Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HiJackThis log


  • This topic is locked This topic is locked
13 replies to this topic

#1 Joony

Joony

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 10 July 2009 - 05:13 AM

Hi everyone, please help me analyze this log, just to make sure everything is OK

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:47, on 7/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\App\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\App\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\App\RivaTuner v2.24\RivaTuner.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\T\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.5.185.111:7212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\App\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Logitech Mouse and Keyboard Settings.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: Shortcut to RivaTuner.lnk = C:\App\RivaTuner v2.24\RivaTuner.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - http://callme.co.il/SIP/VaxSIPUserAgentCAB.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237307026281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237307008265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F368DBB-20A5-42CA-8E95-081E39D933D8}: NameServer = 192.168.0.1,192.169.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBA140B0-E390-4DEA-8840-5BCBDE8CA70A}: NameServer = 192.115.106.35,62.219.186.7
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\App\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6533 bytes


Thanks

BC AdBot (Login to Remove)

 


m

#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:02:37 PM

Posted 18 July 2009 - 08:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Joony

Joony
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 23 July 2009 - 01:39 PM

Thank you for your response.

My computer has been infected and I have managed to remove the virus, ever since my computer is slow and I want to know what's the problem.

The log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by T at 21:22:14.43 on Thu 07/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.2046.1481 [GMT 2:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\App\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\App\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\App\RivaTuner v2.24\RivaTuner.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\App\Winamp\winamp.exe
C:\App\Last.fm\LastFM.exe
C:\App\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Documents and Settings\T\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.il/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 82.5.185.111:7212
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\app\daemon tools lite\daemon.exe" -autorun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [QuickTime Task] "c:\app\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\t\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\t\startm~1\programs\startup\shortc~1.lnk - c:\app\rivatuner v2.24\RivaTuner.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} - hxxp://callme.co.il/SIP/VaxSIPUserAgentCAB.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237307026281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237307008265
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {1F368DBB-20A5-42CA-8E95-081E39D933D8} = 192.168.0.1,192.169.0.1
TCP: {FBA140B0-E390-4DEA-8840-5BCBDE8CA70A} = 192.115.106.35,62.219.186.7
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AutorunsDisabled - WgaLogon.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\t\applic~1\mozilla\firefox\profiles\0zwfwcli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\app\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\app\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\app\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\app\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\app\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\app\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\app\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\app\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\app\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-5-24 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-6-25 296976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 SbieDrv;SbieDrv;c:\app\sandboxie\SbieDrv.sys [2009-5-28 108032]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-5-25 303376]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\everestultimate_build_1043_xvwplkj3lms\kerneld.wnt [2007-6-19 20856]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-6-24 13224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2008-3-14 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2008-3-14 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2008-3-14 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2008-3-14 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2008-3-14 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2008-3-14 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2008-3-14 97704]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]

=============== Created Last 30 ================

2009-07-18 14:23 <DIR> --d----- c:\docume~1\t\applic~1\My Battle for Middle-earth Files
2009-06-27 20:18 388 a------- c:\windows\wininit.ini
2009-06-25 00:16 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-06-25 00:13 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-25 00:13 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-06-25 00:12 <DIR> --d----- c:\program files\Kaspersky Lab
2009-06-25 00:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-06-25 00:00 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-24 20:47 <DIR> --d----- c:\program files\sys
2009-06-24 20:47 2 ----h--- c:\windows\zaponce52689.dat
2009-06-24 20:47 <DIR> --d----- c:\windows\DLL
2009-06-24 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\99849206
2009-06-24 20:47 <DIR> --d-h--- c:\windows\system32\3361
2009-06-24 20:47 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-06-24 20:47 12,288 a------- c:\windows\zfhsh5usr6i6u43t2q3awhrejaew81.exe
2009-06-24 20:46 <DIR> --d----- c:\program files\Microsoft Common

==================== Find3M ====================

2009-07-14 06:47 288,048 a------- C:\utorrent.exe
2009-07-09 19:15 128,016 a------- c:\windows\system32\drivers\kl1.sys
2009-06-24 20:46 12,288 a------- c:\windows\xfgjxrtisrrs45y3heszgraw81.exe
2009-06-21 11:06 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-25 05:21 219,664 a------- c:\windows\system32\klogon.dll
2009-05-25 05:18 27,507 a------- c:\windows\system32\drivers\klopp.dat
2009-05-03 18:12 107,888 a------- c:\windows\system32\CmdLineExt.dll
2007-11-17 19:28 22,328 a------- c:\docume~1\t\applic~1\PnkBstrK.sys
2007-06-18 22:13 457 a------- c:\program files\INSTALL.LOG

============= FINISH: 21:22:39.04 ===============



Thanks

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:37 AM

Posted 24 July 2009 - 03:47 PM

Hi Joony,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back soon with the first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:37 AM

Posted 24 July 2009 - 04:40 PM

There's files in the log that, if they are still there, are going to cause problems.

First, let's make sure there isn't anything even nastier conducting the whole thing.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then please run Malwarebytes.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

That should flush out anything that's still there. :thumbup2:

Finally,

We need to create an OTL Report
  • Please download OTL from the mirror:
    [http://oldtimer.geekstogo.com/OTL.exe]This is THE Mirror[/url]
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:[list]
    OTListIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized
Thanks :)
Posted Image
m0le is a proud member of UNITE

#6 Joony

Joony
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 25 July 2009 - 02:59 PM

Thank you for your help!

GMER report:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-25 17:20:17
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB514836E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xB5148A86]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xB514960C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xB5149B40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xB5148D78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xB5147460]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xB5149A18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xB5146D0A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xB51498D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xB5148102]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xB5149C72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB514B40E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xB5148886]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xB5149976]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xB5147A20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xB5147CF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xB514921C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xB514B980]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xB5147E3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB5147EE4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xB5149016]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xB514AEA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xB514743C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xB514744E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xB5148030]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xB5149BE2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xB5148B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xB5147604]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xB5149AB0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xB514856E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xB514B438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xB5149D14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xB5148492]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xB5147F8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xB5147BB6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xB51478BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xB514B128]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xB5147B34]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xB51470C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xB514A09E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xB5149F64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xB514AC30]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xB5147224]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xB514B860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xB5146EC4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xB5149312]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xB5148984]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xB514A5F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xB514AFA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xB514B4C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xB5147744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xB514B5A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xB514B6D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xB514ADD2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xB51486EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xB514863C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xB51487C8]

INT 0x62 ? 8AD1EBF8
INT 0x63 ? 8AB76BF8
INT 0x63 ? 8AB76BF8
INT 0x73 ? 8AD1EBF8
INT 0x83 ? 8AB76BF8
INT 0x84 ? 8AB76BF8
INT 0xA4 ? 8AB76BF8
INT 0xB4 ? 8AD1EBF8
INT 0xB4 ? 8AD1EBF8
INT 0xB4 ? 8AB76BF8
INT 0xB4 ? 8AD1EBF8

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 13E 804E4978 16 Bytes [02, 81, 14, B5, 72, 9C, 14, ...]
.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A34 12 Bytes [A6, AE, 14, B5, 3C, 74, 14, ...]
.text ntoskrnl.exe!ZwYieldExecution + 376 804E4BB0 16 Bytes [34, 7B, 14, B5, C2, 70, 14, ...] {XOR AL, 0x7b; ADC AL, 0xb5; RET 0x1470; MOV CH, 0x9e; MOV AL, [0x9f64b514]; ADC AL, 0xb5}
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CA4 12 Bytes [A6, B5, 14, B5, D2, B6, 14, ...] {CMPSB ; MOV CH, 0x14; MOV CH, 0xd2; MOV DH, 0x14; MOV CH, 0xd2; LODSD ; ADC AL, 0xb5}
.text ntoskrnl.exe!ZwYieldExecution + 47A 804E4CB4 4 Bytes JMP 3CB51486
.text ntoskrnl.exe!IoIsOperationSynchronous 804EAF8E 5 Bytes JMP B513D7DE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F9AF4 5 Bytes JMP B513D424 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
? spin.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B78A080C 5 Bytes JMP 8AB761D8
.text a9s21nlp.SYS B77B6386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a9s21nlp.SYS B77B63AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a9s21nlp.SYS B77B63C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a9s21nlp.SYS B77B63C9 1 Byte [30]
.text a9s21nlp.SYS B77B63C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text win32k.sys!EngCreateBitmap + D9AD BF845A5D 5 Bytes JMP 8A263610

