
Infected with Win32/Rootkit.Agent.ODG trojan and Win32/Olmarik.JU trojan


  • This topic is locked
20 replies to this topic

#1 high_octane

high_octane

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:10:55 PM

Posted 18 August 2009 - 01:30 PM

My computer has been infected with Win32/Rootkit.Agent.ODG trojan and Win32/Olmarik.JU trojan. AVG, ESET NOD32, and Avira couldn't delete it, and I want to delete it. It redirects all Google searches and slows down my computer. Can you please help me? Thanks in advance to anyone who can help.
Here is the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:51 PM, on 18/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] "Ati2mdxx.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] "C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunServices: [CPQDFWAG] "C:\WINDOWS\Cpqdiag\CpqDfwAg.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster 2009\launcher.exe" delay 20000
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3867072624-390493748-37123352-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ZAFFRegisterTrustChecker] "C:\WINDOWS\system32\regsvr32.exe" -s "C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustChecker.dll" (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EMP_UDSA - SEIKO EPSON CORPORATION - C:\Program Files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 16429 bytes

Edited by high_octane, 18 August 2009 - 01:34 PM.
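A practitioner reading a HijackThis log like the one above usually triages it before going line by line: which registered components point at files that no longer exist, which browser hooks and toolbars carry no name, which O4 autostarts use a bare filename that Windows resolves through its search path rather than a full path, and which services report no vendor. The Python script below is an added example written for this page; it is not part of the thread and is not HijackThis or DDS code. The sample lines are copied verbatim from the log above; the four flags and their names (orphan, unnamed, unqualified-path, unknown-owner) are this example's own heuristics, not categories HijackThis defines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dogpile.com/
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] "AGRSMMSG.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Either a double-quoted program path, or an unquoted one ending in a binary extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|cpl))(?=\s|$)', re.IGNORECASE)
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")


@dataclass
class HjtEntry:
    code: str                     # HijackThis section code: R0, O2, O4, O23, ...
    name: str                     # display name, Run value name, or service name
    path: str                     # file path, "(no file)", or the registry data
    clsid: Optional[str] = None   # COM class id when the entry carries one
    vendor: Optional[str] = None  # O23 only: the vendor string HijackThis prints


def _program_path(command: str) -> str:
    """Return just the executable from an O4 command line, dropping its arguments."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def _clsid_entry(code: str, body: str) -> HjtEntry:
    """Parse 'Kind: name - {clsid} - file' entries (R3, O2, O3, O9, O18, ...)."""
    parts = body.split(" - ")
    name = parts[0].split(": ", 1)[-1]
    m = CLSID_RE.search(body)
    path = parts[-1] if len(parts) > 1 else ""
    return HjtEntry(code, name, path, clsid=m.group(0) if m else None)


def parse_hjt(text: str) -> List[HjtEntry]:
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, running-process list, blank line
        code, body = m.groups()
        if code == "O4":
            # O4 - <hive>\..\Run: [ValueName] <command line>
            m4 = O4_RE.match(body)
            if m4:
                entries.append(HjtEntry(code, m4.group(2), _program_path(m4.group(3))))
        elif code == "O23":
            # O23 - Service: <name> - <vendor> - <path>; the name itself may contain " - "
            parts = body.split(" - ")
            if len(parts) >= 3:
                name, vendor, path = " - ".join(parts[:-2]), parts[-2], parts[-1]
            else:
                name, vendor, path = parts[0], None, parts[-1]
            entries.append(HjtEntry(code, name.split(": ", 1)[-1], path, vendor=vendor))
        elif code.startswith("R") and " = " in body:
            # R0/R1 - <registry value> = <data>
            key, value = body.split(" = ", 1)
            entries.append(HjtEntry(code, key, value))
        else:
            entries.append(_clsid_entry(code, body))
    return entries


# The flags below are this example's own heuristics, not HijackThis categories.
def triage(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        if e.path == "(no file)":
            # Registered component whose file is gone: usually an uninstall
            # leftover, but also what a removed payload leaves in the registry.
            findings.append((e.code, e.name, "orphan"))
        if e.name == "(no name)":
            findings.append((e.code, e.name, "unnamed"))
        if e.code == "O4" and "\\" not in e.path:
            # Bare filename: resolved through the search path at logon, so which
            # binary actually runs depends on directory order, not on the key.
            findings.append((e.code, e.name, "unqualified-path"))
        if e.code == "O23" and e.vendor == "Unknown owner":
            findings.append((e.code, e.name, "unknown-owner"))
    return findings


def flag_counts(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, _, flag in findings:
        counts[flag] = counts.get(flag, 0) + 1
    return counts


if __name__ == "__main__":
    for code, name, flag in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{flag:17} {code:4} {name}")
```

A flag is a prompt for a closer look, not a verdict: an entry whose file is gone is most often an uninstall leftover, and a vendor-less service may simply lack version information. The value of the pass is that it shrinks a 200-line log to the handful of entries a person then cross-checks against the running-process section and the vendor of each binary.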




#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:55 PM

Posted 24 August 2009 - 10:46 PM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks, and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 high_octane

high_octane
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:10:55 PM

Posted 25 August 2009 - 12:40 AM

Here is the DDS log that you wanted.
Btw, thanks for helping me :thumbup2:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 1:31:41.79 on 25/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.354 [GMT -4:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MailFrontier\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.dogpile.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: ForceField Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: WinAVI FLVSense: {e8df67a1-b618-4f3f-9e7c-cbe175adef5b} - c:\program files\winavi flv converter\FLVTune.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: ForceField Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /SYNC
mRun: [PHIME2002A] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /IMEName
mRun: [AGRSMMSG] "AGRSMMSG.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [ATIModeChange] "Ati2mdxx.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ChkAdmin] "c:\progra~1\compaq\compaq~1\CHKADMIN.EXE"
mRun: [eabconfg.cpl] "c:\program files\hpq\quick launch buttons\EabServr.exe" /Start
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [NeroFilterCheck] "c:\program files\common files\nero\lib\NeroCheck.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunServices: [CPQDFWAG] "c:\windows\cpqdiag\CpqDfwAg.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [ZAFFRegisterTrustChecker] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustChecker.dll"
dRunOnce: [ZAFFRegisterTrustCheckerIE] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\windows search.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Download FLV by WinAVI... - c:\program files\winavi flv converter\flv_link.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\winavi flv converter\FLVTune.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\opjqsme5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
FF - component: c:\documents and settings\administrator\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2009-1-2 149376]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2009-8-11 97608]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-11 11608]
R1 ClntMgmt;HP Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [2007-11-2 55336]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-4-9 94360]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-9 353672]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\avira\antivir desktop\avfwsvc.exe [2009-8-11 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2009-8-11 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-11 185089]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2009-8-11 434945]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-11 55656]
R2 cpqWebDmi;Insight Web Agent;c:\progra~1\compaq\compaq~1\cpqweb~1\WebDmi.exe [2007-11-2 24576]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 EMP_UDSA;EMP_UDSA;c:\program files\epson projector\epson usb display v1.4\EMP_UDSA.exe [2009-4-6 94208]
R2 ISWKL;ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-2-12 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-2-12 394632]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-7-13 604416]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-7-14 598856]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2009-8-11 69632]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2007-11-2 182101]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [2009-4-6 17664]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-2-12 54928]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2007-11-2 5689]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-4-13 107520]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;c:\windows\system32\drivers\ar5211.sys [2007-11-2 322560]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-10 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-10 29208]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-12-28 1527900]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-1-3 544768]

=============== Created Last 30 ================

2009-08-21 00:59 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Search
2009-08-19 14:31 <DIR> --d----- c:\program files\SpywareBlaster
2009-08-18 14:28 <DIR> --d----- c:\program files\Trend Micro
2009-08-18 02:01 <DIR> --d----- c:\docume~1\admini~1\applic~1\Uniblue
2009-08-18 01:55 <DIR> --d----- c:\program files\Uniblue
2009-08-17 00:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-17 00:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-16 22:52 <DIR> --d----- c:\program files\Enigma Software Group
2009-08-12 15:25 <DIR> --d----- c:\windows\system32\URTTEMP
2009-08-12 15:17 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Desktop Search
2009-08-12 15:14 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-08-12 15:14 <DIR> --d----- c:\program files\Windows Desktop Search
2009-08-12 15:14 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-08-12 15:14 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-08-12 15:14 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-08-12 15:13 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:12 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 15:12 58,880 -c------ c:\windows\system32\dllcache\atl.dll
2009-08-12 15:12 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 15:11 132,096 -c------ c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 15:11 84,992 -c------ c:\windows\system32\dllcache\avifil32.dll
2009-08-12 15:10 136,192 -c------ c:\windows\system32\dllcache\msv1_0.dll
2009-08-12 15:10 92,928 -c------ c:\windows\system32\dllcache\ksecdd.sys
2009-08-12 15:10 54,272 -c------ c:\windows\system32\dllcache\wdigest.dll
2009-08-12 15:10 301,568 -c------ c:\windows\system32\dllcache\kerberos.dll
2009-08-12 15:10 80,896 -c------ c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 15:10 76,288 -c------ c:\windows\system32\dllcache\telnet.exe
2009-08-12 00:39 <DIR> --d----- c:\program files\Sony Setup
2009-08-11 11:41 <DIR> --d----- c:\docume~1\admini~1\applic~1\Avira
2009-08-11 11:32 97,608 a------- c:\windows\system32\drivers\avfwot.sys
2009-08-11 11:32 69,632 a------- c:\windows\system32\drivers\avfwim.sys
2009-08-11 11:32 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-11 11:31 <DIR> --d----- c:\program files\Avira
2009-08-11 11:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-11 00:00 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVGTOOLBAR
2009-08-10 23:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-10 23:37 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-08-10 23:37 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-08-07 12:53 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-06 17:32 <DIR> --d----- C:\c85e5d217ecb3e3394
2009-08-06 12:00 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-05 19:28 <DIR> --d----- c:\program files\ESET
2009-08-05 17:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-05 12:37 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-05 12:37 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-05 12:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 12:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-14 17:55 2,328,704 a------- c:\windows\system32\TUKernel.exe
2009-07-13 23:51 604,416 a------- c:\windows\system32\TUProgSt.exe
2009-07-13 23:51 361,216 a------- c:\windows\system32\TuneUpDefragService.exe
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 16:53 4,212 a---hr-- c:\windows\system32\zllictbl.dat
2009-07-11 02:03 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-11 02:00 418,480 a------- c:\windows\system32\wrap_oal.dll
2009-07-11 02:00 115,432 a------- c:\windows\system32\OpenAL32.dll
2009-07-04 01:32 82,564 a---h--- c:\windows\system32\mlfcache.dat
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 00:31 30,208 a------- c:\windows\x32dott.exe
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-01-09 18:37 1,214,776 a------- c:\program files\7-Zip.rar
2008-03-31 16:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2008-03-31 16:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-06-26 16:55 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062620080627\index.dat

============= FINISH: 1:34:27.72 ===============
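The DDS log above ends with the three sections an analyst reads first: SERVICES / DRIVERS (what starts at boot and whether it is running), Created Last 30 and Find3M (what changed recently). As an added example, written for this page rather than taken from the thread or from DDS, the Python below parses those sections and answers two triage questions: which security product families currently have running services (the overlap the helper later asks the poster to remove), and which executables sit directly in the Windows directory or a drive root rather than in System32 or Program Files. The sample lines are copied from the log above; the vendor-to-path mapping is an assumption built from the paths in this particular log, and the location heuristic yields a list for manual review (signature check, hash lookup), not a verdict.

```python
import re

# Constructed sample: a few lines copied from the DDS log above. A raw string is
# essential here, otherwise Python would turn "\x32dott" into "2dott".
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-11 11608]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-9 353672]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-11 185089]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-10 29208]

==================== Find3M ====================

2009-07-14 17:55 2,328,704 a------- c:\windows\system32\TUKernel.exe
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 00:31 30,208 a------- c:\windows\x32dott.exe
2009-01-09 18:37 1,214,776 a------- c:\program files\7-Zip.rar
2008-03-31 16:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
"""

# Constructed mapping (an assumption for this log) from path fragments to the
# product family they belong to; extend it for other logs.
VENDOR_HINTS = [
    ("Avira", r"\\avira\\"),
    ("ESET", r"\\eset\\|\\ehdrv\.sys$|\\epfwtdir\.sys$"),
    ("ZoneAlarm", r"\\zonelabs\\|\\vsdatant\.sys$"),
    ("AVG", r"\\avgfw"),
    ("Windows Defender", r"\\windows defender\\"),
]

# DDS service line: "<R|S><n> name;display;path [date size]". R = running, S = stopped.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# First image path in the remainder (drops " -service --> ..." style arguments).
IMAGE_RE = re.compile(r"(.*?\.(?:exe|sys|dll))(?=\s|$)", re.I)
# Find3M / Created Last 30 line: "date time size attrs path".
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")


def parse_services(text):
    """Yield (start_type, service_name, display_name, image_path) per service line."""
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, rest = m.groups()
        im = IMAGE_RE.match(rest)
        yield start, name, display, (im.group(1) if im else rest).lower()


def running_security_vendors(text):
    """Map each security product family to the names of its *running* services."""
    found = {}
    for start, name, _display, path in parse_services(text):
        if not start.startswith("R"):
            continue  # S* entries are stopped/on-demand, so they do not compete right now
        for vendor, pattern in VENDOR_HINTS:
            if re.search(pattern, path):
                found.setdefault(vendor, []).append(name)
                break
    return found


def unusual_executables(text):
    """Executables listed directly in the Windows directory or a drive root.

    Installers normally place binaries in System32 or Program Files, so this is
    a short list for manual review (signature check, hash lookup), not a verdict:
    some Microsoft binaries legitimately live in the Windows directory too.
    """
    flagged = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        size, path = m.group(2), m.group(4).lower()
        if size == "<DIR>" or not path.endswith((".exe", ".dll", ".sys")):
            continue
        parent = path.rsplit("\\", 1)[0]
        if parent == "c:\\windows" or re.fullmatch(r"[a-z]:", parent):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for vendor, services in running_security_vendors(SAMPLE_DDS).items():
        print(f"{vendor}: {', '.join(services)}")
    print("review:", unusual_executables(SAMPLE_DDS))
```

Run against the sample, the vendor summary shows four product families with running services (the AVG filter driver is S3, so it is listed but not competing), and the review list contains the one executable that lives directly under the Windows directory; what that file is has to be established by a hash or signature check, which the script deliberately does not guess at.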

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:04:55 AM

Posted 30 August 2009 - 05:29 AM

Hello and welcome to Bleeping Computer

We apologize for the new delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Avira AntiVir, ZoneAlarm Antivirus or ESET NOD32.

You also have several firewalls installed; please choose either AntiVir Firewall or ZoneAlarm and remove the other one.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click RootRepeal.exe on your desktop.
  • Click on the Report tab, then click Scan.
  • Check all seven boxes:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

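The OTL log in the next reply lists every running process as a PRC line of the form "[modified | size | attributes | M] (company) -- path". As an added example, written for this page rather than taken from OTL or from the thread, the Python below parses those lines and returns the entries an analyst reviews first: images whose version resource names no company, images carrying hidden or system attributes, and paths that appear more than once (several instances of one image). The sample lines are copied from that log; the three heuristics are assumptions about where to look first and produce a review list, not a verdict (Ati2evxx.exe, for instance, appears later in the same log as the ATI HotKey Poller service, and TeaTimer.exe belongs to the Spybot install visible in the DDS log).

```python
import re
from collections import Counter

# Constructed sample: a few PRC lines copied from the OTL log posted below
# (raw string so the Windows backslashes survive).
SAMPLE_OTL = r"""
========== Processes (SafeList) ==========

PRC - [2003/12/02 18:55:06 | 00,385,024 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2008/05/02 00:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/04/17 04:11:42 | 01,017,224 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
PRC - [2009/04/17 04:11:42 | 01,017,224 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
PRC - [2009/08/31 12:10:07 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
"""

# OTL process line: "PRC - [modified | size | attributes | M] (company) -- path"
PRC_RE = re.compile(
    r"^PRC - \[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*\|\s*([\d,]+)\s*\|\s*(\S{4})\s*\|\s*\S\]"
    r"\s*\((.*?)\)\s*--\s*(.+)$"
)


def parse_prc(text):
    """Return one dict per PRC line: modified, size (bytes), attrs, company, path."""
    entries = []
    for line in text.splitlines():
        m = PRC_RE.match(line.strip())
        if not m:
            continue
        modified, size, attrs, company, path = m.groups()
        entries.append({
            "modified": modified,
            "size": int(size.replace(",", "")),
            "attrs": attrs,                 # R=read-only, H=hidden, S=system, D=directory
            "company": company.strip(),     # empty when the file carries no version info
            "path": path.strip(),
        })
    return entries


def no_company(entries):
    """Images whose PE version resource names no company: first stop for a review."""
    return [e for e in entries if not e["company"]]


def hidden_or_system(entries):
    """Running images marked hidden or system; unusual for ordinary applications."""
    return [e for e in entries if "H" in e["attrs"] or "S" in e["attrs"]]


def repeated_paths(entries):
    """Paths listed more than once, i.e. several instances of the same image."""
    counts = Counter(e["path"] for e in entries)
    return [path for path, n in counts.items() if n > 1]


if __name__ == "__main__":
    prc = parse_prc(SAMPLE_OTL)
    print(f"{len(prc)} processes parsed")
    for label, hits in (("no company name", no_company(prc)),
                        ("hidden/system attributes", hidden_or_system(prc))):
        for e in hits:
            print(f"[{label}] {e['path']} ({e['size']} bytes, attrs {e['attrs']})")
    for path in repeated_paths(prc):
        print(f"[multiple instances] {path}")
```

Feeding the whole PRC section of a real OTL log into parse_prc gives the same three lists; the point of keeping the parser separate from the heuristics is that a reviewer can add a fourth check (for example, images running from a user profile directory, which here would surface the OTL.exe the poster just launched) without touching the line format.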


#5 high_octane

high_octane
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Canada
  • Local time:10:55 PM

Posted 31 August 2009 - 11:44 AM

My ESET NOD32 told me that I have another virus called Win32/Kryptik.YL trojan now also.
Here are the OTL logs:
OTL logfile created on: 31/08/2009 12:15:26 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1023.36 Mb Total Physical Memory | 287.49 Mb Available Physical Memory | 28.09% Memory free
2.90 Gb Paging File | 1.59 Gb Available in Paging File | 54.77% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.94 Gb Total Space | 14.05 Gb Free Space | 50.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 298.01 Gb Total Space | 273.93 Gb Free Space | 91.92% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DADF523DD6E9458
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2003/12/02 18:55:06 | 00,385,024 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/03/31 19:20:50 | 02,404,232 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe
PRC - [2009/04/17 04:11:44 | 00,394,632 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
PRC - [2009/03/31 17:18:14 | 00,143,360 | ---- | M] (Kaspersky Lab.) -- C:\WINDOWS\System32\ZoneLabs\avsys\ScanningProcess.exe
PRC - [2006/04/17 13:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE
PRC - [2006/04/17 13:41:24 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXPPS.EXE
PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/05/11 10:37:59 | 00,388,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2004/06/03 14:14:16 | 00,163,840 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2003/05/12 18:29:42 | 00,512,000 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
PRC - [2003/05/12 18:38:42 | 00,024,576 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe
PRC - [2003/03/13 17:14:02 | 00,212,992 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
PRC - [2009/04/09 15:19:08 | 00,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2008/05/28 13:19:10 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe
PRC - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2007/09/20 10:51:46 | 00,853,288 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
PRC - [2009/04/13 12:51:16 | 00,053,760 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe
PRC - [2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2009/07/13 23:51:33 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe
PRC - [2001/04/11 11:33:46 | 00,215,552 | ---- | M] (Intel) -- C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
PRC - [2007/11/26 14:47:40 | 00,598,856 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\WasherSvc.exe
PRC - [2009/05/11 10:31:46 | 00,194,817 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2009/05/12 14:46:39 | 00,434,945 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
PRC - [2003/05/12 18:33:26 | 00,020,480 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\Compaq\Compaq Management Agents\Cpqdmi.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2003/05/30 12:01:26 | 00,088,267 | R--- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
PRC - [2003/07/15 15:09:18 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/07/15 15:08:10 | 00,618,496 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2003/11/25 22:10:00 | 00,335,872 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2003/05/12 18:33:10 | 00,081,920 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Compaq\Compaq Management Agents\Chkadmin.exe
PRC - [2004/09/17 17:19:42 | 00,290,816 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/07/13 01:22:50 | 00,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
PRC - [2008/05/02 00:15:46 | 00,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2009/03/31 19:20:50 | 00,982,408 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/05/21 11:34:07 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2006/07/13 01:33:14 | 00,053,248 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
PRC - [2008/12/11 20:41:48 | 00,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/04/09 15:17:56 | 02,029,640 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2007/10/23 16:18:46 | 00,202,024 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
PRC - [2009/04/13 12:51:18 | 00,365,568 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieCtrl.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/08 16:31:26 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2004/06/02 18:48:22 | 00,565,309 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/10/23 16:19:06 | 00,382,248 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
PRC - [2008/05/26 22:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2007/10/23 16:19:06 | 01,410,344 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2009/03/31 19:20:50 | 00,176,520 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\ZoneLabs\UpdClient.exe
PRC - [2009/02/05 16:57:26 | 00,869,648 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
PRC - [2009/04/17 04:11:40 | 00,546,184 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\forcefield.exe
PRC - [2009/04/17 04:11:42 | 01,017,224 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
PRC - [2009/04/17 04:11:42 | 01,017,224 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWMGR.exe
PRC - [2009/07/30 07:26:38 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/01/27 21:33:44 | 02,594,224 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IDMan.exe
PRC - [2008/02/18 09:01:01 | 00,251,312 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IEMonitor.exe
PRC - [2009/08/31 12:10:07 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/05/11 10:37:59 | 00,388,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe -- (AntiVirFirewallService [Auto | Running])
SRV - [2009/05/11 10:31:46 | 00,194,817 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService [Auto | Running])
SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService [Auto | Running])
SRV - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService [Auto | Running])
SRV - [2009/05/12 14:46:39 | 00,434,945 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService [Auto | Running])
SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2003/12/02 18:55:06 | 00,385,024 | ---- | M] () -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2004/06/03 14:14:16 | 00,163,840 | ---- | M] (WIDCOMM, Inc.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2003/05/12 18:29:42 | 00,512,000 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe -- (CPQALERT [Auto | Running])
SRV - [2003/05/12 18:33:26 | 00,020,480 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\Compaq\Compaq Management Agents\Cpqdmi.exe -- (cpqdmi [Auto | Running])
SRV - [2003/05/12 18:38:42 | 00,024,576 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe -- (cpqWebDmi [Auto | Running])
SRV - [2003/03/13 17:14:02 | 00,212,992 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\Cpqdiag\Cpqdfwag.exe -- (DfwWebAgent [Auto | Running])
SRV - [2009/04/09 15:29:20 | 00,020,680 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv [On_Demand | Stopped])
SRV - [2009/04/09 15:19:08 | 00,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn [Auto | Running])
SRV - [2008/05/28 13:19:10 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe -- (EMP_UDSA [Auto | Running])
SRV - [2005/11/17 15:18:52 | 01,527,900 | ---- | M] (MAGIX®) -- C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/06/14 20:31:49 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/07/27 16:25:24 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\SHARED\HPQWMI.exe -- (hpqwmi [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2007/10/15 12:40:48 | 01,440,552 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe -- (InCDsrv [Auto | Stopped])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2008/04/13 20:11:55 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\irmon.dll -- (Irmon [Auto | Running])
SRV - [2009/04/17 04:11:44 | 00,394,632 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc [Auto | Running])
SRV - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/04/17 13:42:14 | 00,311,296 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2007/09/20 10:51:46 | 00,853,288 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/10/23 16:19:06 | 00,382,248 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Running])
SRV - [2006/10/26 19:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/04/13 12:51:16 | 00,053,760 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc [Auto | Running])
SRV - [2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Auto | Running])
SRV - [2009/07/13 23:51:22 | 00,361,216 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TuneUpDefragService.exe -- (TuneUp.Defrag [On_Demand | Stopped])
SRV - [2009/07/13 23:51:33 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc [Auto | Running])
SRV - [2006/12/14 17:00:00 | 00,544,768 | ---- | M] (Magix AG) -- C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- (UPnPService [On_Demand | Stopped])
SRV - [2007/10/18 12:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2009/04/27 14:21:36 | 00,028,928 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll -- (UxTuneUp [Auto | Running])
SRV - [2009/03/31 19:20:50 | 02,404,232 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2001/04/11 11:33:46 | 00,215,552 | ---- | M] (Intel) -- C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe -- (WIN32SL [Auto | Running])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2007/10/25 16:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2007/11/26 14:47:40 | 00,598,856 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\WasherSvc.exe -- (wwEngineSvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2008/01/23 04:19:44 | 00,501,560 | ---- | M] (Protect Software GmbH) -- C:\WINDOWS\System32\drivers\acedrv11.sys -- (acedrv11 [Auto | Running])
DRV - [2003/03/13 14:34:48 | 00,100,224 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2003/05/30 12:01:26 | 01,170,464 | R--- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2003/12/02 18:57:02 | 00,641,536 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2009/02/24 13:06:20 | 00,069,632 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avfwim.sys -- (avfwim [On_Demand | Running])
DRV - [2009/05/08 14:13:50 | 00,097,608 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avfwot.sys -- (avfwot [System | Running])
DRV - [2009/08/10 23:37:43 | 00,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\DRIVERS\avgfwdx.sys -- (Avgfwdx [On_Demand | Stopped])
DRV - [2009/08/10 23:37:43 | 00,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\DRIVERS\avgfwdx.sys -- (Avgfwfd [On_Demand | Stopped])
DRV - [2009/02/13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio [System | Running])
DRV - [2009/07/28 16:33:56 | 00,055,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avgntflt.sys -- (avgntflt [Auto | Running])
DRV - [2009/03/30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avipbb.sys -- (avipbb [System | Running])
DRV - [2003/02/17 14:22:24 | 00,170,880 | R--- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2004/06/02 18:07:28 | 01,240,938 | ---- | M] (WIDCOMM, Inc.) -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL [Boot | Running])
DRV - [2003/03/06 10:50:16 | 00,055,336 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\Drivers\ClntMgmt.sys -- (ClntMgmt [System | Running])
DRV - [2003/07/29 00:49:00 | 00,182,101 | ---- | M] (O2 Micro ) -- C:\WINDOWS\System32\drivers\o2mmb.sys -- (CONAN [On_Demand | Running])
DRV - [2002/08/19 15:35:44 | 00,019,845 | ---- | M] () -- C:\WINDOWS\System32\drivers\cpqdfw.sys -- (cpqdfw [Auto | Running])
DRV - [1998/09/30 08:36:06 | 00,154,436 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\cqcpu.sys -- (cqcpu [Auto | Running])
DRV - [1999/05/19 15:00:50 | 00,018,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\cq_mem.sys -- (cq_mem [Auto | Running])
DRV - [2004/04/14 09:36:50 | 00,007,432 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\drivers\EABFiltr.sys -- (eabfiltr [System | Running])
DRV - [2003/06/06 13:46:16 | 00,005,220 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\drivers\eabusb.sys -- (eabusb [On_Demand | Stopped])
DRV - [2009/04/09 15:10:30 | 00,113,960 | ---- | M] (ESET) -- C:\WINDOWS\System32\DRIVERS\eamon.sys -- (eamon [Auto | Running])
DRV - [2009/04/09 15:18:02 | 00,107,256 | ---- | M] (ESET) -- C:\WINDOWS\System32\DRIVERS\ehdrv.sys -- (ehdrv [System | Running])
DRV - [2009/04/09 15:21:12 | 00,094,360 | ---- | M] (ESET) -- C:\WINDOWS\System32\DRIVERS\epfwtdir.sys -- (epfwtdir [System | Running])
DRV - [2008/05/14 20:06:06 | 00,017,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\drivers\EMP_UDAU.sys -- (eppvad_simple [On_Demand | Running])
DRV - [2008/04/17 14:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2009/04/17 04:11:36 | 00,054,928 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys -- (icsak [On_Demand | Running])
DRV - [2007/10/15 12:40:38 | 00,125,864 | ---- | M] (Nero AG) -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs [Disabled | Running])
DRV - [2007/10/15 12:40:38 | 00,038,952 | ---- | M] (Nero AG) -- C:\WINDOWS\System32\DRIVERS\InCDPass.sys -- (InCDPass [System | Running])
DRV - [2007/10/15 12:40:38 | 00,040,488 | ---- | M] (Nero AG) -- C:\WINDOWS\System32\drivers\InCDRm.sys -- (incdrm [System | Running])
DRV - [2009/04/17 04:11:36 | 00,021,136 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL [Auto | Running])
DRV - [2003/07/24 14:50:00 | 00,005,689 | ---- | M] (O2 Micro) -- C:\WINDOWS\System32\drivers\MbxStby.sys -- (MbxStby [On_Demand | Running])
DRV - [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/04/13 12:51:14 | 00,107,520 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv [On_Demand | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/08/17 08:10:28 | 00,035,913 | ---- | M] (SMC) -- C:\WINDOWS\System32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Running])
DRV - [2003/07/18 16:06:40 | 00,578,048 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2008/11/17 02:24:00 | 00,051,688 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2009/05/11 10:12:24 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Running])
DRV - [2003/07/15 14:48:44 | 00,270,384 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2008/04/13 15:40:50 | 00,149,376 | ---- | M] (M-Systems) -- C:\WINDOWS\system32\DRIVERS\tffsport.sys -- (tffsport [Boot | Running])
DRV - [2008/11/07 15:23:30 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2009/03/31 19:20:54 | 00,353,672 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2007/07/26 00:44:28 | 02,210,048 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Stopped])
DRV - [2003/07/17 18:06:00 | 00,322,560 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\DRIVERS\ar5211.sys -- (WLAN_400_500_SERVICE [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.dogpile.com/
IE - URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-3867072624-390493748-37123352-500\S-1-5-21-3867072624-390493748-37123352-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3867072624-390493748-37123352-500\S-1-5-21-3867072624-390493748-37123352-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.dogpile.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:5.0.20090805W
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:5.3
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/07 13:20:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/08/11 00:24:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/12 13:50:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/12 13:50:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/08/08 16:21:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2009/08/08 16:21:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/24 13:44:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\opjqsme5.default\extensions
[2009/08/08 16:23:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\opjqsme5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/08 16:23:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\opjqsme5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/08/13 00:40:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\opjqsme5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/08/08 16:20:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/08 16:20:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/30 07:26:53 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/30 07:26:54 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/02/06 12:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/07/30 07:26:55 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/07/30 03:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 03:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/24 00:12:56 | 00,001,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/07/30 03:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 03:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 03:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 03:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (321495 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 11016 more lines...
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (ForceField Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (WinAVI FLVSense) - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll (ZJMedia)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (ForceField Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\S-1-5-21-3867072624-390493748-37123352-500\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-3867072624-390493748-37123352-500\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ChkAdmin] C:\Program Files\Compaq\Compaq Management Agents\Chkadmin.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Lexmark 1200 Series] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-3867072624-390493748-37123352-500..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-3867072624-390493748-37123352-500..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-3867072624-390493748-37123352-500..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
O4 - HKU\S-1-5-21-3867072624-390493748-37123352-500..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-3867072624-390493748-37123352-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [ZAFFRegisterTrustChecker] C:\WINDOWS\System32\regsvr32.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [ZAFFRegisterTrustCheckerIE] C:\WINDOWS\System32\regsvr32.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [ZAFFRegisterTrustChecker] C:\WINDOWS\System32\regsvr32.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [ZAFFRegisterTrustCheckerIE] C:\WINDOWS\System32\regsvr32.exe (Microsoft Corporation)
O4 - HKLM..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (WIDCOMM, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3867072624-390493748-37123352-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 1
O7 - HKU\S-1-5-21-3867072624-390493748-37123352-500_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm ()
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll (ZJMedia)
O9 - Extra 'Tools' menuitem : WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll (ZJMedia)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira GmbH)
O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3867072624-390493748-37123352-500\..Trusted Domains: 71 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll (WIDCOMM, Inc.)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/02 13:02:50 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{560bae51-22c1-11de-8a09-000d9d920d69}\Shell - "" = AutoRun
O33 - MountPoints2\{560bae51-22c1-11de-8a09-000d9d920d69}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{560bae51-22c1-11de-8a09-000d9d920d69}\Shell\AutoRun\command - "" = F:\EMP_UDSe.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/31 12:12:01 | 00,464,491 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip
[2009/08/31 12:10:05 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/08/26 15:03:24 | 01,604,576 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/08/21 00:59:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2009/08/20 20:50:23 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/08/19 14:31:39 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SpywareBlaster.lnk
[2009/08/19 14:31:32 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/08/18 21:40:23 | 00,000,104 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\My Computer.lnk
[2009/08/18 14:28:09 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/08/18 14:28:09 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/18 02:01:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Uniblue
[2009/08/18 01:55:47 | 00,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2009/08/17 00:47:28 | 00,000,979 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2009/08/17 00:47:04 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/08/17 00:47:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/08/16 22:52:14 | 00,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2009/08/12 23:00:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
[2009/08/12 15:25:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\URTTEMP
[2009/08/12 15:17:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2009/08/12 15:15:21 | 00,001,805 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2009/08/12 15:14:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/08/12 15:14:51 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2009/08/12 15:14:18 | 00,192,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\offfilt.dll
[2009/08/12 15:14:18 | 00,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nlhtml.dll
[2009/08/12 15:14:18 | 00,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mimefilt.dll
[2009/08/12 15:13:11 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/12 15:12:52 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/12 15:12:29 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atl.dll
[2009/08/12 15:12:09 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/08/12 15:11:46 | 00,132,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wkssvc.dll
[2009/08/12 15:11:27 | 00,084,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avifil32.dll
[2009/08/12 15:10:56 | 00,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msv1_0.dll
[2009/08/12 15:10:56 | 00,092,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ksecdd.sys
[2009/08/12 15:10:56 | 00,054,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wdigest.dll
[2009/08/12 15:10:55 | 00,301,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kerberos.dll
[2009/08/12 15:10:32 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tlntsess.exe
[2009/08/12 15:10:32 | 00,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\telnet.exe
[2009/08/12 15:08:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2009/08/12 00:39:26 | 00,000,000 | ---D | C] -- C:\Program Files\Sony Setup
[2009/08/11 21:43:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\WDC
[2009/08/11 11:41:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Avira
[2009/08/11 11:34:21 | 00,001,713 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/08/11 11:32:07 | 00,097,608 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avfwot.sys
[2009/08/11 11:32:07 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/08/11 11:32:07 | 00,069,632 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avfwim.sys
[2009/08/11 11:32:07 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/08/11 11:32:07 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/08/11 11:32:07 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/08/11 11:32:07 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/08/11 11:31:56 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/08/11 11:31:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/08/11 00:00:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
[2009/08/10 23:45:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/08/10 23:37:43 | 00,050,968 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2009/08/10 23:37:43 | 00,029,208 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2009/08/08 16:20:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2009/08/08 16:20:43 | 00,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/08/08 16:20:22 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/08/07 12:53:57 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/08/06 17:32:41 | 00,000,000 | ---D | C] -- C:\c85e5d217ecb3e3394
[2009/08/06 12:00:28 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/08/06 10:23:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ESET
[2009/08/05 19:28:20 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/08/05 19:28:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/08/05 17:35:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/08/05 16:48:21 | 10,731,39712 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/05 12:37:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/08/05 12:37:30 | 00,000,714 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/05 12:37:26 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/05 12:37:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/05 12:37:24 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/05 12:37:24 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/03 00:50:56 | 00,000,066 | ---- | C] () -- C:\WINDOWS\Speed Video Converter.INI
[2009/07/03 00:31:13 | 00,001,532 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2008/12/28 04:36:34 | 00,000,570 | ---- | C] () -- C:\WINDOWS\BeatBox.INI
[2008/12/28 04:36:34 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Robota.INI
[2008/12/28 02:43:06 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\mgxasio2.dll
[2008/12/28 02:06:57 | 00,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2008/12/28 02:03:11 | 00,005,937 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2008/12/20 20:28:15 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/15 00:34:36 | 00,000,084 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2008/12/15 00:34:33 | 00,000,261 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2008/12/15 00:33:44 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2008/12/15 00:33:08 | 00,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2008/12/09 23:15:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/03/31 16:05:24 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/11/02 13:24:08 | 00,033,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\cs_nt40.sys
[2007/11/02 13:23:26 | 00,001,784 | ---- | C] () -- C:\WINDOWS\ACT_CFG.INI
[2007/11/02 13:23:20 | 00,019,845 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cpqdfw.sys
[2007/11/02 13:23:20 | 00,001,010 | ---- | C] () -- C:\WINDOWS\Cpqdiag.ini
[2007/11/02 13:17:43 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2007/11/02 13:17:35 | 00,017,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\CPQRS.sys
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2004/08/04 08:00:00 | 00,000,715 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/06/02 18:28:30 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2003/12/02 18:55:14 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/16 00:29:04 | 00,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 19:18:00 | 00,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 14:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/08/31 12:12:37 | 00,464,491 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RootRepeal.zip
[2009/08/31 12:10:07 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/08/31 12:07:51 | 00,005,964 | ---- | M] () -- C:\rollback.ini
[2009/08/31 12:01:32 | 00,000,502 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/08/31 11:55:04 | 00,000,144 | ---- | M] () -- C:\WINDOWS\System32\pdfl.dat
[2009/08/31 11:52:17 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/08/31 11:51:47 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/31 11:47:16 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/31 11:47:15 | 00,351,220 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/08/31 11:46:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/31 11:46:46 | 10,731,39712 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/31 11:45:02 | 00,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{97A21F0B-270D-42E1-862E-BDAB92B3C445}.job
[2009/08/30 01:11:43 | 00,039,936 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/26 17:41:21 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/08/26 17:23:02 | 00,000,594 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\My Sharing Folders.lnk
[2009/08/26 15:28:19 | 00,001,532 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2009/08/26 15:03:26 | 01,604,576 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/08/26 01:01:41 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/19 14:31:39 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SpywareBlaster.lnk
[2009/08/18 21:40:23 | 00,000,104 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\My Computer.lnk
[2009/08/18 21:38:05 | 00,554,470 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/18 21:38:05 | 00,465,200 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/18 21:38:05 | 00,079,302 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/18 14:28:09 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2009/08/18 01:29:48 | 00,321,495 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090825-123815.backup
[2009/08/18 01:29:48 | 00,321,495 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/08/17 13:37:14 | 00,321,495 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090818-012948.backup
[2009/08/17 01:24:03 | 00,321,495 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090817-133713.backup
[2009/08/17 01:16:56 | 00,000,979 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2009/08/17 01:01:07 | 00,321,495 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090817-012403.backup
[2009/08/17 00:59:54 | 00,321,495 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090817-010107.backup
[2009/08/13 13:03:19 | 00,104,880 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/13 13:01:39 | 00,363,320 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/13 01:02:21 | 00,004,096 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\000009E8.LCS
[2009/08/13 01:02:05 | 00,000,570 | ---- | M] () -- C:\WINDOWS\BeatBox.INI
[2009/08/13 01:02:05 | 00,000,028 | ---- | M] () -- C:\WINDOWS\Robota.INI
[2009/08/13 00:56:46 | 00,005,937 | ---- | M] () -- C:\WINDOWS\mgxoschk.ini
[2009/08/12 15:15:21 | 00,001,805 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2009/08/12 13:44:08 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/08/11 11:34:21 | 00,001,713 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/08/10 23:37:43 | 00,050,968 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgfwdx.dll
[2009/08/10 23:37:43 | 00,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgfwdx.sys
[2009/08/08 16:20:43 | 00,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/08/05 12:37:30 | 00,000,714 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/05 05:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 05:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
< End of report >

Here is the Extras OTL log:
OTL Extras logfile created on: 31/08/2009 12:15:26 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1023.36 Mb Total Physical Memory | 287.49 Mb Available Physical Memory | 28.09% Memory free
2.90 Gb Paging File | 1.59 Gb Available in Paging File | 54.77% Paging File free
Paging file location(s): C:\pagefile.sys 2048 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.94 Gb Total Space | 14.05 Gb Free Space | 50.29% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 298.01 Gb Total Space | 273.93 Gb Free Space | 91.92% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DADF523DD6E9458
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = SafariHTML] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLED.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- ()
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service -- (Check Point Software Technologies LTD)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1881AE03-2BD4-11D4-86BF-00508B10AA88}" = Diagnostics for Windows
"{1E598659-6503-419E-8FB0-0C1EABF11033}" = Nero 8
"{2157961D-0507-44A8-BCF2-1EE2D439E8DF}" = Civilization III Complete Edition
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 14
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{4CBD31CE-51DF-43C4-B3EC-7CCBAB0CD083}" = O2Micro MemoryCardBus Windows Driver
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{5C3DA2A1-03B2-44BD-B5AA-A44BD6E0C0C1}" = HP Integrated Wireless LAN W400-W500 Driver
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{71A470E1-27E7-424E-803A-F9C0D41968D3}" = Remote Diagnostics Enabling Agent
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7650F538-6274-44EA-8F50-843479073333}" = EPSON USB Display
"{76756402-BF1E-4A0F-AFCC-0EE6CF58F58C}" = ESET NOD32 Antivirus
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}" = Text-To-Speech-Runtime
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8BAC9DAB-9118-4D13-8CF4-78812CC4755C}" = ACID Pro 7.0
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = Bluetooth by hp
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B668CB7B-A9DF-43B6-8876-A373A8E1D438}" = HP Mobile Printing
"{B7E2A724-2774-4AC2-9F0A-B58C7319B6E6}" = Sony Vegas Pro 8.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.00 C2
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster 2009
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F16F258A-6300-4A1C-BC49-7929EFF455E2}" = TIPCIxx20
"{F2545484-7B1C-484A-89B8-B0F8B38BC67F}" = O2Micro SmartCardBus Reader Windows Driver Installer
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Software Uninstall Utility
"ASIO4ALL" = ASIO4ALL
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira Premium Security Suite
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner (remove only)
"Chess Nx_is1" = Chess Nx v6
"Collab" = Collab
"DVD Decrypter" = DVD Decrypter (Remove Only)
"Firebird SQL Server CA" = Firebird SQL Server - MAGIX Edition
"FL Studio 8" = FL Studio 8
"Free FLV Converter_is1" = Free FLV Converter V 5.1
"Handbrake" = Handbrake 0.9.2
"HijackThis" = HijackThis 2.0.2
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IL Download Manager" = IL Download Manager
"InstallShield_{2157961D-0507-44A8-BCF2-1EE2D439E8DF}" = Civilization III Complete Edition
"InstallShield_{4CBD31CE-51DF-43C4-B3EC-7CCBAB0CD083}" = O2Micro MemoryCardBus Windows Driver
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"InstallShield_{F16F258A-6300-4A1C-BC49-7929EFF455E2}" = Texas Instruments PCIxx20 drivers.
"Internet Download Manager" = Internet Download Manager
"IntMgmt" = Insight Management Agent
"Lexmark 1200 Series" = Lexmark 1200 Series
"LimeWire" = LimeWire 4.18.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MIKSOFT Mobile AMR converter_is1" = MIKSOFT Mobile AMR converter
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"OpenAL" = OpenAL
"PoiZone" = PoiZone
"PROPLUS" = Microsoft Office Professional Plus 2007
"ProtectDisc Driver 11" = ProtectDisc Driver, Version 11
"RealPlayer 6.0" = RealPlayer
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"Toxic Biohazard" = Toxic Biohazard
"Unlocker" = Unlocker 1.8.7
"WinAVI FLV Converter 1.0_is1" = WinAVI FLV Converter
"Window Washer" = Window Washer
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinNT Remote Services Deinstall Key" = Remote Services Driver
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZoneAlarm Extreme Security" = ZoneAlarm Extreme Security

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3867072624-390493748-37123352-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent 6.0.2
"BitTorrent DNA" = DNA
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26/08/2009 12:13:53 AM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 26/08/2009 12:49:34 AM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 26/08/2009 2:43:31 PM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 26/08/2009 3:51:27 PM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 26/08/2009 5:07:19 PM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 26/08/2009 11:18:39 PM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 28/08/2009 2:03:06 AM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 30/08/2009 12:25:13 AM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 30/08/2009 12:34:32 AM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 31/08/2009 11:42:20 AM | Computer Name = DADF523DD6E9458 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

[ System Events ]
Error - 31/08/2009 11:44:41 AM | Computer Name = DADF523DD6E9458 | Source = Service Control Manager | ID = 7024
Description = The Java Quick Starter service terminated with service-specific error
1 (0x1).

Error - 31/08/2009 11:44:42 AM | Computer Name = DADF523DD6E9458 | Source = Service Control Manager | ID = 7034
Description = The InCD Helper service terminated unexpectedly. It has done this
1 time(s).

Error - 31/08/2009 11:44:42 AM | Computer Name = DADF523DD6E9458 | Source = Service Control Manager | ID = 7034
Description = The SoundMAX Agent Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 31/08/2009 11:47:56 AM | Computer Name = DADF523DD6E9458 | Source = LDMS | ID = 16780239
Description = The Logical Disk Manager Service failed while registering for device
handle notifications on device \\?\ide#cdromteac_dw-224e-a__________________________a.2f____#5&1c049a71&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Win32 Error: 1381.

Error - 31/08/2009 11:49:00 AM | Computer Name = DADF523DD6E9458 | Source = Service Control Manager | ID = 7024
Description = The InCD Helper service terminated with service-specific error 1 (0x1).

Error - 31/08/2009 11:50:17 AM | Computer Name = DADF523DD6E9458 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 31/08/2009 11:53:35 AM | Computer Name = DADF523DD6E9458 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service WSearch with
arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error - 31/08/2009 11:53:58 AM | Computer Name = DADF523DD6E9458 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service WSearch with
arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error - 31/08/2009 11:58:17 AM | Computer Name = DADF523DD6E9458 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Update for Microsoft Silverlight (KB970363).

Error - 31/08/2009 11:59:00 AM | Computer Name = DADF523DD6E9458 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service WSearch with
arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

[ TuneUp Events ]
Error - 05/08/2009 12:38:03 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-05 12:38:03', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','4836',0)

Error - 05/08/2009 12:40:05 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-05 12:40:05', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','4296',0)

Error - 05/08/2009 1:04:10 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-05 13:04:10', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','4908',0)

Error - 05/08/2009 1:14:08 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-05 13:14:08', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam-dor.exe','4492',0)

Error - 05/08/2009 1:21:14 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-05 13:21:14', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','6084',0)

Error - 09/08/2009 3:11:45 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-09 15:11:45', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','8880',0)

Error - 09/08/2009 3:48:26 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-09 15:48:26', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','3480',0)

Error - 09/08/2009 4:14:18 PM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-09 16:14:18', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','4496',0)

Error - 11/08/2009 2:16:05 AM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-11 02:16:05', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','4196',0)

Error - 18/08/2009 1:48:19 AM | Computer Name = DADF523DD6E9458 | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2009-08-18 01:48:19', '\device\harddiskvolume1\program
files\malwarebytes' anti-malware\mbam.exe','3648',0)


< End of report >


This is the RootRepeal log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 12:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: hjgruisaoyktfn.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
Address: 0xAAED3000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9385000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7644000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiaxvjbwex.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruibcevpppv.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiboyxxmck.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruidlvykyij.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruifpxxnost.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiibardllo.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruijeyfxxmb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruilog.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruimkjlrdnj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruimbcrncyvtn.tmp
Status: Invisible to the Windows API!

Path: c:\windows\internet logs\backup.rdb
Status: Size mismatch (API: 2220032, Raw: 2218496)

Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\iswtmp\logs\cplic.swl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: winlogon.exe (PID: 1772) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: services.exe (PID: 1980) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: lsass.exe (PID: 1992) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Ati2evxx.exe (PID: 580) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruijeyfxxmb.dll]
Process: svchost.exe (PID: 800) Address: 0x006e0000 Size: 53248

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 800) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 1076) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: MsMpEng.exe (PID: 1240) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 1340) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 1528) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 1836) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 304) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: vsmon.exe (PID: 600) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: IswSvc.exe (PID: 1724) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ScanningProcess.exe (PID: 1936) Address: 0x00910000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: LEXBCES.EXE (PID: 836) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: spoolsv.exe (PID: 616) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: LEXPPS.EXE (PID: 1300) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: sched.exe (PID: 1264) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avfwsvc.exe (PID: 1632) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avguard.exe (PID: 532) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: AppleMobileDeviceService.exe (PID: 1184) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: mDNSResponder.exe (PID: 1288) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: btwdins.exe (PID: 1120) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: cpqalert.exe (PID: 1144) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: WebDmi.exe (PID: 2068) Address: 0x003e0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Cpqdfwag.exe (PID: 2476) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ekrn.exe (PID: 2768) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: EMP_UDSA.exe (PID: 3448) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: jqs.exe (PID: 4020) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: MDM.EXE (PID: 2080) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NBService.exe (PID: 3384) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SbieSvc.exe (PID: 3756) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SMAgent.exe (PID: 4048) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 920) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: TUProgSt.exe (PID: 2096) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Win32sl.exe (PID: 2360) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: WasherSvc.exe (PID: 2512) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avmailc.exe (PID: 2964) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: AVWEBGRD.EXE (PID: 3220) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: cpqdmi.exe (PID: 3536) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: alg.exe (PID: 2908) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Explorer.EXE (PID: 2200) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: AGRSMMSG.exe (PID: 2408) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SynTPLpr.exe (PID: 1160) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SynTPEnh.exe (PID: 2932) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: atiptaxx.exe (PID: 3208) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: CHKADMIN.EXE (PID: 3080) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: EabServr.exe (PID: 1596) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: MSASCui.exe (PID: 1924) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: lxczbmgr.exe (PID: 1232) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: UnlockerAssistant.exe (PID: 2904) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: zlclient.exe (PID: 1156) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: jusched.exe (PID: 2860) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: lxczbmon.exe (PID: 536) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: realsched.exe (PID: 3352) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: egui.exe (PID: 3996) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avgnt.exe (PID: 2432) Address: 0x00aa0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ctfmon.exe (PID: 2396) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NMBgMonitor.exe (PID: 380) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SbieCtrl.exe (PID: 2640) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: TeaTimer.exe (PID: 1448) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: btdna.exe (PID: 904) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: BTTray.exe (PID: 3952) Address: 0x003f0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NMIndexingService.exe (PID: 852) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: WindowsSearch.exe (PID: 504) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NMIndexStoreSvr.exe (PID: 3812) Address: 0x003c0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: mantispm.exe (PID: 5420) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: forcefield.exe (PID: 5072) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ISWMGR.exe (PID: 2868) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ISWMGR.exe (PID: 5068) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: firefox.exe (PID: 4180) Address: 0x01010000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: IDMan.exe (PID: 6092) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: IEMonitor.exe (PID: 3520) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: RootRepeal.exe (PID: 5780) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x86afca20]
Process: System Address: 0x866a2790 Size: 1000

Hidden Services
-------------------
Service Name: hjgruigvkayxnh
Image Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada6e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada6f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada6fe0

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada24c0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada5d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada7250

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada20a0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada2310

==EOF==

Thank you for your help.

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:04:55 AM

Posted 31 August 2009 - 12:54 PM

Hi,

anti virus programs

I was being serious when I said that several anti virus programs will reduce the security of your system and may corrupt it beyond repair. Anti virus programs assume that they are the only program controlling the system; when another scanner tries to access their files, they will assume malicious intent and fight back. The attacked anti virus program will believe it has found an infection and try to kill the first anti virus program.
I have seen PCs that wouldn't boot after one anti virus program got updated.
Please don't take this lightly, and remove all except one anti virus program. I guess it would be best to keep either Avira or ZoneAlarm, as those seem to be complete suites also offering a firewall. If you wish to keep ESET, maybe you would like to install a free firewall. A tutorial on firewalls and suggestions for free firewalls can be found here: Link

P2P programs

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case eMule, uTorrent, LimeWire). These programmes allow users to share files between them, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should therefore be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."
Please uninstall these programs, or at least do not use them until we have finished cleaning your PC.

Registry Cleaners

I notice the presence of Uniblue RegistryBooster 2009 Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect, and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly, you will not see any difference.
If it doesn't work properly, you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html


If you need help on removing programs from your PC, please let me know, I'll be happy to help you out.

You have a rootkit on your machine. We're going to try to remove it, with the following instructions:
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    drivers to disable:
    hjgruigvkayxnh

    drivers to delete:
    hjgruigvkayxnh

    files to delete:
    C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
    C:\WINDOWS\system32\hjgruiaxvjbwex.dat
    C:\WINDOWS\system32\hjgruibcevpppv.dat
    C:\WINDOWS\system32\hjgruiboyxxmck.dll
    C:\WINDOWS\system32\hjgruidlvykyij.dll
    C:\WINDOWS\system32\hjgruifpxxnost.dll
    C:\WINDOWS\system32\hjgruiibardllo.dat
    C:\WINDOWS\system32\hjgruijeyfxxmb.dll
    C:\WINDOWS\system32\hjgruilog.dat
    C:\WINDOWS\system32\hjgruimkjlrdnj.dat
    C:\WINDOWS\Temp\hjgruimbcrncyvtn.tmp
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new OTL log in your next reply.
Afterwards please also run rootrepeal again and post the new rootrepeal log along with the logs from Avenger and OTL in your next reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
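The RootRepeal logs posted in this thread and the Avenger step list above share one piece of analyst logic: decide which entries are really concealed by the rootkit and which (the locked hiberfil.sys, for instance) are benign, then list only the former for removal. The following is an added example, not code from the thread, RootRepeal or The Avenger, that does that selection in Python over a constructed excerpt in the same layout; the one-entry-per-line layout of the generated script is an assumption, not something the thread states.

```python
# Added example, not code from the thread, RootRepeal or The Avenger: parse a
# RootRepeal report in the layout quoted above, keep only entries the rootkit
# actively conceals, and lay them out in the section format of the helper's
# script (one entry per line there is an assumption, not stated in the thread).
import re
from collections import defaultdict

# Constructed excerpt in the layout of the thread's RootRepeal logs.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/08/31 12:30

Drivers
-------------------
Name: hjgruisaoyktfn.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruifpxxnost.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: winlogon.exe (PID: 1772) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: lsass.exe (PID: 1992) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x86afca20]
Process: System Address: 0x866a2790 Size: 1000

Hidden Services
-------------------
Service Name: hjgruigvkayxnh
Image Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
"""

# Only these statuses mean concealment; "Locked" (hiberfil.sys) and size
# mismatches are normally benign and must not end up in a deletion script.
HIDDEN_STATUS = ("Invisible to the Windows API!", "Hidden from the Windows API!")

def parse_rootrepeal(text):
    """Return {section: [record, ...]}; a record maps 'Key' -> value text."""
    sections, current, record = defaultdict(list), None, {}
    lines = text.splitlines() + [""]  # sentinel blank flushes the last record
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("-----") and line.strip() and ":" not in line:
            current, record = line.strip(), {}  # a section heading
        elif current is None or line.startswith("-----"):
            continue  # report header lines or the dashed rule itself
        elif not line.strip():
            if record:  # records are separated by blank lines
                sections[current].append(record)
            record = {}
        else:
            key, _, value = line.partition(":")  # split on the first colon only
            record[key.strip()] = value.strip()
    return dict(sections)

def hidden_artifacts(sections):
    """Collect what the rootkit hides: files, drivers, services, injected DLLs."""
    files = [r["Path"] for r in sections.get("Hidden/Locked Files", [])
             if r.get("Status") in HIDDEN_STATUS]
    drivers = [r["Name"] for r in sections.get("Drivers", [])
               if r.get("Status") in HIDDEN_STATUS]
    services = [r["Service Name"] for r in sections.get("Hidden Services", [])]
    injected = defaultdict(set)  # hidden DLL -> processes it was found in
    for r in sections.get("Stealth Objects", []):
        m = re.search(r"\[Name: ([^\]]+)\]", r.get("Object", ""))
        if m:  # "Hidden Code [ETHREAD: ...]" entries carry no module name
            injected[m.group(1)].add(r.get("Process", "").split(" (PID")[0])
    return {"files": files, "drivers": drivers, "services": services,
            "injected": {k: sorted(v) for k, v in injected.items()}}

def build_avenger_script(artifacts):
    """Lay out hidden services and files in the helper's three script sections."""
    out = []
    for header in ("drivers to disable:", "drivers to delete:"):
        if artifacts["services"]:
            out += [header] + artifacts["services"] + [""]
    if artifacts["files"]:
        out += ["files to delete:"] + artifacts["files"]
    return "\n".join(out)

if __name__ == "__main__":
    found = hidden_artifacts(parse_rootrepeal(SAMPLE_LOG))
    print(found["injected"], build_avenger_script(found), sep="\n")
```

The injected-module map is the quick triage view: one DLL reported inside winlogon.exe, lsass.exe and every service process is the signature of a system-wide injector rather than a single bad process.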

 



#7 high_octane

high_octane
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Canada
  • Local time:10:55 PM

Posted 31 August 2009 - 04:29 PM

I am going to uninstall ZoneAlarm, but I want to do it after I get rid of the virus. I also don't use LimeWire and uTorrent, but I will uninstall them afterwards. I was also wondering if CCleaner is okay to use, since you said I shouldn't use Uniblue Registry Cleaner.

I don't know what happened, but after The Avenger completed the first step, my computer restarted and kept bringing up the Blue Screen of Death. I tried going into safe mode, but the BSOD still came up. Then, after four tries, my computer booted up normally. When I ran a RootRepeal scan, it said that I still had the drivers that I needed to delete.

Here is the log for RootRepeal after it booted up normally:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 17:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: hjgruisaoyktfn.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
Address: 0xAAED3000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAAF98000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7644000 Size: 81920 File Visible: No Signed: -
Status: -

Name: �虳졘蚞゘蚺
Image Path: �虳졘蚞゘蚺
Address: 0xF7DAA000 Size: 7936 File Visible: No Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiaxvjbwex.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruibcevpppv.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiboyxxmck.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruidlvykyij.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruifpxxnost.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiibardllo.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruijeyfxxmb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruilog.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruimkjlrdnj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruispjwrecqhw.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\iswtmp\logs\iswuilib.swl
Status: Allocation size mismatch (API: 96, Raw: 0)

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86566a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86566e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86567460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86567280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86566c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x865670b0

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: winlogon.exe (PID: 1540) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: services.exe (PID: 1708) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: lsass.exe (PID: 1720) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Ati2evxx.exe (PID: 1108) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruijeyfxxmb.dll]
Process: svchost.exe (PID: 1160) Address: 0x006e0000 Size: 53248

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 1160) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 1484) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: MsMpEng.exe (PID: 1740) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 1892) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 260) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 484) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 784) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: vsmon.exe (PID: 916) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: IswSvc.exe (PID: 404) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: LEXBCES.EXE (PID: 1948) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Explorer.EXE (PID: 228) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: spoolsv.exe (PID: 548) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: LEXPPS.EXE (PID: 736) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: sched.exe (PID: 424) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avfwsvc.exe (PID: 812) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avguard.exe (PID: 1772) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: AppleMobileDeviceService.exe (PID: 520) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: mDNSResponder.exe (PID: 1320) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: btwdins.exe (PID: 2196) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: cpqalert.exe (PID: 2500) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: WebDmi.exe (PID: 2924) Address: 0x003e0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: AGRSMMSG.exe (PID: 3384) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Cpqdfwag.exe (PID: 3400) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SynTPLpr.exe (PID: 3556) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SynTPEnh.exe (PID: 4012) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: atiptaxx.exe (PID: 2040) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ekrn.exe (PID: 1272) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: CHKADMIN.EXE (PID: 1252) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: EabServr.exe (PID: 1604) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: MSASCui.exe (PID: 2088) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: lxczbmgr.exe (PID: 996) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: UnlockerAssistant.exe (PID: 2472) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: lxczbmon.exe (PID: 2880) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: zlclient.exe (PID: 3124) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: EMP_UDSA.exe (PID: 3456) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: jusched.exe (PID: 3688) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: realsched.exe (PID: 2036) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: egui.exe (PID: 476) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avgnt.exe (PID: 992) Address: 0x00aa0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ctfmon.exe (PID: 2844) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NMBgMonitor.exe (PID: 2960) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SbieCtrl.exe (PID: 3060) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: TeaTimer.exe (PID: 3724) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: btdna.exe (PID: 3736) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: BTTray.exe (PID: 3992) Address: 0x003f0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: WindowsSearch.exe (PID: 248) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: MDM.EXE (PID: 3632) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NBService.exe (PID: 3444) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SbieSvc.exe (PID: 2896) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: SMAgent.exe (PID: 3452) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: svchost.exe (PID: 3928) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: TUProgSt.exe (PID: 352) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: Win32sl.exe (PID: 2172) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: WasherSvc.exe (PID: 2772) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: avmailc.exe (PID: 756) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: AVWEBGRD.EXE (PID: 2680) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: cpqdmi.exe (PID: 1316) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NMIndexingService.exe (PID: 3968) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: NMIndexStoreSvr.exe (PID: 884) Address: 0x003c0000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: alg.exe (PID: 3344) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: mantispm.exe (PID: 4176) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: forcefield.exe (PID: 5868) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ISWMGR.exe (PID: 5764) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: ISWMGR.exe (PID: 5160) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: RootRepeal.exe (PID: 800) Address: 0x10000000 Size: 32768

Object: Hidden Code [ETHREAD: 0x869e38c0]
Process: System Address: 0x86565790 Size: 1000

Hidden Services
-------------------
Service Name: hjgruigvkayxnh
Image Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada6e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada6f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada6fe0

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada24c0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada5d60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada7250

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada20a0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaada2310

==EOF==

#8 myrti


Posted 31 August 2009 - 04:51 PM

Hi,

Avenger apparently did not run correctly. Could you please check if C:\avenger.txt was created.

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#9 high_octane


Posted 01 September 2009 - 02:22 AM

I don't know what happened but my computer froze when I ran Combofix. I noticed that it got past stage 15, but the screen on my laptop turned off and I couldn't get the Combofix window back again. Then, a couple minutes later, a sound happened and the computer turned off. When I turned on the computer again, I did a RootRepeal scan.

Here is the log for the RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/01 03:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA966F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF73C4000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\program files\nero\nero8\nero backitup\biu1.txt
Status: Allocation size mismatch (API: 216, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\iswtmp\logs\iswframe.swl
Status: Allocation size mismatch (API: 368, Raw: 96)

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x86bc1630

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcffc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadccc80

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7c9b3c6

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadd0580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade4900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade4b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade8b10

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7c9b3bc

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadd0670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcd210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7c9b3cb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7c9b3d5

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade4280

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadc98c0

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7c9b3da

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade7f90

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade8d90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcd070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade6180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade5f40

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade86f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7c9b3e4

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcfbe0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7c9b3df

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadd0190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcd440

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadc96a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7c9b3d0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86bc1460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86bc1280

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade5200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade5080

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86bc10b0

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadc9af0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0xf7c9b3b2

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x86e64da8]
Process: System Address: 0x86bbf790 Size: 1000

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcee70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcef20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcefe0

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadca4c0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcdd60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadcf250

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadca0a0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaadca310

==EOF==

#10 high_octane


Posted 01 September 2009 - 02:52 AM

I noticed that the files that were causing the malware started to appear in the Windows folder, but every time I tried to quarantine them with Eset, my computer would freeze.

#11 myrti


Posted 01 September 2009 - 03:03 AM

Hi,

I noticed that the files that were causing the malware started to appear in the Windows folder, but every time I tried to quarantine them with Eset, my computer would freeze.

What were the names of the files you tried to quarantine?

Please check if you have a file C:\combofix.txt. If so, please post the content of the file here.

regards _temp_



#12 high_octane


Posted 01 September 2009 - 10:41 AM

I couldn't find a C:\combofix.txt, but these are the names of the files I tried to quarantine.

C:\WINDOWS\system32\hjgruibcevpppv.dat
C:\WINDOWS\system32\hjgruiaxvjbwex.dat
C:\WINDOWS\system32\hjgruiboyxxmck.dll
C:\WINDOWS\system32\hjgruidlvykyij.dll
C:\WINDOWS\system32\hjgruifpxxnost.dll
C:\WINDOWS\Temp\hjgruispjwrecqhw.tmp

Every time I tried to quarantine them, my computer froze except for C:\WINDOWS\Temp\hjgruispjwrecqhw.tmp.
I got to quarantine this with Eset NOD32.
The good thing is that I don't get BSOD anymore.

#13 myrti


Posted 01 September 2009 - 10:47 AM

Hi,

the files you were trying to quarantine were protected by a rootkit. ESET apparently did not see the entire infection and therefore couldn't remove the files, as they were protected by the rootkit.
It looks as if Combofix was able to disable the rootkit before crashing. However, I would like you to run Combofix once more, to see if there is anything left over and to get a log.

regards _temp_

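The conclusion above rests on comparing the two RootRepeal logs in this thread (post #7's, which ends just before reply #8, and post #9's): in the second log the hjgrui* module injected into every process, the hidden service and the files invisible to the Windows API are gone, and only hooks RootRepeal cannot attribute remain. As an added example that is not code from RootRepeal, ComboFix or anyone in this thread, the Python below parses the RootRepeal 1.3.5 text layout seen in those posts and reports what changed between two scans; the BEFORE and AFTER excerpts are constructed from the posted logs.

```python
# Added example, not code from RootRepeal, ComboFix or this thread: parse the
# RootRepeal 1.3.5 text layout seen in the posts and diff two scans' findings.
import re
from collections import Counter, defaultdict

# Constructed excerpts trimmed from the two logs posted above (before and after
# the interrupted ComboFix run); the record shapes are what the parser relies on.
BEFORE = r"""
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86566a60

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: winlogon.exe (PID: 1540) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruifpxxnost.dll]
Process: services.exe (PID: 1708) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: hjgruigvkayxnh
Image Path: C:\WINDOWS\system32\drivers\hjgruisaoyktfn.sys
"""

AFTER = r"""
SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaade6180

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86bc1460
"""

SYSCALL_RE = re.compile(r"#: (\d+) Function Name: (\S+)")
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')
MODULE_RE = re.compile(r"\[Name: ([^\]]+)\]")


def parse_rootrepeal(text):
    """Return {section: [record, ...]}; a record maps lower-cased keys to values."""
    sections, section = defaultdict(list), None
    for block in re.split(r"\n\s*\n", text.strip()):       # records are blank-line separated
        lines = block.splitlines()
        if len(lines) > 1 and lines[1].startswith("---"):  # "Name" over a dashed rule opens a section
            section, lines = lines[0].strip(), lines[2:]
        if section is None or not lines or lines[0].startswith("=="):
            continue
        record = {}
        for line in lines:
            m = SYSCALL_RE.match(line)                       # "#: 122 Function Name: NtOpenProcess"
            if m:
                record["index"], record["function"] = int(m.group(1)), m.group(2)
            else:
                key, _, value = line.partition(": ")
                record[key.strip().lower()] = value.strip()
        sections[section].append(record)
    return sections


def indicators(sections):
    """The findings a helper weighs: files hidden from the Win32 API, SSDT hooks
    RootRepeal cannot attribute to a driver image, one module injected into many
    processes (counted per host process), and services hidden from the SCM."""
    ind = {"invisible_files": set(), "unknown_hooks": {},
           "hidden_modules": Counter(), "hidden_services": set()}
    for r in sections.get("Hidden/Locked Files", []):
        if r.get("status", "").startswith("Invisible"):
            ind["invisible_files"].add(r["path"])
    for r in sections.get("SSDT", []):
        m = HOOK_RE.search(r.get("status", ""))
        if m and m.group(1) == "<unknown>":
            ind["unknown_hooks"][r["function"]] = m.group(2)
    for r in sections.get("Stealth Objects", []):
        m = MODULE_RE.search(r.get("object", ""))
        if r.get("object", "").startswith("Hidden Module") and m:
            ind["hidden_modules"][m.group(1)] += 1
    for r in sections.get("Hidden Services", []):
        ind["hidden_services"].add(r["service name"])
    return ind


def compare(before_text, after_text):
    """Diff two scans: what vanished is what the cleanup in between removed."""
    b, a = indicators(parse_rootrepeal(before_text)), indicators(parse_rootrepeal(after_text))
    return {
        "files_no_longer_invisible": sorted(b["invisible_files"] - a["invisible_files"]),
        "hidden_modules_removed": sorted(set(b["hidden_modules"]) - set(a["hidden_modules"])),
        "hidden_services_removed": sorted(b["hidden_services"] - a["hidden_services"]),
        "unknown_hooks_removed": sorted(set(b["unknown_hooks"]) - set(a["unknown_hooks"])),
        # Unattributed hooks are not proof of infection by themselves; security
        # products hook these calls too, so each survivor still needs an owner.
        "unknown_hooks_remaining": dict(sorted(a["unknown_hooks"].items())),
    }
```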


#14 high_octane


Posted 01 September 2009 - 05:13 PM

Combofix ran well and finished this time. I also noticed that there are copies of the virus files in C:\Qoobox\Quarantine\C. All of the files have .vir as an ending. Should I delete this?

Thank you so much for your help. This virus and the BSODs were really getting me mad.
I was also wondering if I could keep both Eset NOD32 and Avira on my computer, but delete Zonealarm. Would that still cause some system conflicts?

Here is the Combofix Log:

ComboFix 09-08-31.03 - Administrator 01/09/2009 17:45.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.465 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Avira Firewall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1804982807-1133249734-2558582972-500
c:\recycler\S-1-5-21-1844237615-1343024091-1060284298-500
c:\recycler\S-1-5-21-3711295879-3666256169-2073525276-500
c:\recycler\S-1-5-21-51525868-3394313851-3575892575-500
c:\windows\system32\Drivers\wihdsjys.sys
c:\windows\system32\hjgruibcevpppv.dat
c:\windows\system32\hjgruiboyxxmck.dll
c:\windows\system32\hjgruidlvykyij.dll
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruimkjlrdnj.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 19:26 . 2009-08-13 19:40 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-09-01 19:26 . 2009-08-13 19:39 340480 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-09-01 19:26 . 2009-08-13 19:39 346112 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-09-01 07:15 . 2009-09-01 07:16 -------- d-----w- c:\windows\system32\NtmsData
2009-08-31 20:36 . 2009-08-31 20:36 0 ----a-w- C:\backup.reg
2009-08-21 04:59 . 2009-08-21 04:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-08-19 18:31 . 2009-08-19 18:43 -------- d-----w- c:\program files\SpywareBlaster
2009-08-18 18:28 . 2009-08-18 18:28 -------- d-----w- c:\program files\Trend Micro
2009-08-18 06:01 . 2009-08-18 06:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-08-18 05:55 . 2009-08-18 05:55 -------- d-----w- c:\program files\Uniblue
2009-08-17 04:47 . 2009-08-28 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-17 04:47 . 2009-08-17 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-17 02:52 . 2009-08-18 05:08 -------- d-----w- c:\program files\Enigma Software Group
2009-08-13 03:00 . 2009-08-13 03:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-08-12 19:25 . 2009-08-12 19:25 -------- d-----w- c:\windows\system32\URTTEMP
2009-08-12 19:17 . 2009-08-12 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-08-12 19:14 . 2009-08-13 03:09 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-12 19:14 . 2009-08-12 19:14 -------- d-----w- c:\windows\system32\GroupPolicy
2009-08-12 19:14 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-08-12 19:14 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-08-12 19:14 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-08-12 19:12 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 19:12 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-08-12 19:12 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 19:11 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 19:11 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 19:10 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-08-12 19:10 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-12 19:10 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-12 19:10 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-08-12 19:10 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 19:10 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 16:52 . 2009-07-24 13:56 1062144 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-12 04:39 . 2009-08-12 04:39 -------- d-----w- c:\program files\Sony Setup
2009-08-11 15:41 . 2009-08-11 15:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2009-08-11 15:32 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-11 15:32 . 2009-05-08 18:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-08-11 15:32 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-11 15:32 . 2009-02-24 17:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2009-08-11 15:32 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-11 15:32 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-11 15:31 . 2009-08-11 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-11 15:31 . 2009-08-11 15:31 -------- d-----w- c:\program files\Avira
2009-08-11 04:00 . 2009-08-11 04:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-08-11 03:45 . 2009-08-12 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-11 03:37 . 2009-08-11 03:37 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-08-11 03:37 . 2009-08-11 03:37 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-08-08 20:20 . 2009-08-08 20:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-07 16:42 . 2009-08-07 16:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-06 21:32 . 2009-08-06 21:33 -------- d-----w- C:\c85e5d217ecb3e3394
2009-08-06 16:00 . 2009-08-06 18:01 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-06 14:23 . 2009-08-06 14:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2009-08-05 23:28 . 2009-08-05 23:28 -------- d-----w- c:\program files\ESET
2009-08-05 23:28 . 2009-08-05 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-05 22:09 . 2009-08-05 21:36 487704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-08-05 21:51 . 2009-08-05 21:35 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-05 21:51 . 2009-08-05 21:35 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-05 21:51 . 2009-08-05 21:35 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-05 21:51 . 2009-08-05 21:35 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-05 21:35 . 2009-08-13 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 16:37 . 2009-08-05 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-05 16:37 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 16:37 . 2009-08-05 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-05 16:37 . 2009-08-05 16:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 16:37 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 02:46 . 2009-08-05 02:46 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 21:53 . 2009-01-08 20:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-09-01 20:55 . 2009-07-11 22:02 144 ----a-w- c:\windows\system32\pdfl.dat
2009-09-01 20:53 . 2009-01-08 20:31 -------- d-----w- c:\program files\DNA
2009-09-01 16:25 . 2009-01-28 01:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache
2009-08-31 17:18 . 2009-08-31 19:35 2221056 ----a-w- c:\windows\Internet Logs\xDB40.tmp
2009-08-26 22:20 . 2008-12-15 20:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-08-26 20:29 . 2009-08-26 21:07 2207744 ----a-w- c:\windows\Internet Logs\xDB3F.tmp
2009-08-26 20:29 . 2009-08-26 21:07 177664 ----a-w- c:\windows\Internet Logs\xDB3E.tmp
2009-08-25 21:28 . 2009-08-25 21:29 151040 ----a-w- c:\windows\Internet Logs\xDB3D.tmp
2009-08-25 19:18 . 2009-08-25 19:49 2196992 ----a-w- c:\windows\Internet Logs\xDB3C.tmp
2009-08-25 19:18 . 2009-08-25 19:49 2003968 ----a-w- c:\windows\Internet Logs\xDB3B.tmp
2009-08-19 18:44 . 2009-01-09 22:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-19 01:01 . 2009-08-19 01:03 2134016 ----a-w- c:\windows\Internet Logs\xDB3A.tmp
2009-08-18 20:50 . 2009-08-19 00:37 27648 ----a-w- c:\windows\Internet Logs\xDB39.tmp
2009-08-18 20:48 . 2009-08-18 20:49 221184 ----a-w- c:\windows\Internet Logs\xDB38.tmp
2009-08-18 06:41 . 2009-08-18 14:21 2124288 ----a-w- c:\windows\Internet Logs\xDB37.tmp
2009-08-18 06:41 . 2009-08-18 14:21 14848 ----a-w- c:\windows\Internet Logs\xDB36.tmp
2009-08-18 06:39 . 2009-08-18 06:40 666112 ----a-w- c:\windows\Internet Logs\xDB35.tmp
2009-08-17 02:33 . 2009-06-29 18:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-08-15 03:04 . 2009-08-15 03:37 2068992 ----a-w- c:\windows\Internet Logs\xDB34.tmp
2009-08-14 05:49 . 2009-08-14 15:13 896512 ----a-w- c:\windows\Internet Logs\xDB33.tmp
2009-08-13 17:03 . 2007-11-02 19:38 104880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-13 05:09 . 2008-12-28 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2009-08-12 16:43 . 2009-07-04 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 04:53 . 2009-04-07 01:20 -------- d-----w- c:\program files\VideoLAN
2009-08-12 04:49 . 2009-01-14 04:28 -------- d-----w- c:\program files\Any Video Converter
2009-08-12 04:49 . 2008-12-11 05:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Any Video Converter
2009-08-12 04:44 . 2008-12-28 06:06 -------- d-----w- c:\program files\MAGIX
2009-08-11 15:45 . 2009-08-11 15:47 1853952 ----a-w- c:\windows\Internet Logs\xDB32.tmp
2009-08-11 15:45 . 2009-08-11 15:47 181248 ----a-w- c:\windows\Internet Logs\xDB31.tmp
2009-08-11 03:24 . 2009-08-11 03:25 156672 ----a-w- c:\windows\Internet Logs\xDB2F.tmp
2009-08-11 03:24 . 2009-08-11 03:26 1779200 ----a-w- c:\windows\Internet Logs\xDB30.tmp
2009-08-10 16:41 . 2009-08-10 16:44 212480 ----a-w- c:\windows\Internet Logs\xDB2E.tmp
2009-08-09 05:07 . 2009-08-09 16:56 241152 ----a-w- c:\windows\Internet Logs\xDB2D.tmp
2009-08-09 02:36 . 2009-01-28 01:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\IDM
2009-08-08 05:30 . 2009-08-08 18:45 825856 ----a-w- c:\windows\Internet Logs\xDB2C.tmp
2009-08-07 00:26 . 2009-07-11 05:30 4125045 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-05 22:08 . 2009-08-05 22:10 838888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-08-05 21:36 . 2009-08-05 22:09 11952 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-08-05 21:36 . 2009-08-05 22:10 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-08-05 21:36 . 2009-08-05 22:09 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-08-05 21:36 . 2009-08-05 22:09 79128 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgpp.dll
2009-08-05 21:25 . 2009-08-05 21:26 104960 ----a-w- c:\windows\Internet Logs\xDB2B.tmp
2009-08-05 19:34 . 2009-08-05 19:36 1623040 ----a-w- c:\windows\Internet Logs\xDB2A.tmp
2009-08-05 19:34 . 2009-08-05 19:36 139776 ----a-w- c:\windows\Internet Logs\xDB29.tmp
2009-08-05 18:12 . 2009-08-05 18:14 42496 ----a-w- c:\windows\Internet Logs\xDB28.tmp
2009-08-05 17:15 . 2009-08-05 17:16 140288 ----a-w- c:\windows\Internet Logs\xDB27.tmp
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 05:03 . 2009-08-05 14:51 1597952 ----a-w- c:\windows\Internet Logs\xDB26.tmp
2009-08-04 04:44 . 2009-08-04 15:58 114176 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2009-08-04 04:44 . 2009-08-04 15:58 1587712 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2009-08-03 19:08 . 2009-08-04 00:02 165376 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2009-08-03 06:40 . 2009-08-03 06:40 133987 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_02_23_35_32_small.dmp.zip
2009-08-03 03:33 . 2009-08-03 03:35 234496 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2009-08-01 03:18 . 2009-08-01 22:54 143872 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2009-08-01 03:18 . 2009-08-01 22:54 1574912 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2009-07-31 18:16 . 2009-08-01 00:04 213504 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2009-07-31 18:16 . 2009-08-01 00:04 1566720 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2009-07-28 19:17 . 2009-07-28 21:01 311808 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-07-26 23:01 . 2009-07-26 23:01 102425 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_07_26_00_05_21_small.dmp.zip
2009-07-25 04:28 . 2009-07-25 18:57 133632 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2009-07-25 03:50 . 2009-07-25 03:52 2746368 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-07-25 03:49 . 2009-07-25 03:52 2746368 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-07-24 21:04 . 2009-07-25 01:16 2745856 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2009-07-24 21:04 . 2009-07-25 01:16 53248 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2009-07-24 19:00 . 2009-07-24 19:44 98816 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2009-07-24 05:22 . 2009-07-24 13:12 2745344 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2009-07-23 18:06 . 2009-07-23 20:06 150528 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2009-07-22 15:21 . 2009-07-22 22:17 2741760 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2009-07-21 22:37 . 2009-07-21 22:38 2738176 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-07-21 22:37 . 2009-07-21 22:38 107008 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-07-20 22:05 . 2009-07-11 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\#ISW.FS#
2009-07-20 19:19 . 2009-07-20 21:23 2733568 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-07-20 19:18 . 2009-07-20 21:23 91136 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-07-17 19:33 . 2009-07-19 19:36 35328 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 17:31 . 2009-07-17 19:24 38400 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-07-17 05:15 . 2009-07-17 14:11 37888 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-07-17 05:05 . 2009-07-17 05:07 2727936 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-07-17 05:05 . 2009-07-17 05:07 82432 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-07-16 18:06 . 2009-07-16 21:04 197632 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-07-15 15:55 . 2009-07-15 15:56 43008 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-07-15 15:55 . 2009-07-15 15:56 2710016 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-07-15 15:54 . 2009-07-14 23:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-07-15 15:54 . 2009-07-14 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-07-15 15:38 . 2009-07-15 15:39 606720 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-07-15 15:34 . 2009-07-15 15:34 -------- d-----w- c:\program files\MSSOAP
2009-07-15 15:33 . 2009-07-14 23:06 -------- d-----w- c:\program files\Webroot
2009-07-15 06:04 . 2009-07-15 14:06 2692096 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-07-14 23:06 . 2009-07-14 23:06 -------- d-----w- c:\program files\Common Files\Webroot Shared
2009-07-14 22:58 . 2009-07-14 22:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinAVI
2009-07-14 22:57 . 2009-07-14 22:57 -------- d-----w- c:\program files\WinAVI FLV Converter
2009-07-14 22:43 . 2009-07-14 22:43 -------- d-----w- c:\program files\CCleaner
2009-07-14 21:59 . 2009-07-14 21:59 2729984 ----a-w- c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe
2009-07-14 21:55 . 2009-07-14 21:55 2328704 ----a-w- c:\windows\system32\TUKernel.exe
2009-07-14 20:32 . 2009-07-14 20:32 -------- d-----w- c:\program files\Diskeeper Corporation
2009-07-14 20:14 . 2009-07-14 20:16 316416 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-07-14 03:51 . 2009-07-14 03:51 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-07-14 03:51 . 2009-07-14 03:51 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-07-14 03:51 . 2009-07-14 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:56 1062144 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-04-13 365568]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-10 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-08 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-26 335872]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 81920]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-12 185872]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-30 88267]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZAFFRegisterTrustChecker"="-s" [X]
"ZAFFRegisterTrustCheckerIE"="-s" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-6-2 565309]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe"
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [02/01/2009 11:42 PM 149376]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [11/08/2009 11:32 AM 97608]
R1 ClntMgmt;HP Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [02/11/2007 1:17 PM 55336]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [09/04/2009 3:18 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [09/04/2009 3:21 PM 94360]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [23/01/2008 4:19 AM 501560]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [11/08/2009 11:32 AM 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [11/08/2009 11:32 AM 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/08/2009 11:32 AM 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [11/08/2009 11:32 AM 434945]
R2 cpqWebDmi;Insight Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [02/11/2007 1:24 PM 24576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [09/04/2009 3:19 PM 731840]
R2 EMP_UDSA;EMP_UDSA;c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [06/04/2009 12:55 PM 94208]
R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [12/02/2009 6:12 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [12/02/2009 6:12 AM 394632]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [13/07/2009 11:51 PM 604416]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [14/07/2009 7:03 PM 598856]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [11/08/2009 11:32 AM 69632]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [02/11/2007 1:15 PM 182101]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [06/04/2009 12:55 PM 17664]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [12/02/2009 6:11 AM 54928]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [02/11/2007 1:15 PM 5689]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [13/04/2009 12:51 PM 107520]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;c:\windows\system32\drivers\ar5211.sys [02/11/2007 1:21 PM 322560]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/08/2009 11:37 PM 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/08/2009 11:37 PM 29208]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [28/12/2008 2:45 AM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [03/01/2009 1:58 AM 544768]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 19:37]

2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-09-01 c:\windows\Tasks\User_Feed_Synchronization-{97A21F0B-270D-42E1-862E-BDAB92B3C445}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
Notify-crypt32chain - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.dogpile.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 17:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?3?7?4??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3867072624-390493748-37123352-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,b9,8b,ce,97,80,08,49,80,2e,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,b9,8b,ce,97,80,08,49,80,2e,7e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,b9,8b,ce,97,80,08,49,80,2e,7e,\

[HKEY_USERS\S-1-5-21-3867072624-390493748-37123352-500\Software\SecuROM\License information*]
"datasecu"=hex:4b,eb,f9,ec,1d,c2,ed,1c,07,2e,86,50,a1,b7,41,b7,f8,d0,68,5b,5e,
a4,a7,65,bc,1b,3b,17,87,91,35,d8,c9,01,a3,92,de,d0,2d,ea,1e,1a,c2,f4,57,f6,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b8,53,f7,e0,bd,a4,97,66,88,f7,94,71,3d,ea,cf,cb,2b,07,a4,d7,e0,
78,ff,20,e4,6d,13,b2,68,ed,a8,55,f4,86,85,c7,9f,bd,5b,e3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{fb7674c4-5f89-427a-af9b-be23ff7d0edb}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c9
"Therad"=dword:00000015
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,3b,18,4a,18,1b,2d,76,99,92,2d,3a,f2,f8,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1828)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(1964)
c:\program files\Avira\AntiVir Desktop\avsda.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
Completion time: 2009-09-01 18:01
ComboFix-quarantined-files.txt 2009-09-01 22:01

Pre-Run: 14,796,988,416 bytes free
Post-Run: 14,817,701,888 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
398 --- E O F --- 2009-08-31 17:17

#15 high_octane

  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Canada

Posted 01 September 2009 - 05:18 PM

ComboFix ran well and finished this time. I also noticed that there are copies of the virus files in C:\Qoobox\Quarantine\C. All of the files have .vir as an ending. Should I delete these?

Thank you so much for your help. This virus and the BSODs were really getting me mad.
I was also wondering if I could keep both ESET NOD32 and Avira on my computer, but delete ZoneAlarm. Would that still cause some system conflicts?

Here is the ComboFix log:

ComboFix 09-08-31.03 - Administrator 01/09/2009 17:45.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.465 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Avira Firewall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1804982807-1133249734-2558582972-500
c:\recycler\S-1-5-21-1844237615-1343024091-1060284298-500
c:\recycler\S-1-5-21-3711295879-3666256169-2073525276-500
c:\recycler\S-1-5-21-51525868-3394313851-3575892575-500
c:\windows\system32\Drivers\wihdsjys.sys
c:\windows\system32\hjgruibcevpppv.dat
c:\windows\system32\hjgruiboyxxmck.dll
c:\windows\system32\hjgruidlvykyij.dll
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruimkjlrdnj.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 19:26 . 2009-08-13 19:40 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-09-01 19:26 . 2009-08-13 19:39 340480 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-09-01 19:26 . 2009-08-13 19:39 346112 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-09-01 07:15 . 2009-09-01 07:16 -------- d-----w- c:\windows\system32\NtmsData
2009-08-31 20:36 . 2009-08-31 20:36 0 ----a-w- C:\backup.reg
2009-08-21 04:59 . 2009-08-21 04:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-08-19 18:31 . 2009-08-19 18:43 -------- d-----w- c:\program files\SpywareBlaster
2009-08-18 18:28 . 2009-08-18 18:28 -------- d-----w- c:\program files\Trend Micro
2009-08-18 06:01 . 2009-08-18 06:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-08-18 05:55 . 2009-08-18 05:55 -------- d-----w- c:\program files\Uniblue
2009-08-17 04:47 . 2009-08-28 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-17 04:47 . 2009-08-17 04:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-17 02:52 . 2009-08-18 05:08 -------- d-----w- c:\program files\Enigma Software Group
2009-08-13 03:00 . 2009-08-13 03:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-08-12 19:25 . 2009-08-12 19:25 -------- d-----w- c:\windows\system32\URTTEMP
2009-08-12 19:17 . 2009-08-12 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-08-12 19:14 . 2009-08-13 03:09 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-12 19:14 . 2009-08-12 19:14 -------- d-----w- c:\windows\system32\GroupPolicy
2009-08-12 19:14 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-08-12 19:14 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-08-12 19:14 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-08-12 19:12 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-12 19:12 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-08-12 19:12 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 19:11 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-12 19:11 . 2009-06-10 14:13 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-08-12 19:10 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-08-12 19:10 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-12 19:10 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-12 19:10 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-08-12 19:10 . 2009-06-12 12:31 80896 -c----w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-12 19:10 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 16:52 . 2009-07-24 13:56 1062144 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-08-12 04:39 . 2009-08-12 04:39 -------- d-----w- c:\program files\Sony Setup
2009-08-11 15:41 . 2009-08-11 15:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
2009-08-11 15:32 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-11 15:32 . 2009-05-08 18:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-08-11 15:32 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-11 15:32 . 2009-02-24 17:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2009-08-11 15:32 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-11 15:32 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-11 15:31 . 2009-08-11 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-11 15:31 . 2009-08-11 15:31 -------- d-----w- c:\program files\Avira
2009-08-11 04:00 . 2009-08-11 04:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-08-11 03:45 . 2009-08-12 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-11 03:37 . 2009-08-11 03:37 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-08-11 03:37 . 2009-08-11 03:37 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-08-08 20:20 . 2009-08-08 20:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-07 16:42 . 2009-08-07 16:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-06 21:32 . 2009-08-06 21:33 -------- d-----w- C:\c85e5d217ecb3e3394
2009-08-06 16:00 . 2009-08-06 18:01 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-06 14:23 . 2009-08-06 14:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2009-08-05 23:28 . 2009-08-05 23:28 -------- d-----w- c:\program files\ESET
2009-08-05 23:28 . 2009-08-05 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-05 22:09 . 2009-08-05 21:36 487704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-08-05 21:51 . 2009-08-05 21:35 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-05 21:51 . 2009-08-05 21:35 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-05 21:51 . 2009-08-05 21:35 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-08-05 21:51 . 2009-08-05 21:35 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-05 21:35 . 2009-08-13 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-05 16:37 . 2009-08-05 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-05 16:37 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 16:37 . 2009-08-05 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-05 16:37 . 2009-08-05 16:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 16:37 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 02:46 . 2009-08-05 02:46 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 21:53 . 2009-01-08 20:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-09-01 20:55 . 2009-07-11 22:02 144 ----a-w- c:\windows\system32\pdfl.dat
2009-09-01 20:53 . 2009-01-08 20:31 -------- d-----w- c:\program files\DNA
2009-09-01 16:25 . 2009-01-28 01:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache
2009-08-31 17:18 . 2009-08-31 19:35 2221056 ----a-w- c:\windows\Internet Logs\xDB40.tmp
2009-08-26 22:20 . 2008-12-15 20:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-08-26 20:29 . 2009-08-26 21:07 2207744 ----a-w- c:\windows\Internet Logs\xDB3F.tmp
2009-08-26 20:29 . 2009-08-26 21:07 177664 ----a-w- c:\windows\Internet Logs\xDB3E.tmp
2009-08-25 21:28 . 2009-08-25 21:29 151040 ----a-w- c:\windows\Internet Logs\xDB3D.tmp
2009-08-25 19:18 . 2009-08-25 19:49 2196992 ----a-w- c:\windows\Internet Logs\xDB3C.tmp
2009-08-25 19:18 . 2009-08-25 19:49 2003968 ----a-w- c:\windows\Internet Logs\xDB3B.tmp
2009-08-19 18:44 . 2009-01-09 22:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-19 01:01 . 2009-08-19 01:03 2134016 ----a-w- c:\windows\Internet Logs\xDB3A.tmp
2009-08-18 20:50 . 2009-08-19 00:37 27648 ----a-w- c:\windows\Internet Logs\xDB39.tmp
2009-08-18 20:48 . 2009-08-18 20:49 221184 ----a-w- c:\windows\Internet Logs\xDB38.tmp
2009-08-18 06:41 . 2009-08-18 14:21 2124288 ----a-w- c:\windows\Internet Logs\xDB37.tmp
2009-08-18 06:41 . 2009-08-18 14:21 14848 ----a-w- c:\windows\Internet Logs\xDB36.tmp
2009-08-18 06:39 . 2009-08-18 06:40 666112 ----a-w- c:\windows\Internet Logs\xDB35.tmp
2009-08-17 02:33 . 2009-06-29 18:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-08-15 03:04 . 2009-08-15 03:37 2068992 ----a-w- c:\windows\Internet Logs\xDB34.tmp
2009-08-14 05:49 . 2009-08-14 15:13 896512 ----a-w- c:\windows\Internet Logs\xDB33.tmp
2009-08-13 17:03 . 2007-11-02 19:38 104880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-13 05:09 . 2008-12-28 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\MAGIX
2009-08-12 16:43 . 2009-07-04 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-12 04:53 . 2009-04-07 01:20 -------- d-----w- c:\program files\VideoLAN
2009-08-12 04:49 . 2009-01-14 04:28 -------- d-----w- c:\program files\Any Video Converter
2009-08-12 04:49 . 2008-12-11 05:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Any Video Converter
2009-08-12 04:44 . 2008-12-28 06:06 -------- d-----w- c:\program files\MAGIX
2009-08-11 15:45 . 2009-08-11 15:47 1853952 ----a-w- c:\windows\Internet Logs\xDB32.tmp
2009-08-11 15:45 . 2009-08-11 15:47 181248 ----a-w- c:\windows\Internet Logs\xDB31.tmp
2009-08-11 03:24 . 2009-08-11 03:25 156672 ----a-w- c:\windows\Internet Logs\xDB2F.tmp
2009-08-11 03:24 . 2009-08-11 03:26 1779200 ----a-w- c:\windows\Internet Logs\xDB30.tmp
2009-08-10 16:41 . 2009-08-10 16:44 212480 ----a-w- c:\windows\Internet Logs\xDB2E.tmp
2009-08-09 05:07 . 2009-08-09 16:56 241152 ----a-w- c:\windows\Internet Logs\xDB2D.tmp
2009-08-09 02:36 . 2009-01-28 01:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\IDM
2009-08-08 05:30 . 2009-08-08 18:45 825856 ----a-w- c:\windows\Internet Logs\xDB2C.tmp
2009-08-07 00:26 . 2009-07-11 05:30 4125045 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-05 22:08 . 2009-08-05 22:10 838888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-08-05 21:36 . 2009-08-05 22:09 11952 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-08-05 21:36 . 2009-08-05 22:10 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-08-05 21:36 . 2009-08-05 22:09 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-08-05 21:36 . 2009-08-05 22:09 79128 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgpp.dll
2009-08-05 21:25 . 2009-08-05 21:26 104960 ----a-w- c:\windows\Internet Logs\xDB2B.tmp
2009-08-05 19:34 . 2009-08-05 19:36 1623040 ----a-w- c:\windows\Internet Logs\xDB2A.tmp
2009-08-05 19:34 . 2009-08-05 19:36 139776 ----a-w- c:\windows\Internet Logs\xDB29.tmp
2009-08-05 18:12 . 2009-08-05 18:14 42496 ----a-w- c:\windows\Internet Logs\xDB28.tmp
2009-08-05 17:15 . 2009-08-05 17:16 140288 ----a-w- c:\windows\Internet Logs\xDB27.tmp
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 05:03 . 2009-08-05 14:51 1597952 ----a-w- c:\windows\Internet Logs\xDB26.tmp
2009-08-04 04:44 . 2009-08-04 15:58 114176 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2009-08-04 04:44 . 2009-08-04 15:58 1587712 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2009-08-03 19:08 . 2009-08-04 00:02 165376 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2009-08-03 06:40 . 2009-08-03 06:40 133987 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_02_23_35_32_small.dmp.zip
2009-08-03 03:33 . 2009-08-03 03:35 234496 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2009-08-01 03:18 . 2009-08-01 22:54 143872 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2009-08-01 03:18 . 2009-08-01 22:54 1574912 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2009-07-31 18:16 . 2009-08-01 00:04 213504 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2009-07-31 18:16 . 2009-08-01 00:04 1566720 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2009-07-28 19:17 . 2009-07-28 21:01 311808 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2009-07-26 23:01 . 2009-07-26 23:01 102425 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_07_26_00_05_21_small.dmp.zip
2009-07-25 04:28 . 2009-07-25 18:57 133632 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2009-07-25 03:50 . 2009-07-25 03:52 2746368 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-07-25 03:49 . 2009-07-25 03:52 2746368 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2009-07-24 21:04 . 2009-07-25 01:16 2745856 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2009-07-24 21:04 . 2009-07-25 01:16 53248 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2009-07-24 19:00 . 2009-07-24 19:44 98816 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2009-07-24 05:22 . 2009-07-24 13:12 2745344 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2009-07-23 18:06 . 2009-07-23 20:06 150528 ----a-w- c:\windows\Internet Logs\xDB15.tmp
2009-07-22 15:21 . 2009-07-22 22:17 2741760 ----a-w- c:\windows\Internet Logs\xDB14.tmp
2009-07-21 22:37 . 2009-07-21 22:38 2738176 ----a-w- c:\windows\Internet Logs\xDB13.tmp
2009-07-21 22:37 . 2009-07-21 22:38 107008 ----a-w- c:\windows\Internet Logs\xDB12.tmp
2009-07-20 22:05 . 2009-07-11 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\#ISW.FS#
2009-07-20 19:19 . 2009-07-20 21:23 2733568 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-07-20 19:18 . 2009-07-20 21:23 91136 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-07-17 19:33 . 2009-07-19 19:36 35328 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 17:31 . 2009-07-17 19:24 38400 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-07-17 05:15 . 2009-07-17 14:11 37888 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-07-17 05:05 . 2009-07-17 05:07 2727936 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-07-17 05:05 . 2009-07-17 05:07 82432 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-07-16 18:06 . 2009-07-16 21:04 197632 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-07-15 15:55 . 2009-07-15 15:56 43008 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-07-15 15:55 . 2009-07-15 15:56 2710016 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-07-15 15:54 . 2009-07-14 23:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-07-15 15:54 . 2009-07-14 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-07-15 15:38 . 2009-07-15 15:39 606720 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-07-15 15:34 . 2009-07-15 15:34 -------- d-----w- c:\program files\MSSOAP
2009-07-15 15:33 . 2009-07-14 23:06 -------- d-----w- c:\program files\Webroot
2009-07-15 06:04 . 2009-07-15 14:06 2692096 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-07-14 23:06 . 2009-07-14 23:06 -------- d-----w- c:\program files\Common Files\Webroot Shared
2009-07-14 22:58 . 2009-07-14 22:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\WinAVI
2009-07-14 22:57 . 2009-07-14 22:57 -------- d-----w- c:\program files\WinAVI FLV Converter
2009-07-14 22:43 . 2009-07-14 22:43 -------- d-----w- c:\program files\CCleaner
2009-07-14 21:59 . 2009-07-14 21:59 2729984 ----a-w- c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe
2009-07-14 21:55 . 2009-07-14 21:55 2328704 ----a-w- c:\windows\system32\TUKernel.exe
2009-07-14 20:32 . 2009-07-14 20:32 -------- d-----w- c:\program files\Diskeeper Corporation
2009-07-14 20:14 . 2009-07-14 20:16 316416 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-07-14 03:51 . 2009-07-14 03:51 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-07-14 03:51 . 2009-07-14 03:51 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-07-14 03:51 . 2009-07-14 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\TuneUp Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:56 1062144 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-04-13 365568]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-10 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-08 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-26 335872]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 81920]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-12 185872]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-30 88267]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ZAFFRegisterTrustChecker"="-s" [X]
"ZAFFRegisterTrustCheckerIE"="-s" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-6-2 565309]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe"
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [02/01/2009 11:42 PM 149376]
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [11/08/2009 11:32 AM 97608]
R1 ClntMgmt;HP Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [02/11/2007 1:17 PM 55336]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [09/04/2009 3:18 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [09/04/2009 3:21 PM 94360]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [23/01/2008 4:19 AM 501560]
R2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [11/08/2009 11:32 AM 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [11/08/2009 11:32 AM 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/08/2009 11:32 AM 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [11/08/2009 11:32 AM 434945]
R2 cpqWebDmi;Insight Web Agent;c:\progra~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [02/11/2007 1:24 PM 24576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [09/04/2009 3:19 PM 731840]
R2 EMP_UDSA;EMP_UDSA;c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [06/04/2009 12:55 PM 94208]
R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [12/02/2009 6:12 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [12/02/2009 6:12 AM 394632]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [13/07/2009 11:51 PM 604416]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [14/07/2009 7:03 PM 598856]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [11/08/2009 11:32 AM 69632]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [02/11/2007 1:15 PM 182101]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [06/04/2009 12:55 PM 17664]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [12/02/2009 6:11 AM 54928]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [02/11/2007 1:15 PM 5689]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [13/04/2009 12:51 PM 107520]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;c:\windows\system32\drivers\ar5211.sys [02/11/2007 1:21 PM 322560]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [10/08/2009 11:37 PM 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/08/2009 11:37 PM 29208]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [28/12/2008 2:45 AM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [03/01/2009 1:58 AM 544768]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 19:37]

2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-09-01 c:\windows\Tasks\User_Feed_Synchronization-{97A21F0B-270D-42E1-862E-BDAB92B3C445}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
Notify-crypt32chain - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.dogpile.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\opjqsme5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 17:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?3?7?4??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3867072624-390493748-37123352-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,b9,8b,ce,97,80,08,49,80,2e,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,b9,8b,ce,97,80,08,49,80,2e,7e,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,b9,8b,ce,97,80,08,49,80,2e,7e,\

[HKEY_USERS\S-1-5-21-3867072624-390493748-37123352-500\Software\SecuROM\License information*]
"datasecu"=hex:4b,eb,f9,ec,1d,c2,ed,1c,07,2e,86,50,a1,b7,41,b7,f8,d0,68,5b,5e,
a4,a7,65,bc,1b,3b,17,87,91,35,d8,c9,01,a3,92,de,d0,2d,ea,1e,1a,c2,f4,57,f6,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b8,53,f7,e0,bd,a4,97,66,88,f7,94,71,3d,ea,cf,cb,2b,07,a4,d7,e0,
78,ff,20,e4,6d,13,b2,68,ed,a8,55,f4,86,85,c7,9f,bd,5b,e3,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{fb7674c4-5f89-427a-af9b-be23ff7d0edb}]
@Denied: (Full) (Everyone)
"Model"=dword:000000c9
"Therad"=dword:00000015
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,3b,18,4a,18,1b,2d,76,99,92,2d,3a,f2,f8,fd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1828)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(1964)
c:\program files\Avira\AntiVir Desktop\avsda.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
Completion time: 2009-09-01 18:01
ComboFix-quarantined-files.txt 2009-09-01 22:01

Pre-Run: 14,796,988,416 bytes free
Post-Run: 14,817,701,888 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
398 --- E O F --- 2009-08-31 17:17
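The ComboFix output above is a raw dump; what a responder does with it is read a few sections against a checklist. The script below is an added example, not part of the original post and not ComboFix's own code. It parses the Find3M report, the Run keys, the firewall policy block, the service list, the orphan list and the locked keys from a constructed excerpt assembled out of lines of the posted log, then applies review rules that are this example's own assumptions: firewall profile off, file-sharing clients in the exception list, more than one resident antivirus, pre-existing system32 binaries rewritten inside the report window, CLSID keys locked against Everyone, and autostart entries whose file is gone. A hit is a place to look, not a verdict; the vendor token list and the rule set are assumptions, and the signature check it asks for is done separately with a tool such as sigcheck.

```python
"""Triage helper for ComboFix logs of the kind posted above (added example,
not ComboFix code). SAMPLE_LOG is a constructed excerpt built from lines of
the posted log; the rules in triage() are this example's own assumptions."""
import re

SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 21:55 . 2009-07-14 21:55 2328704 ----a-w- c:\windows\system32\TUKernel.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-30 88267]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [11/08/2009 11:32 AM 97608]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [09/04/2009 3:19 PM 731840]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [10/08/2009 11:37 PM 29208]

- - - - ORPHANS REMOVED - - - -
Notify-crypt32chain - (no file)

--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"""

# Line shapes of the ComboFix sections handled here (Find3M: modified . created size attrs path).
FIND3M_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
                       r"(-{8}|\d+) ([-a-z]{8}) (.+)$")
RUNVAL_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?: - (.+?))? \[(\d{4}-\d\d-\d\d) (\d+)\]$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.+)\]$")
KEY_RE = re.compile(r"^\[(.+)\]$")
P2P_MARKERS = ("limewire", "utorrent", "bittorrent", "btdna")  # assumption
AV_VENDORS = {"avg", "avira", "eset"}  # assumption: vendor names seen as path/display tokens


def parse(log_text):
    """Single pass over the log; the most recent [registry key] line gives context."""
    rec = {"find3m": [], "run": [], "services": [], "fw_apps": [],
           "orphans": [], "locked": [], "fw_enabled": None}
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            continue
        lkey = key.lower()
        if line.startswith("@Denied:"):
            rec["locked"].append((key, line))
        elif (m := FIND3M_RE.match(line)):
            rec["find3m"].append({"modified": m.group(1), "created": m.group(2),
                                  "size": m.group(3), "attrs": m.group(4), "path": m.group(5)})
        elif lkey.endswith("\\run") and (m := RUNVAL_RE.match(line)):
            # "name"="file" - fullpath [date size] puts the resolved path in group 3
            rec["run"].append({"key": key, "name": m.group(1), "path": m.group(3) or m.group(2),
                               "date": m.group(4), "size": int(m.group(5))})
        elif "firewallpolicy" in lkey and line.startswith('"EnableFirewall"='):
            rec["fw_enabled"] = line.split("=", 1)[1].strip().startswith("1")
        elif lkey.endswith("authorizedapplications\\list") and line.endswith("="):
            rec["fw_apps"].append(line.strip('"=').replace("\\\\", "\\"))
        elif (m := SERVICE_RE.match(line)):
            rec["services"].append({"start": m.group(1), "name": m.group(2),
                                    "display": m.group(3), "path": m.group(4)})
        elif line.endswith("- (no file)"):
            rec["orphans"].append(line)
    return rec


def vendors_in(text):
    """Whole-token match so Avira's avgnt.exe is not mistaken for AVG."""
    return AV_VENDORS & set(re.findall(r"[a-z0-9]+", text.lower()))


def triage(log_text):
    """Return (tag, message) leads a responder would follow up by hand."""
    rec, out = parse(log_text), []
    if rec["fw_enabled"] is False:
        out.append(("review", "Windows Firewall standard profile is off (EnableFirewall=0)"))
    p2p = [a for a in rec["fw_apps"] if any(mk in a.lower() for mk in P2P_MARKERS)]
    if p2p:
        out.append(("review", "P2P clients allowed through the firewall: " + ", ".join(p2p)))
    vendors = set()
    for e in rec["run"]:
        vendors |= vendors_in(e["name"] + " " + e["path"])
    for s in rec["services"]:
        vendors |= vendors_in(s["display"] + " " + s["path"])
    if len(vendors) > 1:
        out.append(("review", "more than one resident AV product: " + ", ".join(sorted(vendors))))
    for f in rec["find3m"]:
        in_sys32 = f["path"].lower().startswith("c:\\windows\\system32\\")
        rewritten = f["created"][:10] < f["modified"][:10]  # older file, recent write
        if in_sys32 and not f["attrs"].startswith("d") and rewritten:
            out.append(("verify-signature", f"pre-existing system32 file rewritten {f['modified']}: {f['path']}"))
    for key, line in rec["locked"]:
        if "\\clsid\\" in key.lower() and "(everyone)" in line.lower():
            out.append(("inspect", "CLSID key with Everyone denied: " + key))
    for o in rec["orphans"]:
        out.append(("info", "autostart entry whose file is gone: " + o))
    return out


if __name__ == "__main__":
    for tag, msg in triage(SAMPLE_LOG):
        print(f"[{tag}] {msg}")
```

Run it as a script to print the leads for the embedded excerpt, or pass a whole saved log to triage(). Each rule fires on conditions that are often legitimate (a third-party firewall such as ZoneAlarm standing in for the Windows one, a vendor update replacing a system DLL), so the output is a list of places to look first, not a list of infections.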