,347,128 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2007/04/10 05:20:38 | 000,520,488 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2007/04/10 05:19:30 | 000,511,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2006/10/22 13:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/10/19 18:39:04 | 000,195,728 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/10/19 18:38:58 | 000,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/09/17 01:20:06 | 000,108,168 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/08/26 15:22:50 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/08/26 15:22:48 | 000,334,984 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/03/30 22:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2004/08/22 17:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
DRV - [2004/08/22 17:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)
DRV - [2003/10/30 23:22:38 | 000,077,312 | R--- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viasraid.sys -- (viasraid)
DRV - [2001/08/17 14:02:50 | 000,002,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HIDSwvd.sys -- (HIDSwvd)
DRV - [2001/08/17 14:02:32 | 000,008,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidgame.sys -- (hidgame)
DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 09:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
DRV - [2001/07/30 11:34:28 | 000,585,840 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2001/07/16 12:17:30 | 000,076,610 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\basic2.sys -- (basic2)
DRV - [2001/07/16 12:16:58 | 000,539,917 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\v124nt.sys -- (V124)
DRV - [2001/07/15 19:05:54 | 000,067,222 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rksample.sys -- (Rksample)
DRV - [2001/07/03 18:42:30 | 000,017,776 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cnxtdiag.sys -- (Cnxtdiag)
DRV - [2001/06/24 18:16:36 | 000,427,215 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\k56nt.sys -- (K56)
DRV - [2001/06/24 18:16:08 | 000,124,189 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fsksnt.sys -- (Fsks)
DRV - [2001/06/24 18:15:20 | 000,215,195 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\faxnt.sys -- (SoftFax)
DRV - [2001/06/24 18:14:18 | 000,059,375 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tonesnt.sys -- (Tones)
DRV - [2001/06/24 18:13:56 | 000,308,403 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fallback.sys -- (Fallback)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://shop.thefreevpn.com/home.php
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

O1 HOSTS File: ([2010/05/06 02:49:50 | 000,393,109 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13577 more lines...
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [NetWorx] C:\Program Files\NetWorx\networx.exe (SoftPerfect Research)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1227441747655 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1227451822000 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/23 07:33:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{71ef8876-23e8-11df-9865-0050da29b0ad}\Shell\AutoRun\command - "" = J:\slacker.synclauncher.exe -- File not found
O33 - MountPoints2\{71ef8876-23e8-11df-9865-0050da29b0ad}\Shell\slacker\command - "" = J:\slacker.synclauncher.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/11/23 02:15:11 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Photo Downloader - hkey= - key= - C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe File not found
MsConfig - StartUpReg: ccApp - hkey= - key= - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
MsConfig - StartUpReg: chkeilor - hkey= - key= - C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\mejrju\qgqisysguard.exe File not found
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: CTHelper - hkey= - key= - File not found
MsConfig - StartUpReg: CTxfiHlp - hkey= - key= - File not found
MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe File not found
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
MsConfig - StartUpReg: pqxduivu - hkey= - key= - C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\cuykgf\ocsnsysguard.exe File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
MsConfig - StartUpReg: ypetnpgj - hkey= - key= - C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\nxemvp\qvnhsysguard.exe File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdpdd.sys - C:\WINDOWS\system32\rdpdd.cpo ()
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {77D921A1-8271-E407-E91A-B868F2F1B700} - NetShow
ActiveX: {7B4B3D63-E7C6-1DE0-43E6-F2973C88CCC7} - IE7 Uninstall Stub
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {AE6FCF2B-21B5-088B-2F0E-CCAE5A9C4349} - Browser Customizations
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/09 15:24:42 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\TheLeviathan\Desktop\OTL.exe
[2010/05/09 02:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Application Data\Malwarebytes
[2010/05/09 02:02:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/09 02:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/09 02:02:32 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/09 02:02:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/09 01:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Desktop\Malware removal
[2010/05/09 01:46:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2010/05/07 03:26:44 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/05/07 03:26:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/05/07 03:26:35 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/07 03:24:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/05/07 03:24:10 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/07 03:24:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/05/06 02:02:02 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/06 02:02:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/05 00:01:46 | 000,156,672 | ---- | C] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2010/05/05 00:01:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\mdnslib
[2010/05/04 23:59:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\FLVService
[2010/05/04 23:59:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\Replay Media Catcher
[2010/05/04 23:46:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Application Data\DonationCoder
[2010/05/04 23:36:43 | 000,000,000 | ---D | C] -- C:\Program Files\Orbitdownloader
[2010/05/04 22:15:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/04 21:16:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/01 03:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Desktop\Return
[2010/05/01 00:10:03 | 000,000,000 | ---D | C] -- C:\Program Files\FreeVPN
[2010/04/25 16:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Desktop\Bills
[2010/04/25 01:20:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/04/25 01:20:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/25 01:20:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/25 01:20:00 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/04/25 01:19:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Application Data\Sun
[2010/04/18 22:31:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2010/04/18 22:31:20 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/04/18 22:30:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2010/04/16 02:59:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/04/10 17:24:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Desktop\Orbit Downloads
[2010/04/10 17:20:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Application Data\GrabPro
[2010/04/10 17:20:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Application Data\Orbit
[2010/03/30 21:58:24 | 000,353,592 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\DivXControlPanelApplet.cpl
[2010/03/28 22:57:46 | 000,038,976 | ---- | C] (microOLAP Technologies LTD) -- C:\WINDOWS\System32\drivers\pssdk42.sys
[2010/03/28 22:57:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SoftPerfect
[2010/03/28 22:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\NetWorx
[2010/03/28 22:21:34 | 000,025,984 | ---- | C] (The OpenVPN Project) -- C:\WINDOWS\System32\drivers\tap0901.sys
[2010/03/26 00:34:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Desktop\youtube
[2010/03/25 21:01:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Desktop\BB backup
[2010/02/22 00:04:29 | 000,000,000 | ---D | C] -- C:\Program Files\DELL
[2010/02/21 23:55:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\Deployment
[2010/02/17 15:54:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/02/15 09:48:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\TheLeviathan\Recent
[2010/02/15 09:41:13 | 000,000,000 | ---D | C] -- C:\Program Files\eXpress TimeStamp Toucher
[2010/02/14 02:28:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Desktop\DeviantART
[2010/02/13 19:23:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/02/10 04:04:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\Identities
[2008/11/23 10:18:17 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2008/11/23 10:18:17 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2007/04/09 13:32:58 | 000,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 90 Days ==========