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[372] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[372] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[372] USER32.dll!VRipOutput + FFFA4C6F 7E412A78 4 Bytes [70, 11, 32, 6D]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[3488] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[3488] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[3488] USER32.dll!VRipOutput + FFFA4C6F 7E412A78 4 Bytes [70, 11, 32, 6D]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8AD212D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7507C4C] spin.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7507CA0] spin.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D7042] spin.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D713E] spin.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D70C0] spin.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D7800] spin.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D76D6] spin.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8AB762D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E6E9C] spin.sys
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlInitUnicodeString] 00021083
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!swprintf] 01B05E00
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeSetEvent] 5DE58B5B
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 7E8366C3
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 0F740028
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 89320C8D
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0002288B
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 46B70F00
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 66D00328
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmUnmapIoSpace] 002A7E83
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 0C8D1574
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IofCompleteRequest] 248B8932
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 0F000002
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IofCallDriver] 832A46B7
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmAllocateMappingAddress] E08303C0
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 66D003FC
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoConnectInterrupt] 002C7E83
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoDetachDevice] 0C8D1E74
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeWaitForSingleObject] 208B8932
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeInitializeEvent] 8A000002
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 83880846
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlInitAnsiString] 000001C0
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 2C4EB70F
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoQueueWorkItem] 8303C183
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmMapIoSpace] D103FCE1
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2E7E8366
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoReportDetectedDevice] 8D1C7400
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoReportResourceForDetection] 83893204
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000218
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!NlsMbCodePageTag] 2E4EB70F
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!PoRequestPowerIrp] 021C8B89
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] B70F0000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0C12E46
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!sprintf] 03D00304
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0CB389F2
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ObfDereferenceObject] 80000002
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0975013E
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 1B42E853
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ZwClose] C4830000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] B05E5F04
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] E58B5B01
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CCCCC35D
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!PoStartNextPowerIrp] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!PoCallDriver] 53EC8B55
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoCreateDevice] 08758B56
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0214BE83
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 57000000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ZwOpenKey] 45C60674
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoStartTimer] 020C868B
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeInitializeTimer] C0850000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoInitializeTimer] 808A1074
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeInitializeDpc] 00000804
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeInitializeSpinLock] A03CF024
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoInitializeIrp] 0B45950F
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ZwCreateKey] 45C604EB
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 458A000B
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 88C0840B
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ZwSetValueKey] 840F0946
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000C1
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 14B30E8B
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoStartPacket] 1C8286C6
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 88010000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C859E
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoFreeMdl] A19E8800
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmUnlockPages] C600001C
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 001C8686
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00001CA2
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 70518B01
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8D52006A
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoStartNextPacket] 001C8886
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeBugCheckEx] 55E85000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 8B000023
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeSetTimer] 70518B0E
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeCancelTimer] 8D52016A
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!_allmul] 001CA486
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmProbeAndLockPages] 41E85000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!_except_handler3] 8B000023
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!PoSetPowerState] 18C4830E
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 1C8D9E88
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 9E880000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!_aulldiv] 00001CA9
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!strstr] 0E798366
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!_strupr] 74AAB000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeQuerySystemTime] 8186C636
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 1A00001C
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!KeTickCount] 1C8386C6
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] C6020000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoDeleteDevice] 001C8E86
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 86C60200
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00001CAA
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoAllocateIrp] 959E8802
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoAllocateMdl] 8800001C
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB19E
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmLockPagableDataSection] 96868800
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8800001C
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CB286
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!ExFreePoolWithTag] C61AEB00
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoFreeIrp] 001C8186
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!IoFreeWorkItem] 86C61200
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!InitSafeBootMode] 00001C83
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlCompareMemory] 8E868801
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!memmove] 001CAA86
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[ntoskrnl.exe!MmHighestUserAddress] 80968B00
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!KfRaiseIrql] 0001BC83
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\a9s21nlp.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BA95E670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [BA95E670] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \??\C:\WINDOWS\system32\Drivers\vmm.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\Wdf01000.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [BA95E520] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AD1D1F8

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBPDO-0 8AB751F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AD901F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AD901F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AD901F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AD901F8
Device \Driver\usbuhci \Device\USBPDO-1 8AB751F8
Device \Driver\usbehci \Device\USBPDO-2 8A9F51F8
Device \Driver\usbuhci \Device\USBPDO-3 8AB751F8
Device \Driver\usbuhci \Device\USBPDO-4 8AB751F8

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBPDO-5 8AB751F8
Device \Driver\usbehci \Device\USBPDO-6 8A9F51F8
Device \Driver\PCI_PNP7430 \Device\00000057 spin.sys
Device \Driver\PCI_PNP7430 \Device\00000057 spin.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AD1F1F8
Device \Driver\Cdrom \Device\CdRom0 8AB541F8
Device \Driver\Cdrom \Device\CdRom1 8AB541F8
Device \Driver\atapi \Device\Ide\IdePort0 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdePort1 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdePort2 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdePort3 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdePort4 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdePort5 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 8AD1E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-16 8AD1E1F8
Device \Driver\sptd \Device\3864177430 spin.sys

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBFDO-0 8AB751F8
Device \Driver\usbuhci \Device\USBFDO-1 8AB751F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A3D11F8
Device \Driver\usbehci \Device\USBFDO-2 8A9F51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A3D11F8
Device \Driver\usbuhci \Device\USBFDO-3 8AB751F8
Device \Driver\usbuhci \Device\USBFDO-4 8AB751F8
Device \Driver\Ftdisk \Device\FtControl 8AD1F1F8
Device \Driver\usbuhci \Device\USBFDO-5 8AB751F8
Device \Driver\usbehci \Device\USBFDO-6 8A9F51F8
Device \Driver\a9s21nlp \Device\Scsi\a9s21nlp1Port6Path0Target0Lun0 8A9F01F8
Device \Driver\a9s21nlp \Device\Scsi\a9s21nlp1 8A9F01F8
Device \FileSystem\Cdfs \Cdfs 8A3BE1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0xDD 0xEE 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\App\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEE 0x8B 0x87 0x5E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x33 0xB1 0x57 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x25 0xFF 0xCF 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x95 0x6A 0xCE 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8A 0x67 0xD3 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0xDD 0xEE 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\App\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEE 0x8B 0x87 0x5E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x33 0xB1 0x57 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x25 0xFF 0xCF 0xFD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x95 0x6A 0xCE 0xC6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8A 0x67 0xD3 0xCB ...

---- EOF - GMER 1.0.15 ----


MBAM report:

Malwarebytes' Anti-Malware 1.39
Database version: 2499
Windows 5.1.2600 Service Pack 2

7/25/2009 22:45:19
mbam-log-2009-07-25 (22-45-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 214319
Time elapsed: 1 hour(s), 54 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3361 (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
c:\App\daemon tools pro\daemon.tools.pro.patch.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\UQ5WBS3V\ms[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{125d0a09-cdf3-4cd1-8072-5548c9aa414c}\RP893\A0239536.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{125d0a09-cdf3-4cd1-8072-5548c9aa414c}\RP897\A0242501.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{125d0a09-cdf3-4cd1-8072-5548c9aa414c}\RP894\A0240031.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\xfgjxrtisrrs45y3heszgraw81.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\zfhsh5usr6i6u43t2q3awhrejaew81.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\microsoft common\emails.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\microsoft common\log.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3361\mlog (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\T\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\T\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.


