
w32/lovgate worm


  • This topic is locked
12 replies to this topic

#1 isaurocbr

isaurocbr

  • Members
  • 7 posts

Posted 19 February 2009 - 08:44 PM

Attempted to remove it; avast didn't find anything. Ad-Aware SE initially found the worm (removed portions of it), and then I ran Malwarebytes' Anti-Malware, which removed more of it. Can someone please check if it's been removed completely?
(The HJT log is done right after a restart.)

Running XP 64-bit;
DDS and ComboFix have an operating system incompatibility.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:06 PM, on 2/19/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files (x86)\Java\jre6\bin\jqs.exe
C:\WINDOWS\SysWOW64\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files (x86)\GhostWall\ghostwall.exe
C:\PROGRA~2\iolo\SYSTEM~1\PopupStopper.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\rundll32.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\ASUS\Ai Booster\OverClk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Administrator\Desktop\highjackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files (x86)\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRA~2\iolo\SYSTEM~1\PopupStopper.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172270994890
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9865 bytes
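The HijackThis log above lists browser helper objects (O2), Run-key autoruns (O4) and services (O23). What follows is an added example, not code from this thread or from HijackThis itself: a small Python triage helper that parses those three line shapes and pulls out the entries a responder would look at first, namely a BHO whose CLSID is registered but has no DLL on disk, per-user autoruns, and services whose binary is reported missing. The regular expressions, the `Finding` type and the `wow64_host` switch are my own assumptions about the format; the sample lines are copied verbatim from the log above.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)",
    r"O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe",
]

# Line shapes as they appear in the log; these regexes are an assumption about the format.
SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
SVC_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class Finding:
    section: str          # O2 / O4 / O23
    name: str             # entry name as shown in the log
    reason: str           # why it is worth a second look
    likely_artifact: bool # True when the flag is probably a scanner artefact, not malware


def parse_line(line: str):
    """Return (section, fields) for a recognised O2/O4/O23 line, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    for sec, rx in (("O2", BHO_RE), ("O4", RUN_RE), ("O23", SVC_RE)):
        if section == sec:
            inner = rx.match(body)
            return (section, inner.groupdict()) if inner else None
    return None


def triage(lines, wow64_host: bool = False):
    """Collect review items from HijackThis lines.

    wow64_host: set True when a 32-bit scanner ran on 64-bit Windows. Under
    WOW64, C:\\WINDOWS\\system32 is redirected to SysWOW64 for 32-bit processes,
    so native system binaries there are reported '(file missing)' although
    they are present; such hits are marked as likely artefacts.
    """
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, f = parsed
        if section == "O2" and f["path"] == "(no file)":
            findings.append(Finding("O2", f["name"],
                                    "BHO CLSID registered but no DLL on disk (orphaned entry)", False))
        elif section == "O4" and not f["hive"].startswith("HKLM"):
            findings.append(Finding("O4", f["name"],
                                    f"per-user autorun under {f['hive']}: {f['cmd']}", False))
        elif section == "O23" and f["missing"]:
            artefact = wow64_host and f["path"].lower().startswith(r"c:\windows\system32")
            findings.append(Finding("O23", f["name"],
                                    f"service binary reported missing: {f['path']}", artefact))
    return findings


if __name__ == "__main__":
    # The poster is on XP x64 with a 32-bit HijackThis, so WOW64 redirection applies.
    for item in triage(SAMPLE_LOG, wow64_host=True):
        tag = "artefact?" if item.likely_artifact else "REVIEW"
        print(f"[{tag}] {item.section} {item.name}: {item.reason}")
```

Run against the sample, the orphaned `(no name)` BHO and the per-user Run/RunOnce entries come out as review items, while the `Event Log` service flagged `(file missing)` under `C:\WINDOWS\system32` is marked as a probable artefact when `wow64_host=True`, which is the situation in this thread (32-bit HijackThis on 64-bit Windows). That distinction matters because the same log shows `lsass.exe`, `services.exe` and other core binaries as missing, which on a 64-bit host is the redirection effect rather than evidence of tampering.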


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 02 March 2009 - 09:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 isaurocbr

isaurocbr
  • Topic Starter

  • Members
  • 7 posts

Posted 04 March 2009 - 04:32 PM

Thank you for looking into this matter. I attempted the DDS, but there is an operating system incompatibility; I'm running Win XP Pro 64-bit, and it doesn't work with that version.

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 04 March 2009 - 04:34 PM

Hang on. We'll try to get you some other help.

Please be patient.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 04 March 2009 - 05:54 PM

Hello.

Let's see what we can find.

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Download and Run OTListIt
Please download OTListIt by OldTimer to your desktop.
Open OTListIt by double clicking its icon. If you are using Windows Vista, right click OTListIt2.exe and select Run As Administrator.
Click Run Scan without changing any settings. When the scan is complete, a logfile will open.
Copy the contents of the log into your next reply. It will be saved as OTListIt.txt where OTListIt.exe is located.

Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#6 isaurocbr

isaurocbr
  • Topic Starter

  • Members
  • 7 posts

Posted 06 March 2009 - 11:13 PM

Thank you for your time. I haven't really seen any symptoms, really; the Ad-Aware program caught it and removed some of it, and other
legitimate programs like Malwarebytes' Anti-Malware removed a lot more. And it appears as if everything is OK... but I would like for you, PP, to take a look and see
if your experience can catch anything the program missed; I still feel exposed and unprotected.
I also noticed that when I hit Ctrl+Alt+Del, there is always an iexplore.exe *32 regardless of whether I open a browser or anything, and when I do decide
to open a browser, then I get two iexplore.exe *32. Why?
Thank you in advance.

OTListIt logfile created on: 3/6/2009 10:04:48 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.3.4 Folder = C:\Documents and Settings\Administrator\Desktop\OTListIt2
Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.26% Memory free
3.87 Gb Paging File | 3.38 Gb Available in Paging File | 87.16% Paging File free
Paging file location(s): c:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 44.93 Gb Free Space | 19.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: T1000
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/02/05 15:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/05 15:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/01/08 21:33:14 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jqs.exe
PRC - [2009/02/05 15:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/02/05 15:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2005/09/29 16:28:22 | 00,217,088 | ---- | M] () -- C:\Program Files (x86)\GhostWall\ghostwall.exe
PRC - [2005/03/25 06:00:00 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\rundll32.exe
PRC - [2005/03/25 06:00:00 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\ctfmon.exe
PRC - [2003/11/17 15:18:20 | 00,428,032 | ---- | M] () -- C:\Program Files (x86)\iolo\System Mechanic 4 Professional\PopupStopper.exe
PRC - [2009/01/19 21:05:42 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PRC - [2006/04/30 20:07:44 | 00,843,776 | R--- | M] (Analog Devices, Inc.) -- C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
PRC - [2006/05/05 16:49:30 | 03,680,256 | ---- | M] () -- C:\Program Files (x86)\ASUS\Ai Booster\OverClk.exe
PRC - [2009/02/05 15:08:45 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2004/08/09 04:03:38 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2009/01/08 21:33:14 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jusched.exe
PRC - [2007/01/19 12:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\MSN Messenger\msnmsgr.exe
PRC - [2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\MSN Messenger\usnsvc.exe
PRC - [2009/03/06 21:50:51 | 00,498,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/03/18 19:25:23 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2008/07/25 10:13:44 | 00,046,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 15:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2006/04/10 17:56:14 | 00,252,416 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService [Auto | Running])
SRV - [2009/02/05 15:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/02/05 15:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/02/05 15:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 10:13:48 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
SRV - File not found -- -- (dmadmin [On_Demand | Stopped])
SRV - File not found -- -- (Eventlog [Auto | Running])
SRV - [2008/07/29 21:18:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2007/02/16 23:44:20 | 00,077,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/03/25 06:00:00 | 00,162,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\iasrecst.dll -- (IASJet [On_Demand | Stopped])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:28:38 | 00,859,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - File not found -- -- (ImapiService [On_Demand | Stopped])
SRV - [2009/01/08 21:33:14 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/11/15 10:17:04 | 00,160,272 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ [On_Demand | Stopped])
SRV - File not found -- -- (MSDTC [On_Demand | Stopped])
SRV - [2007/02/18 10:05:42 | 00,430,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netlogon.dll -- (Netlogon [On_Demand | Stopped])
SRV - [2008/07/29 19:20:34 | 00,119,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found -- -- (NtLmSsp [On_Demand | Stopped])
SRV - [2007/09/04 18:31:22 | 00,180,224 | ---- | M] (NVIDIA) -- C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService [Auto | Running])
SRV - File not found -- -- (NVSvc [Auto | Running])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - File not found -- -- (PlugPlay [Auto | Running])
SRV - [2006/03/03 20:03:10 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Unknown | Stopped])
SRV - File not found -- -- (PolicyAgent [Auto | Running])
SRV - File not found -- -- (ProtectedStorage [Auto | Running])
SRV - File not found -- -- (RDSessMgr [On_Demand | Stopped])
SRV - File not found -- -- (SamSs [Auto | Running])
SRV - File not found -- -- (TlntSvr [Disabled | Stopped])
SRV - [2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Running])
SRV - File not found -- -- (vds [On_Demand | Stopped])
SRV - File not found -- -- (VSS [On_Demand | Stopped])
SRV - [2007/02/18 10:05:40 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\mspmsnsv.dll -- (WmdmPmSN [On_Demand | Stopped])
SRV - File not found -- -- (WmiApSrv [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - File not found -- -- (ACPI [Boot | Running])
DRV - File not found -- -- (ADIHdAudAddService [On_Demand | Running])
DRV - File not found -- -- (AEAudio [On_Demand | Running])
DRV - File not found -- -- (AFD [System | Running])
DRV - File not found -- -- (AmdK8 [System | Running])
DRV - File not found -- -- (amdtools [On_Demand | Running])
DRV - File not found -- -- (Arp1394 [On_Demand | Running])
DRV - [2004/10/14 03:53:22 | 00,006,656 | R--- | M] () -- C:\WINDOWS\SysWow64\drivers\AsIO.sys -- (AsIO [System | Running])
DRV - File not found -- -- (asuskbnt [System | Running])
DRV - File not found -- -- (aswFsBlk [Auto | Running])
DRV - File not found -- -- (aswMonFlt [Auto | Running])
DRV - File not found -- -- (aswRdr [On_Demand | Running])
DRV - File not found -- -- (aswSP [System | Running])
DRV - File not found -- -- (aswTdi [System | Running])
DRV - File not found -- -- (atapi [Boot | Running])
DRV - File not found -- -- (audstub [On_Demand | Running])
DRV - File not found -- -- (Beep [System | Running])
DRV - File not found -- -- (CdaC15BA [Auto | Running])
DRV - File not found -- -- (CdaD10BA [Auto | Running])
DRV - File not found -- -- (Cdfs [Disabled | Running])
DRV - File not found -- -- (Cdrom [System | Running])
DRV - File not found -- -- (crcdisk [Boot | Running])
DRV - File not found -- -- (Disk [Boot | Running])
DRV - File not found -- -- (dmio [Boot | Running])
DRV - File not found -- -- (dmload [Boot | Running])
DRV - File not found -- -- (EIO [Auto | Running])
DRV - File not found -- -- (Fips [System | Running])
DRV - File not found -- -- (FltMgr [Boot | Running])
DRV - File not found -- -- (Ftdisk [Boot | Running])
DRV - File not found -- -- (ghstwall [Auto | Running])
DRV - File not found -- -- (Gpc [On_Demand | Running])
DRV - File not found -- -- (HDAudBus [On_Demand | Running])
DRV - File not found -- -- (hidusb [On_Demand | Running])
DRV - File not found -- -- (HPZid412 [On_Demand | Running])
DRV - [2006/03/03 20:02:58 | 00,204,800 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipr12.dll -- (HPZipr12 [On_Demand | Running])
DRV - File not found -- -- (HPZius12 [On_Demand | Running])
DRV - File not found -- -- (HTTP [On_Demand | Running])
DRV - File not found -- -- (imapi [System | Running])
DRV - File not found -- -- (IpNat [On_Demand | Running])
DRV - File not found -- -- (IPSec [System | Running])
DRV - File not found -- -- (isapnp [Boot | Running])
DRV - File not found -- -- (Kbdclass [System | Running])
DRV - File not found -- -- (kbdhid [System | Running])
DRV - File not found -- -- (kmixer [On_Demand | Running])
DRV - File not found -- -- (KSecDD [Boot | Running])
DRV - File not found -- -- (ksthunk [On_Demand | Running])
DRV - File not found -- -- (LHidFilt [On_Demand | Running])
DRV - File not found -- -- (LMouFilt [On_Demand | Running])
DRV - [2005/03/25 06:00:00 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmdd.dll -- (mnmdd [System | Running])
DRV - File not found -- -- (Mouclass [System | Running])
DRV - File not found -- -- (mouhid [On_Demand | Running])
DRV - File not found -- -- (MountMgr [Boot | Running])
DRV - File not found -- -- (MRxDAV [On_Demand | Running])
DRV - File not found -- -- (MRxSmb [System | Running])
DRV - File not found -- -- (Msfs [System | Running])
DRV - File not found -- -- (mssmbios [On_Demand | Running])
DRV - File not found -- -- (MTsensor [On_Demand | Running])
DRV - File not found -- -- (Mup [Boot | Running])
DRV - File not found -- -- (NDIS [Boot | Running])
DRV - File not found -- -- (NdisTapi [On_Demand | Running])
DRV - File not found -- -- (NdisWan [On_Demand | Running])
DRV - File not found -- -- (NDProxy [On_Demand | Running])
DRV - File not found -- -- (NetBIOS [System | Running])
DRV - File not found -- -- (NetBT [System | Running])
DRV - File not found -- -- (NIC1394 [On_Demand | Running])
DRV - File not found -- -- (Npfs [System | Running])
DRV - File not found -- -- (Ntfs [Disabled | Running])
DRV - File not found -- -- (Null [System | Running])
DRV - File not found -- -- (nv [On_Demand | Running])
DRV - File not found -- -- (nvata64 [Boot | Running])
DRV - File not found -- -- (NVENETFD [On_Demand | Running])
DRV - File not found -- -- (nvnetbus [On_Demand | Running])
DRV - [2007/09/04 18:26:38 | 00,039,968 | ---- | M] (NVidia Corp.) -- C:\WINDOWS\nvoclk64.sys -- (NVR0Dev [On_Demand | Running])
DRV - File not found -- -- (ohci1394 [Boot | Running])
DRV - File not found -- -- (Parport [On_Demand | Running])
DRV - File not found -- -- (PartMgr [Boot | Running])
DRV - File not found -- -- (PCI [Boot | Running])
DRV - File not found -- -- (PCIIde [Boot | Running])
DRV - [2003/08/11 09:07:46 | 00,014,604 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Stopped])
DRV - File not found -- -- (PptpMiniport [On_Demand | Running])
DRV - File not found -- -- (PSched [On_Demand | Running])
DRV - File not found -- -- (Ptilink [On_Demand | Running])
DRV - File not found -- -- (RasAcd [System | Running])
DRV - File not found -- -- (Rasl2tp [On_Demand | Running])
DRV - File not found -- -- (RasPppoe [On_Demand | Running])
DRV - File not found -- -- (Raspti [On_Demand | Running])
DRV - File not found -- -- (Rdbss [System | Running])
DRV - File not found -- -- (RDPCDD [System | Running])
DRV - File not found -- -- (rdpdr [On_Demand | Running])
DRV - File not found -- -- (RDPWD [On_Demand | Running])
DRV - File not found -- -- (redbook [System | Running])
DRV - File not found -- -- (Secdrv [Auto | Running])
DRV - File not found -- -- (SenFiltService [On_Demand | Running])
DRV - File not found -- -- (serenum [On_Demand | Running])
DRV - File not found -- -- (Serial [System | Running])
DRV - [2007/02/07 12:27:46 | 00,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\SysWOW64\speedfan.sys -- (speedfan [System | Running])
DRV - File not found -- -- (sr [Boot | Running])
DRV - File not found -- -- (Srv [On_Demand | Running])
DRV - File not found -- -- (swenum [On_Demand | Running])
DRV - File not found -- -- (sysaudio [On_Demand | Running])
DRV - File not found -- -- (Tcpip [System | Running])
DRV - File not found -- -- (TDTCP [On_Demand | Running])
DRV - File not found -- -- (TermDD [System | Running])
DRV - File not found -- -- (Update [On_Demand | Running])
DRV - File not found -- -- (usbccgp [On_Demand | Running])
DRV - File not found -- -- (usbehci [On_Demand | Running])
DRV - File not found -- -- (usbhub [On_Demand | Running])
DRV - File not found -- -- (usbohci [On_Demand | Running])
DRV - File not found -- -- (usbprint [On_Demand | Running])
DRV - File not found -- -- (usbscan [On_Demand | Running])
DRV - File not found -- -- (USBSTOR [On_Demand | Running])
DRV - File not found -- -- (VgaSave [System | Running])
DRV - File not found -- -- (VolSnap [Boot | Running])
DRV - File not found -- -- (Wanarp [On_Demand | Running])
DRV - File not found -- -- (Wdf01000 [On_Demand | Running])
DRV - [2005/03/25 06:00:00 | 00,023,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdmaud.drv -- (wdmaud [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com -> %ProgramFiles%\JAVA\JRE6\LIB\DEPLOY\JQS\FF [C:\PROGRAM FILES (X86)\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/01/08 21:33:14 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b} -> %SystemRoot%\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION [C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\] -> [2009/02/12 23:37:44 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.14\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\COMPONENTS] -> [2008/12/08 12:57:14 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.14\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGINS] -> [2008/12/08 12:57:16 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Components -> E:\FOX\COMPONENTS ->
FF - HKLM\software\mozilla\Mozilla Firefox 3.0\extensions\\Plugins -> E:\FOX\PLUGINS ->
FF - C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions [2008/09/13 14:31:19 00,000,000 | ---D | M]
FF - C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2008/09/13 14:31:19 00,000,000 | ---D | M]
FF - C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\l36fj3pu.default\extensions [2008/05/01 00:18:27 00,000,000 | ---D | M]
FF - C:\Program Files (x86)\mozilla firefox\extensions [2008/05/01 00:18:23 00,000,000 | ---D | M]
FF - C:\Program Files (x86)\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2008/05/01 00:18:23 00,000,000 | ---D | M]

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\syswow64\SHELL32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\syswow64\SHELL32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup File not found
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [Launch Ai Booster] "C:\Program Files (x86)\ASUS\Ai Booster\OverClk.exe" ()
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (NVIDIA)
O4 - HKCU..\Run: [System Mechanic Popup Stopper] "C:\PROGRA~2\iolo\SYSTEM~1\PopupStopper.exe" ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files (x86)\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1172270994890 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} http://www.yougamers.com/systeminfo/MSC3.cab (Measurement Services Client v.3.12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\syswow64\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\SysWOW64\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files (x86)\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files (x86)\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\syswow64\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SysWOW64\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\syswow64\SHELL32.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\system32\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (lsass.exe) - File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\syswow64\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\syswow64\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysWOW64\stobject.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\SysWOW64\browseui.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/02/23 16:16:15 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/04 20:29:47 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{7bfd8089-c357-11db-b17d-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{7bfd8089-c357-11db-b17d-806e6f6e6963}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7bfd8089-c357-11db-b17d-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Bin\Assetup.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/03/06 22:04:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\OTListIt2
[2009/03/04 15:56:38 | 00,321,442 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\need a vacation.mp3
[2009/03/04 15:40:43 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/03/04 15:40:43 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/02/23 20:19:31 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2009/02/23 20:19:31 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2009/02/23 20:19:31 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/02/23 20:19:31 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2009/02/23 20:19:31 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/02/23 20:18:02 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2009/02/19 20:13:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\nedy
[2009/02/19 19:46:43 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/02/19 19:46:32 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/02/19 19:28:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\bleeping comp
[2009/02/19 18:55:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\highjackthis
[2009/02/15 21:03:08 | 00,172,912 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\diagn_assess.pdf
[2009/02/14 13:34:45 | 00,258,391 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\drg.pdf
[2009/02/14 13:31:55 | 00,474,326 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\prep1896.pdf
[2009/02/14 13:30:22 | 00,039,706 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\admission.pdf
[2009/02/14 02:40:56 | 00,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2009/02/14 02:40:55 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Autorun Eater
[2009/02/14 02:05:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/02/14 02:05:03 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/14 02:05:03 | 00,000,726 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/14 02:05:01 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/14 02:05:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/14 02:04:59 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/02/13 16:28:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\bike orders
[2009/02/13 13:01:51 | 21,244,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/12 23:34:52 | 00,000,000 | ---D | C] -- C:\55e40205393fcfa663932ac17ec9
[2009/02/12 23:34:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/02/10 07:52:22 | 08,360,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shell32.dll

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/06 21:45:57 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/03/06 21:45:57 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/03/05 18:59:13 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/05 18:59:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/05 18:59:08 | 21,459,02592 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/04 15:47:41 | 00,321,442 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\need a vacation.mp3
[2009/03/04 15:40:43 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/03/04 15:40:43 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/03/01 17:19:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/03/01 17:19:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009/02/27 19:37:22 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/02/27 19:37:22 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/02/27 11:52:07 | 00,000,970 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/02/27 11:51:28 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/02/27 11:51:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/02/27 10:19:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/02/27 10:19:03 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/02/25 23:43:15 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/02/25 23:43:15 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/02/24 20:12:27 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/02/24 20:12:27 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/02/23 22:14:42 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\winscp.rnd
[2009/02/23 20:27:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/02/23 20:27:18 | 00,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/02/23 20:25:12 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/02/23 20:25:12 | 00,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/02/23 20:22:41 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2009/02/23 20:19:31 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2009/02/23 20:19:31 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/02/23 20:19:31 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/02/23 20:19:27 | 00,811,008 | ---- | M] () -- C:\WINDOWS\gmer.exe
[2009/02/23 20:18:03 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2009/02/22 22:53:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/02/22 22:53:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/02/19 19:46:47 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/02/15 21:47:22 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/02/15 21:47:22 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/02/15 21:03:08 | 00,172,912 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\diagn_assess.pdf
[2009/02/14 15:14:33 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/02/14 15:14:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/02/14 13:34:45 | 00,258,391 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\drg.pdf
[2009/02/14 13:31:55 | 00,474,326 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\prep1896.pdf
[2009/02/14 13:30:22 | 00,039,706 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\admission.pdf
[2009/02/14 02:43:21 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/02/14 02:43:21 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/02/14 02:40:56 | 00,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2009/02/14 02:05:03 | 00,000,726 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/13 02:32:45 | 00,162,304 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/12 23:55:16 | 00,000,002 | ---- | M] () -- C:\WINDOWS\System32\config.nt
[2009/02/12 23:41:46 | 00,736,050 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/02/11 20:56:18 | 21,244,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/11 20:37:32 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/02/11 20:37:32 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/02/11 15:12:29 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/02/11 15:12:29 | 00,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/02/11 15:10:14 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/02/11 15:10:14 | 00,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/02/11 15:10:08 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/02/11 15:10:08 | 00,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/02/11 15:10:03 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/02/11 15:10:03 | 00,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/02/11 15:09:59 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/02/11 15:09:59 | 00,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/02/11 10:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/11 10:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/10 19:55:57 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/02/10 19:55:57 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/02/10 07:52:22 | 08,360,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\shell32.dll
[2009/02/05 15:11:35 | 01,256,296 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\screenclean.swf:SummaryInformation
@Alternate Data Stream - 0 bytes -> C:\WINDOWS\screenclean.swf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Administrator\Desktop\Thumbs.db:encryptable
< End of report >

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 March 2009 - 11:20 AM

Hello.

Your log looks good.

I also noticed that when I hit Ctrl+Alt+Del, there is always an iexplore.exe *32 regardless of whether I open a browser or anything, and when I do decide to open a browser, then I get two iexplore.exe *32. Why?

Iexplore.exe is Internet Explorer.

I do not understand what you mean by "*32". Please explain.

With Regards,
The Panda

#8 isaurocbr
  • Topic Starter
  • Members
  • 7 posts

Posted 08 March 2009 - 12:47 PM

The *32 is just the way the PC shows that it's the 32-bit version of Internet Explorer (as opposed to the 64-bit one, which I really don't use anyway) (I'm running a 64-bit version of Windows; I know people say it's worthless and not necessary, but I like the feel of the 64-bit, lol), but I digress. My question is why do I have it in the Task Manager even though I never opened it? Is it possible that there is a hidden window or service running in the background utilizing the Internet Explorer browser?
Anyway, thank you for taking a look at the log. I think now I feel a little more secure having someone with your level of expertise look at the log and tell me I'm OK.

Thank You,
Isauro

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 08 March 2009 - 01:22 PM

Hello Isauro.

Certain variants of the lovgate worm do drop fake files named Iexplore.exe.

Let's use OTListIt to search for any fake versions.

If you have lost your copy of OTListIt, please download a new one from here.
Copy the contents of the CodeBox below into the Custom Scans/Fixes.
C:\iexplore.exe /s

Click the Run Scan button. Post back with the logfile that opens.

With Regards,
The Panda
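The check behind the custom scan above can also be run offline against the report's own process lines: parse each PRC entry and flag any image named iexplore.exe that does not run from an Internet Explorer program directory or is not tagged with Microsoft's company name. This is an added example, not code from the thread or from OTListIt; the expected-directory table and the last sample line (a hypothetical impostor under C:\WINDOWS\System32) are constructed assumptions.

```python
"""Triage OTListIt 'Processes (SafeList)' lines for look-alike iexplore.exe.

Added example for this thread; it is not code from OTListIt or from the
poster. The expected-directory table and the impostor line in the sample
report are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One PRC line, in the layout OTListIt uses in the report above:
# PRC - [date time | size | attrs | C/M] (Company) -- path
PRC_RE = re.compile(
    r"^PRC - \[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>\S.*?)\s*$"
)


@dataclass
class ProcEntry:
    stamp: str      # modification timestamp as printed by the tool
    size: int       # file size in bytes (commas stripped)
    attrs: str      # R/H/S/D attribute flags, '-' when unset
    company: str    # company name from the version resource, '' if none
    path: str       # full path of the running image

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_prc(line: str) -> Optional[ProcEntry]:
    """Return a ProcEntry for a PRC line, or None for any other line."""
    m = PRC_RE.match(line.strip())
    if m is None:
        return None
    return ProcEntry(
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        company=m["company"],
        path=m["path"],
    )


# Assumption: where the genuine browser lives on a 64-bit XP/2003 install
# (native copy and the WOW64 copy that Task Manager shows as 'iexplore.exe *32').
EXPECTED_DIRS: Dict[str, set] = {
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\program files (x86)\internet explorer",
    },
}
EXPECTED_COMPANY: Dict[str, str] = {"iexplore.exe": "Microsoft Corporation"}


def suspicious(entry: ProcEntry) -> List[str]:
    """Reasons a process with a watched name looks like a drop-in fake."""
    reasons: List[str] = []
    if entry.name not in EXPECTED_DIRS:
        return reasons
    if entry.directory not in EXPECTED_DIRS[entry.name]:
        reasons.append(f"runs from unexpected directory {entry.directory}")
    if entry.company != EXPECTED_COMPANY[entry.name]:
        reasons.append(f"company field is {entry.company!r}")
    return reasons


def triage(report: str) -> Dict[str, List[str]]:
    """Map each flagged image path to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in report.splitlines():
        entry = parse_prc(line)
        if entry is None:
            continue
        reasons = suspicious(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings


# Constructed sample: the first two PRC lines are copied from the report
# above; the third is a hypothetical impostor with no company name.
SAMPLE_REPORT = r"""
========== Processes (SafeList) ==========

PRC - [2005/03/25 07:00:00 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\ctfmon.exe
PRC - [2009/01/19 22:05:42 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PRC - [2009/02/19 19:46:32 | 00,061,440 | -H-- | M] () -- C:\WINDOWS\System32\iexplore.exe
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_REPORT).items():
        print(f"{path}: {'; '.join(why)}")
```

Only the constructed System32 copy is reported; the genuine WOW64 browser from the report passes both checks.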

#10 isaurocbr
  • Topic Starter
  • Members
  • 7 posts

Posted 10 March 2009 - 03:17 AM

For some reason it keeps freezing up on me when I add the C:\iexplore.exe line (I copied and pasted it exactly). It just states in the bottom bar that it is checking manual scans, and then it does nothing for like ten minutes. After that I ran Task Manager and it said it wasn't responding. I tried like 5 times, and even restarted the computer; same problem. That seems very odd, doesn't it?

OK, now it seems to work, stubborn little feller...

OTListIt logfile created on: 3/10/2009 3:17:01 AM - Run 8
OTListIt2 by OldTimer - Version 2.0.3.4 Folder = C:\Documents and Settings\Administrator\Desktop\OTListIt2
Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.50 Gb Available Physical Memory | 74.99% Memory free
3.87 Gb Paging File | 3.45 Gb Available in Paging File | 89.02% Paging File free
Paging file location(s): c:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 44.86 Gb Free Space | 19.26% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: T1000
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: Off

========== Processes (SafeList) ==========

PRC - [2009/02/05 16:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/05 16:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/01/08 22:33:14 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jqs.exe
PRC - [2006/03/03 21:03:10 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\SysWOW64\HPZipm12.exe
PRC - [2009/02/05 16:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2005/09/29 17:28:22 | 00,217,088 | ---- | M] () -- C:\Program Files (x86)\GhostWall\ghostwall.exe
PRC - [2009/02/05 16:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2003/11/17 16:18:20 | 00,428,032 | ---- | M] () -- C:\Program Files (x86)\iolo\System Mechanic 4 Professional\PopupStopper.exe
PRC - [2005/03/25 07:00:00 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\ctfmon.exe
PRC - [2005/03/25 07:00:00 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\rundll32.exe
PRC - [2009/01/19 22:05:42 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PRC - [2006/04/30 21:07:44 | 00,843,776 | R--- | M] (Analog Devices, Inc.) -- C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
PRC - [2006/05/05 17:49:30 | 03,680,256 | ---- | M] () -- C:\Program Files (x86)\ASUS\Ai Booster\OverClk.exe
PRC - [2009/02/05 16:08:45 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2004/08/09 05:03:38 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2009/01/08 22:33:14 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jusched.exe
PRC - [2009/03/06 22:50:51 | 00,498,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/03/18 20:25:23 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - [2008/07/25 11:13:44 | 00,046,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 16:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2006/04/10 18:56:14 | 00,252,416 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService [Auto | Running])
SRV - [2009/02/05 16:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/02/05 16:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/02/05 16:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:13:48 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64 [On_Demand | Stopped])
SRV - File not found -- -- (dmadmin [On_Demand | Stopped])
SRV - File not found -- -- (Eventlog [Auto | Running])
SRV - [2008/07/29 22:18:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2007/02/17 00:44:20 | 00,077,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/03/25 07:00:00 | 00,162,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\iasrecst.dll -- (IASJet [On_Demand | Stopped])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 20:28:38 | 00,859,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - File not found -- -- (ImapiService [On_Demand | Stopped])
SRV - [2009/01/08 22:33:14 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/11/15 11:17:04 | 00,160,272 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ [On_Demand | Stopped])
SRV - File not found -- -- (MSDTC [On_Demand | Stopped])
SRV - [2007/02/18 11:05:42 | 00,430,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netlogon.dll -- (Netlogon [On_Demand | Stopped])
SRV - [2008/07/29 20:20:34 | 00,119,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found -- -- (NtLmSsp [On_Demand | Stopped])
SRV - [2007/09/04 19:31:22 | 00,180,224 | ---- | M] (NVIDIA) -- C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService [Auto | Running])
SRV - File not found -- -- (NVSvc [Auto | Running])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - File not found -- -- (PlugPlay [Auto | Running])
SRV - [2006/03/03 21:03:10 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Unknown | Running])
SRV - File not found -- -- (PolicyAgent [Auto | Running])
SRV - File not found -- -- (ProtectedStorage [Auto | Running])
SRV - File not found -- -- (RDSessMgr [On_Demand | Stopped])
SRV - File not found -- -- (SamSs [Auto | Running])
SRV - File not found -- -- (TlntSvr [Disabled | Stopped])
SRV - [2007/01/19 13:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - File not found -- -- (vds [On_Demand | Stopped])
SRV - File not found -- -- (VSS [On_Demand | Stopped])
SRV - [2007/02/18 11:05:40 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\mspmsnsv.dll -- (WmdmPmSN [On_Demand | Stopped])
SRV - File not found -- -- (WmiApSrv [On_Demand | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - File not found -- -- (ACPI [Boot | Running])
DRV - File not found -- -- (ADIHdAudAddService [On_Demand | Running])
DRV - File not found -- -- (AEAudio [On_Demand | Running])
DRV - File not found -- -- (AFD [System | Running])
DRV - File not found -- -- (AmdK8 [System | Running])
DRV - File not found -- -- (amdtools [On_Demand | Running])
DRV - File not found -- -- (Arp1394 [On_Demand | Running])
DRV - [2004/10/14 04:53:22 | 00,006,656 | R--- | M] () -- C:\WINDOWS\SysWow64\drivers\AsIO.sys -- (AsIO [System | Running])
DRV - File not found -- -- (asuskbnt [System | Running])
DRV - File not found -- -- (aswFsBlk [Auto | Running])
DRV - File not found -- -- (aswMonFlt [Auto | Running])
DRV - File not found -- -- (aswRdr [On_Demand | Running])
DRV - File not found -- -- (aswSP [System | Running])
DRV - File not found -- -- (aswTdi [System | Running])
DRV - File not found -- -- (atapi [Boot | Running])
DRV - File not found -- -- (audstub [On_Demand | Running])
DRV - File not found -- -- (Beep [System | Running])
DRV - File not found -- -- (CdaC15BA [Auto | Running])
DRV - File not found -- -- (CdaD10BA [Auto | Running])
DRV - File not found -- -- (Cdfs [Disabled | Running])
DRV - File not found -- -- (Cdrom [System | Running])
DRV - File not found -- -- (crcdisk [Boot | Running])
DRV - File not found -- -- (Disk [Boot | Running])
DRV - File not found -- -- (dmio [Boot | Running])
DRV - File not found -- -- (dmload [Boot | Running])
DRV - File not found -- -- (EIO [Auto | Running])
DRV - File not found -- -- (Fips [System | Running])
DRV - File not found -- -- (FltMgr [Boot | Running])
DRV - File not found -- -- (Ftdisk [Boot | Running])
DRV - File not found -- -- (ghstwall [Auto | Running])
DRV - File not found -- -- (Gpc [On_Demand | Running])
DRV - File not found -- -- (HDAudBus [On_Demand | Running])
DRV - File not found -- -- (hidusb [On_Demand | Running])
DRV - File not found -- -- (HPZid412 [On_Demand | Running])
DRV - [2006/03/03 21:02:58 | 00,204,800 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipr12.dll -- (HPZipr12 [On_Demand | Running])
DRV - File not found -- -- (HPZius12 [On_Demand | Running])
DRV - File not found -- -- (HTTP [On_Demand | Running])
DRV - File not found -- -- (imapi [System | Running])
DRV - File not found -- -- (IpNat [On_Demand | Running])
DRV - File not found -- -- (IPSec [System | Running])
DRV - File not found -- -- (isapnp [Boot | Running])
DRV - File not found -- -- (Kbdclass [System | Running])
DRV - File not found -- -- (kbdhid [System | Running])
DRV - File not found -- -- (KSecDD [Boot | Running])
DRV - File not found -- -- (ksthunk [On_Demand | Running])
DRV - File not found -- -- (LHidFilt [On_Demand | Running])
DRV - File not found -- -- (LMouFilt [On_Demand | Running])
DRV - [2005/03/25 07:00:00 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmdd.dll -- (mnmdd [System | Running])
DRV - File not found -- -- (Mouclass [System | Running])
DRV - File not found -- -- (mouhid [On_Demand | Running])
DRV - File not found -- -- (MountMgr [Boot | Running])
DRV - File not found -- -- (MRxDAV [On_Demand | Running])
DRV - File not found -- -- (MRxSmb [System | Running])
DRV - File not found -- -- (Msfs [System | Running])
DRV - File not found -- -- (mssmbios [On_Demand | Running])
DRV - File not found -- -- (MTsensor [On_Demand | Running])
DRV - File not found -- -- (Mup [Boot | Running])
DRV - File not found -- -- (NDIS [Boot | Running])
DRV - File not found -- -- (NdisTapi [On_Demand | Running])
DRV - File not found -- -- (NdisWan [On_Demand | Running])
DRV - File not found -- -- (NDProxy [On_Demand | Running])
DRV - File not found -- -- (NetBIOS [System | Running])
DRV - File not found -- -- (NetBT [System | Running])
DRV - File not found -- -- (NIC1394 [On_Demand | Running])
DRV - File not found -- -- (Npfs [System | Running])
DRV - File not found -- -- (Ntfs [Disabled | Running])
DRV - File not found -- -- (Null [System | Running])
DRV - File not found -- -- (nv [On_Demand | Running])
DRV - File not found -- -- (nvata64 [Boot | Running])
DRV - File not found -- -- (NVENETFD [On_Demand | Running])
DRV - File not found -- -- (nvnetbus [On_Demand | Running])
DRV - [2007/09/04 19:26:38 | 00,039,968 | ---- | M] (NVidia Corp.) -- C:\WINDOWS\nvoclk64.sys -- (NVR0Dev [On_Demand | Running])
DRV - File not found -- -- (ohci1394 [Boot | Running])
DRV - File not found -- -- (Parport [On_Demand | Running])
DRV - File not found -- -- (PartMgr [Boot | Running])
DRV - File not found -- -- (PCI [Boot | Running])
DRV - File not found -- -- (PCIIde [Boot | Running])
DRV - [2003/08/11 10:07:46 | 00,014,604 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Stopped])
DRV - File not found -- -- (PptpMiniport [On_Demand | Running])
DRV - File not found -- -- (PSched [On_Demand | Running])
DRV - File not found -- -- (Ptilink [On_Demand | Running])
DRV - File not found -- -- (RasAcd [System | Running])
DRV - File not found -- -- (Rasl2tp [On_Demand | Running])
DRV - File not found -- -- (RasPppoe [On_Demand | Running])
DRV - File not found -- -- (Raspti [On_Demand | Running])
DRV - File not found -- -- (Rdbss [System | Running])
DRV - File not found -- -- (RDPCDD [System | Running])
DRV - File not found -- -- (rdpdr [On_Demand | Running])
DRV - File not found -- -- (RDPWD [On_Demand | Running])
DRV - File not found -- -- (redbook [System | Running])
DRV - File not found -- -- (Secdrv [Auto | Running])
DRV - File not found -- -- (SenFiltService [On_Demand | Running])
DRV - File not found -- -- (serenum [On_Demand | Running])
DRV - File not found -- -- (Serial [System | Running])
DRV - [2007/02/07 13:27:46 | 00,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\SysWOW64\speedfan.sys -- (speedfan [System | Running])
DRV - File not found -- -- (sr [Boot | Running])
DRV - File not found -- -- (Srv [On_Demand | Running])
DRV - File not found -- -- (swenum [On_Demand | Running])
DRV - File not found -- -- (sysaudio [On_Demand | Running])
DRV - File not found -- -- (Tcpip [System | Running])
DRV - File not found -- -- (TDTCP [On_Demand | Running])
DRV - File not found -- -- (TermDD [System | Running])
DRV - File not found -- -- (Update [On_Demand | Running])
DRV - File not found -- -- (usbccgp [On_Demand | Running])
DRV - File not found -- -- (usbehci [On_Demand | Running])
DRV - File not found -- -- (usbhub [On_Demand | Running])
DRV - File not found -- -- (usbohci [On_Demand | Running])
DRV - File not found -- -- (usbprint [On_Demand | Running])
DRV - File not found -- -- (usbscan [On_Demand | Running])
DRV - File not found -- -- (USBSTOR [On_Demand | Running])
DRV - File not found -- -- (VgaSave [System | Running])
DRV - File not found -- -- (VolSnap [Boot | Running])
DRV - File not found -- -- (Wanarp [On_Demand | Running])
DRV - File not found -- -- (Wdf01000 [On_Demand | Running])
DRV - [2005/03/25 07:00:00 | 00,023,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdmaud.drv -- (wdmaud [On_Demand | Running])

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\*.tmp files]
[2009/03/06 23:04:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\OTListIt2
[2009/03/04 16:56:38 | 00,321,442 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\need a vacation.mp3
[2009/03/04 16:40:43 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/03/04 16:40:43 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/02/23 21:19:31 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2009/02/23 21:19:31 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2009/02/23 21:19:31 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/02/23 21:19:31 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2009/02/23 21:19:31 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/02/23 21:18:02 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2009/02/19 21:13:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\nedy
[2009/02/19 20:46:43 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/02/19 20:46:32 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/02/19 20:28:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\bleeping comp
[2009/02/19 19:55:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\highjackthis
[2009/02/15 22:03:08 | 00,172,912 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\diagn_assess.pdf
[2009/02/14 14:34:45 | 00,258,391 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\drg.pdf
[2009/02/14 14:31:55 | 00,474,326 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\prep1896.pdf
[2009/02/14 14:30:22 | 00,039,706 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\admission.pdf
[2009/02/14 03:40:56 | 00,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2009/02/14 03:40:55 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Autorun Eater
[2009/02/14 03:05:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/02/14 03:05:03 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/14 03:05:03 | 00,000,726 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/14 03:05:01 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/14 03:05:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/14 03:04:59 | 00,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2009/02/13 17:28:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\bike orders
[2009/02/13 14:01:51 | 21,244,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/13 00:34:52 | 00,000,000 | ---D | C] -- C:\55e40205393fcfa663932ac17ec9
[2009/02/13 00:34:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/02/10 08:52:22 | 08,360,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shell32.dll

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/03/10 03:14:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/10 03:14:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/10 03:14:06 | 21,459,02592 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/10 00:03:39 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/03/10 00:03:39 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/03/09 21:54:21 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/03/06 22:45:57 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/03/06 22:45:57 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/03/04 16:47:41 | 00,321,442 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\need a vacation.mp3
[2009/03/04 16:40:43 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/03/01 18:19:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/03/01 18:19:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009/02/27 20:37:22 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/02/27 20:37:22 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/02/27 12:52:07 | 00,000,970 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/02/27 12:51:28 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/02/27 12:51:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/02/27 11:19:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/02/27 11:19:03 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/02/26 00:43:15 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/02/26 00:43:15 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/02/24 21:12:27 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/02/24 21:12:27 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/02/23 23:14:42 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\winscp.rnd
[2009/02/23 21:27:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/02/23 21:27:18 | 00,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/02/23 21:25:12 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/02/23 21:25:12 | 00,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/02/23 21:22:41 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2009/02/23 21:19:31 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2009/02/23 21:19:31 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/02/23 21:19:31 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/02/23 21:19:27 | 00,811,008 | ---- | M] () -- C:\WINDOWS\gmer.exe
[2009/02/23 21:18:03 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2009/02/22 23:53:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/02/22 23:53:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/02/19 20:46:47 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.execf
[2009/02/15 22:47:22 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/02/15 22:47:22 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/02/15 22:03:08 | 00,172,912 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\diagn_assess.pdf
[2009/02/14 16:14:33 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/02/14 16:14:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/02/14 14:34:45 | 00,258,391 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\drg.pdf
[2009/02/14 14:31:55 | 00,474,326 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\prep1896.pdf
[2009/02/14 14:30:22 | 00,039,706 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\admission.pdf
[2009/02/14 03:43:21 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/02/14 03:43:21 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/02/14 03:40:56 | 00,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Autorun Eater.lnk
[2009/02/14 03:05:03 | 00,000,726 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/13 03:32:45 | 00,162,304 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/13 00:55:16 | 00,000,002 | ---- | M] () -- C:\WINDOWS\System32\config.nt
[2009/02/13 00:41:46 | 00,736,050 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/02/11 21:56:18 | 21,244,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/11 21:37:32 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/02/11 21:37:32 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/02/11 16:12:29 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/02/11 16:12:29 | 00,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/02/11 16:10:14 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/02/11 16:10:14 | 00,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/02/11 16:10:08 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/02/11 16:10:08 | 00,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/02/11 16:10:03 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/02/11 16:10:03 | 00,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/02/11 16:09:59 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/02/11 16:09:59 | 00,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/02/11 11:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/11 11:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/10 08:52:22 | 08,360,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\shell32.dll

========== Custom Scans ==========


< c:\iexplore.exe /s >
[2009/01/19 22:03:52 | 00,709,800 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Internet Explorer\iexplore.exe
[2009/01/19 22:05:42 | 00,634,024 | ---- | M] (Microsoft Corporation) -- c:\Program Files (x86)\Internet Explorer\iexplore.exe
[2007/04/03 13:01:14 | 00,679,424 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe
[2007/05/07 16:07:28 | 00,679,424 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe
[2007/07/19 06:59:14 | 00,679,424 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe
[2007/08/20 04:23:12 | 00,700,928 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe
[2007/10/31 21:39:02 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[2008/01/12 14:25:20 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[2008/02/16 10:29:24 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[2008/05/07 14:56:52 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[2008/06/27 16:48:30 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[2008/10/04 07:44:00 | 00,711,624 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[2008/10/17 06:08:20 | 00,709,408 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[2009/01/19 21:57:22 | 00,709,800 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[2005/03/25 07:00:00 | 00,096,256 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7\iexplore.exe
[2006/10/17 13:25:54 | 00,674,304 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB928090-IE7\iexplore.exe
[2007/01/08 19:58:10 | 00,675,328 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB931768-IE7\iexplore.exe
[2007/04/03 13:09:24 | 00,675,328 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB933566-IE7\iexplore.exe
[2007/05/07 16:28:26 | 00,679,424 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB937143-IE7\iexplore.exe
[2007/07/19 07:13:22 | 00,679,424 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB939653-IE7\iexplore.exe
[2007/08/20 04:43:28 | 00,679,424 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
[2007/10/31 22:11:12 | 00,700,928 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB944533-IE7\iexplore.exe
[2008/01/12 14:32:42 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
[2008/02/16 11:03:30 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
[2008/05/08 09:19:18 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB953838-IE7\iexplore.exe
[2008/06/27 15:12:38 | 00,701,440 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
[2008/10/04 07:54:04 | 00,711,624 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB958215-IE7\iexplore.exe
[2008/10/17 06:16:44 | 00,709,408 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7updates\KB961260-IE7\iexplore.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\screenclean.swf:SummaryInformation
@Alternate Data Stream - 0 bytes -> C:\WINDOWS\screenclean.swf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Administrator\Desktop\Thumbs.db:encryptable
< End of report >

Edited by isaurocbr, 10 March 2009 - 03:20 AM.


#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:16 PM

Posted 10 March 2009 - 07:27 AM

Hello.

Though OTListIt works, it was not meant for x64 machines.

All copies of Iexplore.exe on the machine are clean.
---
In the Task Manager, select View, Select Columns. Check Image Path.

Please tell me where the iexplore.exe's that are running are located.

With Regards,
The Panda
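
The check the helper describes (confirm that every iexplore.exe copy sits where the legitimate 32-bit and 64-bit browser and its update backups live) can be applied mechanically to the OTListIt output. The following Python is an added example, not part of this thread or of the OTListIt tool: it parses the OTListIt entry format, and the list of expected folders is an assumption taken from the clean "Custom Scans" section above; the last sample line is constructed to show what a hit looks like.

```python
import re

# Shape of one OTListIt file/folder entry (real line from the log above):
# [2009/01/19 22:03:52 | 00,709,800 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Internet Explorer\iexplore.exe
# Folder entries omit the "(Company)" field; M = modified list, C = created list.
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Za-z]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Where iexplore.exe legitimately lives on this 64-bit XP/2003 install
# (assumption derived from the clean "Custom Scans" output above): the two
# live browser folders plus the hotfix/update backup trees.
EXPECTED_IEXPLORE_PARENTS = (
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
    r"c:\windows\$hf_mig$",    # hotfix migration backups (any subfolder)
    r"c:\windows\ie7updates",  # IE7 cumulative update backups
    r"c:\windows\ie7",         # pre-IE7 binary kept by the IE7 installer
)


def parse_entry(line):
    """Parse one OTListIt entry into a dict; return None for any other text."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return {
        "stamp": m.group("stamp"),
        "size_bytes": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
        "kind": m.group("kind"),
        "company": m.group("company") or "",  # "()" and folders give ""
        "path": m.group("path"),
    }


def triage_iexplore(log_text):
    """Return (path, verdict) for every iexplore.exe entry in an OTListIt log.

    verdict is "expected" for a Microsoft-attributed copy in a known folder,
    otherwise a semicolon-separated list of reasons to look closer.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or not entry["path"].lower().endswith("\\iexplore.exe"):
            continue
        parent = entry["path"].lower().rsplit("\\", 1)[0]
        reasons = []
        if not any(parent == p or parent.startswith(p + "\\")
                   for p in EXPECTED_IEXPLORE_PARENTS):
            reasons.append("unexpected location")
        if entry["company"] != "Microsoft Corporation":
            reasons.append("publisher field is %r" % entry["company"])
        findings.append((entry["path"], "; ".join(reasons) or "expected"))
    return findings


# Sample input: four entries copied from the log above plus one CONSTRUCTED
# last line (a copy in System32 with an empty publisher field) to show a hit.
SAMPLE_LOG = r"""
< c:\iexplore.exe /s >
[2009/01/19 22:03:52 | 00,709,800 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Internet Explorer\iexplore.exe
[2009/01/19 22:05:42 | 00,634,024 | ---- | M] (Microsoft Corporation) -- c:\Program Files (x86)\Internet Explorer\iexplore.exe
[2007/04/03 13:01:14 | 00,679,424 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe
[2005/03/25 07:00:00 | 00,096,256 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\ie7\iexplore.exe
[2009/03/06 23:04:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\OTListIt2
[2009/02/19 20:46:32 | 00,389,120 | ---- | C] () -- c:\WINDOWS\System32\iexplore.exe
"""

if __name__ == "__main__":
    for path, verdict in triage_iexplore(SAMPLE_LOG):
        print("%-45s %s" % (verdict, path))
```

The same parser handles the "Created"/"Modified" sections, so the expected-folder table can be swapped for any other binary a helper asks about.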

#12 isaurocbr

isaurocbr
  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:16 PM

Posted 12 March 2009 - 03:25 AM

No option for image path is available, but strangely I've been checking the task manager, and the second instance of iexplore isn't there anymore.
I think we're about done with this topic then, I've got no more complaints, lol. If there's anything you recommend me doing, go ahead and give me your suggestions please; other than that, I appreciate your time and patience with my situation.

Thank you PP,
Isauro

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:16 PM

Posted 18 March 2009 - 09:15 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