[2010/05/09 15:24:43 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TheLeviathan\Desktop\OTL.exe
[2010/05/09 15:19:41 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/09 15:19:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/09 15:18:17 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/09 15:16:45 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/09 15:16:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/09 08:01:18 | 014,680,064 | -H-- | M] () -- C:\Documents and Settings\TheLeviathan\NTUSER.DAT
[2010/05/09 08:01:17 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-0000000C-00001102-00000004-00511102}.rfx
[2010/05/09 08:01:17 | 000,030,120 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-0000000C-00001102-00000004-00511102}.rfx
[2010/05/09 08:01:17 | 000,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-0000000C-00001102-00000004-00511102}.rfx
[2010/05/09 08:01:17 | 000,027,408 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-0000000C-00001102-00000004-00511102}.rfx
[2010/05/09 08:01:17 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000C-00001102-00000004-00511102}.rfx
[2010/05/09 08:01:00 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\TheLeviathan\ntuser.ini
[2010/05/09 06:48:48 | 000,188,416 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/09 02:22:14 | 000,000,261 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - Marvel Ultimate Alliance part 35 Pitfall Wolverine.url
[2010/05/08 04:33:50 | 000,000,292 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\factorydirect.url
[2010/05/07 03:26:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/07 03:26:19 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/05/07 03:05:13 | 000,000,227 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News.url
[2010/05/07 03:05:13 | 000,000,195 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Past Podcasts Podcasts CBC Radio.url
[2010/05/07 01:32:49 | 000,000,298 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\factorydirect1.url
[2010/05/06 02:49:50 | 000,393,109 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/06 02:06:55 | 000,393,109 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100506-024950.backup
[2010/05/06 02:06:01 | 000,393,109 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100506-020654.backup
[2010/05/05 03:05:52 | 000,000,192 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Malcolm Gladwell - Outliers (book) - Wikipedia.url
[2010/05/05 03:05:51 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Low self-discharge NiMH battery - Wikipedia, the free encyclopedia.url
[2010/05/05 03:05:51 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Wall Street (1987 film) - Wikipedia, the free encyclopedia.url
[2010/05/05 03:05:51 | 000,000,195 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\The Wealthy Barber.url
[2010/05/05 00:05:58 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2010/05/05 00:05:57 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010/05/04 23:46:44 | 000,000,046 | ---- | M] () -- C:\WINDOWS\System32\DonationCoder_urlsnooper_InstallInfo.dat
[2010/05/04 23:46:38 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2010/05/04 23:36:44 | 000,000,726 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Orbit.lnk
[2010/05/04 19:00:39 | 000,000,213 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\HDH Invitational #1.url
[2010/05/04 18:18:54 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - HuskyStarcraft's Channel.url
[2010/05/04 02:52:34 | 000,000,207 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Consumer Life.url
[2010/05/04 02:52:34 | 000,000,206 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Consumer Life-.url
[2010/05/04 01:59:49 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - HDstarcraft's Channel.url
[2010/05/02 16:33:51 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Hello.doc
[2010/05/02 05:33:13 | 000,000,217 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\HDH Invitational - Liquipedia Starcraft 2 Wiki.url
[2010/05/01 00:10:05 | 000,000,666 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FreeVPN.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 15:23:22 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Schedule 2010.doc
[2010/04/28 03:57:51 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/04/28 03:14:54 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\The U.S. Military's War On PowerPoint - Powerpoint - Gizmodo.url
[2010/04/25 15:32:03 | 000,000,140 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\De' Longhi Customer Care.url
[2010/04/25 14:51:45 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\HowardForums Your Mobile Phone Community & Resource - GSM vs AWS.url
[2010/04/25 14:51:40 | 000,000,290 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\tilt photography.url
[2010/04/25 14:51:39 | 000,000,229 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Turn Your XBMC Media Center into a Video Game Console - Xbmc - Lifehacker.url
[2010/04/25 06:51:28 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Marvel Games Wolverine MRD Escape.url
[2010/04/25 05:47:27 | 000,000,154 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\De'Longhi Accessories.url
[2010/04/25 05:32:46 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\The Globe and Mail.url
[2010/04/25 05:31:36 | 000,000,156 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Broadcaster - Canada's Communications Magazine.url
[2010/04/25 05:29:32 | 000,000,214 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Money.url
[2010/04/25 05:03:27 | 000,000,255 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Calgary.url
[2010/04/25 05:03:27 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Technology & Scien.url
[2010/04/25 05:03:27 | 000,000,201 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Cana.url
[2010/04/25 04:45:30 | 000,000,156 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\XBMC.url
[2010/04/25 04:40:14 | 000,000,212 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\top-10-hard-drive-upgrades-and-fixes.url
[2010/04/25 03:45:29 | 000,000,188 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\imgur The Simple Image Sharer Image Gallery.url
[2010/04/25 03:05:01 | 000,000,231 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\GSM Classic Mobile Cellular.url
[2010/04/25 02:27:32 | 000,000,238 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Tati LCD - Christopher Bradshaw's Project Bin.url
[2010/04/25 00:50:37 | 000,000,154 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Worldline.ca - Unlimited Call the World - NOW OVER 50 COUNTRIES Low Cost Calls.url
[2010/04/25 00:44:03 | 000,000,117 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\1011295.com - Rates.url
[2010/04/25 00:39:24 | 000,000,189 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\how-it-works.url
[2010/04/25 00:27:08 | 000,000,289 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\RedFlagDeals.url
[2010/04/24 18:50:04 | 000,000,243 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\League of Legends.url
[2010/04/24 18:09:38 | 000,000,383 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Find a Costco warehouse.url
[2010/04/24 16:51:20 | 000,000,655 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Costco - Houseware.url
[2010/04/24 15:51:55 | 000,000,238 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\BlackBerry OS 6.0 screenshots, details! � Boy Genius Report.url
[2010/04/24 06:32:45 | 000,000,242 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Dell Lightning, Flash, Thunder and Smoke leak out � Boy Genius Report.url
[2010/04/23 00:40:21 | 000,000,668 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\imjkyhgres.url
[2010/04/22 05:15:05 | 000,000,134 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\January 2010 Covers.url
[2010/04/22 05:00:05 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\imgremjns.url
[2010/04/22 03:24:36 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Comic Related - Hot Shot of the Week.url
[2010/04/19 23:32:02 | 000,000,196 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - galleyuk's Channel.url
[2010/04/19 23:31:54 | 000,000,215 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\A Dangerous Man Lawrence After Arabia - Wikipedia, the free encyclopedia.url
[2010/04/19 14:20:57 | 000,000,285 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\sandbox app - Google Search.url
[2010/04/19 04:14:57 | 000,000,801 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/19 04:14:57 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/19 04:14:57 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/18 19:19:42 | 000,000,210 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\NationStates � View topic - Official Factbook of the Sagittarian Navy (Done).url
[2010/04/18 03:14:25 | 000,001,588 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\K-7 14.6 MP Digital SLR Bundle with Shake Reduction, 720p HD Video and DA 18-55mm f-3.5-5.6 AL Weather Resistant Lens Digital Cameras & Digital Camcorders Dell Canada.url
[2010/04/15 03:34:29 | 000,000,262 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Build your own �Super OTA TV Antenna� Digital Home.url
[2010/04/14 05:28:46 | 000,000,588 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/04/14 05:28:46 | 000,000,588 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/04/13 00:33:52 | 000,000,229 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\UT99.org - Unreal Tournament GOTY � Forum � View topic - TUTORIAL Tweak your UT graphics to the maximum.url
[2010/04/04 06:21:44 | 000,081,920 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Sales Application.doc
[2010/04/04 06:15:06 | 000,081,920 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Sales Application1.doc
[2010/04/04 03:10:11 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Normal-Tanks game official site.url
[2010/03/30 21:58:24 | 000,353,592 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\DivXControlPanelApplet.cpl
[2010/03/29 02:59:13 | 005,867,828 | -H-- | M] () -- C:\Documents and Settings\TheLeviathan\Local Settings\Application Data\IconCache.db
[2010/03/28 22:57:46 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) -- C:\WINDOWS\System32\drivers\pssdk42.sys
[2010/03/25 20:41:14 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2010/03/25 12:17:02 | 000,131,072 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Degree.doc
[2010/03/25 12:16:30 | 000,131,072 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Degree1.doc
[2010/03/21 14:07:50 | 000,000,212 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Aviation Document Booklet (New Licence Booklet) - Flight Crew Licensing - General Aviation - Aviation Safety - Air Transportation - Transport Canada.url
[2010/03/14 19:05:01 | 000,464,860 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 19:05:01 | 000,397,560 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 19:05:01 | 000,059,780 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/12 02:47:45 | 000,000,219 | ---- | M] () -- C:\Documents and Settings\TheLeviathan\Desktop\Extreme� 3D Pro.url