OTL.txt:


OTL logfile created on: 7/25/2009 22:51:05 - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\T\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.66% Memory free
3.84 Gb Paging File | 3.49 Gb Available in Paging File | 90.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 68.40 Gb Free Space | 22.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: T
Current User Name: T
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/11/12 14:54:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/05/28 15:32:26 | 00,053,760 | ---- | M] (tzuk) -- C:\App\Sandboxie\SbieSvc.exe
PRC - [2004/08/04 01:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2007/06/13 13:26:03 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/11/14 11:21:00 | 16,270,848 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2009/04/23 15:51:38 | 00,691,656 | ---- | M] (DT Soft Ltd) -- C:\App\DAEMON Tools Lite\daemon.exe
PRC - [2008/05/02 02:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/02/25 19:55:00 | 02,781,184 | ---- | M] () -- C:\App\RivaTuner v2.24\RivaTuner.exe
PRC - [2008/05/02 02:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
PRC - [2009/07/24 14:17:07 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\App\Mozilla Firefox\firefox.exe
PRC - [2009/07/25 17:32:30 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\T\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (AcrSch2Svc [Disabled | Stopped])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/25 05:26:40 | 00,303,376 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe -- (AVP [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2004/08/04 01:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Disabled | Stopped])
SRV - [2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/05/02 02:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ [On_Demand | Stopped])
SRV - [2007/08/24 06:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2009/04/07 02:04:00 | 02,792,477 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - [2008/11/12 14:54:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/05/28 15:32:26 | 00,053,760 | ---- | M] (tzuk) -- C:\App\Sandboxie\SbieSvc.exe -- (SbieSvc [Auto | Running])
SRV - [2007/06/15 16:55:00 | 00,300,544 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])
SRV - [2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2005/10/07 03:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/11/04 09:09:56 | 00,279,712 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\atksgt.sys -- (atksgt [Auto | Running])
DRV - [2004/10/25 20:02:58 | 00,021,664 | ---- | M] (EnTech Taiwan) -- C:\WINDOWS\System32\DRIVERS\ENTECH.sys -- (ENTECH [On_Demand | Stopped])
DRV - [2006/12/15 10:42:28 | 00,020,856 | ---- | M] () -- C:\everestultimate_build_1043_xvwplkj3lms\kerneld.wnt -- (EverestDriver [On_Demand | Stopped])
DRV - [2007/06/17 21:04:29 | 00,014,656 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\gdrv.sys -- (gdrv [On_Demand | Stopped])
DRV - [2009/04/07 17:14:35 | 00,013,224 | ---- | M] (Sony Ericsson Mobile Communications) -- C:\WINDOWS\System32\DRIVERS\ggflt.sys -- (ggflt [On_Demand | Stopped])
DRV - [2009/04/07 17:14:35 | 00,024,616 | ---- | M] (Sony Ericsson Mobile Communications) -- C:\WINDOWS\System32\DRIVERS\ggsemc.sys -- (ggsemc [On_Demand | Stopped])
DRV - [2007/05/23 23:10:05 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2006/11/15 08:34:00 | 04,225,920 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2009/07/09 19:15:39 | 00,128,016 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
DRV - [2008/12/15 20:41:32 | 00,033,808 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg [Boot | Running])
DRV - [2009/07/09 19:15:39 | 00,296,976 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\DRIVERS\klif.sys -- (KLIF [System | Running])
DRV - [2009/05/13 17:46:52 | 00,031,760 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\DRIVERS\klim5.sys -- (klim5 [On_Demand | Running])
DRV - [2009/05/16 20:59:44 | 00,019,472 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\DRIVERS\klmouflt.sys -- (klmouflt [On_Demand | Running])
DRV - [2008/02/29 03:12:48 | 00,020,240 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\L8042Kbd.sys -- (L8042Kbd [On_Demand | Running])
DRV - [2004/04/26 16:09:52 | 00,054,657 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\L8042mou.Sys -- (L8042mou [On_Demand | Stopped])
DRV - [2008/02/29 03:13:16 | 00,035,344 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\LHidFilt.Sys -- (LHidFilt [On_Demand | Running])
DRV - [2004/04/26 16:09:24 | 00,024,605 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\LHidKE.Sys -- (LHidKe [On_Demand | Stopped])
DRV - [2004/04/26 16:10:00 | 00,038,081 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\Drivers\LHidUsbK.Sys -- (LHidUsbK [On_Demand | Stopped])
DRV - [2008/11/04 09:09:55 | 00,025,888 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\lirsgt.sys -- (lirsgt [Auto | Running])
DRV - [2008/02/29 03:13:24 | 00,036,880 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\LMouFilt.Sys -- (LMouFilt [On_Demand | Running])
DRV - [2004/04/26 16:09:42 | 00,071,405 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\DRIVERS\LMouKE.Sys -- (LMouKE [On_Demand | Stopped])
DRV - [2008/02/29 03:13:46 | 00,028,944 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\Drivers\LUsbFilt.Sys -- (LUsbFilt [On_Demand | Running])
DRV - [2007/12/24 22:52:50 | 00,028,352 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
DRV - [2008/11/12 14:54:00 | 06,188,320 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/09/26 03:00:00 | 00,174,530 | ---- | M] (OmniVision Technologies, Inc.) -- C:\WINDOWS\System32\Drivers\ov519vid.sys -- (ovt519 [On_Demand | Stopped])
DRV - [2001/08/23 14:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/08 01:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2009/02/25 19:55:00 | 00,009,088 | ---- | M] () -- C:\App\RivaTuner v2.24\RivaTuner32.sys -- (RivaTuner32 [On_Demand | Running])
DRV - [2001/08/23 14:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\RootMdm.sys -- (ROOTMODEM [On_Demand | Stopped])
DRV - [2007/04/03 12:57:42 | 00,083,336 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s116bus.sys -- (s116bus [On_Demand | Stopped])
DRV - [2007/04/03 12:57:48 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s116mdfl.sys -- (s116mdfl [On_Demand | Stopped])
DRV - [2007/04/03 12:57:48 | 00,108,680 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s116mdm.sys -- (s116mdm [On_Demand | Stopped])
DRV - [2007/04/03 12:57:50 | 00,100,488 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s116mgmt.sys -- (s116mgmt [On_Demand | Stopped])
DRV - [2007/04/03 12:57:52 | 00,023,176 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s116nd5.sys -- (s116nd5 [On_Demand | Stopped])
DRV - [2007/04/03 12:57:52 | 00,098,696 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s116obex.sys -- (s116obex [On_Demand | Stopped])
DRV - [2007/04/03 12:57:54 | 00,099,080 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s116unic.sys -- (s116unic [On_Demand | Stopped])
DRV - [2007/06/19 09:51:16 | 00,081,832 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s816bus.sys -- (s816bus [On_Demand | Stopped])
DRV - [2007/06/19 09:51:18 | 00,013,864 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s816mdfl.sys -- (s816mdfl [On_Demand | Stopped])
DRV - [2007/06/19 09:51:20 | 00,107,304 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s816mdm.sys -- (s816mdm [On_Demand | Stopped])
DRV - [2007/06/19 09:51:18 | 00,099,112 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s816mgmt.sys -- (s816mgmt [On_Demand | Stopped])
DRV - [2007/06/19 09:51:18 | 00,021,928 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s816nd5.sys -- (s816nd5 [On_Demand | Stopped])
DRV - [2007/06/19 09:51:18 | 00,097,320 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s816obex.sys -- (s816obex [On_Demand | Stopped])
DRV - [2007/06/19 09:51:18 | 00,097,704 | R--- | M] (MCCI) -- C:\WINDOWS\System32\DRIVERS\s816unic.sys -- (s816unic [On_Demand | Stopped])
DRV - [2009/05/28 15:32:24 | 00,108,032 | ---- | M] (tzuk) -- C:\App\Sandboxie\SbieDrv.sys -- (SbieDrv [On_Demand | Running])
DRV - [2007/11/13 12:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2003/12/01 04:54:20 | 00,043,136 | R--- | M] (Prolific Technology Inc.) -- C:\WINDOWS\System32\DRIVERS\ser2pl.sys -- (Ser2pl [On_Demand | Stopped])
DRV - [2009/06/21 11:06:45 | 00,721,904 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2008/01/23 23:25:32 | 00,027,136 | ---- | M] (The OpenVPN Project) -- C:\WINDOWS\System32\DRIVERS\tapvpn.sys -- (tapvpn [On_Demand | Stopped])
DRV - [2008/09/26 15:16:39 | 00,044,384 | ---- | M] (Acronis) -- C:\WINDOWS\System32\DRIVERS\tifsfilt.sys -- (tifsfilter [Auto | Running])
DRV - [2008/09/26 15:16:39 | 00,441,760 | ---- | M] (Acronis) -- C:\WINDOWS\System32\DRIVERS\timntr.sys -- (timounter [Disabled | Stopped])
DRV - [2004/08/04 09:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2008/02/12 03:42:38 | 00,232,472 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\Drivers\vmm.sys -- (vmm [System | Running])
DRV - [2008/02/05 01:50:44 | 00,059,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\VMNetSrv.sys -- (VPCNetS2 [On_Demand | Running])
DRV - [2006/11/22 17:01:00 | 00,250,496 | ---- | M] (Marvell) -- C:\WINDOWS\System32\DRIVERS\yk51x86.sys -- (yukonwxp [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
IE - HKU\S-1-5-21-796845957-1275210071-682003330-1003\S-1-5-21-796845957-1275210071-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-796845957-1275210071-682003330-1003\S-1-5-21-796845957-1275210071-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;<local>
IE - HKU\S-1-5-21-796845957-1275210071-682003330-1003\S-1-5-21-796845957-1275210071-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 82.5.185.111:7212

