
Rootkits, trojans, and on and on.


  • This topic is locked
16 replies to this topic

#1 polskamachina

  • Malware Response Team
  • 4,004 posts
Posted 21 August 2009 - 04:58 PM

This Compaq laptop with XP did not have any AV software installed. It finally just stopped at logon with a data execution prevention notice. The desktop icons did not appear or the start menu. I booted back to safe mode and was able to download the malwarebytes and superantispyware programs from another pc and load it onto the infected pc. After several scans, I am sure there is still much more work to be done. Here are the logs as requested by the forum operators. Thanks for your help.


DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Luis Torres at 14:44:34.28 on Fri 08/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.766 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
E:\Adaware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = about:blank
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: Wallpaper =
IE: Crawler Search - tbr:iemenu
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfGaYQk

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luisto~1\applic~1\mozilla\firefox\profiles\few5pkw3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 Winah06;Winah06;c:\windows\system32\drivers\winah06.sys --> c:\windows\system32\drivers\Winah06.sys [?]
S0 Winfm63;Winfm63;c:\windows\system32\drivers\winfm63.sys --> c:\windows\system32\drivers\Winfm63.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
S2 gupdate1c9a59929fb59cc;Google Update Service (gupdate1c9a59929fb59cc);c:\program files\google\update\GoogleUpdate.exe [2009-3-15 133104]
S2 ikviw;ikviw;c:\windows\system32\drivers\ysdzb.sys [2009-8-21 61440]
S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-6-22 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-6-22 8320]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2008-6-2 264576]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\drivers\TEUSBMU.sys [2006-8-8 20992]
S4 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-11 24576]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-08-21 14:34 61,440 a------- c:\windows\system32\drivers\ysdzb.sys
2009-08-21 13:37 <DIR> --d----- c:\documents and settings\luis torres\DoctorWeb
2009-08-21 10:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-21 10:41 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-21 10:41 <DIR> --d----- c:\docume~1\luisto~1\applic~1\SUPERAntiSpyware.com
2009-08-21 10:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-20 17:22 744,960 a------- c:\windows\system32\wscsvc32.exe
2009-08-20 17:22 257,536 a------- c:\windows\system32\resdll.dll
2009-08-20 16:25 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

==================== Find3M ====================

2009-08-21 13:44 111,616 a------- c:\windows\system32\netdde.exe
2009-08-21 13:43 45,056 a------- c:\windows\system32\alg.exe
2009-08-21 13:43 1,055,232 a------- c:\windows\explorer.exe
2009-08-20 17:20 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-08-17 16:35 19,900,703 a------- c:\program files\PROCESSLIST.DB
2009-08-17 16:35 1,217,765 a------- c:\program files\PROCESSLISTRELATED.DB
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-28 20:12 90,112 a------- c:\windows\DUMP6755.tmp
2009-07-03 10:26 90,112 a------- c:\windows\DUMP5ee8.tmp
2009-07-02 23:39 262,144 a------- C:\ntuser.dat
2009-07-02 13:59 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-07-02 13:59 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-05-05 18:41 1,118 a------- c:\docume~1\luisto~1\applic~1\wklnhst.dat
2007-12-24 13:53 4,096 a------- c:\documents and settings\luis torres\repl.dat
2006-07-26 08:43 410,624 a------- c:\documents and settings\luis torres\remote.exe
2008-06-02 13:52 5,755 a--sh--- c:\windows\system32\kQYaGfhk.ini2

============= FINISH: 14:45:51.50 ===============


Malwarebytes' Anti-Malware 1.40
Database version: 2658
Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/21/2009 2:32:33 PM
mbam-log-2009-08-21 (14-32-33).txt

Scan type: Quick Scan
Objects scanned: 110540
Time elapsed: 16 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 15
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410cde-6f16-42ce-9d49-3807f78f0287} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bfc08cff-c737-4433-bd5a-0ee7efcfee54} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\evdoserver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\evdoserver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_89601201390.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Luis Torres\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
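As an added example (not code from the original post, nor from DDS, OTL, MBAM or BleepingComputer), the Python below applies the kind of triage the helpers do by eye to lines copied from the DDS log above and from the OTL log in post #8: an extra LSA authentication package, a service backed by a driver file created on the day of the scan, a boot-start driver whose file is missing, and a core Windows binary running from the wrong folder. The severity levels, the seven-day window and the expected-location table are assumptions made for illustration.

```python
# Triage helper for the DDS and OTL log lines posted in this thread. This is an
# added example, not part of any post here and not code from DDS, OTL, MBAM or
# BleepingComputer. The sample lines are copied from the logs in the thread; the
# severity levels, the 7-day window and the expected-location table are
# assumptions for illustration (Windows XP layout, system drive C:).
import re
from datetime import date

# DDS service/driver line; a trailing "[?]" means DDS could not stat the file.
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);[^;]*;(.*?)\s*\[(\?|\d{4}-\d{1,2}-\d{1,2} \d+)\]$")
# DDS "Created Last 30" / "Find3M" line: date time size attributes path.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} ([\d,]+|<DIR>) \S+ (.+)$")
# OTL running-process line: PRC - [stamp | size | flags] (publisher) -- path
PRC_RE = re.compile(r"^PRC - \[.*?\] \((.*?)\) -- (.+)$")

# Where these core XP binaries normally live; a copy anywhere else is a masquerade.
EXPECTED_DIR = {
    "services.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
EXEC_EXT = (".exe", ".dll", ".sys")
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def triage(lines, scan_date, recent_days=7):
    """Return (severity, reason, line) tuples for lines worth a responder's attention."""
    findings, flagged = [], set()
    created = {}  # lowercase path -> (creation date, original line)
    for line in lines:
        m = CREATED_RE.match(line)
        if m and m.group(2) != "<DIR>":
            created[m.group(3).lower()] = (date.fromisoformat(m.group(1)), line)

    for line in lines:
        if line.lower().startswith("lsa: authentication packages"):
            # Only msv1_0 belongs here; any extra entry is loaded into lsass.exe at boot.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(("HIGH", f"extra LSA authentication package {pkg}", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, path, stamp = m.groups()
            path = path.split("-->")[-1].strip().lower()
            if stamp == "?" and start == "S0":
                findings.append(("MEDIUM", f"boot-start driver {name} has a missing file", line))
            elif path in created and (scan_date - created[path][0]).days <= recent_days:
                findings.append(("HIGH", f"service {name} is backed by a file created {created[path][0]}", line))
                flagged.add(path)
            continue
        m = PRC_RE.match(line)
        if m:
            publisher, path = m.group(1).strip(), m.group(2).strip().lower()
            folder, _, base = path.rpartition("\\")
            expected = EXPECTED_DIR.get(base)
            if expected and folder != expected:
                findings.append(("HIGH", f"{base} running from {folder}, expected {expected}", line))
            elif not publisher and folder.startswith(r"c:\windows"):
                findings.append(("MEDIUM", f"process with no publisher in Windows directory: {base}", line))

    # Recently created executables under system32 that no service line already explained.
    for path, (when, line) in created.items():
        if path in flagged or not path.endswith(EXEC_EXT):
            continue
        if r"\windows\system32" in path and (scan_date - when).days <= recent_days:
            findings.append(("LOW", "new executable under system32", line))
    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


# Lines copied from the DDS (post #1) and OTL (post #8) logs in this thread.
SAMPLE = [
    r"S2 ikviw;ikviw;c:\windows\system32\drivers\ysdzb.sys [2009-8-21 61440]",
    r"S0 Winah06;Winah06;c:\windows\system32\drivers\winah06.sys --> c:\windows\system32\drivers\Winah06.sys [?]",
    r"S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\khfGaYQk",
    r"2009-08-21 14:34 61,440 a------- c:\windows\system32\drivers\ysdzb.sys",
    r"2009-08-20 17:22 744,960 a------- c:\windows\system32\wscsvc32.exe",
    r"2009-08-21 13:37 <DIR> --d----- c:\documents and settings\luis torres\DoctorWeb",
    r"PRC - [2009/08/21 13:43:53 | 01,055,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE",
    r"PRC - [2009/08/25 11:20:28 | 00,104,960 | ---- | M] () -- C:\WINDOWS\services.exe",
    r"PRC - [2009/08/25 11:20:27 | 00,019,456 | ---- | M] () -- C:\WINDOWS\System32\E.tmp",
]


def triage_sample():
    """Run the triage over the sample lines using the DDS run date (21 Aug 2009)."""
    return triage(SAMPLE, date(2009, 8, 21))


if __name__ == "__main__":
    for severity, reason, line in triage_sample():
        print(f"[{severity}] {reason}\n    {line}")
```

The hamachi driver and Explorer.EXE pass every check, which is the point of correlating the service list with the creation dates and the expected folders rather than flagging on names alone.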



#2 Buckeye_Sam

  • Malware Expert
  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio
Posted 23 August 2009 - 04:11 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 polskamachina

  • Topic Starter
  • Malware Response Team
  • 4,004 posts
Posted 24 August 2009 - 12:29 PM

Hi Sam,

I got the following message after attempting run ComboFix: "!!ALERT!! It is NOT SAFE to continue! The contents of the ComboFix package has been compromised. Please download a fresh copy..." etc, etc. "You may be infected with a file patching virus 'Virut'

So I downloaded it again and got the same message when trying to run it.

Thanks for your help in this matter.

#4 polskamachina

  • Topic Starter
  • Malware Response Team
  • 4,004 posts

Posted 24 August 2009 - 12:30 PM

By the way, I downloaded it in both normal mode and safe mode and got the same message.

#5 Buckeye_Sam

  • Malware Expert
  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 24 August 2009 - 01:41 PM

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32


Please post the contents of the log from DrWeb in your next reply.



====================


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#6 polskamachina

  • Topic Starter
  • Malware Response Team
  • 4,004 posts

Posted 25 August 2009 - 10:48 AM

I ran the Dr. Web Cure-it in safe mode. It ran for 6 hours, found about 135 infections which it either cured or deleted. The infections were in all types of files. Mp3's, exe, dll. Then, the computer just turned off as I was watching the scan in operation. I restarted the computer the next day and did the express scan, it found one infection in the windows\system32 folder. I'm fairly certain it was one of the same files that was infected the first time I ran the scan. I then tried to run Combo-fix and still got the error message that I had to redownload it. So what's the next step?

Thanks.

#7 Buckeye_Sam

  • Malware Expert
  • Members
  • 17,382 posts
  • Location:Pickerington, Ohio

Posted 25 August 2009 - 12:27 PM

Please post a new Rootrepeal log.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.


#8 polskamachina

  • Topic Starter
  • Malware Response Team
  • 4,004 posts

Posted 25 August 2009 - 01:40 PM

Just a quick note before we leave the Dr. Web program. Every time I've tried to run it since this morning, I get a bsod with a page_fault_in_nonpaged_area error. The .sys file that it singles out changes each time the program crashes. One of them was, M0aks14b.sys. The file names usually don't make much sense if that's of any help. Now for the OTL log. (There is also an extras.txt file which I did not paste. Let me know if you need to see that too.)

Thanks!

-----

OTL logfile created on: 8/25/2009 11:23:22 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Utility\DrWebCureIt
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 601.06 Mb Available Physical Memory | 59.25% Memory free
2.39 Gb Paging File | 1.99 Gb Available in Paging File | 83.41% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 31.25 Gb Free Space | 55.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TORRES
Current User Name: Luis Torres
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/08/21 13:44:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe
PRC - [2009/08/25 08:34:10 | 00,069,632 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brss01a.exe
PRC - [2009/03/04 20:56:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/03/15 11:09:07 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2009/08/21 13:42:26 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2009/08/21 13:43:53 | 01,055,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/05/26 21:06:32 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
PRC - [2009/04/24 22:27:50 | 00,636,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/21 13:45:24 | 00,249,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/08/25 11:20:27 | 00,060,928 | ---- | M] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
PRC - [2009/08/25 11:20:27 | 00,019,456 | ---- | M] () -- C:\WINDOWS\System32\E.tmp
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 11:20:28 | 00,104,960 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 11:20:28 | 00,104,960 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2009/08/25 11:20:28 | 00,104,960 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2009/08/25 11:22:53 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Utility\DrWebCureIt\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/06/23 11:30:11 | 00,774,144 | ---- | M] () -- c:\program files\common files\akamai\rswin_3538.dll -- (Akamai [Auto | Running])
SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])
SRV - [2005/09/23 08:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/05/15 18:24:33 | 00,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Disabled | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled | Stopped])
SRV - File not found -- -- (brmfrmps [Auto | Stopped])
SRV - [2009/08/21 13:44:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
SRV - [2005/09/23 08:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2006/12/07 22:17:44 | 00,537,480 | ---- | M] ( ) -- C:\WINDOWS\System32\dlcicoms.exe -- (dlci_device [Disabled | Stopped])
SRV - [2009/08/21 13:43:57 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/15 11:09:07 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a59929fb59cc [Auto | Stopped])
SRV - [2009/03/24 09:47:00 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/08/21 13:42:53 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\SHARED\HPQWMI.exe -- (hpqwmi [On_Demand | Stopped])
SRV - [2009/08/21 13:42:37 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/08/21 13:43:56 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [Disabled | Stopped])
SRV - [2009/03/04 20:56:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/05/15 18:24:33 | 02,086,592 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate [Disabled | Stopped])
SRV - [2009/08/21 13:42:51 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService [Disabled | Stopped])
SRV - [2009/08/21 13:43:57 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/08/21 13:44:33 | 00,077,824 | ---- | M] (HP) -- C:\WINDOWS\System32\HPHipm11.exe -- (Pml Driver HPH11 [Disabled | Stopped])
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Running])
SRV - [2009/08/21 13:43:30 | 00,638,464 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [Disabled | Stopped])
SRV - [2009/08/21 13:42:26 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Auto | Running])
SRV - [2007/01/19 13:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2009/08/21 13:43:41 | 00,024,576 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Disabled | Stopped])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2009/08/21 13:43:43 | 00,913,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2004/10/06 01:29:50 | 00,129,280 | R--- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2005/04/13 03:12:38 | 01,066,278 | R--- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2005/01/31 10:23:08 | 00,109,319 | R--- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2003/12/19 20:15:50 | 00,015,263 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])
DRV - [2004/06/12 04:27:18 | 00,051,712 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrSerIf.sys -- (BrSerIf [On_Demand | Stopped])
DRV - [2004/01/10 03:28:18 | 00,011,648 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbSer.sys -- (BrUsbSer [On_Demand | Stopped])
DRV - [2006/01/06 12:07:26 | 00,050,896 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\hphid411.sys -- (Dot4 HPH11 [On_Demand | Stopped])
DRV - [2006/01/06 12:07:27 | 00,016,112 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\hphipr11.sys -- (Dot4Print HPH11 [On_Demand | Stopped])
DRV - [2006/01/06 12:07:27 | 00,050,276 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\Drivers\hphs2k11.sys -- (Dot4Storage HPH11 [On_Demand | Stopped])
DRV - [2006/01/06 12:07:27 | 00,018,928 | ---- | M] (HP) -- C:\WINDOWS\System32\drivers\hphius11.sys -- (Dot4Usb HPH11 [On_Demand | Stopped])
DRV - [2006/05/18 16:48:50 | 00,047,249 | ---- | M] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftdibus.sys -- (FTDIBUS [On_Demand | Stopped])
DRV - [2003/11/10 22:09:48 | 00,057,372 | R--- | M] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftser2k.sys -- (FTSER2K [On_Demand | Stopped])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/09/27 17:12:30 | 00,010,664 | ---- | M] (Applied Networking Inc.) -- C:\WINDOWS\System32\DRIVERS\gan_adapter.sys -- (hamachi_oem [On_Demand | Stopped])
DRV - [2005/02/08 04:00:12 | 00,804,572 | R--- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2008/05/14 13:39:24 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM [Auto | Running])
DRV - [2002/09/20 03:53:34 | 00,235,100 | R--- | M] (Analog Devices Inc) -- C:\WINDOWS\System32\drivers\MidiSyn.sys -- (MidiSyn [On_Demand | Stopped])
DRV - [2009/01/26 15:13:41 | 00,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50 [On_Demand | Stopped])
DRV - [2009/01/26 15:13:39 | 00,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50 [On_Demand | Stopped])
DRV - [2009/03/19 14:48:18 | 00,136,704 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdnsu.sys -- (nmwcdnsu [On_Demand | Stopped])
DRV - [2009/03/19 14:48:12 | 00,008,320 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc [On_Demand | Stopped])
DRV - [2009/08/25 11:21:20 | 00,626,336 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntfs.sys -- (Ntfs [Disabled | Running])
DRV - [2005/04/01 17:59:14 | 00,065,152 | ---- | M] (Novatel Wireless Inc.) -- C:\WINDOWS\System32\DRIVERS\nwusbmdm.sys -- (NWUSBModem [On_Demand | Stopped])
DRV - [2005/04/01 17:59:14 | 00,065,152 | ---- | M] (Novatel Wireless Inc.) -- C:\WINDOWS\System32\DRIVERS\nwusbser.sys -- (NWUSBPort [On_Demand | Stopped])
DRV - [2004/06/18 10:36:24 | 00,016,772 | ---- | M] (Palm, Inc.) -- C:\WINDOWS\System32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
DRV - [2008/08/26 10:26:12 | 00,018,816 | ---- | M] (Nokia) -- C:\WINDOWS\System32\DRIVERS\pccsmcfd.sys -- (pccsmcfd [On_Demand | Stopped])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/04/25 02:03:00 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/03 15:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2007/07/18 08:40:08 | 00,264,576 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\RTL8187B.sys -- (RTL8187B [On_Demand | Stopped])
DRV - [2009/08/05 16:06:28 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/08/05 16:06:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/08/05 16:06:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/04/26 01:49:56 | 00,381,056 | R--- | M] (Sensaura) -- C:\WINDOWS\System32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
DRV - [2004/09/01 11:17:46 | 00,259,648 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2005/01/14 06:36:20 | 00,020,992 | R--- | M] (Panasonic Communications Co., Ltd.) -- C:\WINDOWS\System32\Drivers\TEUSBMU.sys -- (TEUSBMU [On_Demand | Stopped])
DRV - [2005/04/04 09:25:36 | 00,160,768 | R--- | M] (Texas Instruments) -- C:\WINDOWS\System32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2005/06/20 07:42:24 | 03,281,408 | R--- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Stopped])
DRV - [2008/04/13 11:45:38 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,AutoSearch = http://ie.search.msn.com/{SUB_RFC1766}/src...autosearch.aspx
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\S-1-5-21-1004336348-152049171-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Live Search"
FF - prefs.js..browser.search.defaulturl: "http://search.live.com/results.aspx?FORM=SOLTDF&q="
FF - prefs.js..browser.search.selectedEngine: "Live Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:0.7.5.4
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081010W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.712
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.1.20080205
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.1
FF - prefs.js..keyword.URL: "http://search.live.com/results.aspx?FORM=SOLTDF&q="


FF - HKLM\software\mozilla\FireFox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/11/16 10:38:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\FireFox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/04 20:56:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\FireFox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/06/22 20:23:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/04/17 22:17:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/04/17 22:19:58 | 00,000,000 | ---D | M]

[2009/03/02 12:19:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Extensions
[2009/03/02 12:19:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/20 17:22:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions
[2009/08/20 17:22:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/06/02 16:59:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/03/06 21:03:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions\DefaultManager@Microsoft
[2009/08/20 17:22:10 | 00,001,958 | ---- | M] () -- C:\Documents and Settings\Luis Torres\Application Data\Mozilla\FireFox\Profiles\few5pkw3.default\searchplugins\bing.xml
[2009/03/04 20:56:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/11/16 10:38:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/04 20:56:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2008/07/02 18:52:45 | 00,023,040 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2008/07/02 18:52:46 | 00,134,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/04 20:56:18 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/07/02 18:52:47 | 00,065,536 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2008/10/14 22:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/04/17 22:19:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/04/17 22:19:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/04/17 22:19:58 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2008/07/02 09:31:38 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/07/02 09:31:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/07/02 09:31:38 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/07/02 09:31:38 | 00,002,642 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/07/02 09:31:38 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/07/02 09:31:38 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/07/02 09:31:38 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (26 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 jL.chura.pl
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll File not found
O4 - HKLM..\Run: [32765] C:\WINDOWS\System32\E.tmp.exe File not found
O4 - HKLM..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe (Heaventools Software)
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKLM..\Run: [services] C:\WINDOWS\services.exe ()
O4 - HKU\.DEFAULT..\Run: [reader_s] C:\Documents and Settings\Luis Torres\reader_s.exe (Heaventools Software)
O4 - HKU\S-1-5-18..\Run: [reader_s] C:\Documents and Settings\Luis Torres\reader_s.exe (Heaventools Software)
O4 - HKU\S-1-5-21-1004336348-152049171-725345543-1004..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-1004336348-152049171-725345543-1004..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: Wallpaper =
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Crawler Search - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\khfGaYQk) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/20 23:03:44 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1aceb6a4-ad30-11dc-a7c4-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{1aceb6a4-ad30-11dc-a7c4-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1aceb6a4-ad30-11dc-a7c4-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{23108222-b742-11dc-a7d6-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{23108222-b742-11dc-a7d6-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{23108222-b742-11dc-a7d6-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{2d0e6bc4-26d7-11de-ab48-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{2d0e6bc4-26d7-11de-ab48-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2d0e6bc4-26d7-11de-ab48-0016d3000c8d}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{362f7c0c-4c7d-11dd-a8dc-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{362f7c0c-4c7d-11dd-a8dc-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{362f7c0c-4c7d-11dd-a8dc-0016d3000c8d}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{647e9064-b053-11dc-a7cf-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{647e9064-b053-11dc-a7cf-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{647e9064-b053-11dc-a7cf-0016d3000c8d}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{8f319b00-ace3-11dc-a7c2-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{8f319b00-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8f319b00-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{8f319b02-ace3-11dc-a7c2-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{8f319b02-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8f319b02-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{99449f52-e0fd-11dc-a810-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{99449f52-e0fd-11dc-a810-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{99449f52-e0fd-11dc-a810-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{d5db57a0-d263-11dd-aabc-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{d5db57a0-d263-11dd-aabc-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5db57a0-d263-11dd-aabc-0016d3000c8d}\Shell\AutoRun\command - "" = E:\DPFMate.exe -- File not found
O33 - MountPoints2\{e216ce08-af7f-11dc-a7cd-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{e216ce08-af7f-11dc-a7cd-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e216ce08-af7f-11dc-a7cd-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/25 11:10:26 | 10,637,68064 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/25 08:55:41 | 00,104,960 | ---- | C] () -- C:\WINDOWS\services.exe
[2009/08/25 08:55:41 | 00,000,000 | ---D | C] -- C:\Program Files\Protection System
[2009/08/25 08:55:41 | 00,000,000 | ---- | C] () -- C:\WINDOWS\sc.exe
[2009/08/25 08:55:40 | 00,001,601 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\youporn.com.lnk
[2009/08/25 08:55:40 | 00,001,601 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk
[2009/08/25 08:55:39 | 00,001,601 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk
[2009/08/25 08:55:38 | 00,626,336 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntfs.sys
[2009/08/25 08:55:35 | 00,060,928 | ---- | C] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
[2009/08/24 12:08:35 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2009/08/24 10:15:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SC.INS
[2009/08/24 10:10:46 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/21 17:16:35 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Luis Torres\Desktop\HijackThis.lnk
[2009/08/21 17:16:34 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/21 10:57:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/08/21 10:42:47 | 19,900,703 | ---- | C] () -- C:\Program Files\PROCESSLIST.DB
[2009/08/21 10:42:47 | 01,217,765 | ---- | C] () -- C:\Program Files\PROCESSLISTRELATED.DB
[2009/08/21 10:41:55 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/21 10:41:51 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/08/21 10:41:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Luis Torres\Application Data\SUPERAntiSpyware.com
[2009/08/21 10:15:26 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/08/20 17:34:53 | 03,976,714 | ---- | C] () -- C:\WINDOWS\System32\uactmp.db
[2009/08/20 17:23:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Luis Torres\Local Settings\Application Data\PCHealth
[2009/08/20 17:22:34 | 01,110,399 | ---- | C] () -- C:\WINDOWS\System32\UACkfcbbgomuy.db
[2009/08/20 17:22:09 | 00,744,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wscsvc32.exe
[2009/08/20 17:22:09 | 00,257,536 | ---- | C] () -- C:\WINDOWS\System32\resdll.dll
[2009/08/20 16:25:34 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/12/07 20:51:13 | 00,000,170 | ---- | C] () -- C:\WINDOWS\settings.ini
[2008/12/07 20:51:12 | 00,009,277 | ---- | C] () -- C:\WINDOWS\AmvTransform.ini
[2008/12/07 20:51:12 | 00,008,157 | ---- | C] () -- C:\WINDOWS\AmvPlayer.ini
[2008/12/07 20:51:12 | 00,007,454 | ---- | C] () -- C:\WINDOWS\Disktool.INI
[2008/12/07 20:51:12 | 00,003,677 | ---- | C] () -- C:\WINDOWS\SoundCon.INI
[2008/12/07 20:51:11 | 00,008,913 | ---- | C] () -- C:\WINDOWS\fwupgrade.ini
[2008/10/31 11:45:19 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2008/06/02 13:02:57 | 00,000,748 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/02 06:54:44 | 01,505,715 | -HS- | C] () -- C:\WINDOWS\System32\tfvgsamy.ini
[2008/05/31 22:55:22 | 01,506,092 | -HS- | C] () -- C:\WINDOWS\System32\gtkiyhhk.ini
[2008/05/30 22:56:27 | 01,513,792 | -HS- | C] () -- C:\WINDOWS\System32\hgxywttb.ini
[2008/05/30 22:56:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\bnlyyltj.dll
[2008/05/29 21:16:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ipjcxbpx.dll
[2008/05/28 21:14:52 | 00,033,745 | -HS- | C] () -- C:\WINDOWS\System32\wrxmlkmw.ini
[2008/05/27 21:04:46 | 00,005,755 | -HS- | C] () -- C:\WINDOWS\System32\kQYaGfhk.ini2
[2008/05/27 21:04:45 | 00,005,755 | -HS- | C] () -- C:\WINDOWS\System32\kQYaGfhk.ini
[2007/07/20 11:38:35 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\DLPRMON.DLL
[2007/07/20 11:38:35 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\DLPMONUI.DLL
[2007/07/20 11:35:25 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcivs.dll
[2007/07/20 11:35:23 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\dlcicoin.dll
[2007/07/20 11:34:56 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcicnv4.dll
[2007/07/20 11:34:40 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciinpa.dll
[2007/07/20 11:34:40 | 00,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciiesc.dll
[2007/07/20 11:34:40 | 00,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\DLCIhcp.dll
[2007/07/20 11:34:40 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\DLCIinst.dll
[2007/07/20 11:34:39 | 01,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciserv.dll
[2007/07/20 11:34:39 | 00,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciusb1.dll
[2007/07/20 11:34:39 | 00,434,176 | ---- | C] () -- C:\WINDOWS\System32\dlciutil.dll
[2007/07/20 11:34:38 | 00,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcipmui.dll
[2007/07/20 11:34:38 | 00,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcilmpm.dll
[2007/07/20 11:34:38 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlciinsb.dll
[2007/07/20 11:34:38 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciprox.dll
[2007/07/20 11:34:38 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\dlcijswr.dll
[2007/07/20 11:34:38 | 00,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcipplc.dll
[2007/07/20 11:34:37 | 00,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcihbn3.dll
[2007/07/20 11:34:37 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\dlciins.dll
[2007/07/20 11:34:37 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlciinsr.dll
[2007/07/20 11:34:36 | 00,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcicomc.dll
[2007/07/20 11:34:36 | 00,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcicomm.dll
[2007/07/20 11:34:36 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcicub.dll
[2007/07/20 11:34:36 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcicu.dll
[2007/07/20 11:34:36 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcicur.dll
[2007/07/20 11:34:35 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\DLCIcfg.dll
[2007/01/03 22:04:46 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2006/09/07 18:29:45 | 00,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2006/09/07 18:28:09 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[2006/08/24 14:22:10 | 00,000,236 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2006/08/24 14:22:10 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2006/08/10 20:31:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/08/08 07:49:48 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/08/07 11:43:36 | 00,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2006/08/07 11:43:36 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2006/08/07 11:43:36 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2006/08/05 17:44:26 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/24 21:59:42 | 00,000,335 | ---- | C] () -- C:\WINDOWS\Trpmaker.INI
[2006/07/24 21:56:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\PlugFile.dll
[2006/07/24 21:56:25 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2006/07/24 21:56:24 | 00,038,688 | ---- | C] () -- C:\WINDOWS\System32\Leaddib.drv
[2006/07/24 21:56:24 | 00,011,136 | ---- | C] () -- C:\WINDOWS\System32\Fprun300.dll
[2006/07/20 22:46:07 | 00,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/07/20 22:42:58 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/07/20 22:42:58 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/07/20 22:42:58 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/07/20 22:42:58 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/07/20 22:42:58 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/07/20 22:42:58 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/05/24 18:04:14 | 00,000,133 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2005/07/01 04:47:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/03/24 04:58:36 | 00,053,315 | ---- | C] () -- C:\WINDOWS\System32\Sswiadrv.dll
[2005/02/01 21:39:32 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\WIAEH.dll
[2004/11/17 02:16:16 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\WIAIPH.dll
[2004/10/15 02:09:28 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\WIASTIIO.dll
[2004/09/16 14:26:40 | 00,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS
[2004/09/16 14:26:40 | 00,012,634 | ---- | C] () -- C:\WINDOWS\ADFUUD.SYS
[2004/08/04 05:00:00 | 00,626,336 | ---- | C] () -- C:\WINDOWS\System32\drivers\ntfs.sys
[2004/08/04 05:00:00 | 00,000,757 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 05:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/01/13 12:46:34 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 10:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\drivers\*.tmp files]
[9 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/08/25 11:22:39 | 00,532,044 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/25 11:22:39 | 00,447,996 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/25 11:22:39 | 00,074,664 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/25 11:21:36 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/08/25 11:21:20 | 00,626,336 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntfs.sys
[2009/08/25 11:21:20 | 00,626,336 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntfs.sys
[2009/08/25 11:20:28 | 00,104,960 | ---- | M] () -- C:\WINDOWS\services.exe
[2009/08/25 11:20:27 | 00,060,928 | ---- | M] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
[2009/08/25 11:18:29 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/25 11:18:26 | 00,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/25 11:18:26 | 00,000,026 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/25 11:18:25 | 10,637,68064 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/25 10:28:35 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/08/25 08:55:41 | 00,000,000 | ---- | M] () -- C:\WINDOWS\SC.INS
[2009/08/25 08:55:41 | 00,000,000 | ---- | M] () -- C:\WINDOWS\sc.exe
[2009/08/25 08:55:40 | 00,001,601 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\youporn.com.lnk
[2009/08/25 08:55:40 | 00,001,601 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk
[2009/08/25 08:55:40 | 00,001,601 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk
[2009/08/25 08:50:05 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/08/25 08:45:00 | 00,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/08/25 08:34:10 | 00,069,632 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brss01a.exe
[2009/08/25 08:30:48 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/08/24 18:54:22 | 00,220,672 | ---- | M] (Soeperman Enterprises Ltd.) -- C:\Documents and Settings\Luis Torres\Desktop\HijackThis.exe
[2009/08/24 10:15:14 | 00,361,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\TCPIP.SYS
[2009/08/24 10:15:13 | 00,361,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\TCPIP.SYS
[2009/08/24 10:06:43 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/21 17:16:35 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Luis Torres\Desktop\HijackThis.lnk
[2009/08/21 13:45:20 | 00,290,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\vssvc.exe
[2009/08/21 13:45:19 | 00,026,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\userinit.exe
[2009/08/21 13:45:17 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ups.exe
[2009/08/21 13:45:13 | 00,090,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\smlogsvc.exe
[2009/08/21 13:45:13 | 00,058,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\spoolsv.exe
[2009/08/21 13:45:12 | 00,045,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\shmgrate.exe
[2009/08/21 13:45:09 | 00,141,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\sessmgr.exe
[2009/08/21 13:45:08 | 00,096,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\scardsvr.exe
[2009/08/21 13:45:07 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rundll32.exe
[2009/08/21 13:45:06 | 00,133,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rsvp.exe
[2009/08/21 13:45:05 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\regsvr32.exe
[2009/08/21 13:45:01 | 00,032,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntsd.exe
[2009/08/21 13:44:57 | 00,111,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netdde.exe
[2009/08/21 13:44:54 | 00,079,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msiexec.exe
[2009/08/21 13:44:48 | 00,006,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtc.exe
[2009/08/21 13:44:46 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmsrvc.exe
[2009/08/21 13:44:44 | 00,515,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\logonui.exe
[2009/08/21 13:44:43 | 00,221,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\logon.scr
[2009/08/21 13:44:43 | 00,075,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\locator.exe
[2009/08/21 13:44:38 | 00,151,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi.exe
[2009/08/21 13:44:37 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieudinit.exe
[2009/08/21 13:44:34 | 00,071,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2009/08/21 13:44:33 | 00,077,824 | ---- | M] (HP) -- C:\WINDOWS\System32\hphipm11.exe
[2009/08/21 13:44:31 | 00,011,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dumprep.exe
[2009/08/21 13:44:08 | 00,225,280 | ---- | M] (Microsoft Corp., Veritas Software) -- C:\WINDOWS\System32\dmadmin.exe
[2009/08/21 13:44:08 | 00,005,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllhost.exe
[2009/08/21 13:44:03 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ctfmon.exe
[2009/08/21 13:44:01 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\clipsrv.exe
[2009/08/21 13:44:01 | 00,006,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cisvc.exe
[2009/08/21 13:44:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe
[2009/08/21 13:43:57 | 00,045,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\alg.exe
[2009/08/21 13:43:53 | 01,055,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2009/08/21 10:56:30 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Luis Torres\Application Data\bcrypt.html
[2009/08/21 10:56:29 | 03,976,714 | ---- | M] () -- C:\WINDOWS\System32\uactmp.db
[2009/08/21 10:41:55 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/21 10:25:43 | 04,435,024 | -H-- | M] () -- C:\Documents and Settings\Luis Torres\Local Settings\Application Data\IconCache.db
[2009/08/20 18:02:00 | 00,000,215 | -HS- | M] () -- C:\boot.ini
[2009/08/20 17:22:53 | 01,110,399 | ---- | M] () -- C:\WINDOWS\System32\UACkfcbbgomuy.db
[2009/08/20 17:22:10 | 00,744,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscsvc32.exe
[2009/08/20 17:22:09 | 00,257,536 | ---- | M] () -- C:\WINDOWS\System32\resdll.dll
[2009/08/20 16:25:39 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/17 16:35:38 | 19,900,703 | ---- | M] () -- C:\Program Files\PROCESSLIST.DB
[2009/08/17 16:35:10 | 01,217,765 | ---- | M] () -- C:\Program Files\PROCESSLISTRELATED.DB
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 August 2009 - 01:58 PM

You forgot the Rootrepeal log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 polskamachina
  • Topic Starter

  • Malware Response Team
  • 4,004 posts
  • Gender:Male

Posted 25 August 2009 - 02:30 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 12:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD4A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B8D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9EDD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\$ntservicepackuninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: C:\Program Files\MP3 Player Utilities 3.5.02\RDiskUtility\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\documents and settings\luis torres\local settings\temporary internet files\content.ie5\fiwpus4s\topic251397[1].htm
Status: Allocation size mismatch (API: 106496, Raw: 262144)

Path: c:\documents and settings\luis torres\local settings\temporary internet files\content.ie5\fiwpus4s\search[2].htm
Status: Allocation size mismatch (API: 28672, Raw: 49152)

Path: C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Luis Torres\Application Data\Macromedia\Flash Player\#SharedObjects\KMEVJWV2\video.google.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Luis Torres\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\#SharedObjects\XH9LVZMG\v.netlogstatic.com\v4.00\1512\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 220) Address: 0x01000000 Size: 40960

Object: Hidden Module [Name: reader_s.exe]
Process: reader_s.exe (PID: 2672) Address: 0x00400000 Size: 606208

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3776) Address: 0x01000000 Size: 40960

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwswwxirput.sys

==EOF==

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 August 2009 - 02:50 PM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O1 - Hosts: 127.0.0.1 jL.chura.pl
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
    O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
    O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll File not found
    O4 - HKLM..\Run: [32765] C:\WINDOWS\System32\E.tmp.exe File not found
    O4 - HKLM..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe (Heaventools Software)
    O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
    O4 - HKLM..\Run: [services] C:\WINDOWS\services.exe ()
    O4 - HKU\.DEFAULT..\Run: [reader_s] C:\Documents and Settings\Luis Torres\reader_s.exe (Heaventools Software)
    O4 - HKU\S-1-5-18..\Run: [reader_s] C:\Documents and Settings\Luis Torres\reader_s.exe (Heaventools Software)
    O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\khfGaYQk) - File not found
    
    :Files
    C:\WINDOWS\system32\drivers\UACwswwxirput.sys
    C:\WINDOWS\System32\UACkfcbbgomuy.db
    C:\WINDOWS\System32\wscsvc32.exe
    C:\WINDOWS\System32\resdll.dll
    C:\WINDOWS\System32\uactmp.db
    C:\Documents and Settings\Luis Torres\Application Data\bcrypt.html
    C:\WINDOWS\services.exe
    C:\Program Files\Protection System
    C:\WINDOWS\sc.exe
    C:\Documents and Settings\All Users\Desktop\youporn.com.lnk
    C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk
    C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk
    C:\WINDOWS\System32\reader_s.exe
    C:\WINDOWS\System32\drivers\*.tmp 
    C:\WINDOWS\System32\*.tmp files
    C:\WINDOWS\*.tmp
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.



========================================================

#12 polskamachina
  • Topic Starter

  • Malware Response Team
  • 4,004 posts
  • Gender:Male

Posted 25 August 2009 - 03:19 PM

Here is the log after reboot:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
127.0.0.1 jL.chura.pl removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll unregistered successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1004336348-152049171-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1004336348-152049171-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_USERS\S-1-5-21-1004336348-152049171-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1004336348-152049171-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\32765 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
C:\WINDOWS\System32\reader_s.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Regedit32 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\services deleted successfully.
C:\WINDOWS\services.exe moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s deleted successfully.
C:\Documents and Settings\Luis Torres\reader_s.exe moved successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s not found.
File C:\Documents and Settings\Luis Torres\reader_s.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\khfGaYQk deleted successfully.
========== FILES ==========
File\Folder C:\WINDOWS\system32\drivers\UACwswwxirput.sys not found.
C:\WINDOWS\System32\UACkfcbbgomuy.db moved successfully.
C:\WINDOWS\System32\wscsvc32.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\resdll.dll
C:\WINDOWS\System32\resdll.dll NOT unregistered.
C:\WINDOWS\System32\resdll.dll moved successfully.
C:\WINDOWS\System32\uactmp.db moved successfully.
C:\Documents and Settings\Luis Torres\Application Data\bcrypt.html moved successfully.
File\Folder C:\WINDOWS\services.exe not found.
C:\Program Files\Protection System moved successfully.
C:\WINDOWS\sc.exe moved successfully.
C:\Documents and Settings\All Users\Desktop\youporn.com.lnk moved successfully.
C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk moved successfully.
C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk moved successfully.
File\Folder C:\WINDOWS\System32\reader_s.exe not found.
C:\WINDOWS\System32\drivers\SET1.tmp moved successfully.
File\Folder C:\WINDOWS\System32\*.tmp files not found.
C:\WINDOWS\002693_.tmp moved successfully.
C:\WINDOWS\DUMP5ee8.tmp moved successfully.
C:\WINDOWS\DUMP6755.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Guest
->Temp folder emptied: 46730321 bytes
->Temporary Internet Files folder emptied: 3397100 bytes
->Java cache emptied: 813660 bytes
->FireFox cache emptied: 12764231 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Luis Torres
->Temp folder emptied: 522825281 bytes
File delete failed. C:\Documents and Settings\Luis Torres\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 30992545 bytes
->Java cache emptied: 43407473 bytes
->FireFox cache emptied: 7859401 bytes
->Apple Safari cache emptied: 1085181 bytes

User: NetworkService
->Temp folder emptied: 4702 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 19442833 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3b24.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 1255204 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 658.65 mb


OTL by OldTimer - Version 3.0.10.7 log created on 08252009_130337

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_3b24.dat not found!

Registry entries deleted on Reboot...

----------------------
This is the new log:
------------------------
OTL logfile created on: 8/25/2009 1:10:18 PM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Utility\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 548.01 Mb Available Physical Memory | 54.02% Memory free
2.39 Gb Paging File | 1.93 Gb Available in Paging File | 80.69% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 31.91 Gb Free Space | 57.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TORRES
Current User Name: Luis Torres
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/08/21 13:44:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe
PRC - [2009/08/25 08:34:10 | 00,069,632 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brss01a.exe
PRC - [2009/03/04 20:56:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/08/21 13:42:26 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2009/08/25 13:05:39 | 00,060,928 | ---- | M] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
PRC - [2009/08/25 13:05:40 | 00,019,456 | ---- | M] () -- C:\WINDOWS\System32\6.tmp
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2009/08/21 13:43:53 | 01,055,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/04/13 17:12:29 | 00,090,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2009/08/25 13:05:39 | 00,060,928 | ---- | M] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/05/26 21:06:32 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2008/04/13 17:12:14 | 00,410,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2009/04/24 22:27:50 | 00,636,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/21 13:45:24 | 00,249,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/08/25 11:22:53 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Utility\OTL\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/08/25 12:18:33 | 00,782,336 | ---- | M] () -- c:\program files\common files\akamai\rswin_3550.dll -- (Akamai [Auto | Running])
SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])
SRV - [2005/09/23 08:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/05/15 18:24:33 | 00,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Disabled | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled | Stopped])
SRV - File not found -- -- (brmfrmps [Auto | Stopped])
SRV - [2009/08/21 13:44:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe -- (Brother XP spl Service [Auto | Running])
SRV - [2005/09/23 08:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2006/12/07 22:17:44 | 00,537,480 | ---- | M] ( ) -- C:\WINDOWS\System32\dlcicoms.exe -- (dlci_device [Disabled | Stopped])
SRV - [2009/08/21 13:43:57 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/15 11:09:07 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a59929fb59cc [Auto | Stopped])
SRV - [2009/03/24 09:47:00 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/08/21 13:42:53 | 00,098,304 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HPQ\SHARED\HPQWMI.exe -- (hpqwmi [On_Demand | Stopped])
SRV - [2009/08/21 13:42:37 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/08/21 13:43:56 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [Disabled | Stopped])
SRV - [2009/03/04 20:56:18 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/05/15 18:24:33 | 02,086,592 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate [Disabled | Stopped])
SRV - [2009/08/21 13:42:51 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService [Disabled | Stopped])
SRV - [2009/08/21 13:43:57 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/08/21 13:44:33 | 00,077,824 | ---- | M] (HP) -- C:\WINDOWS\System32\HPHipm11.exe -- (Pml Driver HPH11 [Disabled | Stopped])
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Running])
SRV - [2009/08/21 13:43:30 | 00,638,464 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [Disabled | Stopped])
SRV - [2009/08/21 13:42:26 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Auto | Running])
SRV - [2007/01/19 13:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2009/08/21 13:43:41 | 00,024,576 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Disabled | Stopped])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2009/08/21 13:43:43 | 00,913,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2004/10/06 01:29:50 | 00,129,280 | R--- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2005/04/13 03:12:38 | 01,066,278 | R--- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2005/01/31 10:23:08 | 00,109,319 | R--- | M] (Alps Electric Co., Ltd.) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys -- (ApfiltrService [On_Demand | Running])
DRV - [2003/12/19 20:15:50 | 00,015,263 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrScnUsb.sys -- (BrScnUsb [On_Demand | Stopped])
DRV - [2004/06/12 04:27:18 | 00,051,712 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrSerIf.sys -- (BrSerIf [On_Demand | Stopped])
DRV - [2004/01/10 03:28:18 | 00,011,648 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbSer.sys -- (BrUsbSer [On_Demand | Stopped])
DRV - [2006/01/06 12:07:26 | 00,050,896 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\hphid411.sys -- (Dot4 HPH11 [On_Demand | Stopped])
DRV - [2006/01/06 12:07:27 | 00,016,112 | ---- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\hphipr11.sys -- (Dot4Print HPH11 [On_Demand | Stopped])
DRV - [2006/01/06 12:07:27 | 00,050,276 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\Drivers\hphs2k11.sys -- (Dot4Storage HPH11 [On_Demand | Stopped])
DRV - [2006/01/06 12:07:27 | 00,018,928 | ---- | M] (HP) -- C:\WINDOWS\System32\drivers\hphius11.sys -- (Dot4Usb HPH11 [On_Demand | Stopped])
DRV - [2006/05/18 16:48:50 | 00,047,249 | ---- | M] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftdibus.sys -- (FTDIBUS [On_Demand | Stopped])
DRV - [2003/11/10 22:09:48 | 00,057,372 | R--- | M] (FTDI Ltd.) -- C:\WINDOWS\System32\drivers\ftser2k.sys -- (FTSER2K [On_Demand | Stopped])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/09/27 17:12:30 | 00,010,664 | ---- | M] (Applied Networking Inc.) -- C:\WINDOWS\System32\DRIVERS\gan_adapter.sys -- (hamachi_oem [On_Demand | Stopped])
DRV - [2005/02/08 04:00:12 | 00,804,572 | R--- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2008/05/14 13:39:24 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\drivers\mcstrm.sys -- (MCSTRM [Auto | Running])
DRV - [2002/09/20 03:53:34 | 00,235,100 | R--- | M] (Analog Devices Inc) -- C:\WINDOWS\System32\drivers\MidiSyn.sys -- (MidiSyn [On_Demand | Stopped])
DRV - [2009/01/26 15:13:41 | 00,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50 [On_Demand | Stopped])
DRV - [2009/01/26 15:13:39 | 00,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50 [On_Demand | Stopped])
DRV - [2009/03/19 14:48:18 | 00,136,704 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdnsu.sys -- (nmwcdnsu [On_Demand | Stopped])
DRV - [2009/03/19 14:48:12 | 00,008,320 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc [On_Demand | Stopped])
DRV - [2009/08/25 13:06:57 | 00,626,336 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntfs.sys -- (Ntfs [Disabled | Running])
DRV - [2005/04/01 17:59:14 | 00,065,152 | ---- | M] (Novatel Wireless Inc.) -- C:\WINDOWS\System32\DRIVERS\nwusbmdm.sys -- (NWUSBModem [On_Demand | Stopped])
DRV - [2005/04/01 17:59:14 | 00,065,152 | ---- | M] (Novatel Wireless Inc.) -- C:\WINDOWS\System32\DRIVERS\nwusbser.sys -- (NWUSBPort [On_Demand | Stopped])
DRV - [2004/06/18 10:36:24 | 00,016,772 | ---- | M] (Palm, Inc.) -- C:\WINDOWS\System32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
DRV - [2008/08/26 10:26:12 | 00,018,816 | ---- | M] (Nokia) -- C:\WINDOWS\System32\DRIVERS\pccsmcfd.sys -- (pccsmcfd [On_Demand | Stopped])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/04/25 02:03:00 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/03 15:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2007/07/18 08:40:08 | 00,264,576 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\RTL8187B.sys -- (RTL8187B [On_Demand | Stopped])
DRV - [2009/08/05 16:06:28 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/08/05 16:06:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/08/05 16:06:28 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/04/26 01:49:56 | 00,381,056 | R--- | M] (Sensaura) -- C:\WINDOWS\System32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
DRV - [2004/09/01 11:17:46 | 00,259,648 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2005/01/14 06:36:20 | 00,020,992 | R--- | M] (Panasonic Communications Co., Ltd.) -- C:\WINDOWS\System32\Drivers\TEUSBMU.sys -- (TEUSBMU [On_Demand | Stopped])
DRV - [2005/04/04 09:25:36 | 00,160,768 | R--- | M] (Texas Instruments) -- C:\WINDOWS\System32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2005/06/20 07:42:24 | 03,281,408 | R--- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Stopped])
DRV - [2008/04/13 11:45:38 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,AutoSearch = http://ie.search.msn.com/{SUB_RFC1766}/src...autosearch.aspx
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKU\S-1-5-21-1004336348-152049171-725345543-1004\S-1-5-21-1004336348-152049171-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Live Search"
FF - prefs.js..browser.search.defaulturl: "http://search.live.com/results.aspx?FORM=SOLTDF&q="
FF - prefs.js..browser.search.selectedEngine: "Live Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:0.7.5.4
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081010W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.712
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.1.20080205
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.1
FF - prefs.js..keyword.URL: "http://search.live.com/results.aspx?FORM=SOLTDF&q="


FF - HKLM\software\mozilla\FireFox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/11/16 10:38:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\FireFox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/04 20:56:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\FireFox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/06/22 20:23:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/04/17 22:17:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/04/17 22:19:58 | 00,000,000 | ---D | M]

[2009/03/02 12:19:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Extensions
[2009/03/02 12:19:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/20 17:22:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions
[2009/08/20 17:22:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/06/02 16:59:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/03/06 21:03:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Luis Torres\Application Data\mozilla\Firefox\Profiles\few5pkw3.default\extensions\DefaultManager@Microsoft
[2009/08/20 17:22:10 | 00,001,958 | ---- | M] () -- C:\Documents and Settings\Luis Torres\Application Data\Mozilla\FireFox\Profiles\few5pkw3.default\searchplugins\bing.xml
[2009/03/04 20:56:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/11/16 10:38:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/04 20:56:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2008/07/02 18:52:45 | 00,023,040 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2008/07/02 18:52:46 | 00,134,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/04 20:56:18 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/07/02 18:52:47 | 00,065,536 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2008/10/14 22:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/04/17 22:19:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/04/17 22:19:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/04/17 22:19:57 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/04/17 22:19:58 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2008/07/02 09:31:38 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/07/02 09:31:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/07/02 09:31:38 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/07/02 09:31:38 | 00,002,642 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/07/02 09:31:38 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/07/02 09:31:38 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/07/02 09:31:38 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (8 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKLM..\Run: [23380] C:\WINDOWS\System32\6.tmp.exe File not found
O4 - HKLM..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe (Heaventools Software)
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKLM..\Run: [services] C:\WINDOWS\services.exe ()
O4 - HKU\.DEFAULT..\Run: [reader_s] C:\WINDOWS\System32\config\systemprofile\reader_s.exe (Heaventools Software)
O4 - HKU\.DEFAULT..\Run: [systemprofile] C:\WINDOWS\System32\config\systemprofile\systemprofile.exe ()
O4 - HKU\S-1-5-18..\Run: [reader_s] C:\WINDOWS\System32\config\systemprofile\reader_s.exe (Heaventools Software)
O4 - HKU\S-1-5-18..\Run: [systemprofile] C:\WINDOWS\System32\config\systemprofile\systemprofile.exe ()
O4 - HKU\S-1-5-21-1004336348-152049171-725345543-1004..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-1004336348-152049171-725345543-1004..\Run: [reader_s] C:\Documents and Settings\Luis Torres\reader_s.exe File not found
O4 - HKU\S-1-5-21-1004336348-152049171-725345543-1004..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: Wallpaper =
O7 - HKU\S-1-5-21-1004336348-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Crawler Search - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/20 23:03:44 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1aceb6a4-ad30-11dc-a7c4-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{1aceb6a4-ad30-11dc-a7c4-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1aceb6a4-ad30-11dc-a7c4-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{23108222-b742-11dc-a7d6-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{23108222-b742-11dc-a7d6-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{23108222-b742-11dc-a7d6-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{2d0e6bc4-26d7-11de-ab48-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{2d0e6bc4-26d7-11de-ab48-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2d0e6bc4-26d7-11de-ab48-0016d3000c8d}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{362f7c0c-4c7d-11dd-a8dc-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{362f7c0c-4c7d-11dd-a8dc-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{362f7c0c-4c7d-11dd-a8dc-0016d3000c8d}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{647e9064-b053-11dc-a7cf-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{647e9064-b053-11dc-a7cf-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{647e9064-b053-11dc-a7cf-0016d3000c8d}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{8f319b00-ace3-11dc-a7c2-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{8f319b00-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8f319b00-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{8f319b02-ace3-11dc-a7c2-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{8f319b02-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8f319b02-ace3-11dc-a7c2-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{99449f52-e0fd-11dc-a810-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{99449f52-e0fd-11dc-a810-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{99449f52-e0fd-11dc-a810-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O33 - MountPoints2\{d5db57a0-d263-11dd-aabc-0016d3000c8d}\Shell - "" = AutoRun
O33 - MountPoints2\{d5db57a0-d263-11dd-aabc-0016d3000c8d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5db57a0-d263-11dd-aabc-0016d3000c8d}\Shell\AutoRun\command - "" = E:\DPFMate.exe -- File not found
O33 - MountPoints2\{e216ce08-af7f-11dc-a7cd-0013ce410e03}\Shell - "" = AutoRun
O33 - MountPoints2\{e216ce08-af7f-11dc-a7cd-0013ce410e03}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e216ce08-af7f-11dc-a7cd-0013ce410e03}\Shell\AutoRun\command - "" = E:\LapNetWizard.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/25 13:05:43 | 00,105,984 | ---- | C] () -- C:\WINDOWS\services.exe
[2009/08/25 13:05:39 | 00,060,928 | ---- | C] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
[2009/08/25 13:03:37 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/08/25 12:16:12 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Luis Torres\Desktop\settings.dat
[2009/08/25 11:10:26 | 10,637,68064 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/25 08:55:38 | 00,626,336 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntfs.sys
[2009/08/24 12:08:35 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys
[2009/08/24 10:15:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SC.INS
[2009/08/24 10:10:46 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/21 17:16:35 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Luis Torres\Desktop\HijackThis.lnk
[2009/08/21 17:16:34 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/21 10:57:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/08/21 10:42:47 | 19,900,703 | ---- | C] () -- C:\Program Files\PROCESSLIST.DB
[2009/08/21 10:42:47 | 01,217,765 | ---- | C] () -- C:\Program Files\PROCESSLISTRELATED.DB
[2009/08/21 10:41:55 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/21 10:41:51 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/08/21 10:41:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Luis Torres\Application Data\SUPERAntiSpyware.com
[2009/08/21 10:15:26 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/08/20 17:23:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Luis Torres\Local Settings\Application Data\PCHealth
[2009/08/20 16:25:34 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/12/07 20:51:13 | 00,000,170 | ---- | C] () -- C:\WINDOWS\settings.ini
[2008/12/07 20:51:12 | 00,009,277 | ---- | C] () -- C:\WINDOWS\AmvTransform.ini
[2008/12/07 20:51:12 | 00,008,157 | ---- | C] () -- C:\WINDOWS\AmvPlayer.ini
[2008/12/07 20:51:12 | 00,007,454 | ---- | C] () -- C:\WINDOWS\Disktool.INI
[2008/12/07 20:51:12 | 00,003,677 | ---- | C] () -- C:\WINDOWS\SoundCon.INI
[2008/12/07 20:51:11 | 00,008,913 | ---- | C] () -- C:\WINDOWS\fwupgrade.ini
[2008/10/31 11:45:19 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2008/06/02 13:02:57 | 00,000,748 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/06/02 06:54:44 | 01,505,715 | -HS- | C] () -- C:\WINDOWS\System32\tfvgsamy.ini
[2008/05/31 22:55:22 | 01,506,092 | -HS- | C] () -- C:\WINDOWS\System32\gtkiyhhk.ini
[2008/05/30 22:56:27 | 01,513,792 | -HS- | C] () -- C:\WINDOWS\System32\hgxywttb.ini
[2008/05/30 22:56:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\bnlyyltj.dll
[2008/05/29 21:16:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\ipjcxbpx.dll
[2008/05/28 21:14:52 | 00,033,745 | -HS- | C] () -- C:\WINDOWS\System32\wrxmlkmw.ini
[2008/05/27 21:04:46 | 00,005,755 | -HS- | C] () -- C:\WINDOWS\System32\kQYaGfhk.ini2
[2008/05/27 21:04:45 | 00,005,755 | -HS- | C] () -- C:\WINDOWS\System32\kQYaGfhk.ini
[2007/07/20 11:38:35 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\DLPRMON.DLL
[2007/07/20 11:38:35 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\DLPMONUI.DLL
[2007/07/20 11:35:25 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcivs.dll
[2007/07/20 11:35:23 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\dlcicoin.dll
[2007/07/20 11:34:56 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcicnv4.dll
[2007/07/20 11:34:40 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciinpa.dll
[2007/07/20 11:34:40 | 00,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciiesc.dll
[2007/07/20 11:34:40 | 00,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\DLCIhcp.dll
[2007/07/20 11:34:40 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\DLCIinst.dll
[2007/07/20 11:34:39 | 01,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciserv.dll
[2007/07/20 11:34:39 | 00,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciusb1.dll
[2007/07/20 11:34:39 | 00,434,176 | ---- | C] () -- C:\WINDOWS\System32\dlciutil.dll
[2007/07/20 11:34:38 | 00,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcipmui.dll
[2007/07/20 11:34:38 | 00,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcilmpm.dll
[2007/07/20 11:34:38 | 00,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlciinsb.dll
[2007/07/20 11:34:38 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciprox.dll
[2007/07/20 11:34:38 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\dlcijswr.dll
[2007/07/20 11:34:38 | 00,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcipplc.dll
[2007/07/20 11:34:37 | 00,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcihbn3.dll
[2007/07/20 11:34:37 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\dlciins.dll
[2007/07/20 11:34:37 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlciinsr.dll
[2007/07/20 11:34:36 | 00,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcicomc.dll
[2007/07/20 11:34:36 | 00,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcicomm.dll
[2007/07/20 11:34:36 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcicub.dll
[2007/07/20 11:34:36 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcicu.dll
[2007/07/20 11:34:36 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcicur.dll
[2007/07/20 11:34:35 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\DLCIcfg.dll
[2007/01/03 22:04:46 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2006/09/07 18:29:45 | 00,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2006/09/07 18:28:09 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[2006/08/24 14:22:10 | 00,000,236 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2006/08/24 14:22:10 | 00,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2006/08/10 20:31:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/08/08 07:49:48 | 00,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/08/07 11:43:36 | 00,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2006/08/07 11:43:36 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2006/08/07 11:43:36 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2006/08/05 17:44:26 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/24 21:59:42 | 00,000,335 | ---- | C] () -- C:\WINDOWS\Trpmaker.INI
[2006/07/24 21:56:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\PlugFile.dll
[2006/07/24 21:56:25 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2006/07/24 21:56:24 | 00,038,688 | ---- | C] () -- C:\WINDOWS\System32\Leaddib.drv
[2006/07/24 21:56:24 | 00,011,136 | ---- | C] () -- C:\WINDOWS\System32\Fprun300.dll
[2006/07/20 22:46:07 | 00,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/07/20 22:42:58 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/07/20 22:42:58 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/07/20 22:42:58 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/07/20 22:42:58 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/07/20 22:42:58 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/07/20 22:42:58 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/05/24 18:04:14 | 00,000,133 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2005/07/01 04:47:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/03/24 04:58:36 | 00,053,315 | ---- | C] () -- C:\WINDOWS\System32\Sswiadrv.dll
[2005/02/01 21:39:32 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\WIAEH.dll
[2004/11/17 02:16:16 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\WIAIPH.dll
[2004/10/15 02:09:28 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\WIASTIIO.dll
[2004/09/16 14:26:40 | 00,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS
[2004/09/16 14:26:40 | 00,012,634 | ---- | C] () -- C:\WINDOWS\ADFUUD.SYS
[2004/08/04 05:00:00 | 00,626,336 | ---- | C] () -- C:\WINDOWS\System32\drivers\ntfs.sys
[2004/08/04 05:00:00 | 00,000,757 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 05:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/01/13 12:46:34 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 10:16:34 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[2009/08/25 13:09:35 | 00,532,044 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/25 13:09:35 | 00,447,996 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/25 13:09:35 | 00,074,664 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/25 13:08:22 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/08/25 13:06:57 | 00,626,336 | ---- | M] () -- C:\WINDOWS\System32\drivers\ntfs.sys
[2009/08/25 13:06:57 | 00,626,336 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ntfs.sys
[2009/08/25 13:05:42 | 00,105,984 | ---- | M] () -- C:\WINDOWS\services.exe
[2009/08/25 13:05:39 | 00,060,928 | ---- | M] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
[2009/08/25 13:05:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/25 13:05:15 | 00,002,048 | ---- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/25 13:05:14 | 10,637,68064 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/25 13:03:38 | 00,000,008 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/25 12:50:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/08/25 12:45:00 | 00,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/08/25 12:16:12 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Luis Torres\Desktop\settings.dat
[2009/08/25 10:28:35 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/08/25 08:55:41 | 00,000,000 | ---- | M] () -- C:\WINDOWS\SC.INS
[2009/08/25 08:34:10 | 00,069,632 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brss01a.exe
[2009/08/25 08:30:48 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/08/24 18:54:22 | 00,220,672 | ---- | M] (Soeperman Enterprises Ltd.) -- C:\Documents and Settings\Luis Torres\Desktop\HijackThis.exe
[2009/08/24 10:15:14 | 00,361,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\TCPIP.SYS
[2009/08/24 10:15:13 | 00,361,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\TCPIP.SYS
[2009/08/24 10:06:43 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/21 17:16:35 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Luis Torres\Desktop\HijackThis.lnk
[2009/08/21 13:45:20 | 00,290,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\vssvc.exe
[2009/08/21 13:45:19 | 00,026,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\userinit.exe
[2009/08/21 13:45:17 | 00,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ups.exe
[2009/08/21 13:45:13 | 00,090,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\smlogsvc.exe
[2009/08/21 13:45:13 | 00,058,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\spoolsv.exe
[2009/08/21 13:45:12 | 00,045,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\shmgrate.exe
[2009/08/21 13:45:09 | 00,141,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\sessmgr.exe
[2009/08/21 13:45:08 | 00,096,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\scardsvr.exe
[2009/08/21 13:45:07 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rundll32.exe
[2009/08/21 13:45:06 | 00,133,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rsvp.exe
[2009/08/21 13:45:05 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\regsvr32.exe
[2009/08/21 13:45:01 | 00,032,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntsd.exe
[2009/08/21 13:44:57 | 00,111,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netdde.exe
[2009/08/21 13:44:54 | 00,079,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msiexec.exe
[2009/08/21 13:44:48 | 00,006,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtc.exe
[2009/08/21 13:44:46 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmsrvc.exe
[2009/08/21 13:44:44 | 00,515,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\logonui.exe
[2009/08/21 13:44:43 | 00,221,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\logon.scr
[2009/08/21 13:44:43 | 00,075,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\locator.exe
[2009/08/21 13:44:38 | 00,151,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\imapi.exe
[2009/08/21 13:44:37 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieudinit.exe
[2009/08/21 13:44:34 | 00,071,168 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2009/08/21 13:44:33 | 00,077,824 | ---- | M] (HP) -- C:\WINDOWS\System32\hphipm11.exe
[2009/08/21 13:44:31 | 00,011,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dumprep.exe
[2009/08/21 13:44:08 | 00,225,280 | ---- | M] (Microsoft Corp., Veritas Software) -- C:\WINDOWS\System32\dmadmin.exe
[2009/08/21 13:44:08 | 00,005,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllhost.exe
[2009/08/21 13:44:03 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ctfmon.exe
[2009/08/21 13:44:01 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\clipsrv.exe
[2009/08/21 13:44:01 | 00,006,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cisvc.exe
[2009/08/21 13:44:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe
[2009/08/21 13:43:57 | 00,045,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\alg.exe
[2009/08/21 13:43:53 | 01,055,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2009/08/21 10:41:55 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/08/21 10:25:43 | 04,435,024 | -H-- | M] () -- C:\Documents and Settings\Luis Torres\Local Settings\Application Data\IconCache.db
[2009/08/20 18:02:00 | 00,000,215 | -HS- | M] () -- C:\boot.ini
[2009/08/20 16:25:39 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/17 16:35:38 | 19,900,703 | ---- | M] () -- C:\Program Files\PROCESSLIST.DB
[2009/08/17 16:35:10 | 01,217,765 | ---- | M] () -- C:\Program Files\PROCESSLISTRELATED.DB
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
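The OTL file listing above is what the helpers triage by eye. Added here as an example (not OTL's code and not from either poster) is a small Python parser for OTL's `[date | size | attrs | C] (Company) -- path` lines with three defensive heuristics drawn from what is visible in the log: a core system binary sitting outside System32 (the `C:\WINDOWS\services.exe` entry), hidden+system files with random eight-letter names under System32 (the `tfvgsamy.ini` family), and zero-byte .dll/.sys/.exe files (`bnlyyltj.dll`). The sample lines are constructed from the log; the System32 path and the set of core binaries are assumptions, and `reader_s.exe` is deliberately not caught, since file-system attributes alone say nothing about it.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the shape of OTL's "Files/Folders - Created" section
# (a handful of entries modelled on the log above, not the full log).
SAMPLE_OTL = "\n".join([
    r"[2009/08/25 13:05:43 | 00,105,984 | ---- | C] () -- C:\WINDOWS\services.exe",
    r"[2009/08/25 13:05:39 | 00,060,928 | ---- | C] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe",
    r"[2009/08/25 13:03:37 | 00,000,000 | ---D | C] -- C:\_OTL",
    r"[2009/08/25 11:10:26 | 10,637,68064 | -HS- | C] () -- C:\hiberfil.sys",
    r"[2009/08/24 12:08:35 | 00,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mouhid.sys",
    r"[2008/06/02 06:54:44 | 01,505,715 | -HS- | C] () -- C:\WINDOWS\System32\tfvgsamy.ini",
    r"[2008/05/30 22:56:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\bnlyyltj.dll",
    r"[2007/07/20 11:34:40 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlciinpa.dll",
    r"[2009/08/21 10:42:47 | 19,900,703 | ---- | C] () -- C:\Program Files\PROCESSLIST.DB",
])

# One OTL file line; the "(Company)" group is absent on directory entries.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

@dataclass
class Entry:
    ts: str
    size: int
    attrs: str          # OTL flags: R read-only, H hidden, S system, D directory
    company: str        # from the PE version resource; empty when OTL found none
    path: PureWindowsPath

def parse_entries(text):
    """Parse OTL file-listing lines; section headers and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                                 (m["company"] or "").strip(), PureWindowsPath(m["path"])))
    return entries

# Assumed layout of an XP install; PureWindowsPath compares case-insensitively.
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\System32")
# Binaries that belong only in System32; a copy elsewhere is a classic masquerade.
CORE_SYSTEM32 = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")   # the tfvgsamy / kQYaGfhk naming pattern above

def triage(text):
    """Return (path, reason) pairs for entries matching the three heuristics."""
    flagged = []
    for e in parse_entries(text):
        name = e.path.name.lower()
        in_system32 = SYSTEM32 in e.path.parents
        if name in CORE_SYSTEM32 and e.path.parent != SYSTEM32:
            flagged.append((str(e.path), "core system binary outside System32"))
        elif in_system32 and "H" in e.attrs and "S" in e.attrs and RANDOM_STEM.match(e.path.stem):
            flagged.append((str(e.path), "hidden+system file with random 8-letter name in System32"))
        elif e.size == 0 and e.path.suffix.lower() in {".dll", ".exe", ".sys"}:
            flagged.append((str(e.path), "zero-byte PE/driver file"))
    return flagged

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_OTL):
        print(f"{reason:55} {path}")
```

Note that `hiberfil.sys` (hidden+system, eight-letter stem, but in the drive root) and `dlciinpa.dll` (eight-letter stem, but neither hidden nor system) fall through, which is the point of scoping the second rule to System32 and to the -HS- attributes.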

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 August 2009 - 05:40 PM

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACwswwxirput.sys
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\Luis Torres\Desktop\settings.dat
C:\WINDOWS\System32\tfvgsamy.ini
C:\WINDOWS\System32\gtkiyhhk.ini
C:\WINDOWS\System32\hgxywttb.ini
C:\WINDOWS\System32\bnlyyltj.dll
C:\WINDOWS\System32\ipjcxbpx.dll
C:\WINDOWS\System32\wrxmlkmw.ini
C:\WINDOWS\System32\kQYaGfhk.ini2
C:\WINDOWS\System32\kQYaGfhk.ini

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.



Also post a new log from Rootrepeal and a log from Combofix if you can get it to run.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 polskamachina

  • Topic Starter
  • Malware Response Team
  • 4,004 posts
  • Gender:Male

Posted 25 August 2009 - 06:36 PM

Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\UACwswwxirput.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\UACwswwxirput.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\services.exe" deleted successfully.
File "C:\WINDOWS\System32\reader_s.exe" deleted successfully.
File "C:\Documents and Settings\Luis Torres\Desktop\settings.dat" deleted successfully.
File "C:\WINDOWS\System32\tfvgsamy.ini" deleted successfully.
File "C:\WINDOWS\System32\gtkiyhhk.ini" deleted successfully.
File "C:\WINDOWS\System32\hgxywttb.ini" deleted successfully.
File "C:\WINDOWS\System32\bnlyyltj.dll" deleted successfully.
File "C:\WINDOWS\System32\ipjcxbpx.dll" deleted successfully.
File "C:\WINDOWS\System32\wrxmlkmw.ini" deleted successfully.
File "C:\WINDOWS\System32\kQYaGfhk.ini2" deleted successfully.
File "C:\WINDOWS\System32\kQYaGfhk.ini" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

-------------------
RootRepeal log:
------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 16:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD4A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B34000 Size: 8192 File Visible: No Signed: -
Status: -

Name: pcjojs.sys
Image Path: pcjojs.sys
Address: 0xF75FC000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA259000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\$ntservicepackuninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: c:\system volume information\_restore{1648af88-33f5-41ad-b09a-6483ee87514b}\rp1\a0000026.exe
Status: Allocation size mismatch (API: 479232, Raw: 135168)

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\Program Files\MP3 Player Utilities 3.5.02\RDiskUtility\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Luis Torres\Application Data\Macromedia\Flash Player\#SharedObjects\KMEVJWV2\video.google.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Luis Torres\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Guest\Application Data\Macromedia\Flash Player\#SharedObjects\XH9LVZMG\v.netlogstatic.com\v4.00\1512\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: reader_s.exe]
Process: reader_s.exe (PID: 2080) Address: 0x00400000 Size: 606208

Object: Hidden Module [Name: reader_s.exe]
Process: reader_s.exe (PID: 3792) Address: 0x00400000 Size: 606208

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1528) Address: 0x01000000 Size: 40960

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 3596) Address: 0x01000000 Size: 40960

==EOF==

Combofix still gives me the message that I may be infected and need to redownload.

Thanks for your help.
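Added here as an example (not part of The Avenger and not from either post): a Python check that reconciles the script pasted in post #13 with the result lines in the Avenger log above, so an analyst can confirm each planned deletion actually happened instead of skimming the log. The script and log excerpts are constructed from the two posts, with `settings.dat` deliberately left out of the log excerpt to exercise the "unreported" case; the `X to Y:` section headers and the `deleted successfully` / `not found!` / `failed!` / `Status:` line formats are assumed from what the log shows.

```python
import re
from collections import Counter

# Constructed excerpts in the shape of the Avenger script (post #13) and the
# Avenger log (post #14) above; settings.dat is omitted from the log on purpose.
SCRIPT = "\n".join([
    "Drivers to delete:",
    "UACd.sys",
    "",
    "Files to delete:",
    r"C:\WINDOWS\system32\drivers\UACwswwxirput.sys",
    r"C:\WINDOWS\services.exe",
    r"C:\WINDOWS\System32\reader_s.exe",
    r"C:\Documents and Settings\Luis Torres\Desktop\settings.dat",
])
LOG = "\n".join([
    'Driver "UACd.sys" deleted successfully.',
    "",
    r'Error: file "C:\WINDOWS\system32\drivers\UACwswwxirput.sys" not found!',
    r'Deletion of file "C:\WINDOWS\system32\drivers\UACwswwxirput.sys" failed!',
    "Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)",
    "  --> the object does not exist",
    "",
    r'File "C:\WINDOWS\services.exe" deleted successfully.',
    r'File "C:\WINDOWS\System32\reader_s.exe" deleted successfully.',
    "Completed script processing.",
])

SECTION_RE = re.compile(r"^(?P<kind>\w+) to (?P<action>\w+):$", re.IGNORECASE)
DELETED_RE = re.compile(r'^(?P<kind>\w+) "(?P<name>[^"]+)" deleted successfully\.$')
NOTFOUND_RE = re.compile(r'^Error: (?P<kind>\w+) "(?P<name>[^"]+)" not found!$')
FAILED_RE = re.compile(r'^Deletion of (?P<kind>\w+) "(?P<name>[^"]+)" failed!$')
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<sym>\w+)\)$")

def parse_script(text):
    """Return (section, item) for every non-blank line under an 'X to Y:' header."""
    section, items = None, []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = f"{m['kind'].lower()}/{m['action'].lower()}"
        elif line and section:
            items.append((section, line))
    return items

def parse_log(text):
    """Map lower-cased item name -> (status, detail) from Avenger's result lines."""
    results, last_failed = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := DELETED_RE.match(line):
            results[m["name"].lower()] = ("deleted", "")
        elif m := NOTFOUND_RE.match(line):
            results[m["name"].lower()] = ("not_found", "")
        elif m := FAILED_RE.match(line):
            key = m["name"].lower()
            results.setdefault(key, ("failed", ""))   # keep the more specific earlier status
            last_failed = key
        elif (m := STATUS_RE.match(line)) and last_failed:
            status, _ = results[last_failed]          # NTSTATUS belongs to the failure just seen
            results[last_failed] = (status, f"{m['code']} {m['sym']}")
    return results

def reconcile(script_text, log_text):
    """One (section, item, status, detail) row per planned item, plus any log-only rows."""
    observed = parse_log(log_text)
    report = []
    for section, item in parse_script(script_text):
        status, detail = observed.pop(item.lower(), ("unreported", "no result line in log"))
        report.append((section, item, status, detail))
    for key, (status, detail) in observed.items():   # deleted by Avenger but not in the script
        report.append(("log-only", key, "unplanned_" + status, detail))
    return report

def summarize(report):
    return dict(Counter(row[2] for row in report))

if __name__ == "__main__":
    for section, item, status, detail in reconcile(SCRIPT, LOG):
        print(f"{status:12} {section:15} {item} {detail}")
    print(summarize(reconcile(SCRIPT, LOG)))
```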

#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 August 2009 - 09:57 AM

I'm afraid it's not looking good here. Almost certainly you have a Virut infection, and that is not something that we can clean up.

You have been infected with a polymorphic file infector named Virut. This infection will spread to every executable file in your computer, and unfortunately the only cure for it is to Reformat and Reinstall.

Right now, the best thing you can do is to backup, preferably to CD, all your important data, documents, pictures, movies, and songs.

DO NOT backup any applications or installers and DO NOT backup any files with the following extensions:
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
  • .doc
  • .jpg
  • .pdf
For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

I am sorry I cannot give any better news.