========== Files Created - No Company Name ==========

[2010/05/07 03:59:01 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/05/07 03:28:22 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/07 02:35:52 | 000,000,227 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News.url
[2010/05/05 14:25:25 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Past Podcasts Podcasts CBC Radio.url
[2010/05/05 00:01:46 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010/05/04 23:46:44 | 000,000,046 | ---- | C] () -- C:\WINDOWS\System32\DonationCoder_urlsnooper_InstallInfo.dat
[2010/05/04 23:46:38 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2010/05/04 23:36:44 | 000,000,726 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Orbit.lnk
[2010/05/02 16:18:54 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Hello.doc
[2010/05/02 05:35:24 | 000,000,213 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\HDH Invitational #1.url
[2010/05/02 05:33:13 | 000,000,217 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\HDH Invitational - Liquipedia Starcraft 2 Wiki.url
[2010/05/01 00:10:05 | 000,000,666 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FreeVPN.lnk
[2010/04/28 15:23:07 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Summer 2010.doc
[2010/04/28 03:14:53 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\copy to word document The U.S. Military's War On PowerPoint - Powerpoint - Gizmodo.url
[2010/04/27 00:15:07 | 000,000,206 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Consumer Life.url
[2010/04/27 00:12:54 | 000,000,207 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Consumer Life-.url
[2010/04/25 06:51:28 | 000,000,208 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Marvel Games Wolverine MRD Escape.url
[2010/04/25 05:51:13 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Wall Street (1987 film) - Wikipedia, the free encyclopedia.url
[2010/04/25 05:47:27 | 000,000,154 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\De'Longhi Accessories.url
[2010/04/25 05:32:46 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\The Globe and Mail.url
[2010/04/25 05:31:36 | 000,000,156 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Broadcaster - Canada's Communications Magazine.url
[2010/04/25 05:29:32 | 000,000,214 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Money -.url
[2010/04/25 04:45:49 | 000,000,229 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Turn Your XBMC Media Center into a Video Game Console - Xbmc - Lifehacker.url
[2010/04/25 04:45:30 | 000,000,156 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\XBMC.url
[2010/04/25 04:40:14 | 000,000,212 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\top-10-hard-drive-upgrades-and-fixes.url
[2010/04/25 04:05:34 | 000,000,290 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\tilt photography.url
[2010/04/25 03:45:28 | 000,000,188 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\imgur The Simple Image Sharer Image Gallery.url
[2010/04/25 03:35:18 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\HowardForums Your Mobile Phone Community & Resource - GSM vs AWS.url
[2010/04/25 03:05:01 | 000,000,231 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\GSM Classic Mobile Cellular Retro Vintage Brick Phone.url
[2010/04/25 02:27:32 | 000,000,238 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Tati LCD - Christopher Bradshaw's Project Bin.url
[2010/04/25 00:44:03 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\1011295.com - Rates.url
[2010/04/25 00:42:18 | 000,000,154 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Worldline.ca - Unlimited Call the World - NOW OVER 50 COUNTRIES Low Cost Calls.url
[2010/04/25 00:39:24 | 000,000,189 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\how-it-works.url
[2010/04/25 00:29:01 | 000,000,208 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Low self-discharge NiMH battery - Wikipedia, the free encyclopedia.url
[2010/04/25 00:27:08 | 000,000,289 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\RedFlagDeals.url
[2010/04/24 18:50:04 | 000,000,243 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\League of Legends.url
[2010/04/24 18:09:29 | 000,000,383 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Find a Costco warehouse.url
[2010/04/24 17:56:11 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\De' Longhi Customer Care.url
[2010/04/24 06:36:59 | 000,000,238 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\BlackBerry OS 6.0 screenshots, details! � Boy Genius Report.url
[2010/04/24 06:32:45 | 000,000,242 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Dell Lightning, Flash, Thunder and Smoke leak out � Boy Genius Report.url
[2010/04/24 05:23:27 | 000,000,655 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Costco - Housewares.url
[2010/04/23 14:59:11 | 000,000,255 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Calgary.url
[2010/04/22 05:15:05 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\January 2010 Covers.url
[2010/04/22 05:00:05 | 000,000,694 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\imgremjns.url
[2010/04/22 05:00:05 | 000,000,668 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\imjkyhgres.url
[2010/04/22 03:24:36 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Comic Related - Hot Shot of the Week.url
[2010/04/19 23:36:58 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\The Wealthy Barber - borrow from Cherry.url
[2010/04/19 23:34:08 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Malcolm Gladwell - Outliers (book) - Wikipedia.url
[2010/04/19 14:31:42 | 000,000,201 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Canada -.url
[2010/04/19 14:20:57 | 000,000,285 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\sandbox app - Google Search.url
[2010/04/19 14:04:26 | 000,000,208 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\CBC News - Technology & Science -.url
[2010/04/18 19:19:42 | 000,000,210 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\NationStates � View topic - Official Factbook of the Sagittarian Navy (Done).url
[2010/04/17 05:39:40 | 000,000,215 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\A Dangerous Man Lawrence After Arabia - Wikipedia, the free encyclopedia.url
[2010/04/17 03:40:10 | 000,001,588 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\K-7 14.6 MP Digital SLR Bundle with Shake Reduction, 720p HD Video and DA 18-55mm f-3.5-5.6 AL Weather Resistant Lens Digital Cameras & Digital Camcorders Dell Canada.url