========== FireFox ==========

FF - prefs.js..browser.search.autosizerwizard: ""
FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1
FF - prefs.js..extensions.enabledItems: {987311C6-B504-4aa2-90BF-60CC49808D42}:2.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.4
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20090123.1
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.459
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2a}:1.3.6
FF - prefs.js..extensions.enabledItems: {FBF6D7FB-F305-4445-BB3D-FEF66579A033}:3.8
FF - prefs.js..extensions.enabledItems: qtl.co.il@gmail.com:13.9
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.6.2
FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.1.07102009
FF - prefs.js..extensions.enabledItems: splash@aldreneo.com:2.0.2
FF - prefs.js..extensions.enabledItems: {61D0D7AF-4FF6-476a-B68F-6531F613A6D8}:0.2.2
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.38
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.7.4pre.090516
FF - prefs.js..extensions.enabledItems: {239c61a8-e55f-11db-8314-0800200c9a66}:2.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1
FF - prefs.js..network.proxy.backup.ftp: "218.84.186.230"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "218.84.186.230"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "218.84.186.230"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "218.84.186.230"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "83.100.217.53"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "83.100.217.53"
FF - prefs.js..network.proxy.gopher_port: 80
FF - prefs.js..network.proxy.http: "83.100.217.53"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "83.100.217.53"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "83.100.217.53"
FF - prefs.js..network.proxy.ssl_port: 80

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\App\Mozilla Firefox\components [2009/07/24 14:17:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\App\Mozilla Firefox\plugins [2009/07/24 14:17:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\App\ESET\ESET Smart Security\Mozilla Thunderbird
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\THBExt [2009/06/25 00:13:12 | 00,000,000 | ---D | M]

