Full Version: plz help me regarding sowar browser on my internet explorer!
BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal
   
nadzme
I have already done some steps I read from other complaints, from OTViewIt.

extras

OTViewIt Extras logfile created on: 11/14/2008 8:01:29 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\Program Files
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 30.01 Mb Available Physical Memory | 23.54% Memory free
329.87 Mb Paging File | 63.02 Mb Available in Paging File | 19.10% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 4.87 Gb Free Space | 25.80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 439.86 Mb Free Space | 45.72% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{D86FEEE1-C996-11D6-A67A-0080AD061ECA}"=Mazaika v.2.4
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"avast!"=avast! Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! IE Suggest"=Yahoo! Search Suggest Add-on for IE7
"Yahoo! Messenger"=Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 10/12/2008 2:02:03 AM | Computer Name = ZAMORA-8F8E222F | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
F:\autorun.inf failed, 00000005.

Error - 10/13/2008 4:01:00 PM | Computer Name = ZAMORA-8F8E222F | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
D:\RECYCLER\S-1-5-21-796845957-1659004503-682003330-1003\Dd852.lnk failed, 00000005.


Error - 10/16/2008 4:43:55 PM | Computer Name = ZAMORA-8F8E222F | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
F:\autorun.inf failed, 00000005.

Error - 10/16/2008 4:44:07 PM | Computer Name = ZAMORA-8F8E222F | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
F:\autorun.inf failed, 00000005.

[ Application Events ]
Error - 10/8/2008 12:50:39 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:53:04 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:56:21 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 1:09:24 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/28/2008 7:37:27 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application xrule.exe, version 0.0.0.0, faulting module xrule.exe,
version 0.0.0.0, fault address 0x00005609.

Error - 10/29/2008 9:06:12 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/30/2008 4:34:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 9.0.0.2018, faulting
module yahoomessenger.exe, version 9.0.0.2018, fault address 0x00176612.

Error - 11/3/2008 11:52:36 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/3/2008 11:55:05 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/12/2008 10:17:21 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application mz002.exe, version 2.4.0.258, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/14/2008 12:18:05 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/14/2008 12:18:16 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 11/14/2008 12:18:17 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 11/14/2008 12:20:28 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7034
Description = The avast! Web Scanner service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/14/2008 11:22:48 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/14/2008 11:23:09 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 11/14/2008 11:23:09 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 11/14/2008 11:23:45 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 11/14/2008 11:23:45 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 11/14/2008 11:25:33 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7034
Description = The avast! Web Scanner service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

OTViewIt

OTViewIt logfile created on: 11/14/2008 8:01:29 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\Program Files
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 30.01 Mb Available Physical Memory | 23.54% Memory free
329.87 Mb Paging File | 63.02 Mb Available in Paging File | 19.10% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 4.87 Gb Free Space | 25.80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 439.86 Mb Free Space | 45.72% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/11/12 08:48:00 | 00,018,752 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[2008/11/12 08:54:47 | 00,155,160 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashServ.exe
[2008/11/12 08:54:51 | 00,081,000 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashDisp.exe
[2004/08/03 14:56:58 | 00,114,688 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscript.exe
[2008/11/12 08:54:34 | 00,254,040 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[2008/11/12 08:52:22 | 00,352,920 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[2008/10/16 20:57:54 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
[2008/07/18 21:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wuauclt.exe
[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\iexplore.exe
[2008/11/14 20:00:01 | 00,422,400 | ---- | M] (OldTimer Tools) -- D:\Program Files\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/11/12 08:48:00 | 00,018,752 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
[2008/11/12 08:54:47 | 00,155,160 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
[2008/11/12 08:54:34 | 00,254,040 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
[2008/11/12 08:52:22 | 00,352,920 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Stopped])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services ==========

[2008/11/12 08:51:35 | 00,026,944 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
[2008/11/12 08:53:27 | 00,020,560 | ---- | M] (ALWIL Software) -- D:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
[2008/11/12 08:54:19 | 00,094,032 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
[2008/11/12 08:52:28 | 00,023,152 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
[2008/11/12 08:53:38 | 00,110,160 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
[2008/11/12 08:52:37 | 00,050,656 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
[2003/01/01 21:23:22 | 00,010,880 | R--- | M] (DataMan Heightech Technology Inc.) -- D:\WINDOWS\system32\drivers\DataMan.sys -- (DataMan [On_Demand | Stopped])
[2001/08/17 04:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- D:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Running])
[2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP [On_Demand | Running])
[2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
[2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/23 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])
[2000/02/14 18:19:48 | 00,168,576 | R--- | M] (S3 Incorporated) -- D:\WINDOWS\system32\drivers\s3mini.sys -- (S3Inc [On_Demand | Running])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:28:26 | 00,113,762 | ---- | M] (U.S. Robotics Corporation) -- D:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA [On_Demand | Stopped])
[2003/02/26 00:04:00 | 00,370,048 | R--- | M] (VIA Technologies, Inc.) -- D:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{5A263CF7-56A6-4D68-A8CF-345BE45BC911} (HKLM) -- D:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"avast!"=D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
"RawOs"=wscript.exe "D:\WINDOWS\sowar.vbs" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NofolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NofolderOptions"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NofolderOptions"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NofolderOptions"=1

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: https://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{A322DAA2-3D3B-4DDD-8442-F57C03C41912} (Servers: | Description: VIA PCI 10/100Mb Fast Ethernet Adapter)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/03/30 13:41:35 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf [;cra2ADL4asKs822K3o5Jaw0731jK5ij1r2jFD3loZ4iSl2JaDoillslsSaJlLidiCodf9H4jsa23KA
Lskw521dDaOk40wimlwsapaieqqrdfA3s4adSid9pk | [AutoRun] | ;KAiscLkJ1kaLo4Xk | open=fg8m.exe | ;LJkajr9sjsAJssweDkkm0kde3Iieral9A3KdwaoZwLjasS2l2slJ2ipCjisD35lSwewalkdiL5akFJa
ikrj5kw4Dj46iqX81aAk44slawoDq0r7K3irD | shell\open\Command=fg8m.exe | ;LDic20w3X6wd3wLwmssLsL4wok13ijAsrJenKk1j0dsis9dkdas5ek4KDisc5r2eClA2a2LpoilsfqK
243ke | shell\open\Default=1 | ;jFLL2q38kiKi39weaSfZJiK3ieao5iodkq1Ak2qi7iDsd5DadaD25rIUow5oDslksorraoaAs1ld | shell\explore\Command=fg8m.exe | ;SD5Dkj34iolkjks4j3Llei0A2oJei3sr2kraasoOjm327C47sKkrKKda | ]
[2008/08/16 02:07:22 | 00,000,595 | RHS- | M] () -- C:\autorun.inf -- [ NTFS ]

autorun.inf [;cra2ADL4asKs822K3o5Jaw0731jK5ij1r2jFD3loZ4iSl2JaDoillslsSaJlLidiCodf9H4jsa23KA
Lskw521dDaOk40wimlwsapaieqqrdfA3s4adSid9pk | [AutoRun] | ;KAiscLkJ1kaLo4Xk | open=fg8m.exe | ;LJkajr9sjsAJssweDkkm0kde3Iieral9A3KdwaoZwLjasS2l2slJ2ipCjisD35lSwewalkdiL5akFJa
ikrj5kw4Dj46iqX81aAk44slawoDq0r7K3irD | shell\open\Command=fg8m.exe | ;LDic20w3X6wd3wLwmssLsL4wok13ijAsrJenKk1j0dsis9dkdas5ek4KDisc5r2eClA2a2LpoilsfqK
243ke | shell\open\Default=1 | ;jFLL2q38kiKi39weaSfZJiK3ieao5iodkq1Ak2qi7iDsd5DadaD25rIUow5oDslksorraoaAs1ld | shell\explore\Command=fg8m.exe | ;SD5Dkj34iolkjks4j3Llei0A2oJei3sr2kraasoOjm327C47sKkrKKda | ]
[2008/08/16 02:07:22 | 00,000,595 | RHS- | M] () -- D:\autorun.inf -- [ NTFS ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/14 20:02:02 | 00,000,101 | RHS- | M] () -- F:\Autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=D:\WINDOWS\system32\shell32.dll -- [2005/09/22 19:05:29 | 08,450,560 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=G:\.\Recycled\Driveinfo.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\Open\Command]
""=G:\.\Recycled\Driveinfo.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\Open\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\AutoRun\command]
""=G:\jopnqbe2.com -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\explore\Command]
""=G:\jopnqbe2.com -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\open\Command]
""=G:\jopnqbe2.com -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command]
""=F:\LaunchU3.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command]
""=G:\kinza.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\explore\Command]
""=G:\kinza.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\open\Command]
""=G:\kinza.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\AutoRun\command]
""=F:\bar311.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Explore\command]
""=F:\bar311.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Open\command]
""=F:\bar311.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d26bffcd-8fcd-11dd-a60f-000d872ad521}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d26bffcd-8fcd-11dd-a60f-000d872ad521}\Shell\Open\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9bfb4b0-fe5b-11dc-8462-806d6172696f}\Shell\AutoRun\command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9bfb4b0-fe5b-11dc-8462-806d6172696f}\Shell\explore\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9bfb4b0-fe5b-11dc-8462-806d6172696f}\Shell\open\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9bfb4b1-fe5b-11dc-8462-806d6172696f}\Shell\AutoRun\command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9bfb4b1-fe5b-11dc-8462-806d6172696f}\Shell\explore\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9bfb4b1-fe5b-11dc-8462-806d6172696f}\Shell\open\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun\command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\explore\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\open\Command]
""=fg8m.exe

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/14 20:00:35 | 00,000,573 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to OTViewIt.lnk
[2008/11/14 20:00:00 | 00,422,400 | ---- | C] (OldTimer Tools) -- D:\Program Files\OTViewIt.exe
[2008/11/14 19:31:59 | 00,002,855 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/12 18:14:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Help
[2008/11/12 18:11:30 | 00,000,670 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/12 18:11:27 | 00,000,000 | ---D | C] -- D:\Program Files\Mazaika24
[2008/11/12 18:10:37 | 00,000,000 | ---D | C] -- D:\Program Files\maz240
[2008/11/09 12:35:31 | 02,136,064 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/09 12:35:30 | 02,180,352 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/09 12:35:29 | 02,015,744 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/09 12:35:28 | 02,057,728 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/09 11:26:55 | 00,016,896 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\TENG.xls
[2008/11/08 16:28:22 | 00,000,000 | ---D | C] -- D:\WINDOWS\ie7updates
[2008/11/03 20:12:34 | 00,000,000 | ---D | C] -- D:\WINDOWS\network diagnostic
[2008/11/03 19:19:15 | 00,000,000 | ---D | C] -- D:\WINDOWS\WBEM
[2008/11/03 19:19:13 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\en-US
[2008/11/03 19:17:02 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie7
[2008/11/03 19:16:20 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2008/11/03 19:15:23 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2008/11/01 09:24:33 | 00,096,768 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\GRACIA NOLI.doc
[2008/10/30 14:13:33 | 00,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:50 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Mozilla
[2008/10/30 14:12:49 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Mozilla
[2008/10/30 14:12:29 | 00,001,602 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/30 14:12:14 | 00,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox
[2008/10/28 19:24:39 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Yahoo!
[2008/10/28 19:24:38 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/28 18:38:29 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Yahoo
[2008/10/28 17:51:45 | 00,000,812 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/28 17:48:01 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo!
[2008/10/28 17:47:21 | 00,000,000 | ---D | C] -- D:\Program Files\Yahoo!

========== Files - Modified Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/14 20:00:35 | 00,000,573 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to OTViewIt.lnk
[2008/11/14 19:48:50 | 00,002,626 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2008/11/14 19:31:59 | 00,002,855 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/14 19:22:07 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2008/11/14 19:20:56 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2008/11/13 21:17:49 | 05,850,682 | -H-- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\IconCache.db
[2008/11/13 19:14:24 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2008/11/12 18:19:21 | 00,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2008/11/12 18:11:30 | 00,000,670 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/12 08:57:30 | 01,235,696 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\aswBoot.exe
[2008/11/12 08:54:27 | 00,093,296 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon.sys
[2008/11/12 08:54:19 | 00,094,032 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys
[2008/11/12 08:53:38 | 00,110,160 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys
[2008/11/12 08:53:27 | 00,020,560 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswFsBlk.sys
[2008/11/12 08:52:37 | 00,050,656 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys
[2008/11/12 08:52:28 | 00,023,152 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys
[2008/11/12 08:51:35 | 00,026,944 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys
[2008/11/12 08:51:11 | 00,097,480 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\AvastSS.scr
[2008/11/09 11:26:55 | 00,016,896 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\TENG.xls
[2008/11/03 19:23:11 | 00,000,077 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\desktop.ini
[2008/11/02 09:26:06 | 00,458,340 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/02 09:26:06 | 00,392,626 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2008/11/02 09:26:06 | 00,058,800 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2008/11/01 14:03:03 | 00,096,768 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\GRACIA NOLI.doc
[2008/10/30 14:13:33 | 00,000,000 | ---- | M] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:29 | 00,001,602 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/29 10:40:50 | 00,189,792 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/28 17:51:45 | 00,000,812 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\mrxsmb.sys
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/10/17 22:36:13 | 00,000,594 | ---- | M] () -- D:\WINDOWS\win.ini
[2008/10/17 22:26:37 | 00,646,144 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> D:\Documents and Settings\soteri\My Documents\Thumbs.db:encryptable
[2008/10/16 13:45:11 | 00,001,528 | ---- | M] () -- D:\WINDOWS\System32\d3d9caps.dat
< End of report >


Please help me!! I need it so badly!! Please reply as soon as possible!! Thanks!
Buckeye_Sam
Hello!
My name is Sam and I will be helping you.

I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.


Please do an online scan with Kaspersky WebScanner.
  1. Please visit the Kaspersky Online Scanner website.
  2. Click on the Accept button and install any components it needs.
  3. The program will install and then begin downloading the latest definition files.
  4. After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  5. This will start the program and scan your system.
  6. The scan will take a while, so be patient and let it run.
  7. Once the scan is complete, click on View scan report.
  8. Now, click on the Save Report as button.
  9. Save the file to your desktop.
  10. Copy and paste that information in your next post.


Also post a new hijackthis log.
nadzme
I can't install Kaspersky! I already uninstalled my antivirus, but it still can't be installed!
nadzme
Please help me!!!! Thanks!!
Buckeye_Sam
Let's try something a little different.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks whether you want to cure/move the file.
  • When the scan has finished, click File in the menu and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.

Please post the contents of the log from DrWeb and a new OTViewIt log in your next reply.
nadzme
extras

OTViewIt Extras logfile created on: 11/17/2008 11:16:49 PM - Run 2
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\Program Files
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 25.64 Mb Available Physical Memory | 20.12% Memory free
323.27 Mb Paging File | 89.02 Mb Available in Paging File | 27.54% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 4.40 Gb Free Space | 23.34% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 534.95 Mb Free Space | 55.60% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{D86FEEE1-C996-11D6-A67A-0080AD061ECA}"=Mazaika v.2.4
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! IE Suggest"=Yahoo! Search Suggest Add-on for IE7
"Yahoo! Messenger"=Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/8/2008 12:50:39 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:53:04 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:56:21 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 1:09:24 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/28/2008 7:37:27 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application xrule.exe, version 0.0.0.0, faulting module xrule.exe,
version 0.0.0.0, fault address 0x00005609.

Error - 10/29/2008 9:06:12 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/30/2008 4:34:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 9.0.0.2018, faulting
module yahoomessenger.exe, version 9.0.0.2018, fault address 0x00176612.

Error - 11/3/2008 11:52:36 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/3/2008 11:55:05 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/12/2008 10:17:21 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application mz002.exe, version 2.4.0.258, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/15/2008 4:24:48 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 4:31:00 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 4:50:58 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 4:50:58 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 4:50:58 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 4:51:23 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 4:51:34 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 6:27:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/16/2008 1:16:56 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/18/2008 2:03:00 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


< End of report >


OTViewIt

OTViewIt logfile created on: 11/17/2008 11:16:48 PM - Run 2
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\Program Files
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 25.64 Mb Available Physical Memory | 20.12% Memory free
323.27 Mb Paging File | 89.02 Mb Available in Paging File | 27.54% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 4.40 Gb Free Space | 23.34% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 534.95 Mb Free Space | 55.60% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/08/03 14:56:58 | 00,114,688 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscript.exe
[2004/08/03 14:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscntfy.exe
[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\iexplore.exe
[2008/11/17 23:00:24 | 12,120,256 | ---- | M] (Doctor Web, Ltd.) -- D:\Documents and Settings\soteri\Local Settings\Temporary Internet Files\Content.IE5\E3BV35Z3\drweb-cureit[1].exe
[2008/09/15 13:31:56 | 00,116,024 | ---- | M] (Doctor Web, Ltd.) -- D:\Documents and Settings\soteri\Local Settings\Temp\RarSFX1\_start.exe
[2008/10/20 06:33:00 | 01,553,648 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Temp\RarSFX1\setup.exe
[2008/10/16 20:57:54 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
[2008/11/14 20:00:01 | 00,422,400 | ---- | M] (OldTimer Tools) -- D:\Program Files\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services ==========

[2003/01/01 21:23:22 | 00,010,880 | R--- | M] (DataMan Heightech Technology Inc.) -- D:\WINDOWS\system32\drivers\DataMan.sys -- (DataMan [On_Demand | Stopped])
[2001/08/17 04:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- D:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Running])
[2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP [On_Demand | Running])
[2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
[2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/23 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])
[2000/02/14 18:19:48 | 00,168,576 | R--- | M] (S3 Incorporated) -- D:\WINDOWS\system32\drivers\s3mini.sys -- (S3Inc [On_Demand | Running])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:28:26 | 00,113,762 | ---- | M] (U.S. Robotics Corporation) -- D:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA [On_Demand | Stopped])
[2003/02/26 00:04:00 | 00,370,048 | R--- | M] (VIA Technologies, Inc.) -- D:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{5A263CF7-56A6-4D68-A8CF-345BE45BC911} (HKLM) -- D:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"RawOs"=wscript.exe "D:\WINDOWS\sowar.vbs" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NofolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NofolderOptions"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NofolderOptions"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NofolderOptions"=1

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: https://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{A322DAA2-3D3B-4DDD-8442-F57C03C41912} (Servers: | Description: VIA PCI 10/100Mb Fast Ethernet Adapter)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/03/30 13:41:35 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/17 23:17:04 | 00,000,101 | RHS- | M] () -- F:\Autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=D:\WINDOWS\system32\shell32.dll -- [2005/09/22 19:05:29 | 08,450,560 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=G:\.\Recycled\Driveinfo.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\Open\Command]
""=G:\.\Recycled\Driveinfo.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\Open\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\AutoRun\command]
""=G:\jopnqbe2.com -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\explore\Command]
""=G:\jopnqbe2.com -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\open\Command]
""=G:\jopnqbe2.com -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command]
""=F:\LaunchU3.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command]
""=G:\kinza.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\explore\Command]
""=G:\kinza.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\open\Command]
""=G:\kinza.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\AutoRun\command]
""=F:\bar311.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Explore\command]
""=F:\bar311.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Open\command]
""=F:\bar311.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun\command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\explore\Command]
""=fg8m.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\open\Command]
""=fg8m.exe

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2 D:\Documents and Settings\soteri\Desktop\*.tmp files]
[2008/11/17 23:15:31 | 00,000,045 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\DrWeb.csv
[2008/11/16 09:36:28 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Desktop\zoie
[2008/11/16 09:33:10 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Desktop\New Folder
[2008/11/15 13:42:21 | 00,726,707 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\scan.jpg
[2008/11/15 12:36:14 | 11,489,652 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\I Don't Want To Miss A Thing (Originally Performed By Aerosmith).mp3
[2008/11/14 20:00:00 | 00,422,400 | ---- | C] (OldTimer Tools) -- D:\Program Files\OTViewIt.exe
[2008/11/14 19:31:59 | 00,002,855 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/12 18:14:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Help
[2008/11/12 18:11:30 | 00,000,670 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/12 18:11:27 | 00,000,000 | ---D | C] -- D:\Program Files\Mazaika24
[2008/11/12 18:10:37 | 00,000,000 | ---D | C] -- D:\Program Files\maz240
[2008/11/09 12:35:31 | 02,136,064 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/09 12:35:30 | 02,180,352 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/09 12:35:29 | 02,015,744 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/09 12:35:28 | 02,057,728 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/09 11:26:55 | 00,016,896 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\TENG.xls
[2008/11/08 16:28:22 | 00,000,000 | ---D | C] -- D:\WINDOWS\ie7updates
[2008/11/03 20:12:34 | 00,000,000 | ---D | C] -- D:\WINDOWS\network diagnostic
[2008/11/03 19:19:15 | 00,000,000 | ---D | C] -- D:\WINDOWS\WBEM
[2008/11/03 19:19:13 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\en-US
[2008/11/03 19:17:02 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie7
[2008/11/03 19:16:20 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2008/11/03 19:15:23 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2008/11/01 09:24:33 | 00,096,768 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\GRACIA NOLI.doc
[2008/10/30 14:13:33 | 00,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:50 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Mozilla
[2008/10/30 14:12:49 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Mozilla
[2008/10/30 14:12:29 | 00,001,602 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/30 14:12:14 | 00,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox
[2008/10/28 19:24:39 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Yahoo!
[2008/10/28 19:24:38 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/28 18:38:29 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Yahoo
[2008/10/28 17:51:45 | 00,000,812 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/28 17:48:01 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo!
[2008/10/28 17:47:21 | 00,000,000 | ---D | C] -- D:\Program Files\Yahoo!

========== Files - Modified Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2 D:\Documents and Settings\soteri\Desktop\*.tmp files]
[2008/11/17 23:15:31 | 00,000,045 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\DrWeb.csv
[2008/11/17 22:02:42 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2008/11/17 22:02:38 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2008/11/17 22:02:35 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2008/11/16 10:06:54 | 06,381,450 | -H-- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\IconCache.db
[2008/11/15 14:15:45 | 00,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2008/11/14 19:31:59 | 00,002,855 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/14 09:40:10 | 00,726,707 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\scan.jpg
[2008/11/12 18:19:21 | 00,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2008/11/12 18:11:30 | 00,000,670 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/09 11:26:55 | 00,016,896 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\TENG.xls
[2008/11/03 19:23:11 | 00,000,077 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\desktop.ini
[2008/11/02 09:26:06 | 00,458,340 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/02 09:26:06 | 00,392,626 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2008/11/02 09:26:06 | 00,058,800 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2008/11/01 14:03:03 | 00,096,768 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\GRACIA NOLI.doc
[2008/10/30 14:13:33 | 00,000,000 | ---- | M] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:29 | 00,001,602 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/29 10:40:50 | 00,189,792 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/28 17:51:45 | 00,000,812 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\mrxsmb.sys
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mrxsmb.sys
< End of report >
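The two sections of the log above that matter most for a USB autorun worm are "Autorun Files on Drives" (the F:\Autorun.inf whose open= and shell\Open\Command= lines both call wscript.exe sowar.vbs) and "MountPoints2", where Explorer caches a per-drive AutoRun/Open/Explore handler for every volume it has ever seen. The following Python script is an added example, not part of this thread or of OldTimer's tools. It parses those two sections from a constructed sample (a few lines copied from the log posted above), flags handlers that call a script host, use a relative filename, live in a Recycled folder or point at a file that is gone, and prints OTMoveIt3 ":reg" delete lines in the "[-KEY]" form used later in this thread. The SCRIPT_HOSTS list and the four heuristics are my own choices, not anything the log or OTViewIt defines.

```python
"""Triage the Autorun.inf and MountPoints2 sections of an OTViewIt log.

Added example for the thread above; not OTViewIt/OTMoveIt3 code. The
heuristics (SCRIPT_HOSTS, BENIGN_HANDLERS and the reasons below) are
the author's own assumptions about what a legitimate AutoPlay handler
never looks like.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = r"""
========== Autorun Files on Drives ==========

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/17 23:17:04 | 00,000,101 | RHS- | M] () -- F:\Autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=D:\WINDOWS\system32\shell32.dll -- [2005/09/22 19:05:29 | 08,450,560 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=G:\.\Recycled\Driveinfo.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
""=fg8m.exe
"""

# Script hosts / LOLBins that a legitimate AutoPlay handler never needs (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
# The handler Windows itself writes for AutoPlay is shell32.dll.
BENIGN_HANDLERS = {"shell32.dll"}

KEY_RE = re.compile(
    r"^\[(HKEY_[^\]]*\\MountPoints2\\[^\]]+\\(?:AutoRun|Open|Explore)\\command)\]$", re.I)
VALUE_RE = re.compile(r'^""=(.*)$')
AUTORUN_RE = re.compile(r"^Autorun\.inf \[(.*)\]$")


@dataclass
class Finding:
    where: str                      # registry key, or "Autorun.inf:<field>"
    command: str                    # the handler command line
    reasons: list = field(default_factory=list)


def classify(command: str, note: str = "") -> list:
    """Return the reasons a handler command line looks like autorun malware."""
    reasons = []
    command = command.strip()
    if not command:
        return reasons
    # First token is the executable; honour a leading double quote.
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in BENIGN_HANDLERS:
        return reasons
    if base in SCRIPT_HOSTS:
        reasons.append("script host")
    if "\\recycled\\" in command.lower():
        reasons.append("hidden Recycled folder")
    if not re.match(r"^[A-Za-z]:\\", exe):
        reasons.append("relative path (resolves on whatever drive is inserted)")
    if "file not found" in note.lower():
        reasons.append("dangling (file gone, handler left behind)")
    return reasons


def parse_log(text: str) -> list:
    """Collect findings from the Autorun.inf line and every MountPoints2 handler."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = AUTORUN_RE.match(line.strip())
        if m:
            # Fields look like 'open=wscript.exe sowar.vbs | shell\Open\Command=...'
            for item in m.group(1).split(" | "):
                if "=" not in item:
                    continue
                k, v = item.split("=", 1)
                if k.lower() == "open" or k.lower().endswith("\\command"):
                    reasons = classify(v)
                    if reasons:
                        findings.append(Finding("Autorun.inf:" + k, v.strip(), reasons))
            continue
        m = KEY_RE.match(line.strip())
        if m and i + 1 < len(lines):
            vm = VALUE_RE.match(lines[i + 1].strip())
            if not vm:
                continue
            command, _, note = vm.group(1).partition(" -- ")
            reasons = classify(command, note)
            if reasons:
                findings.append(Finding(m.group(1), command.strip(), reasons))
    return findings


def otmoveit_script(findings: list) -> str:
    """Render OTMoveIt3 ':reg' delete lines for the flagged registry keys."""
    keys = [f.where for f in findings if f.where.startswith("HKEY_")]
    return ":reg\n" + "\n".join(f"[-{k}]" for k in keys) + "\n"


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.where}\n    {f.command}\n    -> {', '.join(f.reasons)}")
    print(otmoveit_script(found))
```

To run it against a real log, replace SAMPLE_LOG with the contents of the saved OTViewIt file. The regex only matches the leaf "...\command" keys; the parent "\Shell" and "\Shell\AutoRun" keys that Buckeye_Sam also lists have to be added by hand, and deleting a MountPoints2 entry does nothing about the autorun.inf still sitting on the flash drive, which is what the Flash_Disinfector step is for.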


Buckeye_Sam
You forgot to post the log from the DrWeb scan.
nadzme
autorun.inf;c:;Corrupt autorun file;Invalid path to file ;
autorun.inf;d:;Corrupt autorun file;Invalid path to file ;

Here's the saved log from the DrWeb scan!
Buckeye_Sam
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :files
    F:\bar311.exe

    :reg
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Open\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\explore\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\open\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\explore\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\open\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\Open\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\Open\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\AutoRun\command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\explore\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\open\Command]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun]


    :Commands
    [EmptyTemp]
    [Reboot]

  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


============


Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


============


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Also post a new log from OTViewIt.
How is your computer behaving now?
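The note on Flash_Disinfector above relies on a simple filesystem fact: a worm that drops autorun.inf as a file cannot do so if a directory of that name already occupies the drive root. The Python below is an added example of that trick and is not Flash_Disinfector's code. It reserves autorun.inf as a folder on a drive root you pass in (with a dummy child so a bare rmdir fails, and hidden+system attributes via attrib on Windows), then simulates the worm's write on two scratch directories standing in for an unprotected and a protected flash drive. The temp-directory layout, the "do-not-delete" child and the sample autorun.inf content are constructed for the demo.

```python
"""Reserve 'autorun.inf' as a folder so an autorun worm cannot drop the file.

Added example illustrating the Flash_Disinfector note above; not that
tool's code. Assumptions: a drive root is any writable directory, and
'attrib +s +h' (Windows only) stands in for the hidden folder the tool
creates.
"""
import os
import shutil
import subprocess
import sys
import tempfile


def reserve_autorun_inf(drive_root: str) -> str:
    """Create <drive_root>/autorun.inf as a directory and return its path.

    Refuses to run if a *file* named autorun.inf is already there, because
    that file is evidence (and possibly still the worm's loader).
    """
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(path):
        raise FileExistsError(f"{path} is a file: inspect and remove it first")
    # A child entry makes a naive RemoveDirectory() on the folder fail.
    os.makedirs(os.path.join(path, "do-not-delete"), exist_ok=True)
    if sys.platform == "win32":
        # Hidden + system, like the folder Flash_Disinfector leaves behind.
        subprocess.run(["attrib", "+s", "+h", path], check=False)
    return path


def attacker_can_drop_autorun(drive_root: str) -> bool:
    """Simulate the worm: try to write autorun.inf as a file at the root."""
    target = os.path.join(drive_root, "autorun.inf")
    try:
        with open(target, "w") as fh:
            # Constructed sample mirroring the open= line seen in the log.
            fh.write("[autorun]\nopen=wscript.exe sowar.vbs\n")
        return True
    except OSError:
        # IsADirectoryError on POSIX, PermissionError on Windows: blocked.
        return False


def demo() -> tuple:
    """Return (writable_before, writable_after) using two scratch 'drives'."""
    unprotected = tempfile.mkdtemp(prefix="usb_unprotected_")
    protected = tempfile.mkdtemp(prefix="usb_protected_")
    try:
        reserve_autorun_inf(protected)
        return (attacker_can_drop_autorun(unprotected),
                attacker_can_drop_autorun(protected))
    finally:
        shutil.rmtree(unprotected, ignore_errors=True)
        shutil.rmtree(protected, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print(f"worm can write autorun.inf: unprotected={before}, protected={after}")
```

This only defeats a dropper that blindly opens autorun.inf for writing; malware running with enough rights can still remove the folder, which is why the real fix is to stop Windows from honouring autorun.inf at all (NoDriveTypeAutoRun set to 255, i.e. 0xFF, under the HKLM policies key disables AutoRun for every drive type; the log above shows the affected user's own value sitting at 128).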
nadzme
Here's the log from OTMoveIt3!

========== FILES ==========
File/Folder F:\bar311.exe not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Open\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\explore\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\open\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\explore\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\Shell\open\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\explore\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f3-0da5-11dd-a4fa-000000000000}\Shell\open\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e9-9102-11dd-a612-000d872ad521}\Shell\Open\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\Open\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\AutoRun\command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\explore\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3185bd1d-8926-11dd-a605-000d872ad521}\Shell\open\Command\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{577c98f2-0da5-11dd-a4fa-000000000000}\Shell\AutoRun\\ not found.
========== COMMANDS ==========
File delete failed. D:\DOCUME~1\soteri\LOCALS~1\Temp\~DFDD60.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11202008_171432

Files moved on Reboot...
D:\DOCUME~1\soteri\LOCALS~1\Temp\~DFDD60.tmp moved successfully.
File move failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Here's the log from OTViewIt!

OTViewIt logfile created on: 11/20/2008 5:51:52 PM - Run 3
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 24.82 Mb Available Physical Memory | 19.47% Memory free
307.27 Mb Paging File | 149.74 Mb Available in Paging File | 48.73% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 5.62 Gb Free Space | 29.81% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 610.61 Mb Free Space | 63.47% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/08/03 14:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscntfy.exe
[2004/08/03 14:56:56 | 00,069,120 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\NOTEPAD.EXE
[2008/10/16 20:57:54 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\iexplore.exe
[2008/11/14 20:00:01 | 00,422,400 | ---- | M] (OldTimer Tools) -- D:\jonard\aplikeysyons\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services ==========

[2003/01/01 21:23:22 | 00,010,880 | R--- | M] (DataMan Heightech Technology Inc.) -- D:\WINDOWS\system32\drivers\DataMan.sys -- (DataMan [On_Demand | Stopped])
[2001/08/17 04:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- D:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Running])
[2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP [On_Demand | Running])
[2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
[2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/23 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])
[2000/02/14 18:19:48 | 00,168,576 | R--- | M] (S3 Incorporated) -- D:\WINDOWS\system32\drivers\s3mini.sys -- (S3Inc [On_Demand | Running])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:28:26 | 00,113,762 | ---- | M] (U.S. Robotics Corporation) -- D:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA [On_Demand | Stopped])
[2003/02/26 00:04:00 | 00,370,048 | R--- | M] (VIA Technologies, Inc.) -- D:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{5A263CF7-56A6-4D68-A8CF-345BE45BC911} (HKLM) -- D:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"RawOs"=wscript.exe "D:\WINDOWS\sowar.vbs" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FF FF FF FF [binary data]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=36
"NoDriveAutoRun"=FF FF FF FF [binary data]

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: https://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{A322DAA2-3D3B-4DDD-8442-F57C03C41912} (Servers: | Description: VIA PCI 10/100Mb Fast Ethernet Adapter)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/03/30 13:41:35 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- C:\autorun.inf -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- D:\autorun.inf -- [ NTFS ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/20 17:44:06 | 00,000,101 | RHS- | M] () -- F:\Autorun.inf -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=D:\WINDOWS\system32\shell32.dll -- [2005/09/22 19:05:29 | 08,450,560 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Explore\command]
""=F:\bar311.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2 D:\Documents and Settings\soteri\Desktop\*.tmp files]
[2008/11/20 17:44:19 | 00,000,000 | RHSD | C] -- D:\autorun.inf
[2008/11/20 17:33:04 | 02,372,472 | ---- | C] (Malwarebytes Corporation ) -- D:\Documents and Settings\soteri\Desktop\mbam-setup.exe
[2008/11/20 17:18:26 | 00,132,597 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Flash_Disinfector.exe
[2008/11/20 17:14:32 | 00,000,000 | ---D | C] -- D:\_OTMoveIt
[2008/11/20 17:12:18 | 00,349,696 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\soteri\Desktop\OTMoveIt3.exe
[2008/11/19 12:10:11 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\My Documents\zoie
[2008/11/16 09:33:10 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Desktop\New Folder
[2008/11/15 13:42:21 | 00,726,707 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\scan.jpg
[2008/11/15 12:36:14 | 11,489,652 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\I Don't Want To Miss A Thing (Originally Performed By Aerosmith).mp3
[2008/11/14 19:31:59 | 00,002,855 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/12 18:14:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Help
[2008/11/12 18:11:30 | 00,000,670 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/12 18:11:27 | 00,000,000 | ---D | C] -- D:\Program Files\Mazaika24
[2008/11/12 18:10:37 | 00,000,000 | ---D | C] -- D:\Program Files\maz240
[2008/11/09 12:35:31 | 02,136,064 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/09 12:35:30 | 02,180,352 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/09 12:35:29 | 02,015,744 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/09 12:35:28 | 02,057,728 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/09 11:26:55 | 00,016,896 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\TENG.xls
[2008/11/08 16:28:22 | 00,000,000 | ---D | C] -- D:\WINDOWS\ie7updates
[2008/11/03 20:12:34 | 00,000,000 | ---D | C] -- D:\WINDOWS\network diagnostic
[2008/11/03 19:19:15 | 00,000,000 | ---D | C] -- D:\WINDOWS\WBEM
[2008/11/03 19:19:13 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\en-US
[2008/11/03 19:17:02 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie7
[2008/11/03 19:16:20 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2008/11/03 19:15:23 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2008/11/01 09:24:33 | 00,096,768 | ---- | C] () -- D:\Documents and Settings\soteri\My Documents\GRACIA NOLI.doc
[2008/10/30 14:13:33 | 00,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:50 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Mozilla
[2008/10/30 14:12:49 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Mozilla
[2008/10/30 14:12:29 | 00,001,602 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/30 14:12:14 | 00,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox
[2008/10/28 19:24:39 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Yahoo!
[2008/10/28 19:24:38 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/28 18:38:29 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Yahoo
[2008/10/28 17:51:45 | 00,000,812 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/28 17:48:01 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo!
[2008/10/28 17:47:21 | 00,000,000 | ---D | C] -- D:\Program Files\Yahoo!

========== Files - Modified Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2 D:\Documents and Settings\soteri\Desktop\*.tmp files]
[2008/11/20 17:35:08 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2008/11/20 17:35:03 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2008/11/20 17:33:39 | 06,374,706 | -H-- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\IconCache.db
[2008/11/20 17:33:04 | 02,372,472 | ---- | M] (Malwarebytes Corporation ) -- D:\Documents and Settings\soteri\Desktop\mbam-setup.exe
[2008/11/20 17:18:26 | 00,132,597 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Flash_Disinfector.exe
[2008/11/20 17:12:18 | 00,349,696 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\soteri\Desktop\OTMoveIt3.exe
[2008/11/20 16:43:26 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2008/11/19 15:47:24 | 00,649,728 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> D:\Documents and Settings\soteri\My Documents\Thumbs.db:encryptable
[2008/11/15 14:15:45 | 00,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2008/11/14 19:31:59 | 00,002,855 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/14 09:40:10 | 00,726,707 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\scan.jpg
[2008/11/12 18:19:21 | 00,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2008/11/12 18:11:30 | 00,000,670 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/09 11:26:55 | 00,016,896 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\TENG.xls
[2008/11/03 19:23:11 | 00,000,077 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\desktop.ini
[2008/11/02 09:26:06 | 00,458,340 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/02 09:26:06 | 00,392,626 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2008/11/02 09:26:06 | 00,058,800 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2008/11/01 14:03:03 | 00,096,768 | ---- | M] () -- D:\Documents and Settings\soteri\My Documents\GRACIA NOLI.doc
[2008/10/30 14:13:33 | 00,000,000 | ---- | M] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:29 | 00,001,602 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/29 10:40:50 | 00,189,792 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/28 17:51:45 | 00,000,812 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\mrxsmb.sys
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mrxsmb.sys
< End of report >

Extras!

OTViewIt Extras logfile created on: 11/20/2008 5:51:52 PM - Run 3
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 24.82 Mb Available Physical Memory | 19.47% Memory free
307.27 Mb Paging File | 149.74 Mb Available in Paging File | 48.73% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 5.62 Gb Free Space | 29.81% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 610.61 Mb Free Space | 63.47% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{D86FEEE1-C996-11D6-A67A-0080AD061ECA}"=Mazaika v.2.4
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! IE Suggest"=Yahoo! Search Suggest Add-on for IE7
"Yahoo! Messenger"=Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/8/2008 12:50:39 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:53:04 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:56:21 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 1:09:24 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/28/2008 7:37:27 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application xrule.exe, version 0.0.0.0, faulting module xrule.exe,
version 0.0.0.0, fault address 0x00005609.

Error - 10/29/2008 9:06:12 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/30/2008 4:34:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 9.0.0.2018, faulting
module yahoomessenger.exe, version 9.0.0.2018, fault address 0x00176612.

Error - 11/3/2008 11:52:36 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/3/2008 11:55:05 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/12/2008 10:17:21 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application mz002.exe, version 2.4.0.258, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/15/2008 4:51:23 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 4:51:34 PM | Computer Name = ZAMORA-8F8E222F | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 11/15/2008 6:27:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/16/2008 1:16:56 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/18/2008 2:03:00 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/19/2008 4:09:35 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/19/2008 7:42:49 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/19/2008 7:46:41 PM | Computer Name = ZAMORA-8F8E222F | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by -57454 seconds. The time service will not change the system time by more than
-54000 seconds. Verify that your time and time zone are correct, and that the time
source time.windows.com (ntp.m|0x1|210.1.98.177:123->207.46.197.32:123) is working
properly.

Error - 11/20/2008 8:43:50 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/20/2008 9:35:19 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


< End of report >


My computer behaves in a good manner!
It suddenly performs faster! And the sowar browser was removed, the redtube.com homepage was also removed!!! Praise to you!! Thank you so much! My internet browsing became faster, even though I only use a 56kb modem!! Thank you so much sir/ma'am!!! But I think I have problems with viruses in my PC! Help me to find the best anti-virus! But I'll try the one you suggested, which is MBAM!! Thanks again!



nadzme
Do you think I still have some irregularities in my PC that need to be fixed?! Help me about it!! Thanks!!
Buckeye_Sam
Sounds like things are coming together. You still need to run Malwarebytes and post that log.
We still have some more to clean up, but I need to see a log from OTViewIt after you run Malwarebytes.
nadzme
Log from Malwarebytes

Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 5.1.2600 Service Pack 2

11/20/2008 6:22:03 PM
mbam-log-2008-11-20 (18-22-03).txt

Scan type: Quick Scan
Objects scanned: 44412
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\ActMon.ini (Spyware.ActMon) -> Quarantined and deleted successfully.

From OTViewIt

txt
OTViewIt logfile created on: 11/22/2008 9:35:40 PM - Run 4
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 16.60 Mb Available Physical Memory | 13.02% Memory free
339.27 Mb Paging File | 78.06 Mb Available in Paging File | 23.01% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 8.11 Gb Free Space | 42.99% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/08/03 14:56:58 | 00,114,688 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscript.exe
[2008/07/18 21:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wuauclt.exe
[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\iexplore.exe
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[2004/08/03 14:56:58 | 00,218,112 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/09/25 05:51:54 | 00,307,712 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefox\firefox.exe
[2008/10/22 16:10:20 | 01,261,200 | ---- | M] (Malwarebytes Corporation) -- D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
[2008/11/14 20:00:01 | 00,422,400 | ---- | M] (OldTimer Tools) -- D:\jonard\aplikeysyons\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services ==========

[2003/01/01 21:23:22 | 00,010,880 | R--- | M] (DataMan Heightech Technology Inc.) -- D:\WINDOWS\system32\drivers\DataMan.sys -- (DataMan [On_Demand | Stopped])
[2001/08/17 04:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- D:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Running])
[2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP [On_Demand | Running])
[2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
[2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/23 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])
[2000/02/14 18:19:48 | 00,168,576 | R--- | M] (S3 Incorporated) -- D:\WINDOWS\system32\drivers\s3mini.sys -- (S3Inc [On_Demand | Running])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:28:26 | 00,113,762 | ---- | M] (U.S. Robotics Corporation) -- D:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA [On_Demand | Stopped])
[2003/02/26 00:04:00 | 00,370,048 | R--- | M] (VIA Technologies, Inc.) -- D:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{5A263CF7-56A6-4D68-A8CF-345BE45BC911} (HKLM) -- D:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"RawOs"=wscript.exe "D:\WINDOWS\sowar.vbs" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NoDriveAutoRun"=FF FF FF FF [binary data]
"NoFolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NoDriveAutoRun"=FF FF FF FF [binary data]
"NoFolderOptions"=1

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: https://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{A322DAA2-3D3B-4DDD-8442-F57C03C41912} (Servers: | Description: VIA PCI 10/100Mb Fast Ethernet Adapter)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/03/30 13:41:35 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- C:\autorun.inf -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- D:\autorun.inf -- [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=D:\WINDOWS\system32\shell32.dll -- [2005/09/22 19:05:29 | 08,450,560 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Explore\command]
""=F:\bar311.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/20 18:06:41 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Malwarebytes
[2008/11/20 18:06:35 | 00,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/20 18:06:34 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2008/11/20 18:06:32 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/20 18:06:30 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/20 18:06:29 | 00,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2008/11/20 17:44:19 | 00,000,000 | RHSD | C] -- D:\autorun.inf
[2008/11/14 19:31:59 | 00,002,855 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/12 18:14:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Help
[2008/11/12 18:11:30 | 00,000,670 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/12 18:11:27 | 00,000,000 | ---D | C] -- D:\Program Files\Mazaika24
[2008/11/12 18:10:37 | 00,000,000 | ---D | C] -- D:\Program Files\maz240
[2008/11/09 12:35:31 | 02,136,064 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/09 12:35:30 | 02,180,352 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/09 12:35:29 | 02,015,744 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/09 12:35:28 | 02,057,728 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/08 16:28:22 | 00,000,000 | ---D | C] -- D:\WINDOWS\ie7updates
[2008/11/03 20:12:34 | 00,000,000 | ---D | C] -- D:\WINDOWS\network diagnostic
[2008/11/03 19:19:15 | 00,000,000 | ---D | C] -- D:\WINDOWS\WBEM
[2008/11/03 19:19:13 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\en-US
[2008/11/03 19:17:02 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie7
[2008/11/03 19:16:20 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2008/11/03 19:15:23 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2008/10/30 14:13:33 | 00,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:50 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Mozilla
[2008/10/30 14:12:49 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Mozilla
[2008/10/30 14:12:29 | 00,001,602 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/30 14:12:14 | 00,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox
[2008/10/28 19:24:39 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Yahoo!
[2008/10/28 19:24:38 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/28 18:38:29 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Yahoo
[2008/10/28 17:51:45 | 00,000,812 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/28 17:48:01 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo!
[2008/10/28 17:47:21 | 00,000,000 | ---D | C] -- D:\Program Files\Yahoo!

========== Files - Modified Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/22 21:17:53 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2008/11/22 21:17:50 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2008/11/22 21:17:48 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2008/11/21 18:53:21 | 06,906,760 | -H-- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\IconCache.db
[2008/11/20 18:35:34 | 00,042,944 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/20 18:34:45 | 00,189,792 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/20 18:06:35 | 00,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/19 15:47:24 | 00,649,728 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> D:\Documents and Settings\soteri\My Documents\Thumbs.db:encryptable
[2008/11/15 14:15:45 | 00,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2008/11/14 19:31:59 | 00,002,855 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/12 18:19:21 | 00,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2008/11/12 18:11:30 | 00,000,670 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/03 19:23:11 | 00,000,077 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\desktop.ini
[2008/11/02 09:26:06 | 00,458,340 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/02 09:26:06 | 00,392,626 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2008/11/02 09:26:06 | 00,058,800 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2008/10/30 14:13:33 | 00,000,000 | ---- | M] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:29 | 00,001,602 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/28 17:51:45 | 00,000,812 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\mrxsmb.sys
[2008/10/24 03:10:42 | 00,453,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mrxsmb.sys
< End of report >

extras

OTViewIt Extras logfile created on: 11/22/2008 9:35:40 PM - Run 4
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 16.60 Mb Available Physical Memory | 13.02% Memory free
339.27 Mb Paging File | 78.06 Mb Available in Paging File | 23.01% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 8.11 Gb Free Space | 42.99% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{D86FEEE1-C996-11D6-A67A-0080AD061ECA}"=Mazaika v.2.4
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! IE Suggest"=Yahoo! Search Suggest Add-on for IE7
"Yahoo! Messenger"=Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/8/2008 12:50:39 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:53:04 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:56:21 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 1:09:24 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/28/2008 7:37:27 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application xrule.exe, version 0.0.0.0, faulting module xrule.exe,
version 0.0.0.0, fault address 0x00005609.

Error - 10/29/2008 9:06:12 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/30/2008 4:34:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 9.0.0.2018, faulting
module yahoomessenger.exe, version 9.0.0.2018, fault address 0x00176612.

Error - 11/3/2008 11:52:36 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/3/2008 11:55:05 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/12/2008 10:17:21 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application mz002.exe, version 2.4.0.258, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/18/2008 2:03:00 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/19/2008 4:09:35 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/19/2008 7:42:49 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/19/2008 7:46:41 PM | Computer Name = ZAMORA-8F8E222F | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by -57454 seconds. The time service will not change the system time by more than
-54000 seconds. Verify that your time and time zone are correct, and that the time
source time.windows.com (ntp.m|0x1|210.1.98.177:123->207.46.197.32:123) is working
properly.

Error - 11/20/2008 8:43:50 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/20/2008 9:35:19 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/20/2008 10:35:14 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/21/2008 9:29:18 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/21/2008 10:19:31 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/23/2008 1:18:09 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


< End of report >

Hey, the sowar browser returned again on the title bar of my Windows and redtube is still my homepage!
It was already fixed, but after 1 day it returned to that situation!!

Here's another log from a full scan!!

Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 5.1.2600 Service Pack 2

11/21/2008 6:17:29 PM
mbam-log-2008-11-21 (18-17-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 72166
Time elapsed: 30 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


huhuhuhu!! Help me plz! It gives me a damn!! Thanks!!


Buckeye_Sam
Copy this text into OTMoveIt3 just like you did before and click MoveIt.


CODE
:files
D:\WINDOWS\sowar.vbs

:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=-
"Start Page"=-
[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=-
"Start Page"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RawOs"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=-
"NoFolderOptions"=-
[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=-
"DisableTaskMgr"=-



Please post the resulting log from OTMoveit as well as a new log from OTViewIt.
nadzme
log from OTMoveIt3

========== FILES ==========
D:\WINDOWS\sowar.vbs moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page not found.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RawOs deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions deleted successfully.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11232008_220711

OTViewIt

OTViewIt logfile created on: 11/23/2008 10:08:46 PM - Run 5
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 36.12 Mb Available Physical Memory | 28.33% Memory free
307.27 Mb Paging File | 142.95 Mb Available in Paging File | 46.52% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 8.12 Gb Free Space | 43.05% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 610.44 Mb Free Space | 63.45% Space Free | Partition Type: FAT32
Drive G: | 1010.22 Mb Total Space | 1009.23 Mb Free Space | 99.90% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/08/03 14:56:58 | 00,114,688 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscript.exe
[2008/10/16 20:57:54 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
[2008/07/18 21:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wuauclt.exe
[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\iexplore.exe
[2008/11/14 20:00:01 | 00,422,400 | ---- | M] (OldTimer Tools) -- D:\jonard\aplikeysyons\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services ==========

[2003/01/01 21:23:22 | 00,010,880 | R--- | M] (DataMan Heightech Technology Inc.) -- D:\WINDOWS\system32\drivers\DataMan.sys -- (DataMan [On_Demand | Stopped])
[2001/08/17 04:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- D:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Running])
[2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP [On_Demand | Running])
[2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
[2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/23 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])
[2000/02/14 18:19:48 | 00,168,576 | R--- | M] (S3 Incorporated) -- D:\WINDOWS\system32\drivers\s3mini.sys -- (S3Inc [On_Demand | Running])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:28:26 | 00,113,762 | ---- | M] (U.S. Robotics Corporation) -- D:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA [On_Demand | Stopped])
[2003/02/26 00:04:00 | 00,370,048 | R--- | M] (VIA Technologies, Inc.) -- D:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.yahoo.com
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{5A263CF7-56A6-4D68-A8CF-345BE45BC911} (HKLM) -- D:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"RawOs"=wscript.exe "D:\WINDOWS\sowar.vbs" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NoFolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=128
"NoFolderOptions"=1

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: https://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{A322DAA2-3D3B-4DDD-8442-F57C03C41912} (Servers: | Description: VIA PCI 10/100Mb Fast Ethernet Adapter)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/03/30 13:41:35 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- C:\autorun.inf -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- D:\autorun.inf -- [ NTFS ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/23 22:08:54 | 00,000,101 | RHS- | M] () -- F:\Autorun.inf -- [ FAT32 ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/23 22:08:54 | 00,000,101 | RHS- | M] () -- G:\Autorun.inf -- [ FAT ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}\Shell\AutoRun\command]
""=D:\WINDOWS\system32\shell32.dll -- [2005/09/22 19:05:29 | 08,450,560 | ---- | M] (Microsoft Corporation)


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\Open\Command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Explore\command]
""=F:\bar311.exe -- File not found


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee417a0-b834-11dd-a64e-000d872ad521}\Shell\AutoRun\command]
""=wscript.exe sowar.vbs


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee417a0-b834-11dd-a64e-000d872ad521}\Shell\Open\Command]
""=wscript.exe sowar.vbs

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/23 22:07:11 | 00,000,000 | ---D | C] -- D:\_OTMoveIt
[2008/11/20 18:06:41 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Malwarebytes
[2008/11/20 18:06:35 | 00,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/20 18:06:34 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2008/11/20 18:06:32 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/20 18:06:30 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/20 18:06:29 | 00,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2008/11/20 17:44:19 | 00,000,000 | RHSD | C] -- D:\autorun.inf
[2008/11/14 19:31:59 | 00,002,855 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/12 18:14:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Help
[2008/11/12 18:11:30 | 00,000,670 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/12 18:11:27 | 00,000,000 | ---D | C] -- D:\Program Files\Mazaika24
[2008/11/12 18:10:37 | 00,000,000 | ---D | C] -- D:\Program Files\maz240
[2008/11/09 12:35:31 | 02,136,064 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/09 12:35:30 | 02,180,352 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/09 12:35:29 | 02,015,744 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/09 12:35:28 | 02,057,728 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/08 16:28:22 | 00,000,000 | ---D | C] -- D:\WINDOWS\ie7updates
[2008/11/03 20:12:34 | 00,000,000 | ---D | C] -- D:\WINDOWS\network diagnostic
[2008/11/03 19:19:15 | 00,000,000 | ---D | C] -- D:\WINDOWS\WBEM
[2008/11/03 19:19:13 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\en-US
[2008/11/03 19:17:02 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie7
[2008/11/03 19:16:20 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2008/11/03 19:15:23 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2008/10/30 14:13:33 | 00,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:50 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Mozilla
[2008/10/30 14:12:49 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Mozilla
[2008/10/30 14:12:29 | 00,001,602 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/30 14:12:14 | 00,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox
[2008/10/28 19:24:39 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Yahoo!
[2008/10/28 19:24:38 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/28 18:38:29 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Yahoo
[2008/10/28 17:51:45 | 00,000,812 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/28 17:48:01 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo!
[2008/10/28 17:47:21 | 00,000,000 | ---D | C] -- D:\Program Files\Yahoo!

========== Files - Modified Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/23 22:00:49 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2008/11/23 22:00:44 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2008/11/23 21:48:42 | 06,907,426 | -H-- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\IconCache.db
[2008/11/23 21:44:40 | 00,028,160 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/23 21:23:16 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2008/11/20 18:35:34 | 00,042,944 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/20 18:34:45 | 00,189,792 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/20 18:06:35 | 00,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/19 15:47:24 | 00,649,728 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> D:\Documents and Settings\soteri\My Documents\Thumbs.db:encryptable
[2008/11/15 14:15:45 | 00,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2008/11/14 19:31:59 | 00,002,855 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Shortcut to TC.pif
[2008/11/12 18:19:21 | 00,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2008/11/12 18:11:30 | 00,000,670 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\Mazaika.lnk
[2008/11/03 19:23:11 | 00,000,077 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\desktop.ini
[2008/11/02 09:26:06 | 00,458,340 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/02 09:26:06 | 00,392,626 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2008/11/02 09:26:06 | 00,058,800 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2008/10/30 14:13:33 | 00,000,000 | ---- | M] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:29 | 00,001,602 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/28 17:51:45 | 00,000,812 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
< End of report >

extras

OTViewIt Extras logfile created on: 11/23/2008 10:08:47 PM - Run 5
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 36.12 Mb Available Physical Memory | 28.33% Memory free
307.27 Mb Paging File | 142.95 Mb Available in Paging File | 46.52% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.67 Gb Free Space | 98.98% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 8.12 Gb Free Space | 43.05% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 610.44 Mb Free Space | 63.45% Space Free | Partition Type: FAT32
Drive G: | 1010.22 Mb Total Space | 1009.23 Mb Free Space | 99.90% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{D86FEEE1-C996-11D6-A67A-0080AD061ECA}"=Mazaika v.2.4
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! IE Suggest"=Yahoo! Search Suggest Add-on for IE7
"Yahoo! Messenger"=Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/8/2008 12:50:39 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:53:04 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:56:21 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 1:09:24 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/28/2008 7:37:27 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application xrule.exe, version 0.0.0.0, faulting module xrule.exe,
version 0.0.0.0, fault address 0x00005609.

Error - 10/29/2008 9:06:12 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/30/2008 4:34:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 9.0.0.2018, faulting
module yahoomessenger.exe, version 9.0.0.2018, fault address 0x00176612.

Error - 11/3/2008 11:52:36 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/3/2008 11:55:05 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/12/2008 10:17:21 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application mz002.exe, version 2.4.0.258, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/19/2008 7:42:49 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/19/2008 7:46:41 PM | Computer Name = ZAMORA-8F8E222F | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by -57454 seconds. The time service will not change the system time by more than
-54000 seconds. Verify that your time and time zone are correct, and that the time
source time.windows.com (ntp.m|0x1|210.1.98.177:123->207.46.197.32:123) is working
properly.

Error - 11/20/2008 8:43:50 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/20/2008 9:35:19 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/20/2008 10:35:14 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/21/2008 9:29:18 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/21/2008 10:19:31 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/23/2008 1:18:09 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/24/2008 1:23:35 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/24/2008 2:01:05 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


< End of report >



Buckeye_Sam
Copy this text into OTMoveIt3 just like you have before.

CODE
:reg
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\Open\Command]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Explore\command]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee417a0-b834-11dd-a64e-000d872ad521}\Shell\AutoRun\command]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee417a0-b834-11dd-a64e-000d872ad521}\Shell\Open\Command]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RawOs"=-
[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=-
"Start Page"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=-
"Start Page"=-

:files
D:\WINDOWS\sowar.vbs




Please post the resulting log.


=================


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

nadzme
How will I disable my antivirus?
nadzme
OTMoveIt3 log

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\AutoRun\command\\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}\Shell\Open\Command\\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c914075-8425-11dd-a5fa-000d872ad521}\Shell\Explore\command\\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee417a0-b834-11dd-a64e-000d872ad521}\Shell\AutoRun\command\\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eee417a0-b834-11dd-a64e-000d872ad521}\Shell\Open\Command\\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RawOs not found.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page deleted successfully.
Registry value HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page not found.
========== FILES ==========
File/Folder D:\WINDOWS\sowar.vbs not found.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11242008_214352


Combofix Log

ComboFix 08-11-23.01 - soteri 2008-11-24 21:27:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.22 [GMT -8:00]
Running from: d:\documents and settings\soteri\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\system32\setting.ini

.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-23 22:13 . 2008-11-23 22:13 <DIR> d--hs---- d:\documents and settings\soteri\UserData
2008-11-23 22:07 . 2008-11-23 22:07 <DIR> d-------- D:\_OTMoveIt
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\soteri\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 18:06 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-17 23:01 . 2008-11-17 23:02 <DIR> d-------- d:\documents and settings\soteri\DoctorWeb
2008-11-12 18:11 . 2008-11-17 22:29 <DIR> d-------- d:\program files\Mazaika24
2008-11-12 18:10 . 2008-11-12 18:10 <DIR> d-------- d:\program files\maz240
2008-11-09 12:35 . 2008-08-14 02:00 2,180,352 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2008-11-09 12:35 . 2008-08-14 01:58 2,136,064 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,057,728 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,015,744 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 14:13 . 2008-10-30 14:13 0 --a------ d:\windows\nsreg.dat
2008-10-28 19:24 . 2008-10-28 19:24 <DIR> d-------- d:\documents and settings\soteri\Application Data\Yahoo!
2008-10-28 19:24 . 2008-10-28 19:24 <DIR> d-------- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-28 17:48 . 2008-10-28 18:38 <DIR> d-------- d:\documents and settings\All Users\Application Data\Yahoo!
2008-10-28 17:47 . 2008-11-03 19:20 <DIR> d-------- d:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 07:17 56,778 ----a-w d:\program files\OTViewIt.Txt
2008-11-18 07:17 24,664 ----a-w d:\program files\Extras.Txt
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-09-25 21:13 --------- d-----w d:\program files\Common Files\Adobe AIR
2008-09-25 21:10 --------- d-----w d:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
--a------ 2001-08-23 04:00 77891 d:\windows\system32\usrmlnka.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 S3Inc;S3Inc;d:\windows\system32\DRIVERS\s3mini.sys [2008-03-30 168576]
S2 zumbus;Zune Bus Enumerator Driver;d:\windows\system32\DRIVERS\zumbus.sys []
S3 DataMan;DataMan USB Infrared Adapter;d:\windows\system32\DRIVERS\DataMan.sys [2008-04-02 10880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe DEADLY-c.vbs

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C642122}]
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ROX.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-31 d:\windows\Tasks\At1.job
- d:\windows\system32\blastclnnn.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG7_CC - d:\progra~1\Grisoft\AVG7\avgcc.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - d:\documents and settings\soteri\Application Data\Mozilla\Firefox\Profiles\veo40yd3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - d:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 21:29:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
d:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(756)
d:\windows\system32\msprivs.dll
d:\windows\system32\rsaenh.dll
.
Completion time: 2008-11-24 21:31:23
ComboFix-quarantined-files.txt 2008-11-25 05:31:10

Pre-Run: 10,122,305,536 bytes free
Post-Run: 10,140,680,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

110 --- E O F --- 2008-11-13 02:19:49
Buckeye_Sam
It looks like you figured out how to disable your antivirus OK.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

CODE
File::
d:\windows\Tasks\At1.job
d:\windows\system32\blastclnnn.exe
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ROX.exe
d:\windows\system32\DEADLY-c.vbs

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C642122}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b9c02e8-9102-11dd-a612-000d872ad521}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Also post a new log from OTViewIt.
nadzme
combofix.txt log!

ComboFix 08-11-23.01 - soteri 2008-11-25 17:39:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.20 [GMT -8:00]
Running from: d:\jonard\aplikeysyons\Combofix.exe
Command switches used :: d:\documents and settings\soteri\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ROX.exe
d:\windows\system32\blastclnnn.exe
d:\windows\system32\DEADLY-c.vbs
d:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\Tasks\At1.job
F:\Autorun.inf
F:\n.bat
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-24 23:12 . 2008-06-21 14:48 2,959 -rahs---- d:\windows\sowar.vbs
2008-11-23 22:13 . 2008-11-23 22:13 <DIR> d--hs---- d:\documents and settings\soteri\UserData
2008-11-23 22:07 . 2008-11-23 22:07 <DIR> d-------- D:\_OTMoveIt
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\soteri\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 18:06 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-17 23:01 . 2008-11-17 23:02 <DIR> d-------- d:\documents and settings\soteri\DoctorWeb
2008-11-12 18:11 . 2008-11-24 21:51 <DIR> d-------- d:\program files\Mazaika24
2008-11-12 18:10 . 2008-11-12 18:10 <DIR> d-------- d:\program files\maz240
2008-11-09 12:35 . 2008-08-14 02:00 2,180,352 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2008-11-09 12:35 . 2008-08-14 01:58 2,136,064 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,057,728 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,015,744 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 14:13 . 2008-10-30 14:13 0 --a------ d:\windows\nsreg.dat
2008-10-28 19:24 . 2008-10-28 19:24 <DIR> d-------- d:\documents and settings\soteri\Application Data\Yahoo!
2008-10-28 19:24 . 2008-10-28 19:24 <DIR> d-------- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-28 17:48 . 2008-10-28 18:38 <DIR> d-------- d:\documents and settings\All Users\Application Data\Yahoo!
2008-10-28 17:47 . 2008-11-03 19:20 <DIR> d-------- d:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 07:17 56,778 ----a-w d:\program files\OTViewIt.Txt
2008-11-18 07:17 24,664 ----a-w d:\program files\Extras.Txt
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-06-21 22:48 2,959 --sha-r d:\windows\sowar.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-11-24_21.30.22.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-26 01:30:05 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_790.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RawOs"="wscript.exe" [2004-08-03 d:\windows\system32\wscript.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
--a------ 2001-08-23 04:00 77891 d:\windows\system32\usrmlnka.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 S3Inc;S3Inc;d:\windows\system32\DRIVERS\s3mini.sys [2008-03-30 168576]
S2 zumbus;Zune Bus Enumerator Driver;d:\windows\system32\DRIVERS\zumbus.sys []
S3 DataMan;DataMan USB Infrared Adapter;d:\windows\system32\DRIVERS\DataMan.sys [2008-04-02 10880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a4f8640-02ad-11dd-a4e2-000d872ad521}]
\Shell\AutoRun\command - wscript.exe sowar.vbs
\Shell\Open\Command - wscript.exe sowar.vbs
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 17:41:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
d:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(756)
d:\windows\system32\msprivs.dll
d:\windows\system32\rsaenh.dll
.
Completion time: 2008-11-25 17:42:43
ComboFix-quarantined-files.txt 2008-11-26 01:42:24
ComboFix2.txt 2008-11-25 05:31:24

Pre-Run: 10,127,908,864 bytes free
Post-Run: 10,126,176,256 bytes free

103 --- E O F --- 2008-11-13 02:19:49


OTViewIt

OTViewIt logfile created on: 11/25/2008 5:49:08 PM - Run 6
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 17.43 Mb Available Physical Memory | 13.68% Memory free
307.27 Mb Paging File | 138.52 Mb Available in Paging File | 45.08% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.66 Gb Free Space | 98.89% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 9.44 Gb Free Space | 50.08% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 615.97 Mb Free Space | 64.03% Space Free | Partition Type: FAT32
Drive G: | 1010.22 Mb Total Space | 1009.23 Mb Free Space | 99.90% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/06/12 01:38:00 | 00,034,672 | ---- | M] (Adobe Systems Incorporated) -- D:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[2004/08/03 14:56:58 | 00,114,688 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscript.exe
[2008/10/16 20:57:54 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
[2008/07/18 21:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wuauclt.exe
[2008/07/18 21:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wuauclt.exe
[2004/08/03 14:56:56 | 00,069,120 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\notepad.exe
[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\iexplore.exe
[2008/11/14 20:00:01 | 00,422,400 | ---- | M] (OldTimer Tools) -- D:\jonard\aplikeysyons\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services ==========

[2003/01/01 21:23:22 | 00,010,880 | R--- | M] (DataMan Heightech Technology Inc.) -- D:\WINDOWS\system32\drivers\DataMan.sys -- (DataMan [On_Demand | Stopped])
[2001/08/17 04:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- D:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Running])
[2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP [On_Demand | Running])
[2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
[2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/23 04:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])
[2000/02/14 18:19:48 | 00,168,576 | R--- | M] (S3 Incorporated) -- D:\WINDOWS\system32\drivers\s3mini.sys -- (S3Inc [On_Demand | Running])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:28:26 | 00,113,762 | ---- | M] (U.S. Robotics Corporation) -- D:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA [On_Demand | Stopped])
[2003/02/26 00:04:00 | 00,370,048 | R--- | M] (VIA Technologies, Inc.) -- D:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
[2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{5A263CF7-56A6-4D68-A8CF-345BE45BC911} (HKLM) -- D:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"RawOs"=wscript.exe "D:\WINDOWS\sowar.vbs" (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc.)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=227
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveTypeAutoRun"=128
"NoFolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveTypeAutoRun"=128
"NoFolderOptions"=1

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"DisableTaskMgr"=1
"DisableRegistryTools"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: https://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{A322DAA2-3D3B-4DDD-8442-F57C03C41912} (Servers: | Description: VIA PCI 10/100Mb Fast Ethernet Adapter)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/03/30 13:41:35 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- C:\autorun.inf -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | RHSD | M] -- D:\autorun.inf -- [ NTFS ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/25 17:49:24 | 00,000,101 | RHS- | M] () -- F:\Autorun.inf -- [ FAT32 ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/11/25 17:49:24 | 00,000,101 | RHS- | M] () -- G:\Autorun.inf -- [ FAT ]

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/25 17:38:04 | 00,028,672 | ---- | C] (NirSoft) -- D:\WINDOWS\NIRCMD.exe
[2008/11/24 23:12:11 | 00,002,959 | RHS- | C] () -- D:\WINDOWS\sowar.vbs
[2008/11/24 21:08:11 | 00,212,480 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWXCACLS.exe
[2008/11/24 21:08:11 | 00,161,792 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWREG.exe
[2008/11/24 21:08:11 | 00,136,704 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWSC.exe
[2008/11/24 21:08:11 | 00,098,816 | ---- | C] () -- D:\WINDOWS\sed.exe
[2008/11/24 21:08:11 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- D:\WINDOWS\fdsv.exe
[2008/11/24 21:08:11 | 00,080,412 | ---- | C] () -- D:\WINDOWS\grep.exe
[2008/11/24 21:08:11 | 00,068,096 | ---- | C] () -- D:\WINDOWS\zip.exe
[2008/11/24 21:08:11 | 00,049,152 | ---- | C] () -- D:\WINDOWS\VFIND.exe
[2008/11/24 21:07:44 | 00,000,000 | ---D | C] -- D:\WINDOWS\ERDNT
[2008/11/24 21:07:44 | 00,000,000 | ---D | C] -- D:\Qoobox
[2008/11/23 22:07:11 | 00,000,000 | ---D | C] -- D:\_OTMoveIt
[2008/11/20 18:06:41 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Malwarebytes
[2008/11/20 18:06:35 | 00,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/20 18:06:34 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2008/11/20 18:06:32 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/20 18:06:30 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/20 18:06:29 | 00,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2008/11/20 17:44:19 | 00,000,000 | RHSD | C] -- D:\autorun.inf
[2008/11/12 18:14:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Help
[2008/11/12 18:11:27 | 00,000,000 | ---D | C] -- D:\Program Files\Mazaika24
[2008/11/12 18:10:37 | 00,000,000 | ---D | C] -- D:\Program Files\maz240
[2008/11/09 12:35:31 | 02,136,064 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/09 12:35:30 | 02,180,352 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/09 12:35:29 | 02,015,744 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/09 12:35:28 | 02,057,728 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/08 16:28:22 | 00,000,000 | ---D | C] -- D:\WINDOWS\ie7updates
[2008/11/03 20:12:34 | 00,000,000 | ---D | C] -- D:\WINDOWS\network diagnostic
[2008/11/03 19:19:15 | 00,000,000 | ---D | C] -- D:\WINDOWS\WBEM
[2008/11/03 19:19:13 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\en-US
[2008/11/03 19:17:02 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie7
[2008/11/03 19:16:20 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2008/11/03 19:15:23 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2008/10/30 14:13:33 | 00,000,000 | ---- | C] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:50 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Mozilla
[2008/10/30 14:12:49 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Mozilla
[2008/10/30 14:12:29 | 00,001,602 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/30 14:12:14 | 00,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox
[2008/10/28 19:24:39 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Yahoo!
[2008/10/28 19:24:38 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2008/10/28 18:38:29 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Local Settings\Application Data\Yahoo
[2008/10/28 17:51:45 | 00,000,812 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2008/10/28 17:48:01 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Yahoo!
[2008/10/28 17:47:21 | 00,000,000 | ---D | C] -- D:\Program Files\Yahoo!

========== Files - Modified Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/11/25 17:44:21 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2008/11/25 17:44:15 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2008/11/25 17:41:19 | 00,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2008/11/25 08:34:14 | 06,908,414 | -H-- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\IconCache.db
[2008/11/23 21:44:40 | 00,028,160 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/23 21:23:16 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2008/11/20 18:35:34 | 00,042,944 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/20 18:34:45 | 00,189,792 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/20 18:06:35 | 00,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/19 15:47:24 | 00,649,728 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> D:\Documents and Settings\soteri\My Documents\Thumbs.db:encryptable
[2008/11/15 14:15:45 | 00,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2008/11/12 18:19:21 | 00,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2008/11/03 19:23:11 | 00,000,077 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\desktop.ini
[2008/11/02 09:26:06 | 00,458,340 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/02 09:26:06 | 00,392,626 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2008/11/02 09:26:06 | 00,058,800 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2008/10/30 14:13:33 | 00,000,000 | ---- | M] () -- D:\WINDOWS\nsreg.dat
[2008/10/30 14:12:29 | 00,001,602 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/10/28 17:51:45 | 00,000,812 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
< End of report >

Extras

OTViewIt Extras logfile created on: 11/25/2008 5:49:08 PM - Run 6
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 17.43 Mb Available Physical Memory | 13.68% Memory free
307.27 Mb Paging File | 138.52 Mb Available in Paging File | 45.08% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.66 Gb Free Space | 98.89% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 9.44 Gb Free Space | 50.08% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 615.97 Mb Free Space | 64.03% Space Free | Partition Type: FAT32
Drive G: | 1010.22 Mb Total Space | 1009.23 Mb Free Space | 99.90% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 14:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! IE Suggest"=Yahoo! Search Suggest Add-on for IE7
"Yahoo! Messenger"=Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/8/2008 12:50:39 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:53:04 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 12:56:21 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/8/2008 1:09:24 PM | Computer Name = ZAMORA-8F8E222F | Source = ZuneDriver | ID = 80837
Description =

Error - 10/28/2008 7:37:27 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application xrule.exe, version 0.0.0.0, faulting module xrule.exe,
version 0.0.0.0, fault address 0x00005609.

Error - 10/29/2008 9:06:12 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/30/2008 4:34:53 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 9.0.0.2018, faulting
module yahoomessenger.exe, version 9.0.0.2018, fault address 0x00176612.

Error - 11/3/2008 11:52:36 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/3/2008 11:55:05 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.13, faulting module
jscript.dll, version 5.7.0.5730, fault address 0x0001bb9d.

Error - 11/12/2008 10:17:21 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Hang | ID = 1002
Description = Hanging application mz002.exe, version 2.4.0.258, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/24/2008 1:24:33 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/24/2008 10:48:38 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 1:02:19 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 1:38:38 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 2:35:14 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 3:16:33 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 12:20:20 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 9:10:30 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 9:26:23 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/25/2008 9:44:30 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


< End of report >


The sowar browser will suddenly be removed, then after a day it will come back! It happened twice!! Thanks!!
Buckeye_Sam
Yes, I see that it's back again.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

CODE
File::
D:\WINDOWS\sowar.vbs

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RawOs"=-
[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=-
"Start Page"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=-
"Start Page"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==================


Open up Malwarebytes and update the program.
Then run a full scan and post the resulting log.
nadzme
Log from ComboFix!

ComboFix 08-11-23.01 - soteri 2008-11-26 15:30:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.20 [GMT -8:00]
Running from: d:\jonard\aplikeysyons\Combofix.exe
Command switches used :: d:\documents and settings\soteri\Desktop\CFScript.txt
* Created a new restore point

FILE ::
d:\windows\sowar.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\sowar.vbs

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-23 22:13 . 2008-11-23 22:13 <DIR> d--hs---- d:\documents and settings\soteri\UserData
2008-11-23 22:07 . 2008-11-23 22:07 <DIR> d-------- D:\_OTMoveIt
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\soteri\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 18:06 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-17 23:01 . 2008-11-17 23:02 <DIR> d-------- d:\documents and settings\soteri\DoctorWeb
2008-11-12 18:11 . 2008-11-24 21:51 <DIR> d-------- d:\program files\Mazaika24
2008-11-12 18:10 . 2008-11-12 18:10 <DIR> d-------- d:\program files\maz240
2008-11-09 12:35 . 2008-08-14 02:00 2,180,352 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2008-11-09 12:35 . 2008-08-14 01:58 2,136,064 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,057,728 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,015,744 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2008-10-30 14:13 . 2008-10-30 14:13 0 --a------ d:\windows\nsreg.dat
2008-10-28 19:24 . 2008-10-28 19:24 <DIR> d-------- d:\documents and settings\soteri\Application Data\Yahoo!
2008-10-28 19:24 . 2008-10-28 19:24 <DIR> d-------- d:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-28 17:48 . 2008-10-28 18:38 <DIR> d-------- d:\documents and settings\All Users\Application Data\Yahoo!
2008-10-28 17:47 . 2008-11-03 19:20 <DIR> d-------- d:\program files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 07:17 56,778 ----a-w d:\program files\OTViewIt.Txt
2008-11-18 07:17 24,664 ----a-w d:\program files\Extras.Txt
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-24_21.30.22.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-26 23:24:43 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_250.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
--a------ 2001-08-23 04:00 77891 d:\windows\system32\usrmlnka.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 S3Inc;S3Inc;d:\windows\system32\DRIVERS\s3mini.sys [2008-03-30 168576]
S2 zumbus;Zune Bus Enumerator Driver;d:\windows\system32\DRIVERS\zumbus.sys []
S3 DataMan;DataMan USB Infrared Adapter;d:\windows\system32\DRIVERS\DataMan.sys [2008-04-02 10880]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 15:33:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
d:\windows\system32\rsaenh.dll

- - - - - - - > 'lsass.exe'(756)
d:\windows\system32\msprivs.dll
d:\windows\system32\rsaenh.dll
.
Completion time: 2008-11-26 15:34:25
ComboFix-quarantined-files.txt 2008-11-26 23:34:06
ComboFix2.txt 2008-11-26 01:42:44
ComboFix3.txt 2008-11-25 05:31:24

Pre-Run: 10,076,196,864 bytes free
Post-Run: 10,089,820,160 bytes free

92 --- E O F --- 2008-11-13 02:19:49


Log from Malwarebytes!

Malwarebytes' Anti-Malware 1.30
Database version: 1424
Windows 5.1.2600 Service Pack 2

11/26/2008 4:21:19 PM
mbam-log-2008-11-26 (16-21-18).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 73083
Time elapsed: 32 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Buckeye_Sam
Looks good so far. Just play around with it for a while and let me know if it comes back.

What do you know about this program?

d:\program files\Mazaika24
nadzme
It looks like my browser seems to be OK!
Ahmm, Mazaika? I downloaded it last time from download.com! It is about mosaic making!! But I removed it actually, last week, I think!! Thanks for the help!!
Buckeye_Sam
I wasn't familiar with it, but as long as you are then no worries.


Just a few last things and you should be good to go!


Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


  • When shown the disclaimer, Select "2"




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.

  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  4. Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  5. Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.


nadzme
I'm using 2 flash drives/USB devices right now! The other one was scanned on another PC, and there were some viruses detected on it: the SSG scandal and the sowar.vbs something! And it was cleaned right now! But the other one, I think it is still infected by those viruses, and I think it might affect my system! Thanks!
Buckeye_Sam
Plug it in and run this.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



You can also scan it directly with DrWeb if you still have it installed.


Let me know if you run into more problems.
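Flash_Disinfector's protective folder and the wscript.exe / sowar.vbs launch line that keeps coming up in this thread are worth checking by hand when a tool does not report what it found. The script below is an added example written for this page; it is not part of the thread and not code from Flash_Disinfector, Autorun Eater or any other tool named here. It parses an autorun.inf, flags the launch keys (open=, shellexecute=, shell\<verb>\command=) that invoke a script host or a script file, and tells a live autorun.inf file apart from the protective autorun.inf folder. The two sample autorun.inf texts inside it are constructed for the example; the real file from the drives was never posted.

```python
"""Audit a removable drive's autorun.inf for script-host launches.

Added example, not code from the thread or from any of the tools it uses.
The sample autorun.inf texts are constructed; the worm's real file was not
posted, only that it ran 'wscript.exe sowar.vbs' from the drive."""
import os
import re
import tempfile
from collections import defaultdict

# Script hosts and script/batch extensions that should never appear in a
# vendor autorun.inf (those point at a setup .exe, an icon or a label).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript", "mshta.exe", "mshta"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".pif", ".scr")
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {key_lower: [values...]} for the [autorun] section.

    A hand-rolled parser is used instead of configparser because worm-written
    files often repeat keys, omit the section header or carry a UTF-8 BOM;
    every value is kept so duplicates stay visible to the auditor."""
    entries = defaultdict(list)
    in_section = True  # tolerate files that start without [autorun]
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()].append(value.strip())
    return dict(entries)


def launch_commands(entries):
    """Every (key, command) pair that causes code to run on insert or on the
    drive's Open/Explore context-menu verbs."""
    cmds = []
    for key, values in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds.extend((key, v) for v in values)
    return cmds


def is_suspicious(command):
    """True if any token of the command is a script host or a script file."""
    for tok in re.findall(r'"[^"]*"|\S+', command):
        name = tok.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if name in SCRIPT_HOSTS or name.endswith(SCRIPT_EXTS):
            return True
    return False


def audit(text):
    """Return the launch entries judged suspicious, in file order."""
    return [(k, c) for k, c in launch_commands(parse_autorun(text)) if is_suspicious(c)]


def describe_autorun(drive_root):
    """Tell a live autorun.inf *file* apart from the protective autorun.inf
    *folder* that Flash_Disinfector leaves behind (a folder of that name keeps
    a worm from creating a file of the same name in the drive root)."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent"
    return "protective-folder" if os.path.isdir(path) else "file"


def demo_protective_folder():
    """Build the protective layout in a temp dir and classify it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "autorun.inf"))
        return describe_autorun(root)


# Constructed sample modelled on the thread's description (wscript.exe running
# sowar.vbs from the drive root); all four launch paths are hijacked.
SAMPLE_WORM = """[autorun]
open=wscript.exe sowar.vbs
shellexecute=wscript.exe sowar.vbs
shell\\open\\command=wscript.exe sowar.vbs
shell\\explore\\command=wscript.exe sowar.vbs
"""

# Constructed benign vendor autorun.inf for comparison.
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Vendor Tools
open=setup.exe
"""

if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, audit(sample))
    print("protective layout classified as:", demo_protective_folder())
```

Run it against the text of an autorun.inf copied off the drive (open it in Notepad rather than double-clicking the drive, since the whole point of the file is to run on Explore). A non-empty result from audit() is the entry to remove, and describe_autorun() returning "file" after cleaning means the worm has rewritten it and the writer on the host is still alive.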
nadzme
It didn't delete the VBS script file!! Huhuhuhhu!! I can't help it; I think this file was the reason for my Internet Explorer infection! Today the sowar returned again! But luckily, after scanning using Flash_Disinfector, it was returned to normal!! Help me with my flash drives!! Thanks!!
Buckeye_Sam
Make sure your drives are plugged in and then follow this direction.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :files
    F:\Autorun.inf
    G:\Autorun.inf

    [Reboot]

  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


I would also download and scan with this program.
http://www.freewarefiles.com/Autorun-Eater...gram_36548.html

I think you'll get a log from Autorun-Eater. If so, please post it here in your next reply.
F:\Autorun.inf
nadzme
OTMoveIt3

========== FILES ==========
F:\Autorun.inf moved successfully.
Folder move failed. G:\autorun.inf scheduled to be moved on reboot.
H:\Autorun.inf moved successfully.
File/Folder [Reboot] not found.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12012008_123215

Files moved on Reboot...
Folder move failed. G:\autorun.inf scheduled to be moved on reboot.


I added one drive, H:, to be moved, because 3 flash drives are inserted!!

I didn't receive any log from Autorun Eater!! It says only that I must remove it manually! The message box appears many times! wscript.exe.sowar.vbs!! That's the suspicious file in all my flash drives!!!
nadzme
Here's the log from Autorun Eater!!
It keeps coming back!!

2008-12-01 12:50:58 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:51:34 : autorun.inf file deleted from (h:)

2008-12-01 12:51:39 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:51:44 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:52:26 : autorun.inf file deleted from (h:)

2008-12-01 12:52:28 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:52:35 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:52:40 : autorun.inf file deleted from (h:)

2008-12-01 12:52:47 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:52:51 : autorun.inf file deleted from (h:)

2008-12-01 12:53:00 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:53:03 : autorun.inf file deleted from (h:)

2008-12-01 12:53:12 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:53:14 : autorun.inf file deleted from (h:)

2008-12-01 12:53:24 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:53:27 : autorun.inf file deleted from (h:)

2008-12-01 12:53:37 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:53:40 : autorun.inf file deleted from (h:)

2008-12-01 12:53:50 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:53:56 : autorun.inf file deleted from (h:)

2008-12-01 12:54:04 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:54:10 : autorun.inf file deleted from (h:)

2008-12-01 12:54:16 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:54:19 : autorun.inf file deleted from (h:)

2008-12-01 12:54:31 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:54:35 : autorun.inf file deleted from (h:)

2008-12-01 12:54:45 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:54:48 : autorun.inf file deleted from (h:)

2008-12-01 12:54:58 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:55:00 : autorun.inf file deleted from (h:)

2008-12-01 12:55:10 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:55:13 : autorun.inf file deleted from (h:)

2008-12-01 12:55:23 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:55:38 : autorun.inf file deleted from (h:)

2008-12-01 12:55:56 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:57:49 : autorun.inf file deleted from (h:)

2008-12-01 12:57:53 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:57:55 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:57:56 : autorun.inf file deleted from (h:)

2008-12-01 12:58:07 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 12:58:57 : autorun.inf file deleted from (h:)

2008-12-01 12:59:59 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:00:01 : autorun.inf file deleted from (h:)

2008-12-01 13:00:02 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:00:26 : autorun.inf file deleted from (h:)

2008-12-01 13:00:29 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:00:34 : autorun.inf file deleted from (h:)

2008-12-01 13:00:38 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:00:41 : autorun.inf file deleted from (h:)

2008-12-01 13:00:51 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:00:55 : autorun.inf file deleted from (h:)

2008-12-01 13:01:03 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:01:06 : autorun.inf file deleted from (h:)

2008-12-01 13:01:16 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:02:14 : autorun.inf file deleted from (h:)

2008-12-01 13:02:16 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:03:24 : autorun.inf file deleted from (h:)

2008-12-01 13:08:09 : autorun.inf file deleted from NADZZAMORA (f:)

2008-12-01 13:08:26 : autorun.inf file deleted from (h:)

2008-12-01 13:08:35 : autorun.inf file deleted from NADZZAMORA (f:)

Buckeye_Sam
Do you still have DrWeb installed?
If so, scan only the infected drives.

Let me know if it was able to remove the malware.
nadzme
I don't have Dr.Web! Maybe I'll install it soon, 'cause my internet browsing and computer activity became slow! huhuhu! And I can't exit the Autorun Eater program, it was lost on my desktop! It keeps on coming back, the message box!! huhhu! It is frustrating! I've installed the spyware something you told me, there were 3 of them! But none of them can delete the virus! The sowar browser returned!! rawr!!!!!!! grrrr!! Here's my log from OTViewIt, study it! Thanks!!

OTViewIt logfile created on: 12/2/2008 11:34:16 PM - Run 7
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 20.30 Mb Available Physical Memory | 15.92% Memory free
371.27 Mb Paging File | 50.53 Mb Available in Paging File | 13.61% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.71 Gb Free Space | 99.38% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 10.81 Gb Free Space | 57.30% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 522.34 Mb Free Space | 54.29% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2004/08/03 14:56:58 | 00,114,688 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscript.exe
[2008/03/15 14:10:24 | 00,438,773 | ---- | M] (Old McDonald's Farm) -- D:\Program Files\Autorun Eater\oldmcdonald.exe
[2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2004/08/03 14:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wscntfy.exe
[2008/03/15 14:10:40 | 00,327,759 | ---- | M] (Old McDonald's Farm) -- D:\Program Files\Autorun Eater\billy.exe
[2008/07/18 21:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wuauclt.exe
[2007/08/13 18:43:56 | 00,622,080 | ---- | M] (Microsoft Corporation) -- D:\Program Files\Internet Explorer\iexplore.exe
[2008/10/16 20:57:52 | 04,347,120 | ---- | M] (Yahoo! Inc.) -- D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[2004/08/03 14:56:58 | 00,218,112 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/11/14 20:00:01 | 00,422,400 | ---- | M] (OldTimer Tools) -- D:\jonard\aplikeysyons\OTViewIt.exe

========== (O23) Win32 Services ==========

File not found -- -- (aawservice [Auto | Running])
File not found -- -- (Alerter [Disabled | Stopped])
File not found -- -- (AppMgmt [On_Demand | Stopped])
File not found -- -- (aspnet_state [On_Demand | Stopped])
File not found -- -- (BITS [Auto | Running])
File not found -- -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
File not found -- -- (COMSysApp [On_Demand | Stopped])
File not found -- -- (DcomLaunch [Auto | Running])
[2008/03/30 05:22:15 | 00,000,000 | ---D | M] -- D:\WINDOWS\System32\dhcp -- (Dhcp [Auto | Running])
File not found -- -- (Dnscache [Auto | Running])
[2004/08/03 14:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\eventlog.dll -- (Eventlog [Auto | Running])
File not found -- -- (EventSystem [On_Demand | Running])
File not found -- -- (FastUserSwitchingCompatibility [On_Demand | Running])
File not found -- -- (helpsvc [Auto | Running])
File not found -- -- (HidServ [Disabled | Stopped])
File not found -- -- (HTTPFilter [On_Demand | Stopped])
File not found -- -- (ImapiService [On_Demand | Stopped])
[2004/08/04 00:56:44 | 00,027,136 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\irmon.dll -- (Irmon [Auto | Running])
File not found -- -- (lanmanserver [Auto | Running])
File not found -- -- (lanmanworkstation [Auto | Running])
File not found -- -- (LmHosts [Auto | Running])
File not found -- -- (Messenger [Disabled | Stopped])
[2008/03/30 13:36:02 | 00,000,000 | ---D | M] -- D:\WINDOWS\system32\msdtc -- (MSDTC [On_Demand | Stopped])
File not found -- -- (MSIServer [On_Demand | Stopped])
File not found -- -- (NetDDEdsdm [Disabled | Stopped])
[2004/08/03 14:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\netlogon.dll -- (Netlogon [On_Demand | Stopped])
File not found -- -- (Nla [On_Demand | Running])
File not found -- -- (NtLmSsp [On_Demand | Stopped])
File not found -- -- (ose [On_Demand | Stopped])
File not found -- -- (PlugPlay [Auto | Running])
File not found -- -- (PolicyAgent [Auto | Running])
File not found -- -- (ProtectedStorage [Auto | Running])
[2004/08/03 14:56:46 | 00,061,440 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\rasman.dll -- (RasMan [On_Demand | Running])
File not found -- -- (RDSessMgr [On_Demand | Stopped])
File not found -- -- (RemoteAccess [Disabled | Stopped])
File not found -- -- (RemoteRegistry [Auto | Running])
File not found -- -- (RpcLocator [On_Demand | Stopped])
[2005/04/28 11:31:11 | 00,395,776 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\rpcss.dll -- (RpcSs [Auto | Running])
File not found -- -- (SamSs [Auto | Running])
File not found -- -- (Schedule [Auto | Running])
File not found -- -- (SharedAccess [Auto | Running])
File not found -- -- (ShellHWDetection [Auto | Running])
File not found -- -- (Spooler [Auto | Running])
File not found -- -- (srservice [Auto | Running])
[2004/08/03 14:56:46 | 00,071,680 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\ssdpsrv.dll -- (SSDPSRV [On_Demand | Running])
File not found -- -- (stisvc [On_Demand | Stopped])
[2001/08/23 04:00:00 | 00,138,752 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\swprv.dll -- (SwPrv [On_Demand | Stopped])
File not found -- -- (SysmonLog [On_Demand | Stopped])
File not found -- -- (TermService [On_Demand | Running])
File not found -- -- (Themes [Auto | Running])
[2004/08/03 14:56:48 | 00,185,344 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\upnphost.dll -- (upnphost [On_Demand | Stopped])
File not found -- -- (VSS [On_Demand | Stopped])
File not found -- -- (WebClient [Auto | Running])
File not found -- -- (winmgmt [Auto | Running])
File not found -- -- (WmdmPmSN [On_Demand | Stopped])
[2004/08/03 14:56:36 | 00,005,632 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\wmi.dll -- (Wmi [On_Demand | Stopped])
File not found -- -- (WmiApSrv [On_Demand | Stopped])
[2006/09/28 17:56:14 | 00,055,808 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\WudfSvc.dll -- (WudfSvc [Auto | Running])

========== Driver Services ==========

[2003/01/01 21:23:22 | 00,010,880 | R--- | M] (DataMan Heightech Technology Inc.) -- D:\WINDOWS\System32\drivers\DataMan.sys -- (DataMan [On_Demand | Stopped])
File not found -- -- (FETNDIS [On_Demand | Running])
File not found -- -- (Gpc [On_Demand | Running])
File not found -- -- (HSFHWBS2 [On_Demand | Running])
File not found -- -- (HSF_DP [On_Demand | Running])
[2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\System32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
File not found -- -- (PptpMiniport [On_Demand | Running])
[2001/08/23 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\System32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
File not found -- -- (ROOTMODEM [On_Demand | Running])
File not found -- -- (S3Inc [On_Demand | Running])
[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\System32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 13:28:26 | 00,113,762 | ---- | M] (U.S. Robotics Corporation) -- D:\WINDOWS\System32\drivers\USRpdA.sys -- (USRpdA [On_Demand | Stopped])
File not found -- -- (VgaSave [System | Running])
File not found -- -- (VIAudio [On_Demand | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])
File not found -- -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Secondary Start Pages"=
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.yahoo.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"CustomSearch"=http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=D:\WINDOWS\system32\blank.htm
"Search Page"=http://www.redtube.com/
"SearchDefaultBranded"=
"SearchMigratedDefaultName"=Yahoo! Search
"SearchMigratedDefaultURL"=http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
"Start Page"=http://www.redtube.com/

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- D:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (288517 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
9942 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4efb-9B51-7695ECA05670} (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{5A263CF7-56A6-4D68-A8CF-345BE45BC911} (HKLM) -- D:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" File not found
"Autorun Eater"=D:\Program Files\Autorun Eater\oldmcdonald.exe File not found
"RawOs"=wscript.exe "D:\WINDOWS\sowar.vbs" File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe File not found
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet File not found
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe File not found
"Messenger (Yahoo!)"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet File not found
"SpybotSD TeaTimer"=D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found

========== (O4) Startup Folders ==========

File not found -- D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop
File not found -- D:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop
File not found -- D:\Documents and Settings\soteri\Start Menu\Programs\Startup\desktop

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=227
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveTypeAutoRun"=128
"NoDriveAutoRun"=FF FF FF FF [binary data]
"NoFolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveTypeAutoRun"=128
"NoDriveAutoRun"=FF FF FF FF [binary data]
"NoFolderOptions"=1

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"DisableTaskMgr"=1
"DisableRegistryTools"=1

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL File not found

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: D:\Program Files\Microsoft Office\OFFICE11\EXCEL File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag File not found
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs File not found
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs [Messenger] -> File not found

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs [Messenger] -> File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs [Messenger] -> File not found

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs [Messenger] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
50 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
56 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
49 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
49 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-796845957-1659004503-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
56 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: https://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{A322DAA2-3D3B-4DDD-8442-F57C03C41912} (Servers: | Description: VIA PCI 10/100Mb Fast Ethernet Adapter)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== (O20) HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=Explorer.exe
>File not found -- D:\WINDOWS\explorer

"UserInit"=D:\WINDOWS\system32\userinit.exe,
>File not found -- D:\WINDOWS\system32\userinit

"UIHost"=logonui.exe
>File not found -- D:\WINDOWS\system32\logonui

"VMApplet"=rundll32 shell32,Control_RunDLL "sysdm.cpl"
>File not found -- D:\WINDOWS\system32\sysdm


========== IFEO "Debugger" Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
Your Image File Name Here without a path:"Debugger" = D:\WINDOWS\system32\ntsd File not found

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
File not found -- C:\AUTOEXEC -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | ---D | M] -- C:\autorun.inf -- [ NTFS ]

autorun.inf []
[2008/11/20 17:44:19 | 00,000,000 | ---D | M] -- D:\autorun.inf -- [ NTFS ]

Autorun.inf [[autorun] | open=wscript.exe sowar.vbs | shell\Open\Command=wscript.exe sowar.vbs | shell\Open\Default=1 | ]
[2008/12/02 23:34:54 | 00,000,101 | RHS- | M] () -- F:\Autorun.inf -- [ FAT32 ]

========== Files/Folders - Created Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/12/01 19:06:52 | 00,018,432 | ---- | C] () -- D:\Documents and Settings\soteri\Desktop\wsr.xls
[2008/12/01 12:50:42 | 00,000,000 | ---D | C] -- D:\Program Files\Autorun Eater
[2008/12/01 12:32:15 | 00,000,000 | ---D | C] -- D:\_OTMoveIt
[2008/11/30 23:00:18 | 00,000,000 | ---D | C] -- D:\Program Files\Spybot - Search & Destroy
[2008/11/30 23:00:18 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/11/29 22:35:26 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/29 22:06:56 | 00,000,000 | ---D | C] -- D:\Program Files\SpywareBlaster
[2008/11/29 21:55:24 | 00,000,000 | ---D | C] -- D:\Program Files\Lavasoft
[2008/11/29 21:55:21 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/11/29 21:54:12 | 00,000,000 | ---D | C] -- D:\Program Files\Common Files\Wise Installation Wizard
[2008/11/29 17:50:27 | 00,002,959 | RHS- | C] () -- D:\WINDOWS\sowar.vbs
[2008/11/28 16:53:53 | 00,000,000 | ---D | C] -- D:\Combofix
[2008/11/26 17:14:03 | 00,000,000 | -HSD | C] -- D:\RECYCLER
[2008/11/24 21:07:44 | 00,000,000 | ---D | C] -- D:\WINDOWS\ERDNT
[2008/11/20 18:06:41 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Malwarebytes
[2008/11/20 18:06:35 | 00,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/20 18:06:34 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2008/11/20 18:06:32 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/20 18:06:30 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/20 18:06:29 | 00,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2008/11/20 17:44:19 | 00,000,000 | ---D | C] -- D:\autorun.inf
[2008/11/12 18:14:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\soteri\Application Data\Help
[2008/11/12 18:11:27 | 00,000,000 | ---D | C] -- D:\Program Files\Mazaika24
[2008/11/12 18:10:37 | 00,000,000 | ---D | C] -- D:\Program Files\maz240
[2008/11/09 12:35:31 | 02,136,064 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/11/09 12:35:30 | 02,180,352 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/11/09 12:35:29 | 02,015,744 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/11/09 12:35:28 | 02,057,728 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/11/08 16:28:22 | 00,000,000 | ---D | C] -- D:\WINDOWS\ie7updates
[2008/11/03 20:12:34 | 00,000,000 | ---D | C] -- D:\WINDOWS\network diagnostic
[2008/11/03 19:19:15 | 00,000,000 | ---D | C] -- D:\WINDOWS\WBEM
[2008/11/03 19:19:13 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\en-US
[2008/11/03 19:17:02 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie7
[2008/11/03 19:16:20 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2008/11/03 19:15:23 | 00,000,000 | -H-D | C] -- D:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$

========== Files - Modified Within 30 Days ==========

[4 D:\WINDOWS\System32\*.tmp files]
[3 D:\WINDOWS\*.tmp files]
[2008/12/02 22:59:28 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2008/12/02 22:57:56 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2008/12/02 22:57:53 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2008/12/01 19:16:38 | 00,018,432 | ---- | M] () -- D:\Documents and Settings\soteri\Desktop\wsr.xls
[2008/12/01 18:23:52 | 00,189,792 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/30 23:38:50 | 00,288,517 | R--- | M] () -- D:\WINDOWS\System32\drivers\etc\hosts
[2008/11/30 23:09:26 | 00,288,517 | R--- | M] () -- D:\WINDOWS\System32\drivers\etc\hosts.20081130-233850.backup
[2008/11/29 18:10:28 | 07,438,046 | -H-- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\IconCache.db
[2008/11/26 15:33:03 | 00,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2008/11/23 21:44:40 | 00,028,160 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/20 18:35:34 | 00,042,944 | ---- | M] () -- D:\Documents and Settings\soteri\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/20 18:06:35 | 00,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/19 15:47:24 | 00,649,728 | -HS- | M] () -- D:\Documents and Settings\soteri\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> D:\Documents and Settings\soteri\My Documents\Thumbs.db:encryptable
[2008/11/15 14:15:45 | 00,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2008/11/12 18:19:21 | 00,001,393 | ---- | M] () -- D:\WINDOWS\imsins.BAK
< End of report >
OTViewIt Extras logfile created on: 12/2/2008 11:34:17 PM - Run 7
OTViewIt by OldTimer - Version 1.0.20.0 Folder = D:\jonard\aplikeysyons
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.48 Mb Total Physical Memory | 20.30 Mb Available Physical Memory | 15.92% Memory free
371.27 Mb Paging File | 50.53 Mb Available in Paging File | 13.61% Paging File free
Paging file location(s): D:\pagefile.sys 192 384;

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 9.77 Gb Total Space | 9.71 Gb Free Space | 99.38% Space Free | Partition Type: NTFS
Drive D: | 18.86 Gb Total Space | 10.81 Gb Free Space | 57.30% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 962.07 Mb Total Space | 522.34 Mb Free Space | 54.29% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ZAMORA-8F8E222F
Current User Name: soteri
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"Use My Stylesheet"=
"User Stylesheet"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- D:\WINDOWS\hh File not found
.hlp [@ = hlpfile] -- D:\WINDOWS\system32\winhlp32 File not found
.hta [@ = htafile] -- D:\WINDOWS\system32\mshta File not found
.html [@ = htmlfile] -- D:\Program Files\Internet Explorer\iexplore File not found
.inf [@ = inffile] -- D:\WINDOWS\system32\notepad File not found
.ini [@ = inifile] -- D:\WINDOWS\system32\notepad File not found
.js [@ = JSFile] -- D:\WINDOWS\system32\wscript File not found
.jse [@ = JSEFile] -- D:\WINDOWS\system32\wscript File not found
.reg [@ = regfile] -- D:\WINDOWS\regedit File not found
.txt [@ = txtfile] -- D:\WINDOWS\system32\notepad File not found
.vbe [@ = VBEFile] -- D:\WINDOWS\system32\wscript File not found
.vbs [@ = VBSFile] -- D:\WINDOWS\system32\wscript File not found
.wsf [@ = WSFFile] -- D:\WINDOWS\system32\wscript File not found
.wsh [@ = WSHFile] -- D:\WINDOWS\system32\wscript File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
File not found -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
File not found -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/04 13:19:34 | 07,330,360 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"SpywareBlaster_is1"=SpywareBlaster 4.1
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"Yahoo! IE Suggest"=Yahoo! Search Suggest Add-on for IE7
"Yahoo! Messenger"=Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/26/2008 10:02:45 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00011f6c.

Error - 11/26/2008 10:04:44 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x0001888f.

Error - 11/29/2008 12:31:26 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application temp2.exe, version 0.0.0.0, faulting module temp2.exe,
version 0.0.0.0, fault address 0x0000126e.

Error - 11/29/2008 9:10:52 PM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application temp2.exe, version 0.0.0.0, faulting module temp2.exe,
version 0.0.0.0, fault address 0x0000126e.

Error - 11/30/2008 1:46:44 AM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application temp2.exe, version 0.0.0.0, faulting module temp2.exe,
version 0.0.0.0, fault address 0x0000126e.

Error - 11/30/2008 3:34:58 AM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application temp2.exe, version 0.0.0.0, faulting module temp2.exe,
version 0.0.0.0, fault address 0x0000126e.

Error - 12/1/2008 1:51:12 AM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application temp2.exe, version 0.0.0.0, faulting module temp2.exe,
version 0.0.0.0, fault address 0x0000126e.

Error - 12/1/2008 2:24:31 AM | Computer Name = ZAMORA-8F8E222F | Source = Application Error | ID = 1000
Description = Faulting application ad-aware.exe, version 7.1.0.11, faulting module
ad-aware.exe, version 7.1.0.11, fault address 0x0015566e.

Error - 12/1/2008 3:07:10 AM | Computer Name = ZAMORA-8F8E222F | Source = Spybot - Search & Destroy | ID = 0
Description =

Error - 12/1/2008 5:21:19 PM | Computer Name = ZAMORA-8F8E222F | Source = Spybot - Search & Destroy | ID = 0
Description =

[ System Events ]
Error - 11/30/2008 1:46:40 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 11/30/2008 3:35:57 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/1/2008 1:52:06 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/1/2008 3:49:33 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/1/2008 4:36:12 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/1/2008 10:26:35 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/1/2008 10:27:07 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 12/1/2008 10:27:28 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 12/1/2008 10:37:03 PM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/3/2008 3:00:23 AM | Computer Name = ZAMORA-8F8E222F | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


< End of report >
Buckeye_Sam
You should see the Autorun Eater running down in your task bar. Just right click and exit. Then I would just uninstall the program. It's clear that it's not going to work for us.

Let's go back to Combofix.
Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3



Make sure that you have the infected drives connected before you run Combofix.
Then run Combofix and post the log back here in your next reply.
nadzme
ComboFix 08-12-02.02 - soteri 2008-12-03 23:26:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.8 [GMT -8:00]
Running from: d:\documents and settings\soteri\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 23:08 . 2008-12-03 23:08 <DIR> d-------- d:\windows\LastGood
2008-12-01 12:50 . 2008-12-03 22:54 <DIR> d-------- d:\program files\Autorun Eater
2008-12-01 12:32 . 2008-12-01 12:32 <DIR> d-------- D:\_OTMoveIt
2008-11-30 23:00 . 2008-12-01 11:46 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2008-11-30 23:00 . 2008-12-01 11:49 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 22:35 . 2008-11-29 22:35 <DIR> d-------- d:\documents and settings\All Users\Application Data\TEMP
2008-11-29 22:06 . 2008-11-29 22:07 <DIR> d-------- d:\program files\SpywareBlaster
2008-11-29 21:55 . 2008-11-29 21:55 <DIR> d-------- d:\program files\Lavasoft
2008-11-29 21:55 . 2008-11-29 22:01 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-11-29 21:54 . 2008-11-29 21:54 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-11-29 17:50 . 2008-06-21 14:48 2,959 -rahs---- d:\windows\sowar.vbs
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\soteri\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 18:06 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-17 23:01 . 2008-11-17 23:02 <DIR> d-------- d:\documents and settings\soteri\DoctorWeb
2008-11-12 18:11 . 2008-11-24 21:51 <DIR> d-------- d:\program files\Mazaika24
2008-11-12 18:10 . 2008-11-12 18:10 <DIR> d-------- d:\program files\maz240
2008-11-09 12:35 . 2008-08-14 02:00 2,180,352 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2008-11-09 12:35 . 2008-08-14 01:58 2,136,064 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,057,728 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,015,744 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 07:17 56,778 ----a-w d:\program files\OTViewIt.Txt
2008-11-18 07:17 24,664 ----a-w d:\program files\Extras.Txt
2008-11-04 03:20 --------- d-----w d:\program files\Yahoo!
2008-10-29 03:24 --------- d-----w d:\documents and settings\soteri\Application Data\Yahoo!
2008-10-29 03:24 --------- d-----w d:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-29 02:38 --------- d-----w d:\documents and settings\All Users\Application Data\Yahoo!
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-06-21 22:48 2,959 --sha-r d:\windows\sowar.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Autorun Eater"="d:\program files\Autorun Eater\oldmcdonald.exe" [2008-03-15 438773]
"RawOs"="wscript.exe" [2004-08-03 d:\windows\system32\wscript.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
--a------ 2001-08-23 04:00 77891 d:\windows\system32\usrmlnka.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Wdf01000.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - d:\documents and settings\soteri\Application Data\Mozilla\Firefox\Profiles\veo40yd3.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - d:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 23:30:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-03 23:34:06
ComboFix-quarantined-files.txt 2008-12-04 07:33:58
ComboFix2.txt 2008-11-26 23:34:27

Pre-Run: 11,508,183,040 bytes free
Post-Run: 11,531,980,800 bytes free

87 --- E O F --- 2008-11-13 02:19:49
Buckeye_Sam
Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

CODE
File::
F:\Autorun.inf
d:\windows\sowar.vbs

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Autorun Eater"=-
"RawOs"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
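The CFScript above works because the indicators are already visible in the ComboFix log: a script with hidden+system attributes in the Windows directory (sowar.vbs), a Run value that launches a script host (RawOs = wscript.exe) and autorun.inf at the root of the removable drive. As an added example that is not part of this thread and not a ComboFix or BleepingComputer tool, here is a small Python triage helper that pulls those three indicator types out of ComboFix-style log lines and renders them in the same CFScript form the reply uses. The sample lines are copied from the logs posted above; the category names, the `SCRIPT_HOSTS` list and the assumption that a Run value naming wscript/cscript/mshta by itself is suspicious are this example's own choices.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread, not a ComboFix or BleepingComputer tool. It flags
three indicators the logs above show for the sowar worm: a script with
hidden+system attributes, a Run value that launches a script host, and
autorun.inf at the root of a drive, then renders them as a CFScript.
"""
import re

# Script hosts that a legitimate Run value rarely names by itself (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")

# "Files Created" lines (two timestamps, 9-char attributes) and "Find3M"
# lines (one timestamp, 7-char attributes) share this shape.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+(?P<attrs>[-a-z]{7,9})\s+(?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
EXE_HEAD = re.compile(r'^\s*"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)
ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$")


def _basename(command):
    """Executable at the head of a command line, tolerating spaces in paths."""
    m = EXE_HEAD.match(command)
    exe = m.group("exe") if m else command.strip()
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return (category, subject, note) tuples, one per distinct indicator."""
    findings, seen, current_key = [], set(), None
    for raw in lines:
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:                      # remember which registry key we are under
            current_key = k.group("key")
            continue
        f = FILE_LINE.match(line)
        path = (f.group("path") if f else line).strip().lower()
        attrs = f.group("attrs") if f else ""
        if f and "h" in attrs and "s" in attrs and path.endswith(SCRIPT_EXTS):
            item = ("hidden_system_script", path, attrs)
        elif ROOT_AUTORUN.match(path):          # bare path or file line
            item = ("drive_root_autorun", path, "")
        else:
            r = RUN_LINE.match(line)
            if not (r and current_key
                    and "\\currentversion\\run" in current_key.lower()
                    and _basename(r.group("cmd")) in SCRIPT_HOSTS):
                continue
            item = ("run_key_script_host", current_key, r.group("name"))
        if item[:2] not in seen:   # the same file shows up in two log sections
            seen.add(item[:2])
            findings.append(item)
    return findings


def build_cfscript(findings):
    """Render findings in the CFScript form from the reply above: a File::
    block of paths to delete and a Registry:: block removing each flagged
    Run value with "name"=- under its own key."""
    files = [s for c, s, _ in findings
             if c in ("hidden_system_script", "drive_root_autorun")]
    by_key = {}
    for c, key, name in findings:
        if c == "run_key_script_host":
            by_key.setdefault(key, []).append(name)
    out = []
    if files:
        out += ["File::", *files, ""]
    if by_key:
        out.append("Registry::")
        for key, names in by_key.items():
            out.append(f"[{key}]")
            out += [f'"{n}"=-' for n in names]
    return "\n".join(out)


# Lines copied from the ComboFix logs in this thread (the last one is a bare
# path as printed under "Other Deletions").
SAMPLE = [
    r"2008-11-29 17:50 . 2008-06-21 14:48 2,959 -rahs---- d:\windows\sowar.vbs",
    r"2008-11-20 18:06 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys",
    r"2008-06-21 22:48 2,959 --sha-r d:\windows\sowar.vbs",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]',
    r'"RawOs"="wscript.exe" [2004-08-03 d:\windows\system32\wscript.exe]',
    r"F:\Autorun.inf",
]

if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE)))
```

Run on the sample it prints a File:: block for d:\windows\sowar.vbs and f:\autorun.inf and a Registry:: block removing RawOs from HKLM\...\Run, the same script as the reply above (paths are lower-cased, which NTFS and FAT32 do not mind). It is a triage aid only: hidden+system attributes and a script host in a Run key are strong hints on a home machine but not proof, so read each flagged path before handing the script to ComboFix.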
nadzme
ComboFix 08-12-02.02 - soteri 2008-12-04 22:28:27.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.19 [GMT -8:00]
Running from: d:\jonard\aplikeysyons\ComboFix.exe
Command switches used :: d:\documents and settings\soteri\Desktop\CFScript.txt
* Created a new restore point

FILE ::
d:\windows\sowar.vbs
F:\Autorun.inf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\sowar.vbs
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-01 12:50 . 2008-12-04 22:01 <DIR> d-------- d:\program files\Autorun Eater
2008-12-01 12:32 . 2008-12-01 12:32 <DIR> d-------- D:\_OTMoveIt
2008-11-30 23:00 . 2008-12-01 11:46 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2008-11-30 23:00 . 2008-12-01 11:49 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-29 22:35 . 2008-11-29 22:35 <DIR> d-------- d:\documents and settings\All Users\Application Data\TEMP
2008-11-29 22:06 . 2008-11-29 22:07 <DIR> d-------- d:\program files\SpywareBlaster
2008-11-29 21:55 . 2008-11-29 21:55 <DIR> d-------- d:\program files\Lavasoft
2008-11-29 21:55 . 2008-11-29 22:01 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2008-11-29 21:54 . 2008-11-29 21:54 <DIR> d-------- d:\program files\Common Files\Wise Installation Wizard
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\soteri\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-11-20 18:06 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 18:06 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 18:06 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-17 23:01 . 2008-11-17 23:02 <DIR> d-------- d:\documents and settings\soteri\DoctorWeb
2008-11-12 18:11 . 2008-11-24 21:51 <DIR> d-------- d:\program files\Mazaika24
2008-11-12 18:10 . 2008-11-12 18:10 <DIR> d-------- d:\program files\maz240
2008-11-09 12:35 . 2008-08-14 02:00 2,180,352 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2008-11-09 12:35 . 2008-08-14 01:58 2,136,064 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,057,728 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-09 12:35 . 2008-08-14 01:22 2,015,744 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 07:17 56,778 ----a-w d:\program files\OTViewIt.Txt
2008-11-18 07:17 24,664 ----a-w d:\program files\Extras.Txt
2008-11-04 03:20 --------- d-----w d:\program files\Yahoo!
2008-10-29 03:24 --------- d-----w d:\documents and settings\soteri\Application Data\Yahoo!
2008-10-29 03:24 --------- d-----w d:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-29 02:38 --------- d-----w d:\documents and settings\All Users\Application Data\Yahoo!
2008-10-24 11:10 453,632 ----a-w d:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-03_23.31.54.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-19 05:10:20 36,552 -c--a-w d:\windows\system32\dllcache\wups.dll
+ 2008-10-16 22:08:58 34,328 -c--a-w d:\windows\system32\dllcache\wups.dll
- 2008-07-19 05:10:20 36,552 ----a-w d:\windows\system32\wups.dll
+ 2008-10-16 22:08:58 34,328 ----a-w d:\windows\system32\wups.dll
- 2008-07-19 05:10:40 45,768 ----a-w d:\windows\system32\wups2.dll
+ 2008-10-16 22:09:44 43,544 ----a-w d:\windows\system32\wups2.dll
+ 2008-12-05 06:09:13 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_40c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="d:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRpdA]
--a------ 2001-08-23 04:00 77891 d:\windows\system32\usrmlnka.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 S3Inc;S3Inc;d:\windows\system32\DRIVERS\s3mini.sys [2008-03-30 168576]
S3 DataMan;DataMan USB Infrared Adapter;d:\windows\system32\DRIVERS\DataMan.sys [2008-04-02 10880]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 22:30:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-04 22:32:22
ComboFix-quarantined-files.txt 2008-12-05 06:32:04
ComboFix2.txt 2008-12-04 07:34:09
ComboFix3.txt 2008-11-26 23:34:27

Pre-Run: 11,466,153,984 bytes free
Post-Run: 11,464,355,840 bytes free

95 --- E O F --- 2008-11-13 02:19:49
Buckeye_Sam
Looks good from here.
How are we looking?
nadzme
Yeah, it looks good, the sowar has not yet come back!! My other two flash drives are infected too, but they are not yet in my hands. Maybe I can ask for your help when I have inserted them in my PC!! Thanks a lot!
Buckeye_Sam
Yep, just let me know when you have them both and we'll clean them off too.
Buckeye_Sam
Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Invision Power Board © 2001-2009 Invision Power Services, Inc.