[2010/04/15 03:34:29 | 000,000,262 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Build your own �Super OTA TV Antenna� Digital Home.url
[2010/04/13 00:33:52 | 000,000,229 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\UT99.org - Unreal Tournament GOTY � Forum � View topic - TUTORIAL Tweak your UT graphics to the maximum.url
[2010/04/11 23:44:55 | 000,000,196 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - galleyuk's Channel.url
[2010/04/07 00:00:22 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - HuskyStarcraft's Channel.url
[2010/04/06 23:51:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - HDstarcraft's Channel.url
[2010/04/04 16:38:31 | 000,000,298 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\factorydirect.url
[2010/04/04 06:07:41 | 000,081,920 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Sales Application.doc
[2010/04/04 03:10:11 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Normal-Tanks game official site.url
[2010/04/02 15:32:51 | 000,000,292 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\factorydirect1.url
[2010/03/25 20:41:14 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2010/03/25 12:17:02 | 000,131,072 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Degree.doc
[2010/03/25 12:16:30 | 000,131,072 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Degree2.doc
[2010/03/14 22:10:44 | 000,000,261 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\YouTube - Marvel Ultimate Alliance part 35 Pitfall Wolverine.url
[2010/03/03 14:48:42 | 000,000,212 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Aviation Document Booklet (New Licence Booklet) - Flight Crew Licensing - General Aviation - Aviation Safety - Air Transportation - Transport Canada.url
[2010/03/02 02:18:10 | 000,000,219 | ---- | C] () -- C:\Documents and Settings\TheLeviathan\Desktop\Extreme� 3D Pro.url
[2010/02/22 00:05:10 | 000,000,766 | ---- | C] () -- C:\WINDOWS\Uninstall.ico
[2010/02/22 00:04:41 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\SSCoInst.exe
[2010/02/22 00:04:41 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.Exe
[2010/02/22 00:04:41 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SSCoInst.dll
[2010/02/22 00:04:41 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.dll
[2010/02/22 00:04:39 | 000,020,594 | ---- | C] () -- C:\WINDOWS\System32\Dels3LMK.DLL
[2010/02/22 00:04:39 | 000,000,533 | ---- | C] () -- C:\WINDOWS\System32\Dels3LMK.SMT
[2009/12/07 01:41:34 | 000,000,126 | ---- | C] () -- C:\WINDOWS\kaillera.ini
[2009/11/22 03:56:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/11/22 03:39:35 | 000,000,043 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/06/14 08:58:18 | 000,000,132 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2008/12/05 13:23:07 | 000,000,635 | ---- | C] () -- C:\WINDOWS\ef.INI
[2008/11/24 02:09:50 | 000,004,841 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/11/24 02:09:47 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/11/23 10:31:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/12 09:10:28 | 000,105,728 | ---- | C] () -- C:\WINDOWS\System32\APOMgrH.dll
[2007/04/09 13:55:14 | 000,097,785 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2007/04/09 13:55:14 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/04/09 13:33:50 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2006/10/22 13:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 13:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 13:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 13:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 13:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 13:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 13:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/10/02 10:25:18 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2005/06/16 11:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2004/08/22 18:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/01/29 16:46:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/03/28 22:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SoftPerfect
[2010/05/07 03:24:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/01/29 17:05:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TheLeviathan\Application Data\Blackberry Desktop
[2010/05/04 23:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TheLeviathan\Application Data\DonationCoder
[2010/04/10 17:27:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TheLeviathan\Application Data\GrabPro
[2008/11/24 04:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TheLeviathan\Application Data\Netscape
[2010/05/04 23:58:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TheLeviathan\Application Data\Orbit
[2008/11/24 04:51:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TheLeviathan\Application Data\Photodex
[2010/01/29 16:48:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TheLeviathan\Application Data\Research In Motion
[2010/05/09 15:18:17 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/05/09 15:15:52 | 000,001,822 | ---- | M] () -- C:\aaw7boot.log
[2008/11/23 07:33:13 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/04/19 04:14:57 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/11/23 07:33:13 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/11/23 07:33:13 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/11/23 07:33:13 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/11/23 08:24:27 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/11/23 09:25:16 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/09 15:16:03 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2008/11/24 04:52:11 | 000,001,761 | ---- | M] () -- C:\photodex-presenter-install.log

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/08/26 03:24:28 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2008/08/26 03:24:28 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2007/08/13 19:54:10 | 000,191,488 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/11/23 02:17:14 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/11/23 02:17:14 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/11/23 02:17:13 | 000,438,272 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/03/28 22:57:46 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) -- C:\WINDOWS\system32\drivers\pssdk42.sys
[2010/05/07 03:26:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\system32\drivers\SBREDrv.sys