[2008/06/22 09:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Extensions
[2008/06/22 09:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/24 19:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions
[2009/07/08 06:51:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2009/06/25 00:00:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}(2)
[2009/07/24 14:18:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{239c61a8-e55f-11db-8314-0800200c9a66}
[2009/03/24 19:03:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
[2008/07/09 09:27:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{47d1d620-5e5b-11da-8cd6-0800200c9a66}
[2009/07/01 16:31:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{55009080-176f-11da-8cd6-0800200c9a66}
[2008/06/22 11:22:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{61D0D7AF-4FF6-476a-B68F-6531F613A6D8}
[2009/06/11 22:07:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2008/06/22 11:22:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{8620c15f-30dc-4dba-a131-7c5d20cf4a29}
[2008/12/16 23:24:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
[2009/07/24 14:04:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2008/06/22 11:22:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{af79f858-4b25-4ca4-822b-b5db1be628fc}
[2009/07/15 06:48:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/07/24 14:17:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2009/07/01 16:31:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/02/24 15:31:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2008/06/22 11:22:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
[2009/06/03 18:45:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
[2008/10/25 13:59:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2008/06/22 11:22:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\browserstate@google.com
[2009/06/11 22:07:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\extensionlistdumper@sogame.cat
[2009/07/22 21:41:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\qtl.co.il@gmail.com
[2009/07/17 19:18:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\SkipScreen@SkipScreen
[2009/02/14 20:14:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\splash@aldreneo.com
[2008/09/06 03:18:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\tabsplitter@nathanhelton.helsoft
[2009/06/11 22:07:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\extensionlistdumper@sogame.cat
[2009/06/11 22:07:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\extensionlistdumper@sogame.cat\chrome
[2009/06/11 22:07:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\T\Application Data\mozilla\Firefox\Profiles\0zwfwcli.default\extensions\extensionlistdumper@sogame.cat\defaults
[2008/06/18 06:58:58 | 00,002,117 | ---- | M] () -- C:\Documents and Settings\T\Application Data\Mozilla\FireFox\Profiles\0zwfwcli.default\searchplugins\babylon.xml
[2009/07/03 15:34:00 | 00,001,157 | ---- | M] () -- C:\Documents and Settings\T\Application Data\Mozilla\FireFox\Profiles\0zwfwcli.default\searchplugins\freedict.xml
[2008/10/31 16:54:37 | 00,001,288 | ---- | M] () -- C:\Documents and Settings\T\Application Data\Mozilla\FireFox\Profiles\0zwfwcli.default\searchplugins\lastfm.xml
[2009/07/25 03:40:55 | 00,006,479 | ---- | M] () -- C:\Documents and Settings\T\Application Data\Mozilla\FireFox\Profiles\0zwfwcli.default\searchplugins\morfix-20.xml
[2008/06/01 00:37:00 | 00,001,312 | ---- | M] () -- C:\Documents and Settings\T\Application Data\Mozilla\FireFox\Profiles\0zwfwcli.default\searchplugins\wikipedia.xml
[2007/07/27 01:03:34 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2007/03/09 11:35:00 | 00,365,056 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npupd62.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O3 - HKU\S-1-5-21-796845957-1275210071-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.EXE (Logitech, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\App\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.EXE (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-796845957-1275210071-682003330-1003..\Run: [DAEMON Tools Lite] C:\App\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2008/09/30 12:56:33 | 00,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\T\Start Menu\Programs\Startup\Logitech Mouse and Keyboard Settings.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\T\Start Menu\Programs\Startup\Shortcut to RivaTuner.lnk = C:\App\RivaTuner v2.24\RivaTuner.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} http://callme.co.il/SIP/VaxSIPUserAgentCAB.cab (VaxSIPUserAgentCAB Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1237307026281 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1237307008265 (MUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\System32\klogon.dll (Kaspersky Lab)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll (Logitech, Inc.)
O24 - Desktop Components:0 () -
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - Reg Error: Key error. File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/12 23:06:30 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/06/18 09:41:17 | 00,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/07/25 19:13:33 | 44,169,636 | ---- | C] () -- C:\Documents and Settings\T\Desktop\Dark Light.rar
[2009/07/25 19:13:21 | 77,538,843 | ---- | C] () -- C:\Documents and Settings\T\Desktop\2005_-_Dark_Light.rar
[2009/07/25 17:32:27 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\T\Desktop\OTL.exe
[2009/07/25 17:21:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\T\Application Data\Malwarebytes
[2009/07/25 17:21:28 | 00,000,624 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/25 17:21:26 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/25 17:21:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/07/25 17:21:21 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/25 17:20:30 | 03,775,176 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\T\Desktop\mbam-setup.exe
[2009/07/25 15:13:33 | 00,286,208 | ---- | C] () -- C:\Documents and Settings\T\Desktop\gamer.exe
[2009/07/18 14:23:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\T\Application Data\My Battle for Middle-earth Files
[2009/07/16 20:24:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\T\My Documents\LOTR The Return of the King ™ Data
[2009/07/10 14:13:57 | 79,810,1856 | ---- | C] () -- C:\Documents and Settings\T\My Documents\OJ_J4500.iso
[2009/07/10 14:13:54 | 00,000,050 | ---- | C] () -- C:\Documents and Settings\T\My Documents\OJ_J4500.iso.toc
[2009/07/10 12:15:09 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\T\Desktop\HijackThis.exe
[2009/07/03 20:29:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\T\My Documents\DOK
[2009/07/02 16:51:55 | 00,043,812 | ---- | C] () -- C:\Documents and Settings\T\Desktop\the_sopranos_s02e13_-_funhouse.srt
[2009/07/02 16:51:32 | 00,055,981 | ---- | C] () -- C:\Documents and Settings\T\Desktop\the_sopranos_s02e12_-_knight_in_white_satin_armor.srt
[2009/07/02 16:51:09 | 00,051,673 | ---- | C] () -- C:\Documents and Settings\T\Desktop\the_sopranos_s02e11_-_house_arrest.srt
[2009/07/01 16:45:08 | 00,052,796 | ---- | C] () -- C:\Documents and Settings\T\Desktop\the_sopranos_s02e10_-_bust_out.srt
[2009/07/01 16:44:29 | 00,047,699 | ---- | C] () -- C:\Documents and Settings\T\Desktop\the_sopranos_s02e09_-_from_where_to_eternity.srt
[2009/06/29 18:37:12 | 43,881,2672 | ---- | C] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E10 - Bust-Out.avi
[2009/06/29 18:33:12 | 43,782,1440 | ---- | C] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E12 - The Knight in White Satin Armor.avi
[2009/06/29 18:22:12 | 45,428,1216 | ---- | C] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E13 - Funhouse.avi
[2009/06/29 18:05:12 | 35,352,7808 | ---- | C] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E09 - From Where to Eternity.avi
[2009/06/29 17:27:12 | 42,758,1440 | ---- | C] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E11 - House Arrest.avi
[2009/06/28 17:22:12 | 01,204,219 | ---- | C] () -- C:\Documents and Settings\T\Desktop\spacesniffer_1_1_0_0.zip
[2009/06/27 20:18:24 | 00,000,388 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/06/27 20:06:07 | 00,000,841 | ---- | C] () -- C:\Documents and Settings\T\Desktop\Spybot - Search & Destroy.lnk
[2009/06/27 18:15:16 | 30,813,9130 | ---- | C] () -- C:\Documents and Settings\T\Desktop\Srugim.S01E10.XviD-Nir-Mil-www.tvnetil.co.il.avi
[2009/02/04 18:59:36 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2009/01/15 14:34:15 | 00,100,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\VBoxDrv.sys
[2008/12/02 12:17:01 | 00,001,778 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2008/11/12 14:54:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/11/12 14:54:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/11/12 14:54:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/11/12 14:54:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/10/24 19:52:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\graphedit.INI
[2008/10/07 09:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/07/16 11:20:04 | 00,000,316 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/06/23 22:58:03 | 00,000,120 | ---- | C] () -- C:\WINDOWS\disney.ini
[2008/06/07 14:30:45 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/06/07 14:30:45 | 00,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/06/07 14:30:45 | 00,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/06/07 14:30:44 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/07 14:30:44 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/01/25 12:56:10 | 00,000,087 | ---- | C] () -- C:\WINDOWS\TDW.INI
[2007/11/05 16:31:47 | 00,279,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2007/11/05 16:31:47 | 00,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2007/11/05 16:14:00 | 00,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/11/01 14:53:22 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/09/23 16:03:20 | 00,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2007/09/05 19:00:56 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2007/08/26 16:25:55 | 00,000,315 | ---- | C] () -- C:\WINDOWS\doom3.ini
[2007/08/07 19:22:22 | 00,141,180 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2007/08/06 19:57:49 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/07/01 19:06:25 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2007/06/21 02:58:30 | 00,000,758 | ---- | C] () -- C:\WINDOWS\Sof2.INI
[2007/06/18 22:25:59 | 00,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/06/17 00:03:29 | 00,098,892 | ---- | C] () -- C:\WINDOWS\System32\PPPoEWin.sys
[2007/06/17 00:03:29 | 00,098,892 | ---- | C] () -- C:\WINDOWS\System32\drivers\PPPoEWin.sys
[2004/08/04 01:56:44 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2002/10/16 00:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2001/08/23 14:00:00 | 00,000,908 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 14:00:00 | 00,000,303 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
[1996/04/03 21:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/07/25 22:49:12 | 00,203,188 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/07/25 22:47:44 | 00,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/25 22:47:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/25 22:47:41 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/25 22:46:00 | 01,576,840 | -H-- | M] () -- C:\Documents and Settings\T\Local Settings\Application Data\IconCache.db
[2009/07/25 17:32:30 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\T\Desktop\OTL.exe
[2009/07/25 17:21:28 | 00,000,624 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/07/25 15:13:34 | 00,286,208 | ---- | M] () -- C:\Documents and Settings\T\Desktop\gamer.exe
[2009/07/25 04:05:08 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\T\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/24 19:32:13 | 00,000,555 | ---- | M] () -- C:\Documents and Settings\T\My Documents\My Sharing Folders.lnk
[2009/07/24 14:42:36 | 00,001,778 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2009/07/20 23:01:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/07/14 06:47:14 | 00,288,048 | ---- | M] (BitTorrent, Inc.) -- C:\utorrent.exe
[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/07/10 14:16:07 | 79,810,1856 | ---- | M] () -- C:\Documents and Settings\T\My Documents\OJ_J4500.iso
[2009/07/10 14:13:56 | 00,000,050 | ---- | M] () -- C:\Documents and Settings\T\My Documents\OJ_J4500.iso.toc
[2009/07/09 19:15:39 | 00,296,976 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/07/09 19:15:39 | 00,128,016 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\kl1.sys
[2009/07/01 23:12:24 | 00,000,908 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/01 23:12:24 | 00,000,303 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2009/07/01 23:12:24 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/06/30 11:34:13 | 45,428,1216 | ---- | M] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E13 - Funhouse.avi
[2009/06/30 11:34:10 | 43,782,1440 | ---- | M] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E12 - The Knight in White Satin Armor.avi
[2009/06/30 11:34:06 | 43,881,2672 | ---- | M] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E10 - Bust-Out.avi
[2009/06/30 11:13:12 | 42,758,1440 | ---- | M] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E11 - House Arrest.avi
[2009/06/30 10:51:33 | 35,352,7808 | ---- | M] () -- C:\Documents and Settings\T\Desktop\The Sopranos - S02E09 - From Where to Eternity.avi
[2009/06/27 21:49:52 | 00,000,388 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/06/27 20:06:07 | 00,000,841 | ---- | M] () -- C:\Documents and Settings\T\Desktop\Spybot - Search & Destroy.lnk
[2009/06/26 20:31:39 | 01,204,219 | ---- | M] () -- C:\Documents and Settings\T\Desktop\spacesniffer_1_1_0_0.zip
[2009/06/26 20:02:27 | 00,001,436 | ---- | M] () -- C:\Documents and Settings\T\Desktop\CCleaner.lnk
< End of report >



Extras.txt:

OTL Extras logfile created on: 7/25/2009 22:51:05 - Run 1
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\T\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.66% Memory free
3.84 Gb Paging File | 3.49 Gb Available in Paging File | 90.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 68.40 Gb Free Space | 22.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: T
Current User Name: T
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.js [@ = SubtitleWorkshop] -- C:\App\URUSoft\Subtitle Workshop\SubtitleWorkshop.exe ()

[HKEY_USERS\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\App\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"8767:TCP" = 8767:TCP:*:Enabled:Teamspeak
"8767:UDP" = 8767:UDP:*:Enabled:TeamSpeak
"3306:TCP" = 3306:TCP:*:Enabled:WOW
"3306:UDP" = 3306:UDP:*:Enabled:WOW
"3724:TCP" = 3724:TCP:*:Enabled:WOW2
"3724:UDP" = 3724:UDP:*:Enabled:Wow2
"57976:TCP" = 57976:TCP:*:Enabled:Pando Media Booster
"57976:UDP" = 57976:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- File not found
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- File not found
"C:\App\BPFTP Server\bpftpserver.exe" = C:\App\BPFTP Server\bpftpserver.exe:*:Enabled:BulletProof FTP Server (http://www.bpftpserver.com) -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\utorrent.exe" = C:\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Games\Unreal Tournament 3\Binaries\UT3.exe" = C:\Games\Unreal Tournament 3\Binaries\UT3.exe:*:Enabled:Unreal Tournament 3 -- ()
"C:\App\IVT Corporation\BlueSoleil\BlueSoleil_.exe" = C:\App\IVT Corporation\BlueSoleil\BlueSoleil_.exe:*:Enabled:BlueSoleil -- File not found
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- File not found
"C:\App\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe" = C:\App\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.2 -- (Sony Creative Software Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{14574B7F-75D1-4718-B7F2-EBF6E2862A35}" = Company of Heroes - FAKEMSI
"{14C87AA7-08E6-419F-A165-998EBE5023D7}" = Oblivion - Knights of the Nine
"{152B782A-05F3-48EC-9AAC-4D3EB68D9E20}" = Quake 4™
"{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
"{16D919E6-F019-4E15-BFBE-4A85EF19DA57}" = Oblivion - Spell Tomes
"{199E6632-EB28-4F73-AECB-3E192EB92D18}" = Company of Heroes - FAKEMSI
"{20DEB77C-21D6-4D22-BB47-233E47613D57}" = Microsoft Games for Windows - LIVE Redistributable
"{21A127AE-2DAF-40B7-8374-34C3E629521C}" = Far Cry (Patch 1.3)
"{25724802-CC14-4B90-9F3B-3D6955EE27B1}" = Company of Heroes - FAKEMSI
"{259A8A5E-2886-4BED-9EF1-D5485282CCC3}" = Overlord
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2F2E3D62-8B8C-448F-8900-451325E50948}" = Oblivion - Wizard's Tower
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 4.010.00
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}" = Company of Heroes - FAKEMSI
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3C662203-292F-4E9D-AE02-281071C06903}" = Far Cry (Patch 1.33)
"{3E7940A4-495B-4DC5-B5C9-D2EE1DE9E5EF}" = Call of Juarez
"{3F290582-3F4E-4B96-009C-E0BABAA40C42}" = The Battle for Middle-earth ™
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{50193078-F553-4EBA-AA77-64C9FAA12F98}" = Company of Heroes - FAKEMSI
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{51D718D1-DA81-4FAD-919F-5C1CE3C33379}" = Company of Heroes - FAKEMSI
"{5A8892A3-36BB-411E-85AA-6AEA544D028B}" = Far Cry (Patch 1.4)
"{66F78C51-D108-4F0C-A93C-1CBE74CE338F}" = Company of Heroes - FAKEMSI
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B2C675E-8040-431B-99C4-137DF4FBF75A}" = Thermal Analysis Tool
"{6D316D67-DA52-4659-9C98-F479963534D6}" = Audiosurf
"{6E298B0A-558C-4138-0096-740677B382CD}" = LOTR The Return of the King tm
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06
"{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}" = Company of Heroes - FAKEMSI
"{80D03817-7943-4839-8E96-B9F924C5E67D}" = Company of Heroes - FAKEMSI
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{97257926-3443-4DB5-93CF-2B3ADAD581CC}" = World Community Grid - BOINC Agent
"{97E5205F-EA4F-438F-B211-F1846419F1C1}" = Company of Heroes - FAKEMSI
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{99A40651-0BC2-4095-8F9A-A40FAB224FEF}" = PC Connectivity Solution
"{99A7722D-9ACB-43F3-A222-ABC7133F159E}" = Company of Heroes - FAKEMSI
"{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"{9EB1504E-FD95-4BCD-8E93-B4039F59C469}" = Sony Ericsson Media Manager 1.2
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8DE8C34-7F51-4cc8-B326-C425793EE741}" = The Chronicles of Riddick: Escape From Butcher Bay
"{AC54E544-3E42-443C-A91D-A00A6974C592}" = NVIDIA PhysX v8.10.13
"{AD483998-2E9A-4405-83FF-6E503AF49CBB}" = Microsoft Virtual PC 2007 SP1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BA801B94-C28D-46EE-B806-E1E021A3D519}" = Company of Heroes - FAKEMSI
"{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"{C93E361C-88DE-477B-BB94-AAB8BF52B209}" = Soldier of Fortune 2 - Game Launcher & Minimizer
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D4D244D1-05E0-4D24-86A2-B2433C435671}" = Company of Heroes - FAKEMSI
"{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry
"{D792A069-B96B-40BA-BCB4-E5651A6E5926}" = Far Cry (Patch 1)
"{E43ED0A0-C85E-40F0-807C-6A8A9D2FAEF3}_is1" = King's Bounty. The Legend (Remove Only)
"{E4406ED3-B04C-44F1-ABB4-08775B74934F}" = Call Of Cthulhu DCoTE
"{EAF636A9-F664-4703-A659-85A894DA264F}" = Company of Heroes - FAKEMSI
"{EE8592F6-FC2B-4AFD-B527-109D127C039F}" = Far Cry (Patch 1.31)
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}" = The Witcher Enhanced Edition
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"0C5EDC3653FED5B121F464339EAC12534D253B25" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"24894EA20BE8E62AA4FC3DD3AA85785356B52BF5" = Windows Driver Package - Nokia Modem (08/08/2007 3.3)
"4077F884D1BB007055BDB83B621D87220A73F30F" = Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"B726756F5B5A5AA9D798B399386FC6205A45F19E" = Windows Driver Package - Nokia Modem (02/15/2007 3.1)
"BTmod" = Oblivion - BTmod 2.20
"CCleaner" = CCleaner (remove only)
"CD8424B9400BFF7D34AA18F816C71322AC4BDAA7" = Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
"Company of Heroes" = Company of Heroes
"Dungeon Keeper 2" = Dungeon Keeper 2
"eMusic Promotion" = eMusic - 50 Free MP3 offer
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Reader" = Foxit Reader
"Guild Wars" = Guild Wars
"Heroes of Might and Magic® III" = Heroes of Might and Magic® III Complete
"HijackThis" = HijackThis 2.0.2
"Hoyle Card Games 3" = Hoyle Card Games 3
"InfraRecorder" = InfraRecorder
"InstallShield_{152B782A-05F3-48EC-9AAC-4D3EB68D9E20}" = Quake 4™
"InstallShield_{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
"InstallShield_{3E7940A4-495B-4DC5-B5C9-D2EE1DE9E5EF}" = Call of Juarez
"InstallShield_{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry
"InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.9.5 (Full)
"LastFM_is1" = Last.fm 1.5.4.24567
"Launchy_21344213_is1" = Launchy 2.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Mozilla Firefox (3.5.1)" = Mozilla Firefox (3.5.1)
"Mp3tag" = Mp3tag v2.43
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"Painkiller Black Edition" = Painkiller Black Edition
"RivaTuner" = RivaTuner v2.24
"Sandboxie" = Sandboxie 3.38
"Soldier of Fortune II - Double Helix" = Soldier of Fortune II - Double Helix
"SubtitleWorkshop" = Subtitle Workshop 2.51
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"The Ur-Quan Masters" = The Ur-Quan Masters 0.6.2
"Tibia_is1" = Tibia
"Update Service" = Update Service
"VGA USB Camera" = VGA USB Camera
"VobSub" = VobSub v2.23 (Remove Only)
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-796845957-1275210071-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"World of Warcraft Trial" = World of Warcraft Trial