< %PROGRAMFILES%\*. >
[2009/11/02 15:53:25 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/11/24 21:44:15 | 000,000,000 | ---D | M] -- C:\Program Files\CDisplay
[2010/04/25 01:20:44 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/11/23 07:29:34 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2008/11/23 09:59:05 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2008/11/23 10:18:17 | 000,000,000 | ---D | M] -- C:\Program Files\D-Tools
[2010/02/22 00:04:29 | 000,000,000 | ---D | M] -- C:\Program Files\DELL
[2010/04/18 22:32:10 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/02/15 09:41:14 | 000,000,000 | ---D | M] -- C:\Program Files\eXpress TimeStamp Toucher
[2010/05/08 04:34:14 | 000,000,000 | ---D | M] -- C:\Program Files\FreeVPN
[2010/02/22 00:05:10 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/01/29 16:40:34 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/04/25 01:20:00 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/05/07 03:24:50 | 000,000,000 | ---D | M] -- C:\Program Files\Lavasoft
[2010/05/09 02:02:38 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/23 10:30:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2008/11/23 07:33:36 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/06/18 10:46:06 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009/10/18 08:04:15 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Rich Tools
[2010/02/13 19:23:28 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2008/11/23 09:30:00 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2009/06/18 10:45:51 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2008/11/23 07:29:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/11/23 07:28:57 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2008/12/05 13:41:01 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2008/11/23 09:27:22 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/03/28 22:57:45 | 000,000,000 | ---D | M] -- C:\Program Files\NetWorx
[2008/11/23 07:29:19 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/04 23:36:44 | 000,000,000 | ---D | M] -- C:\Program Files\Orbitdownloader
[2008/11/23 09:27:18 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2008/11/24 04:51:45 | 000,000,000 | ---D | M] -- C:\Program Files\Photodex
[2008/11/24 04:52:04 | 000,000,000 | ---D | M] -- C:\Program Files\Photodex Presenter
[2009/04/08 21:24:04 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/01/29 16:46:01 | 000,000,000 | ---D | M] -- C:\Program Files\Research In Motion
[2008/11/24 04:54:20 | 000,000,000 | ---D | M] -- C:\Program Files\Soundslides
[2010/05/06 03:03:57 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2009/11/22 03:47:15 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2010/05/09 15:17:26 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec AntiVirus
[2008/11/23 07:38:05 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2008/11/24 02:10:55 | 000,000,000 | ---D | M] -- C:\Program Files\VIA
[2008/11/24 23:58:36 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2008/11/23 10:02:17 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2008/11/23 10:02:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/11/23 09:27:18 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/12/05 13:39:47 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2008/11/23 07:49:25 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2008/11/24 23:59:10 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2008/11/23 07:33:36 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >

OTL Extras logfile created on: 5/9/2010 3:26:05 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\TheLeviathan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 47.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.13 Gb Total Space | 1.08 Gb Free Space | 5.63% Space Free | Partition Type: NTFS
Drive D: | 7.87 Gb Total Space | 0.99 Gb Free Space | 12.56% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 303.47 Gb Free Space | 65.16% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 3.90 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 149.05 Gb Total Space | 1.48 Gb Free Space | 0.99% Space Free | Partition Type: NTFS
Drive M: | 74.53 Gb Total Space | 2.37 Gb Free Space | 3.18% Space Free | Partition Type: NTFS
Drive P: | 149.04 Gb Total Space | 4.47 Gb Free Space | 3.00% Space Free | Partition Type: NTFS

Computer Name: THELEVIATHAN
Current User Name: TheLeviathan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2382:TCP" = 2382:TCP:*:Enabled:Services
"1941:TCP" = 1941:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"2102:TCP" = 2102:TCP:*:Enabled:Services
"2704:TCP" = 2704:TCP:*:Enabled:Services
"4509:TCP" = 4509:TCP:*:Enabled:Services
"7518:TCP" = 7518:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2382:TCP" = 2382:TCP:*:Enabled:Services
"1941:TCP" = 1941:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"2102:TCP" = 2102:TCP:*:Enabled:Services
"2704:TCP" = 2704:TCP:*:Enabled:Services
"4509:TCP" = 4509:TCP:*:Enabled:Services
"7518:TCP" = 7518:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"M:\Microsoft Games\Flight Simulator 9\fs9.exe" = M:\Microsoft Games\Flight Simulator 9\fs9.exe:*:Enabled:Microsoft Flight Simulator -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpnsvr.exe" = C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"L:\Microsoft Games\Flight Simulator 9\fs9.exe" = L:\Microsoft Games\Flight Simulator 9\fs9.exe:*:Enabled:Microsoft Flight Simulator -- (Microsoft Corporation)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{086a7d8c-0a38-4c7f-819a-620275550d5c}" = Nero BurningROM
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"{3b340a5d-8adf-4379-8edd-871acef5687b}" = Nero 9
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{46B63F23-2B4A-4525-A827-688026BE5E40}" = Symantec AntiVirus
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{595a3116-40bb-4e0f-a2e8-d7951da56270}" = NeroExpress
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60c731fb-c951-41ce-ad41-8e54c8594609}" = Nero Disc Copy Gadget Help
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7829db6f-a066-4e40-8912-cb07887c20bb}" = Nero BurnRights
"{83202942-84b3-4c50-8622-b8c0aa2d2885}" = Nero Express
"{86F4F32B-77C7-4951-B33C-05D41A8190C1}" = Microsoft RichCopy 4.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}" = VIA Integrated Setup Wizard
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{b1adf008-e898-4fe2-8a1f-690d9a06acaf}" = DolbyFiles
"{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7618997-1B89-4680-A39B-342BBEF8E0D6}_is1" = FreeVPN v3.22
"{b78120a0-cf84-4366-a393-4d0a59bc546c}" = Menu Templates - Starter Kit
"{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter
"{CE86E2F5-850C-4207-94A3-A58D647B1733}" = BlackBerry Desktop Software 5.0.1
"{d025a639-b9c9-417d-8531-208859000af8}" = NeroBurningROM
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{e498385e-1c51-459a-b45f-1721e37aa1a0}" = Movie Templates - Starter Kit
"{e8a80433-302b-4ff1-815d-fcc8eac482ff}" = Nero Installer
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{f1861f30-3419-44db-b2a1-c274825698b3}" = Nero Disc Copy Gadget
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{f4041dce-3fe1-4e18-8a9e-9de65231ee36}" = Nero ControlCenter
"{f6bdd7c5-89ed-4569-9318-469aa9732572}" = Nero BurnRights
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BlackBerry_{CE86E2F5-850C-4207-94A3-A58D647B1733}" = BlackBerry Desktop Software 5.0.1
"CDisplay_is1" = CDisplay 1.8
"CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_201314F1" = SoftK56 Data Fax
"Dell Laser Printer 1110" = Dell Laser Printer 1110 Software Uninstall
"DivX Setup.divx.com" = DivX Setup
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"InstallShield_{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}" = VIA Integrated Setup Wizard
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NetWorx_is1" = NetWorx 5.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Orbit_is1" = Orbit Downloader
"Photodex Presenter" = Photodex Presenter
"ProShow Gold" = ProShow Gold
"Soundslides" = Soundslides
"VLC media player" = VLC media player 0.9.6
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinImage" = WinImage
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"eXpress TimeStamp Toucher" = eXpress TimeStamp Toucher