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/25/2009 11:52:22 | Computer Name = T | Source = Userenv | ID = 1502
Description = Windows cannot load the locally stored profile. Possible causes of
this error include insufficient security rights or a corrupt local profile. If
this problem persists, contact your network administrator. DETAIL - The process
cannot access the file because it is being used by another process.

Error - 6/25/2009 11:52:22 | Computer Name = T | Source = Userenv | ID = 1515
Description = Windows has backed up this user's profile. Windows will automatically
try to use the backed up profile the next time this user logs on.

Error - 6/25/2009 11:52:24 | Computer Name = T | Source = Userenv | ID = 1511
Description = Windows cannot find the local profile and is logging you on with a
temporary profile. Changes you make to this profile will be lost when you log off.

Error - 6/27/2009 16:54:25 | Computer Name = T | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 6/28/2009 16:46:21 | Computer Name = T | Source = Application Error | ID = 1000
Description = Faulting application spybotsd.exe, version 1.6.2.46, faulting module
spybotsd.exe, version 1.6.2.46, fault address 0x000049ee.

Error - 7/3/2009 07:48:29 | Computer Name = T | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 7/8/2009 12:50:55 | Computer Name = T | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 7/23/2009 16:32:22 | Computer Name = T | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module kernel32.dll, version 5.1.2600.3119, fault address 0x00009db2.

Error - 7/23/2009 16:32:31 | Computer Name = T | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 7/23/2009 16:33:28 | Computer Name = T | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module kernel32.dll, version 5.1.2600.3119, fault address 0x00009db2.

[ System Events ]
Error - 7/17/2009 04:35:31 | Computer Name = T | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 7/17/2009 04:35:58 | Computer Name = T | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service upnphost with
arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 7/17/2009 04:35:58 | Computer Name = T | Source = ipnathlp | ID = 30013
Description = The DHCP allocator has disabled itself on IP address 10.0.0.1, since
the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses
are being allocated to DHCP clients. To enable the DHCP allocator on this IP address,
please
change the scope to include the IP address, or change the IP address to fall within
the scope.

Error - 7/17/2009 04:35:59 | Computer Name = T | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service upnphost with
arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 7/17/2009 05:57:57 | Computer Name = T | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service upnphost with
arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 7/17/2009 05:57:57 | Computer Name = T | Source = ipnathlp | ID = 30013
Description = The DHCP allocator has disabled itself on IP address 10.0.0.1, since
the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses
are being allocated to DHCP clients. To enable the DHCP allocator on this IP address,
please
change the scope to include the IP address, or change the IP address to fall within
the scope.

Error - 7/17/2009 05:57:57 | Computer Name = T | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service upnphost with
arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Error - 7/17/2009 05:57:58 | Computer Name = T | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 7/17/2009 05:57:58 | Computer Name = T | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 7/17/2009 05:57:58 | Computer Name = T | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.


< End of report >

Edited by Joony, 25 July 2009 - 03:02 PM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:37 AM

Posted 25 July 2009 - 03:14 PM

Hi Joony,

You're welcome, for the help.

The problems that you are experiencing may well be due to the P2P programs that are visible in your logs.

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case uTorrent and BitTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Back to the fix

MBAM has detected quite a bit of nasty malware which may return so we need to try something a bit more powerful (and permanent) :thumbup2:

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :)
Posted Image
m0le is a proud member of UNITE

#8 Joony

Joony
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 26 July 2009 - 10:23 AM

That's wired, my desktop image have been changed after running ComboFix, is this normal?
And, ComboFix haven't asked my to download Recovery Console

The log:
ComboFix 09-07-25.06 - T 07/26/2009 18:02.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.2046.1522 [GMT 2:00]
Running from: c:\documents and settings\T\Desktop\Combo-Fix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\99849206.ini
c:\documents and settings\All Users\Documents\Monolith Productions\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Custom\AdditionalContent\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Custom\CompressedArch\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Custom\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Custom\DownloadedContent\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\pb\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Profiles\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Checkpoint\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Checkpoint\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\QuickSave\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\QuickSave\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Reload\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Reload\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Slot01\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Slot01\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Slot02\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Slot02\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\Save\Profile000\SinglePlayer\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\Monolith Productions\FEAR\ServerOptions\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\My Playlists\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sample Music\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sample Playlists\002E87FC\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sample Playlists\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sync Playlists\002E880C\Desktop_.ini
c:\documents and settings\All Users\Documents\My Music\Sync Playlists\Desktop_.ini
c:\documents and settings\All Users\Documents\My Pictures\Desktop_.ini
c:\documents and settings\All Users\Documents\My Pictures\Sample Pictures\Desktop_.ini
c:\documents and settings\All Users\Documents\My Videos\Desktop_.ini
c:\documents and settings\All Users\Documents\The Club Game Save Data\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Profiles\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Profile000\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Profile000\SinglePlayer\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Profile000\SinglePlayer\QuickSave\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Profile000\SinglePlayer\QuickSave\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Profile000\SinglePlayer\Reload\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Profile000\SinglePlayer\Reload\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\Save\Profile000\SinglePlayer\Working\Desktop_.ini
c:\documents and settings\All Users\Documents\TimeGate Studios\FEARXP\ServerOptions\Desktop_.ini
c:\program files\INSTALL.LOG
c:\program files\sys
c:\windows\dll
c:\windows\Installer\1caa960.msp
c:\windows\Installer\1caa961.msp
c:\windows\Installer\1caa962.msp
c:\windows\Installer\1caa963.msp
c:\windows\Installer\1caa964.msp
c:\windows\Installer\1caa965.msp
c:\windows\Installer\1caa966.msp
c:\windows\Installer\1caa967.msp
c:\windows\Installer\1caa968.msp
c:\windows\Installer\fae3b8.msi
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security 2009 Support.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security 2009.lnk