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/8/2010 12:23:11 AM | Computer Name = THELEVIATHAN | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.ByteVerify in File: P:\backup\Documents
and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2e95c8bf-4adddc82.zip>>Dun.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: in File: P:\backup\Documents
and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-2e95c8bf-4adddc82.zip
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan.ByteVerify in File: P:\backup\Documents and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip>>BnnnnBaa.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 5/8/2010 12:23:11 AM | Computer Name = THELEVIATHAN | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan Horse in File: P:\backup\Documents
and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip>>VaannnaaBaa.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan Horse in File: P:\backup\Documents
and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip>>Dnnny.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan.ByteVerify in File: P:\backup\Documents and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip>>Bnnnnn.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 5/8/2010 12:23:12 AM | Computer Name = THELEVIATHAN | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan Horse in File: P:\backup\Documents
and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip>>Den.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan.ByteVerify in File: P:\backup\Documents and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip>>Din.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Trojan.ByteVerify in File: P:\backup\Documents and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip>>Dun.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 5/8/2010 12:24:11 AM | Computer Name = THELEVIATHAN | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: in File: P:\backup\Documents and Settings\TheLeviathan\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-30b9e234-16d4d616.zip
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: Downloader in File: P:\backup\Documents
and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-2e802fa5.zip>>vmain.class
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: in File: P:\backup\Documents
and Settings\TheLeviathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-2e802fa5.zip
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

Error - 5/8/2010 1:11:50 AM | Computer Name = THELEVIATHAN | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan Horse in File: P:\comp backup\Backup
May 3 2009\jars\Java Games\DigitalRed Shuffleboard v20\b-shuff2.zip>>Shuffleboard.2.00.7650.exe
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully. Threat Found!Threat: in File: P:\comp backup\Backup
May 3 2009\jars\Java Games\DigitalRed Shuffleboard v20\b-shuff2.zip by: Manual
scan. Action: Quarantine succeeded. Action Description: The file was quarantined
successfully. Threat Found!Threat: Trojan Horse in File: P:\New Folder\New Folder\Backup
May 3 2009\jars\Java Games\DigitalRed Shuffleboard v20\b-shuff2.zip>>Shuffleboard.2.00.7650.exe
by: Manual scan. Action: Quarantine succeeded. Action Description: The file was
quarantined successfully.

[ System Events ]
Error - 5/9/2010 1:50:54 AM | Computer Name = THELEVIATHAN | Source = Service Control Manager | ID = 7034
Description = The Symantec Event Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 5/9/2010 1:50:54 AM | Computer Name = THELEVIATHAN | Source = Service Control Manager | ID = 7034
Description = The Symantec AntiVirus Definition Watcher service terminated unexpectedly.
It has done this 1 time(s).

Error - 5/9/2010 1:50:54 AM | Computer Name = THELEVIATHAN | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/9/2010 1:50:54 AM | Computer Name = THELEVIATHAN | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 5/9/2010 1:50:54 AM | Computer Name = THELEVIATHAN | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 5/9/2010 1:50:54 AM | Computer Name = THELEVIATHAN | Source = Service Control Manager | ID = 7034
Description = The ScsiAccess service terminated unexpectedly. It has done this
1 time(s).

Error - 5/9/2010 1:56:57 AM | Computer Name = THELEVIATHAN | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/9/2010 1:56:57 AM | Computer Name = THELEVIATHAN | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/9/2010 3:16:33 PM | Computer Name = THELEVIATHAN | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/9/2010 3:16:33 PM | Computer Name = THELEVIATHAN | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

< End of report >

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4080

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/9/2010 2:08:45 AM
mbam-log-2010-05-09 (02-08-45).txt

Scan type: Quick scan
Objects scanned: 124542
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 47 Stepping 0, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 7.0.5730.13
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:19 Go - Free:1 Go )
D:\ [Fixed-NTFS] .. ( Total:7 Go - Free:0 Go )
E:\ [CD_Rom]
F:\ [Fixed-NTFS] .. ( Total:465 Go - Free:303 Go )
I:\ [CD_Rom]
L:\ [Fixed-NTFS] .. ( Total:149 Go - Free:1 Go )
M:\ [Fixed-NTFS] .. ( Total:74 Go - Free:2 Go )
P:\ [Fixed-NTFS] .. ( Total:149 Go - Free:4 Go )
.
Scan : 15:34.01
Path : C:\Documents and Settings\TheLeviathan\Desktop\Rooter.exe
User : TheLeviathan ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (688)
______ \??\C:\WINDOWS\system32\csrss.exe (748)
______ \??\C:\WINDOWS\system32\winlogon.exe (788)
______ C:\WINDOWS\system32\services.exe (864)
______ C:\WINDOWS\system32\lsass.exe (876)
______ C:\WINDOWS\system32\svchost.exe (1080)
______ C:\WINDOWS\system32\svchost.exe (1188)
______ C:\WINDOWS\System32\svchost.exe (1252)
______ C:\WINDOWS\System32\svchost.exe (1516)
______ C:\WINDOWS\System32\svchost.exe (1632)
______ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (1688)
______ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (1724)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1832)
______ C:\WINDOWS\system32\spoolsv.exe (1908)
______ C:\Program Files\Symantec AntiVirus\DefWatch.exe (2016)
______ C:\Program Files\Java\jre6\bin\jqs.exe (208)
______ C:\WINDOWS\system32\nvsvc32.exe (240)
______ C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe (276)
______ C:\Program Files\Symantec AntiVirus\Rtvscan.exe (380)
______ C:\WINDOWS\System32\wbem\unsecapp.exe (732)
______ C:\WINDOWS\System32\alg.exe (904)
______ C:\WINDOWS\System32\wbem\wmiprvse.exe (1536)
______ C:\WINDOWS\system32\wscntfy.exe (2720)
______ C:\WINDOWS\Explorer.EXE (2916)
______ C:\PROGRA~1\SYMANT~1\VPTray.exe (3216)
______ C:\Program Files\NetWorx\networx.exe (3540)
______ C:\WINDOWS\system32\ctfmon.exe (3548)
______ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (3564)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (3984)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (220)
______ C:\Documents and Settings\TheLeviathan\Desktop\Rooter.exe (3316)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:8447330304)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 15:34.21
.
C:\Rooter$\Rooter_1.txt - (09/05/2010 | 15:34.21)

LockSearch by jpshortstuff (05.11.09.1)
Log created at 15:35 on 09/05/2010 (TheLeviathan)
Scanning C:\

C:\pagefile.sys
-------------------------

-=E.O.F=-

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----

BEFORE YOU POST !!

Wed, 17 Aug 2005 11:09:02 +0200

Welcome to Atribune.org!

Before we can help you, we need you to help us by completing the following procedure.

Step 1 : Preparation

Backup Your Registry with ERUNT

Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Download TFC to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2 : Cleaning

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.

Extra Note: Do not run a full scan with MBAM. It is not required or needed, and in fact makes our job tougher.

Reboot your PC and run a full scan with your anti-virus program. This scan along with Malwarebytes should remove most malware.

If you're still having problems, continue to the next step. Otherwise, read "Preventing Malware and Safe Computing" to prevent future Spyware/Hijack attacks.

Step 3 : Post on the forum

Peer-to-peer programs/cracks/keygens/warez :

Downloading cracks and keygens from p2p programs ( Limewire, eMule, uTorrent ) is the most common way of how people get infected. We do not support the use of illegal software, that is why if you wish to get help on the forums, ALL p2p programs, cracks and keygens must be removed before posting. Failure to do so will result in your helper refusing to help you until they are completely removed.

If you download cracks you will get infected, that is a guarantee. We wont be here to help you every time, users who keep getting infected from using p2p programs will have to reformat, so use some common sense and avoid illegal software as they always contain spyware. It just isn't worth it.

Download OTL to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Update\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
CREATERESTOREPOINT
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\*.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time

Download Rooter.exe to your desktop

Then doubleclick it to start the tool
A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt.

Download LockSearch to your desktop

A window will pop up, Press 2 and then Enter. A scan will start, let it run uninterrupted. It should only take a few minutes.
A log will appear when it is finished, it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply

Download CKScanner from here

Important : Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify that the file is saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Please download WVCheck by Artellos from one of the mirrors below;
Artellos.com (exe)
Artellos.com (zip)
After the download, run WVCheck.exe
As indicated by the prompt, This program can take a while depending on your hard drive space.
Once the program is done, copy the contents of the notepad file into your topic.

One final scan

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
  
  Click the image to enlarge it
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

Then go to the Malware Removal forum here and post your OTL log along with the MBAM, Rooter, LockSearch, CKScanner, WVCheck, and GMER logs in a topic there. If you know the name of your infection put this in your topic title. Please do not make multiple topics as this will waste helpers time, have some patience as your log will get handled eventually.

If you haven't received a response in over three days, then go and post in The Waiting Room, make sure to include a link to your original topic. Do not post HijackThis logs in your waiting room topic, they will just be removed.

If you don't follow the steps in this topic and go straight to the Malware Removal forum, our first reply will be to send you back here. These steps are designed to help fix a lot of cases and get important things done from the start, it will save us all time.

You will need to register to post on the forum:

Warning :

DO NOT follow advice from a topic other than your own. Other topics may have similar problems but please do NOT follow the advice given. Doing so will/can cause your PC some damage. ALL PC's have different situations. I cannot and will not stress this any more.

DO NOT run any tools used on the forum here unless instructed to by a helper, otherwise you may damage your PC !

Regards

Atribune.org Staff

vundoo like symptoms - rootkit like activity

Sat, 27 Feb 2010 09:55:16 +0100

Tuesday 9 Feb 2010 happily doing Google searches on Firefox 3.6. Stopped at 18:30 GMT to do a manual Windows Update on my SP2 partition. When that had finished re-booted into my SP3 partition and did a Windows Update. Re-booted to my SP2 partition and had symptoms best matched by the wiki entry for vundoo (redirect to ransomware list on wiki page and constant disk access causing explorer to crash). My SP3 partition showed symptoms the next day. After installing 7 to my software test disk (in caddy) it showed symptoms approximately 24 hours later also.

I am not worried about the 7 install as it is only for software testing so would be re-formatted within the 30 day activation period to be replaced with various win 9x from ghost images, again for software testing (to ensure everything I write works correctly from 3.11 to 7).

My ISP provides a free anti-virus/firewall package that updates automatically.

The only time I have problems is when Windows Update forces me to use IE. This time Malware Bytes, SAS & Hijack This show nothing of note.

As it matched vundoo I tried vundoofix :-
"VundoFix V7.0.6

Scan started at 18:10:08 23/02/2010

Listing files found while scanning....

No infected files were found."

I have followed your instructions ("http://www.atribune.org/forums/index.php?showtopic=424") on my SP3 partition (smallest footprint) and gathered logs as instructed before this post.

However GMER 1.0.15.15281 had :-
SOFTWARE\Classes\InternetExplorerApplication
in the bottom pane for at least 2 hours so I have posted an incomplete log and will re-attempt after this post.

Preventing Malware and Safe Computing

Fri, 16 Jan 2009 20:17:50 +0100

Preventing Malware and Safe Computing

The following are some valuable tips for maintaining a secure PC and ensuring that your PC will not get infected in the future.

Backups :

It is extremely important that you make regular backups. Having these can make all the difference if your PC ever has a problem.

Backup Your Registry with ERUNT

Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Now create a fresh system restore point

Download SysRestorePoint to your desktop and unzip it to it's own folder.

Double click SysRestorePoint.exe so that we can make a new system restore point.
A box will pop up after it has made a new point, usually after a few seconds. Close that window and exit the program.

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

If you run Vista Premium, Business or Ultimate you have the ability to set automatic backups of your files.

Click Start > All Programs > Accessories > System Tools > Backup Status and Configuration
Click Back up files, and then follow the steps in the wizard.
Select where you want to back up to ... another partition,hard drive, CD or DVD.
Select which files you want to back up :

Pictures, Music, Videos, E-mail, Documents, etc
Select how often to back up:

Daily, Weekly or Monthly.
Select the day/time

Then click on Save settings and Exit.

To restore the files:

Click Restore files and then follow the steps in the wizard.

Note:
The ability to set up automatic backups is not included in Windows Vista Home Basic ; however, Windows will periodically remind you to back up your files. It is NOT recommended to backup to the same drive that your Operating System is located on.

Now if you ever have a PC problem, you should easily be able to restore your PC to a previous time.