.
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 15:21 . 2009-07-25 15:21 -------- d-----w- c:\documents and settings\T\Application Data\Malwarebytes
2009-07-25 15:21 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-25 15:21 . 2009-07-25 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-25 15:21 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-18 12:23 . 2009-07-20 16:52 -------- d-----w- c:\documents and settings\T\Application Data\My Battle for Middle-earth Files
2009-07-09 17:15 . 2009-07-09 17:15 296976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\5.1\klif.sys
2009-07-09 17:15 . 2009-07-09 17:15 128016 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2009-07-09 17:15 . 2009-07-09 17:15 128016 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2009-07-09 17:15 . 2009-07-09 17:15 296976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\5.1\klif.sys
2009-07-01 14:45 . 2009-07-01 14:45 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0003.dat.com
2009-06-28 14:46 . 2009-06-28 14:46 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-06-28 14:46 . 2009-06-28 14:46 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-06-28 14:46 . 2009-06-28 14:46 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-06-28 14:46 . 2009-06-28 14:46 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-06-28 14:46 . 2009-06-28 14:46 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 16:12 . 2009-06-24 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-26 15:58 . 2007-06-17 18:32 -------- d-----w- c:\documents and settings\T\Application Data\uTorrent
2009-07-19 19:42 . 2007-12-29 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-17 09:55 . 2009-02-07 18:29 -------- d-----w- c:\program files\Lavasoft
2009-07-15 16:43 . 2007-10-19 16:40 -------- d-----w- c:\documents and settings\T\Application Data\Winamp
2009-07-14 04:47 . 2007-06-17 18:32 288048 ----a-w- C:\utorrent.exe
2009-07-09 17:15 . 2009-05-24 13:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-07-06 21:26 . 2009-06-24 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\99849206
2009-06-27 20:54 . 2007-09-20 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-24 22:16 . 2009-06-24 22:16 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-06-24 22:13 . 2009-06-24 22:13 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-24 22:13 . 2009-06-24 22:13 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-24 22:12 . 2009-06-24 22:12 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-24 22:12 . 2008-10-31 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-24 21:59 . 2009-02-22 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-06-24 19:38 . 2007-06-20 00:19 -------- d-----w- c:\documents and settings\T\Application Data\U3
2009-06-22 10:00 . 2009-04-18 16:43 -------- d-----w- c:\documents and settings\T\Application Data\DAEMON Tools Lite
2009-06-22 09:59 . 2009-06-22 09:59 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-21 09:06 . 2007-06-18 20:25 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-18 19:36 . 2007-12-29 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-11 20:07 . 2009-06-11 20:07 120832 ----a-w- c:\documents and settings\T\Application Data\Mozilla\Firefox\Profiles\0zwfwcli.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-04 16:00 . 2009-06-04 16:00 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.459\English\setup.exe
2009-05-31 08:21 . 2008-08-11 13:13 -------- d-----w- c:\documents and settings\T\Application Data\Tibia
2009-05-25 03:21 . 2009-05-25 03:21 219664 ----a-w- c:\windows\system32\klogon.dll
2009-05-25 03:18 . 2009-05-25 03:18 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-05-16 18:59 . 2009-05-16 18:59 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-05-13 15:46 . 2009-05-13 15:46 31760 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-05-03 16:12 . 2007-06-19 07:50 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"DAEMON Tools Lite"="c:\app\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]
"QuickTime Task"="c:\app\QuickTime\qttask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-11-12 1630208]

c:\documents and settings\T\Start Menu\Programs\Startup\
Logitech Mouse and Keyboard Settings.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-10 805392]
Shortcut to RivaTuner.lnk - c:\app\RivaTuner v2.24\RivaTuner.exe [2009-2-25 2781184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-6-24 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2007-03-15 16:17 183808 ----a-w- c:\windows\system32\WgaLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^T^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\T\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\utorrent.exe"=
"c:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\App\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8767:TCP"= 8767:TCP:Teamspeak
"8767:UDP"= 8767:UDP:TeamSpeak
"3306:TCP"= 3306:TCP:WOW
"3306:UDP"= 3306:UDP:WOW
"3724:TCP"= 3724:TCP:WOW2
"3724:UDP"= 3724:UDP:Wow2
"57976:TCP"= 57976:TCP:Pando Media Booster
"57976:UDP"= 57976:UDP:Pando Media Booster

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 20:41 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 17:46 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 20:59 19472]
R3 SbieDrv;SbieDrv;c:\app\Sandboxie\SbieDrv.sys [5/28/2009 15:32 108032]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\everestultimate_build_1043_xvwplkj3lms\kerneld.wnt [6/19/2007 01:35 20856]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [6/24/2009 20:46 13224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [3/14/2008 11:17 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [3/14/2008 11:17 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [3/14/2008 11:17 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [3/14/2008 11:17 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [3/14/2008 11:31 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [3/14/2008 11:17 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [3/14/2008 11:30 97704]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.il/
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = 82.5.185.111:7212
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {1F368DBB-20A5-42CA-8E95-081E39D933D8} = 192.168.0.1,192.169.0.1
TCP: {FBA140B0-E390-4DEA-8840-5BCBDE8CA70A} = 192.115.106.35,62.219.186.7
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} - hxxp://callme.co.il/SIP/VaxSIPUserAgentCAB.cab
FF - ProfilePath - c:\documents and settings\T\Application Data\Mozilla\Firefox\Profiles\0zwfwcli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\app\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\app\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\app\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\app\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\app\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\app\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\app\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\app\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\app\QuickTime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
c:\app\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\app\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\app\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\app\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\app\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\app\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\app\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\app\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\app\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\app\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\app\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\app\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\app\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\app\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\app\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\app\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\app\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\app\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\app\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\app\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 18:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\everestultimate_build_1043_xvwplkj3lms\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1275210071-682003330-1003\RemoteAccess\Profile\x *]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014

[HKEY_USERS\S-1-5-21-796845957-1275210071-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e7,d1,cc,7d,1c,b2,70,04,59,87,c5,91,8d,06,73,52,b1,92,e8,32,50,70,f0,
82,fc,88,3d,b7,72,50,16,b5,5e,48,59,0c,b2,13,5c,a7,15,24,9f,a5,fe,ac,5b,61,\
"??"=hex:91,c3,b0,4c,81,37,c1,12,83,70,98,45,fc,0e,e5,29

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1128)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1292)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\apps\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\app\Sandboxie\SbieSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-07-26 18:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 16:14

Pre-Run: 73,643,094,016 bytes free
Post-Run: 73,662,468,096 bytes free

325 --- E O F --- 2008-09-11 01:02

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:37 AM

Posted 26 July 2009 - 07:07 PM

Hi Joony,

Yes, Combofix does remove the desktop when run sometimes. I can't discuss the tool's actions though.

The log itself is clean so that's a good start. How is the PC now?

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#10 Joony

Joony
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 27 July 2009 - 03:31 PM

Thanks again!

Well my computer is still somewhat slow, but I guess that now it has nothing to do with viruses and stuff like that

MBAM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2511
Windows 5.1.2600 Service Pack 2

7/27/2009 21:00:38
mbam-log-2009-07-27 (21-00-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 213991
Time elapsed: 1 hour(s), 43 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The ESET have found no threats and therefore the is no List of Found Threads

I've added a screen shot

Attached Files



#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:37 AM

Posted 27 July 2009 - 03:52 PM

Well, that's a clean log :thumbup2: .

I recommend that you read this tutorial on the site which explains what you can do to speed up your PC.

I would also recommend that you take a look at this tool, StartupLite.

Please download StartupLite. to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.

Meanwhile...

Good stuff! :)

Let's do some housekeeping

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Posted Image
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


I recommend that you download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it Joony, happy surfing!

Cheers,


m0le
Posted Image
m0le is a proud member of UNITE

#12 Joony

Joony
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:37 AM

Posted 29 July 2009 - 09:29 AM

:thumbup2:

Thanks a lot m0le!
You have saved me!

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:37 AM

Posted 29 July 2009 - 12:46 PM

Glad I could help Joony :thumbup2:
Posted Image
m0le is a proud member of UNITE

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:37 AM

Posted 01 August 2009 - 04:02 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users