Peer-to-Peer ( p2p ) programs :

Peer-to-peer programs, eg : LimeWire, Bitlord, Kazaa, are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware.

You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, these things will still infect you. It is highly recommend that you uninstall all peer-to-peer programs. It just isn't worth it.

Note :

Other common ways of getting infected are dis-reputable sites forcing you to download and install a codec. Or viruses using Instant Messaging programs (msn, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.

Security Programs :

It is essential these days to have a few security programs installed and running on your machine. However, there are a few caveats, you should not install more than one anti-virus or firewall. This actually does more harm than good, and will cause a lot of issues for your PC.

It is important to have a good anti-spyware program. We highly recommend MalwareBytes Anti-Malware and SUPERAntiSpyware
SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
Some good free firewalls are Online Armor or Outpost or Sunbelt Personal Firewall.
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.
Here are some good anti-virus programs, make sure you only use one though :
AntiVir or avast! or AVG.

It is important to keep these programs up to date. I would recommend using them once every 10 days.

Internet Browsers :

Picking the right internet browser is very important. You need to find one that suits your needs but that is also safe.

Mozilla's Firefox browser is fantastic, as is Opera. Both are far more secure than Internet Explorer, immune to almost all known browser hijackers, and also have the best built-in pop up blockers (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

While Opera can be downloaded from Here.

If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.

NoScript - for blocking ads and other potential website attacks
McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

Although, if you prefer staying with Internet Explorer I highly recommend you do this :

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

Extras :

Below are a few more steps that we highly recommend

OpenDNS is a very valuable feature that we strongly endorse here. It gives your PC the benefit of extra safety and increased browser speed. Enabling this takes hardly any time and is not complicated at all, even novice users will be able to set it up with the guide below.

Another huge advantage of using OpenDNS is that it blocks phishing websites from loading on your computer. It uses data from Phishtank, a community site that is also used by Yahoo! Mail to determine if some particular website is part of any online phishing scam.

To set this just have a look at the easy-to-use guide here
There are certain programs that are security vulnerabilities, it is recommended that you keep everything updated. Two of the main vulnerabilities are Java and Adobe Reader. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. Make sure to uninstall all previous versions of Java as well since they can be exploited.

You can also find the latest version of Adobe Reader here

Suggestion :

Foxit is a great free PDF alternative. It uses fewer system resources and is not vulnerable to the exploits affecting Adobe Reader. Providing full PDF functionality, Foxit is rapidly becoming the PDF reader of choice for many. Get it here
Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
TFC - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.
Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

Advanced Tips :

The following suggestions are considered to be rather complicated for the average user, so I only recommend them if you know what you are doing or have a desire to learn more complicated procedures. A few of these programs listed below are paid products, I have tried to use free alternatives but it hasn't always been possible.

I have also tried to link to tutorials for each of the tools recommended. This tutorial is not to answer questions on how to use them

Image Backups

What is an image backup ? To put it simply, it will back up all your data into a single file, including system and registry data, allowing you to do an easy, fast, and complete PC restore should your computer ever crash.

Here are some suggestions

DriveImage ( my personal recommendation, it is also free )
Acronis
Macrium Reflect

Limited User Account

Using a Limited User Account can help decrease the effect of malware and other potential damaging things for your PC. A Limited User account lets you use most of the capabilities of the computer, but only an Administrator can make changes that affect other users of the computer.

Have a read of the following article for more detailed instructions on how to go about setting it up

Click

Tip : This sort of account would be very beneficial to use among any children in your family, or among those who are not comp savvy that have access to your PC.

DropMyRights

The following program is only for use on on Windows XP machines, this tool is not needed on Windows Vista or Windows Server 2008, because by default users are not administrators.

It can be downloaded from here

This program greatly increases the security of Windows XP by running selected programs in a restricted environment ( i.e. with lower rights ) even when logged on to Windows XP as an Administrator. It simply blocks them from performing certain security-breaking functions.

You can find a guide here on how to use it here

Sandbox Programs

One of the best forms of protection that you can use for your PC is a sandbox program. In laymans terms, what they do is let you install and run programs in a virtual environment, so any changes made will happen in the virtual environment and not in the real PC.

So if your PC was to get infected by a piece of malware while in this virtual setting, or anything else that may damage the machine, all you have to do is close this virtual session, reboot the PC, and it will be back to normal.

Here are some sandbox programs that I recommend

Returnil
Sandboxie

HIPS

These programs may conflict with your other security protection programs. If this is the case ( ie : you notice massive slow down or BSODs ) then uninstall them.

HIPS ( Host Based Intrusion Prevention System ) is considered as one the best steps in protecting your PC. What these programs do are prevent changes made to your PC by unauthorised sources. It allows you to very closely monitor what runs on your PC.

Here are some recommendations

ProcessGuard
Threatfire ( there is a tutorial located in this link as well )
DriveSentry ( this is a firewall so it will conflict with other firewalls )

Now after all these steps, your PC will be extremely secure. However it is important to note that you can still get infected if you are not careful. One of the best security programs you can have is common sense. As malware gets more sophisticated, you need to be more wary. If you do get caught though and the above steps cant help fix it, we will be here to help you out

Regards

The Atribune.org Team

Would you like to learn to fight malware ?

Fri, 26 Dec 2008 17:30:31 +0100

Are you interested in joining the fight against malware ? Below is a list of free online schools where you can learn such skills and help give back to the community. It is important to note that there is a lot of work and learning involved, but as long as you have the desire and are in it for the long haul, you will be able to get through it.

It is preferable to have some computer knowledge but is not essential. The training is a steady progress so you wont be dropped into the deep end straight away.

Students that complete training are expected to "pay it forward" by assisting in the forums, where they can continue to keep abreast of evolving malware and removal techniques.

Note : You should not enroll in more than one school at the start as you will find it a lot of work.

The list of schools is below

Good luck !

Tried Vundofix..But no luck..PLz help

Fri, 26 Dec 2008 09:54:41 +0100

Hi,

My laptop is infected with Vundo virus and the dll is created in system32 folder under the name KhfgFxyw.dll. I scanned the system using McAfee and it was unable to clean it. Now my automatic updates is showing turned off warnings but when i go to control panel it still shows ON. Some random ad sites are popping up and opening in IE every now and then. Thats when i tried vundofix. It scanned my laptop and showed a message that No infected files were found. But the dll is still present in system32 folder, McAfee still detects it as Vundo . Please help.
I have a very important assignment coming up and need to work on my laptop and this virus is driving me crazy. Please help.

Screenshot attached.

Thanks.Gouri