Infected with virus called kbiwkmiiqmamsr (Rootkit.TDSS)


  • This topic is locked
26 replies to this topic

#1 dal9796

  • Members
  • 16 posts

Posted 10 September 2009 - 08:58 PM

I get the following detection and removal report from Malwarebytes' AntiMalware (MBAM):

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmiiqmamsr (Rootkit.TDSS) -> Quarantined and deleted successfully.

However, after immediately rebooting and then rescanning, it always shows up again. Please help in deleting it and tell me how to prevent it in future. I have included the DDS log and the attached files as per instructions.

Thanks for the help.

**** DDS LOG ****

DDS (Ver_09-07-30.01) - NTFSx86
Run by Lester at 19:32:57.89 on Thu 09/10/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.878 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
E:\Security\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Security\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\SysTools\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
E:\Other Apps\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Windows\system32\vmnat.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
E:\Security\VMware Workstation\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\wpcumi.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
E:\Security\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
E:\Other Apps\Directory Opus\dopusrt.exe
C:\WINDOWS\ehome\ehtray.exe
E:\Security\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Clipboard Magic401\ClipboardMagic.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
E:\Other Apps\Directory Opus\dopus.exe
E:\Communications\Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
F:\Utilities&Applications\Security\DDS.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
uRun: [Directory Opus Desktop Dblclk] "e:\other apps\directory opus\dopusrt.exe" /dblclk
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] e:\security\superantispyware\SUPERAntiSpyware.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [avgnt] "e:\security\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "e:\security\malwarebytes anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\lester\appdata\roaming\micros~1\windows\startm~1\programs\startup\clipbo~1.lnk - e:\clipboard magic401\ClipboardMagic.exe
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - e:\micros~1\office10\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {06305358-99CE-4C47-B59C-939B76856C2B} - hxxp://download.microsoft.com/download/A/C/4/AC43418A-8C86-4205-803E-249B637EE96B/pmupd806.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - e:\security\superantispyware\SASWINLO.dll
AppInit_DLLs: APSHook.dll
SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - e:\other apps\directory opus\dopuslib.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\security\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\users\lester\appdata\roaming\mozilla\firefox\profiles\lmt7g2o0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_enCA321CA322
FF - plugin: e:\entertainment\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\communications\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\communications\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\communications\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-7-26 902592]
R1 SASDIFSV;SASDIFSV;e:\security\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;e:\security\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\security\avira\antivir desktop\sched.exe [2009-4-22 108289]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-6-20 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-6-20 21504]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 SASENUM;SASENUM;e:\security\superantispyware\SASENUM.SYS [2009-9-4 7408]
R3 SbieDrv;SbieDrv;e:\other apps\sandboxie\SbieDrv.sys [2009-4-13 107520]
S3 IACMZOZL;IACMZOZL;c:\users\lester\appdata\local\temp\IACMZOZL.exe [2008-1-5 478080]
S3 NSELGOO;NSELGOO;c:\users\lester\appdata\local\temp\NSELGOO.exe [2008-1-5 560000]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-1-20 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2008-1-20 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2008-1-20 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2008-1-20 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2008-1-20 98696]

=============== Created Last 30 ================

2009-09-10 01:18 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-09-10 01:18 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-09-10 01:17 <DIR> --d----- c:\users\lester\appdata\roaming\SUPERAntiSpyware.com
2009-09-10 01:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-09 22:42 <DIR> --d----- c:\users\lester\appdata\roaming\Malwarebytes
2009-09-09 22:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-09 22:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-09 22:42 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-09 22:42 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-09 14:59 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 16:27 897,608 a------- c:\windows\system32\drivers\tcpip.sys
2009-09-08 16:27 104,960 a------- c:\windows\system32\netiohlp.dll
2009-09-08 16:27 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-08 16:27 19,968 a------- c:\windows\system32\ARP.EXE
2009-09-08 16:27 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-09-08 16:27 10,240 a------- c:\windows\system32\finger.exe
2009-09-08 16:27 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-09-08 16:27 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-09-08 16:27 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-09-08 16:27 17,920 a------- c:\windows\system32\netevent.dll
2009-09-08 16:26 2,501,921 a------- c:\windows\system32\wlan.tmf
2009-09-08 16:26 513,024 a------- c:\windows\system32\wlansvc.dll
2009-09-08 16:26 302,592 a------- c:\windows\system32\wlansec.dll
2009-09-08 16:26 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-09-08 16:26 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-09-08 16:26 2,868,224 a------- c:\windows\system32\mf.dll
2009-09-03 01:07 <DIR> --d----- c:\programdata\is-707LQ
2009-09-03 01:07 <DIR> --d----- c:\progra~2\is-707LQ
2009-09-03 01:07 3,782,688 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-03 01:07 47,492 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-09-02 17:49 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 17:49 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 15:34 <DIR> --d----- c:\windows\pss
2009-08-26 10:38 <DIR> --d----- c:\windows\system32\EventProviders
2009-08-26 09:59 <DIR> --d----- c:\programdata\NVIDIA
2009-08-26 09:16 2,048 a------- c:\windows\system32\tzres.dll
2009-08-26 09:12 139,260 a------- c:\programdata\nvModes.dat
2009-08-26 09:12 139,260 a------- c:\progra~2\nvModes.dat
2009-08-26 08:35 <DIR> --d----- c:\programdata\NortonInstaller
2009-08-26 08:35 <DIR> --d----- c:\progra~2\NortonInstaller
2009-08-16 13:38 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-16 13:38 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-16 13:38 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-16 13:38 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-08-16 13:38 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-16 13:38 270,848 a------- c:\windows\system32\schannel.dll
2009-08-16 13:38 72,704 a------- c:\windows\system32\secur32.dll
2009-08-16 13:38 9,728 a------- c:\windows\system32\lsass.exe
2009-08-13 20:32 15,360 a------- c:\windows\system32\TSD32.DLL
2009-08-13 20:32 8,192 a------- c:\windows\system32\TSSOFT32.ACM
2009-08-13 20:32 947,472 a------- c:\windows\system32\msjava.dll
2009-08-13 20:32 <DIR> --d----- c:\programdata\1stWorks
2009-08-13 20:32 <DIR> --d----- c:\program files\1stWORKS
2009-08-13 20:32 <DIR> --d----- c:\progra~2\1stWorks
2009-08-11 19:48 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 19:48 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 19:48 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 19:47 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 19:47 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 19:47 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 19:47 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 19:47 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 19:47 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 19:47 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 19:47 18,432 a------- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2009-09-01 01:24 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-01 01:24 86,016 a------- c:\windows\inf\infpub.dat
2009-08-28 08:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 08:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 08:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 08:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-26 10:27 143,360 a------- c:\windows\inf\infstor.dat
2009-08-26 10:13 319,456 a------- c:\windows\DIFxAPI.dll
2009-08-24 17:28 109,278 a------- c:\users\lester\appdata\roaming\nvModes.dat
2009-08-05 19:30 60,744 a------- c:\users\lester\g2mdlhlpx.exe
2009-08-05 19:27 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-26 13:30 902,592 a------- c:\windows\system32\drivers\tdrpm228.sys
2009-07-26 13:30 44,704 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-07-26 13:30 540,000 a------- c:\windows\system32\drivers\timntr.sys
2009-07-26 13:30 138,208 a------- c:\windows\system32\drivers\snapman.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-18 12:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 12:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 05:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 11:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 11:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 11:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-11 19:59 34 a------- c:\users\lester\jagex_runescape_preferences.dat
2008-06-21 18:25 174 a--sh--- c:\program files\desktop.ini
2008-06-21 18:10 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-03 02:26 0 a------- c:\users\lester\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-12-02 19:43 108 a--shr-- c:\windows\neoqaz2.dll

============= FINISH: 19:34:44.88 ===============

Attached Files
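
The checks a helper makes by hand on a log like the one above can be scripted. The following is an added example, not code from this thread, from DDS or from Malwarebytes: it parses the two DDS line formats quoted above (SERVICES / DRIVERS entries and the Created Last 30 / Find3M file listing) plus the MBAM registry-key line, then reports a service image started from a temp folder, a hidden+system file under the Windows tree, and a service name MBAM keeps reporting that the DDS enumeration does not list. The temp-folder list, the attribute rule and the sample lines (copied from this thread) are assumptions and constructed input.

```python
import re

# DDS "SERVICES / DRIVERS" line, e.g.
#   S3 NSELGOO;NSELGOO;c:\users\lester\appdata\local\temp\NSELGOO.exe [2008-1-5 560000]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$"
)
# DDS "Created Last 30" / "Find3M" line, e.g.
#   2006-12-02 19:43 108 a--shr-- c:\windows\neoqaz2.dll
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
# MBAM "Registry Keys Infected" line: the service key name and the family label.
MBAM_RE = re.compile(r"\\Services\\(?P<name>[^\\\s]+)\s+\((?P<family>[^)]+)\)")
# Assumption: folders from which no legitimate service or driver image is started.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _parse(lines, regex):
    """Match each stripped line against regex; return the groupdicts that matched."""
    out = []
    for line in lines:
        m = regex.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["path"] = entry["path"].lower()
            out.append(entry)
    return out

def parse_services(lines):
    """SERVICES / DRIVERS entries only; every other DDS line is ignored."""
    return _parse(lines, SERVICE_RE)

def parse_files(lines):
    """File-listing entries (Created Last 30 / Find3M) only."""
    return _parse(lines, FILE_RE)

def service_names_from_mbam(lines):
    """(service name, family) for each MBAM registry-key detection line."""
    return [(m.group("name"), m.group("family"))
            for m in map(MBAM_RE.search, lines) if m]

def flag_temp_services(services):
    """Check 1: service or driver image started from a temp folder."""
    return [s["name"] for s in services
            if any(marker in s["path"] for marker in TEMP_MARKERS)]

def flag_hidden_system_files(files):
    """Check 2: a loose file under the Windows tree carrying the hidden (h)
    and system (s) attribute letters. Assumption: the DDS attribute string
    is read by letter presence rather than by column position."""
    return [f["path"] for f in files
            if f["size"] != "<DIR>"
            and f["path"].startswith("c:\\windows\\")
            and "h" in f["attrs"] and "s" in f["attrs"]]

def hits_missing_from_dds(services, scanner_hits):
    """Check 3: a service another scanner keeps finding that DDS never listed.
    A key MBAM deletes on every scan yet absent from the DDS service
    enumeration is a discrepancy worth a second look, not proof of anything."""
    listed = {s["name"].lower() for s in services}
    return [name for name, _family in scanner_hits if name.lower() not in listed]

def triage(dds_lines, mbam_lines):
    """Run all three checks; returns check name -> list of hits."""
    services = parse_services(dds_lines)
    return {
        "service_in_temp": flag_temp_services(services),
        "hidden_system_file_in_windows": flag_hidden_system_files(parse_files(dds_lines)),
        "scanner_hit_not_listed_by_dds": hits_missing_from_dds(
            services, service_names_from_mbam(mbam_lines)),
    }

# Constructed sample: lines copied from the DDS log and MBAM report in this thread.
SAMPLE_DDS = r"""
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-7-26 902592]
R1 SASDIFSV;SASDIFSV;e:\security\superantispyware\sasdifsv.sys [2009-9-4 9968]
S3 IACMZOZL;IACMZOZL;c:\users\lester\appdata\local\temp\IACMZOZL.exe [2008-1-5 478080]
S3 NSELGOO;NSELGOO;c:\users\lester\appdata\local\temp\NSELGOO.exe [2008-1-5 560000]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-1-20 83336]
2009-09-09 22:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:18 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2008-06-21 18:25 174 a--sh--- c:\program files\desktop.ini
2006-12-02 19:43 108 a--shr-- c:\windows\neoqaz2.dll
""".strip().splitlines()
SAMPLE_MBAM = [
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmiiqmamsr"
    r" (Rootkit.TDSS) -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_DDS, SAMPLE_MBAM).items():
        print(f"{check}: {hits}")
```

Feed it the full log by reading the DDS text file into a list of lines; every hit is a pointer for a human reviewer, and the Temp-folder and Windows-tree rules will also flag some legitimate security products that keep hidden files there.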



#2 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Location: Munich, Germany

Posted 26 September 2009 - 12:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 dal9796

  • Topic Starter
  • Members
  • 16 posts

Posted 27 September 2009 - 09:16 PM

Hello and thanks for your help and time -- it is much appreciated. My problem has not changed from original post, but I'll describe it again:

When I run MBAM, I get the following detection and removal report from Malwarebytes' AntiMalware (MBAM):

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmiiqmamsr (Rootkit.TDSS) -> Quarantined and deleted successfully.

However, after immediately rebooting and then rescanning, it always shows up again. Please help in deleting it and tell me how to prevent it in future. I have included the DDS log and the attached files as per instructions. I have saved the "Attach.txt" but have not attached it until you instruct me to.

Thanks for the help.

**** DDS LOG ****

DDS (Ver_09-09-24.01) - NTFSx86
Run by Lester at 22:03:59.10 on Sun 09/27/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1279 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
E:\Security\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Security\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\SysTools\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
E:\Other Apps\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Windows\system32\vmnat.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
E:\Security\VMware Workstation\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\wpcumi.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
E:\Security\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
E:\Other Apps\Directory Opus\dopusrt.exe
C:\WINDOWS\ehome\ehtray.exe
E:\Security\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\Clipboard Magic401\ClipboardMagic.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
E:\Other Apps\Win32pad\win32pad.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
E:\Other Apps\Sandboxie\SbieCtrl.exe
E:\Finance\KeePass\KeePass.exe
E:\Other Apps\Directory Opus\dopus.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
F:\TEMP\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: PDFXChange 4.0: {42dfa04f-0f16-418e-b80c-ab97a5afad39} - e:\business\pdf-xchange 4 pro\pdfsaver\PXCIEAddin4.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - e:\business\pdf-xchange 4 pro\pdf-xchange pdf viewer\pdf viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
TB: PDFXChange 4.0: {42dfa04f-0f16-418e-b80c-ab97a5afad39} - e:\business\pdf-xchange 4 pro\pdfsaver\PXCIEAddin4.dll
uRun: [Directory Opus Desktop Dblclk] "e:\other apps\directory opus\dopusrt.exe" /dblclk
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] e:\security\superantispyware\SUPERAntiSpyware.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [avgnt] "e:\security\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malwarebytes Anti-Malware (reboot)] "e:\security\malwarebytes anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Malwarebytes' Anti-Malware] e:\security\malwarebytes anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\lester\appdata\roaming\micros~1\windows\startm~1\programs\startup\clipbo~1.lnk - e:\clipboard magic401\ClipboardMagic.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - e:\micros~1\office10\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {06305358-99CE-4C47-B59C-939B76856C2B} - hxxp://download.microsoft.com/download/A/C/4/AC43418A-8C86-4205-803E-249B637EE96B/pmupd806.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - e:\security\superantispyware\SASWINLO.dll
AppInit_DLLs: APSHook.dll
SEH: Directory Opus Shell Execute Hook: {3cf9ece0-1a9f-11d2-8c73-00c06c2005de} - e:\other apps\directory opus\dopuslib.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\security\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\users\lester\appdata\roaming\mozilla\firefox\profiles\lmt7g2o0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?sourceid=navclient-ff&ie=UTF-8&rlz=1R0GGGL_en&hl=en&source=iglk
FF - prefs.js: network.proxy.type - 4
FF - plugin: e:\entertainment\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\communications\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\communications\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\communications\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-7-26 902592]
R1 SASDIFSV;SASDIFSV;e:\security\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;e:\security\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\security\avira\antivir desktop\sched.exe [2009-4-22 108289]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-6-20 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-6-20 21504]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-6-2 4233728]
R3 SASENUM;SASENUM;e:\security\superantispyware\SASENUM.SYS [2009-9-4 7408]
R3 SbieDrv;SbieDrv;e:\other apps\sandboxie\SbieDrv.sys [2009-4-13 107520]
S3 IACMZOZL;IACMZOZL;c:\users\lester\appdata\local\temp\IACMZOZL.exe [2008-1-5 478080]
S3 NSELGOO;NSELGOO;c:\users\lester\appdata\local\temp\NSELGOO.exe [2008-1-5 560000]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-1-20 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2008-1-20 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2008-1-20 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2008-1-20 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2008-1-20 98696]
S3 UY;UY;c:\users\lester\appdata\local\temp\UY.exe [2009-9-11 383872]

=============== Created Last 30 ================

2009-09-24 15:49 <DIR> --d----- c:\windows\system32\eu-ES
2009-09-24 15:49 <DIR> --d----- c:\windows\system32\ca-ES
2009-09-24 15:49 <DIR> --d----- c:\windows\system32\vi-VN
2009-09-20 08:49 116,842 a------- c:\windows\hpqins00.dat
2009-09-20 08:46 <DIR> --d----- c:\programdata\HP Product Assistant
2009-09-19 16:42 <DIR> --d----- c:\programdata\WEBREG
2009-09-19 16:42 <DIR> --d----- c:\progra~2\WEBREG
2009-09-19 16:35 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-09-19 16:34 <DIR> --d----- c:\program files\common files\HP
2009-09-19 16:25 148,956 a------- c:\windows\hpoins19.dat
2009-09-19 16:25 258,048 a------- c:\windows\system32\hpzids01.dll
2009-09-19 16:25 675,840 a------- c:\windows\system32\hpowiav1.dll
2009-09-19 16:25 573,440 a------- c:\windows\system32\hpotscl1.dll
2009-09-19 16:25 303,104 a------- c:\windows\system32\hpovst01.dll
2009-09-19 16:25 26,952 a------- c:\windows\hpomdl19.dat
2009-09-15 11:17 53,016 a------- c:\windows\system32\pxc40pm.dll
2009-09-10 01:18 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-09-10 01:18 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-09-10 01:17 <DIR> --d----- c:\users\lester\appdata\roaming\SUPERAntiSpyware.com
2009-09-10 01:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-09 22:42 <DIR> --d----- c:\users\lester\appdata\roaming\Malwarebytes
2009-09-09 22:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-09 22:42 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-09 22:42 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-09 22:42 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-09 14:59 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 16:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-09-08 16:27 105,984 a------- c:\windows\system32\netiohlp.dll
2009-09-08 16:27 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-09-08 16:27 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-08 16:27 19,968 a------- c:\windows\system32\ARP.EXE
2009-09-08 16:27 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-09-08 16:27 10,240 a------- c:\windows\system32\finger.exe
2009-09-08 16:27 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-09-08 16:27 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-09-08 16:27 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-09-08 16:27 17,920 a------- c:\windows\system32\netevent.dll
2009-09-03 01:07 <DIR> --d----- c:\programdata\is-707LQ
2009-09-03 01:07 <DIR> --d----- c:\progra~2\is-707LQ
2009-09-03 01:07 3,782,688 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-03 01:07 47,492 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-09-02 17:49 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 17:49 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 15:34 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-09-26 00:28 139,316 a------- c:\programdata\nvModes.dat
2009-09-26 00:28 139,316 a------- c:\progra~2\nvModes.dat
2009-09-24 16:06 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-24 16:06 143,360 a------- c:\windows\inf\infstor.dat
2009-09-24 16:06 86,016 a------- c:\windows\inf\infpub.dat
2009-09-24 15:49 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-20 08:53 319,456 a------- c:\windows\DIFxAPI.dll
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-24 17:28 109,278 a------- c:\users\lester\appdata\roaming\nvModes.dat
2009-08-05 19:30 60,744 a------- c:\users\lester\g2mdlhlpx.exe
2009-08-05 19:27 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-18 12:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 07:35 828,416 a------- c:\windows\system32\wininet.dll
2009-07-17 09:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 08:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 08:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 08:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-11 15:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 15:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 15:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 15:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 13:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-06-11 19:59 34 a------- c:\users\lester\jagex_runescape_preferences.dat
2008-06-21 18:25 174 a--sh--- c:\program files\desktop.ini
2008-01-03 02:26 0 a------- c:\users\lester\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-12-02 19:43 108 a--shr-- c:\windows\neoqaz2.dll

============= FINISH: 22:07:35.11 ===============

Let me know what to do next.

Thanks,
Lester
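
A triage pass over the DDS log above, written as an added example for this thread (it is not part of the original post and not a DDS, MBAM or ComboFix component). It parses the three line shapes a helper reads first, the `SERVICES / DRIVERS` entries, the `Created Last 30` / `Find3M` file entries and the `Pseudo HJT` loading points, and applies four starting-point heuristics that are my own assumptions, not verdicts on any file: a service or driver whose binary lives under a user's temp folder (the three `S3` entries above), a Run-key entry launching from a temp folder (none in this log, so one `mRun` line is constructed to show the rule firing), a hidden+system file sitting directly in the Windows directory rather than a subdirectory (`neoqaz2.dll`, which the ComboFix run later in this thread deleted; `fidbox.dat` in `drivers\` is deliberately not flagged), and an `AppInit_DLLs` value given as a bare file name, which the loader resolves through its search path, so the finding only means "confirm which file this is". The sample lines are copied from the log above except the one marked constructed.

```python
"""Triage heuristics for a DDS-style log (Windows autostart / file listing).

Added example for this thread; not part of the original post and not a DDS,
MBAM or ComboFix component.  The rules are starting-point heuristics a helper
applies when reading such a log, not a verdict on any file.
"""
import re
from dataclasses import dataclass

# "R0 name;display name;path [date size]" / "S3 name;display;path [date size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*(\[[^\]]*\])?\s*$")
# "2009-09-24 15:49 116,842 a------- c:\windows\hpqins00.dat"  (size may be <DIR>)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S{8})\s+(.+)$")
# "mRun: [name] command"  (u = HKCU, m = HKLM, optional RunOnce)
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[([^\]]*)\]\s*(.+)$")
# "AppInit_DLLs: APSHook.dll"
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$")

# Path fragments treated as temporary/scratch locations (assumption).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\tmp\\")
WINDOWS_ROOT = "c:\\windows\\"


@dataclass
class Finding:
    rule: str
    line: str
    detail: str


def is_temp_path(path: str) -> bool:
    """True when the executable referenced by a log line lives under a temp folder."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def is_windows_root_file(path: str) -> bool:
    """True for files directly in c:\\windows, not in any subdirectory."""
    p = path.lower()
    return p.startswith(WINDOWS_ROOT) and "\\" not in p[len(WINDOWS_ROOT):]


def triage(lines):
    """Run the heuristics over DDS log lines and return the findings in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, path = m.group(1), m.group(2), m.group(4)
            if is_temp_path(path):
                findings.append(Finding("service-in-temp", line, f"{name} ({start}) loads {path}"))
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.group(2), m.group(3), m.group(4)
            # DDS attribute flags: a=archive, d=dir, s=system, h=hidden, r=read-only
            if "s" in attrs and "h" in attrs and is_windows_root_file(path):
                findings.append(Finding("hidden-system-in-windows-root", line,
                                        f"{path} attrs={attrs} size={size}"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, command = m.group(1), m.group(2)
            if is_temp_path(command):
                findings.append(Finding("run-key-in-temp", line, f"{name} -> {command}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in m.group(1).split():
                # A bare name is resolved through the loader search path; confirm which file it is.
                if "\\" not in dll:
                    findings.append(Finding("appinit-dll-unqualified", line, dll))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'service-in-temp': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample input: lines copied from the DDS log in this thread, plus one
# constructed mRun line (marked) so the Run-key rule has something to fire on.
SAMPLE_LOG = [
    r"R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-7-26 902592]",
    r"R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-6-20 21504]",
    r"S3 IACMZOZL;IACMZOZL;c:\users\lester\appdata\local\temp\IACMZOZL.exe [2008-1-5 478080]",
    r"S3 NSELGOO;NSELGOO;c:\users\lester\appdata\local\temp\NSELGOO.exe [2008-1-5 560000]",
    r"S3 UY;UY;c:\users\lester\appdata\local\temp\UY.exe [2009-9-11 383872]",
    r"2009-09-03 01:07 3,782,688 a--sh--- c:\windows\system32\drivers\fidbox.dat",
    r"2008-06-21 18:25 174 a--sh--- c:\program files\desktop.ini",
    r"2006-12-02 19:43 108 a--shr-- c:\windows\neoqaz2.dll",
    r'mRun: [avgnt] "e:\security\avira\antivir desktop\avgnt.exe" /min',
    r"mRun: [Updater] c:\users\lester\appdata\local\temp\updater.exe",  # constructed, not from the log
    r"AppInit_DLLs: APSHook.dll",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.detail}")
    print(summarize(results))
```

Feed it the full log (one line per list element) and read the findings as a worklist, not a verdict: each one is a path to look up, hash and check, which is what the helper's ComboFix run does in bulk. The temp-folder rule is the one that pays off most often on a log like this, because a legitimate installer rarely registers a service whose binary it leaves in `AppData\Local\Temp`.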

#4 schrauber
  • Malware Response Team
  • 24,794 posts
  • Location:Munich,Germany

Posted 29 September 2009 - 11:13 AM

Hello dal9796, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and choose Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 dal9796
  • Topic Starter
  • Members
  • 16 posts

Posted 29 September 2009 - 05:54 PM

Hi Tom, thank you for helping me. I'm posting the ComboFix.txt log below. Note that I'd also like to uninstall Spybot S&D (I already uninstalled it, but Combo-Fix detected that it is still active, and it shows up at the beginning part of the log also). If you know how I can do this, let me know.

ComboFix 09-09-28.01 - Lester 09/29/2009 17:56.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1343 [GMT -4:00]
Running from: c:\users\Lester\Desktop\Combo-Fix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 108 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3679741911-215977776-1854041364-1001
c:\$recycle.bin\S-1-5-21-3679741911-215977776-1854041364-500
c:\$recycle.bin\S-1-5-21-974106560-4158444355-3744590665-500
c:\windows\neoqaz2.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-29 22:04 . 2009-09-29 22:04 -------- d-----w- c:\users\User 2\AppData\Local\temp
2009-09-29 22:04 . 2009-09-29 22:04 -------- d-----w- c:\users\User 1\AppData\Local\temp
2009-09-29 22:04 . 2009-09-29 22:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-24 19:49 . 2009-09-24 19:51 -------- d-----w- c:\windows\system32\ca-ES
2009-09-24 19:49 . 2009-09-24 19:50 -------- d-----w- c:\windows\system32\eu-ES
2009-09-24 19:49 . 2009-09-24 19:50 -------- d-----w- c:\windows\system32\vi-VN
2009-09-20 12:49 . 2009-09-20 12:52 116842 ----a-w- c:\windows\hpqins00.dat
2009-09-20 12:46 . 2009-09-20 12:46 -------- d-----w- c:\programdata\HP Product Assistant
2009-09-19 20:42 . 2009-09-19 20:42 -------- d-----w- c:\programdata\WEBREG
2009-09-19 20:35 . 2009-09-19 20:35 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-09-19 20:34 . 2009-09-19 20:39 -------- d-----w- c:\program files\Common Files\HP
2009-09-19 20:25 . 2009-09-19 20:42 148956 ----a-w- c:\windows\hpoins19.dat
2009-09-19 20:25 . 2006-11-20 21:36 258048 ----a-w- c:\windows\system32\hpzids01.dll
2009-09-19 20:25 . 2006-12-16 06:19 675840 ----a-w- c:\windows\system32\hpowiav1.dll
2009-09-19 20:25 . 2006-12-16 06:19 303104 ----a-w- c:\windows\system32\hpovst01.dll
2009-09-19 20:25 . 2006-12-16 06:19 573440 ----a-w- c:\windows\system32\hpotscl1.dll
2009-09-19 20:25 . 2007-03-13 19:52 26952 ----a-w- c:\windows\hpomdl19.dat
2009-09-15 15:17 . 2009-06-19 20:39 53016 ----a-w- c:\windows\system32\pxc40pm.dll
2009-09-11 19:26 . 2009-09-18 12:23 -------- d-----w- c:\program files\Google
2009-09-10 05:18 . 2009-09-10 05:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-10 05:17 . 2009-09-10 05:17 -------- d-----w- c:\users\Lester\AppData\Roaming\SUPERAntiSpyware.com
2009-09-10 05:15 . 2009-09-10 05:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-10 02:42 . 2009-09-10 02:42 -------- d-----w- c:\users\Lester\AppData\Roaming\Malwarebytes
2009-09-10 02:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 02:42 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 02:42 . 2009-09-10 02:42 -------- d-----w- c:\programdata\Malwarebytes
2009-09-09 18:59 . 2009-09-09 18:59 -------- d-----w- c:\program files\Trend Micro
2009-09-08 20:27 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-08 20:27 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-08 20:27 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-08 20:27 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-08 20:27 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-08 20:27 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-08 20:27 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-08 20:27 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-08 20:27 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-08 20:27 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-08 20:27 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-03 05:07 . 2009-09-03 05:07 -------- d-----w- c:\programdata\is-707LQ
2009-09-03 05:07 . 2009-09-04 02:03 3782688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-02 21:49 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-02 21:49 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 18:50 . 2009-08-26 13:12 139316 ----a-w- c:\programdata\nvModes.dat
2009-09-29 15:17 . 2008-01-05 16:10 8268 ----a-w- c:\users\Lester\AppData\Local\d3d9caps.dat
2009-09-29 13:28 . 2008-01-07 01:08 -------- d-----w- c:\programdata\VMware
2009-09-29 13:26 . 2007-06-10 17:17 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-27 01:00 . 2008-03-17 04:55 -------- d-----w- c:\users\Lester\AppData\Roaming\uTorrent
2009-09-25 02:23 . 2009-08-26 13:59 -------- d-----w- c:\programdata\NVIDIA
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-24 19:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-20 12:53 . 2007-05-12 17:18 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-09-20 12:53 . 2007-05-12 17:18 -------- d-----w- c:\program files\Realtek
2009-09-19 20:43 . 2007-12-31 21:12 98464 ----a-w- c:\users\Lester\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-19 20:43 . 2008-01-03 21:16 -------- d-----w- c:\users\Lester\AppData\Roaming\HP
2009-09-19 20:38 . 2007-05-12 16:52 -------- d-----w- c:\program files\HP
2009-09-19 20:36 . 2007-05-12 17:02 -------- d-----w- c:\programdata\HP
2009-09-13 17:27 . 2007-05-12 16:31 -------- d-----w- c:\programdata\Roxio
2009-09-10 05:08 . 2008-01-05 15:38 -------- d-----w- c:\programdata\Lavasoft
2009-09-07 23:09 . 2007-05-12 16:48 -------- d-----w- c:\programdata\Microsoft Help
2009-09-07 22:37 . 2008-01-07 01:20 -------- d-----w- c:\users\Lester\AppData\Roaming\VMware
2009-09-04 02:03 . 2009-09-03 05:07 47492 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-01 18:41 . 2008-03-21 20:39 -------- d-----w- c:\users\User 1\AppData\Roaming\VMware
2009-08-29 22:17 . 2008-03-21 20:39 98920 ----a-w- c:\users\User 1\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-26 14:26 . 2008-01-04 16:03 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-08-26 12:35 . 2009-08-26 12:35 -------- d-----w- c:\programdata\NortonInstaller
2009-08-26 12:25 . 2009-02-26 02:19 -------- d-----w- c:\program files\Java
2009-08-24 21:28 . 2008-01-04 04:37 109278 ----a-w- c:\users\Lester\AppData\Roaming\nvModes.dat
2009-08-22 22:47 . 2009-04-04 01:06 -------- d-----w- c:\users\User 1\AppData\Roaming\uTorrent
2009-08-20 13:19 . 2008-03-21 23:27 -------- d-----w- c:\users\User 2\AppData\Roaming\VMware
2009-08-18 17:19 . 2008-03-22 00:05 54342 ----a-w- c:\users\User 1\AppData\Roaming\nvModes.dat
2009-08-14 00:32 . 2009-08-14 00:32 -------- d-----w- c:\programdata\1stWorks
2009-08-14 00:32 . 2009-08-14 00:32 -------- d-----w- c:\program files\1stWORKS
2009-08-12 04:01 . 2007-05-12 17:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-12 02:32 . 2007-05-12 16:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-09 16:10 . 2009-08-09 16:00 -------- d-----w- c:\users\User 1\AppData\Roaming\CyberMatrix
2009-08-05 23:30 . 2009-08-05 23:30 60744 ----a-w- c:\users\Lester\g2mdlhlpx.exe
2009-08-05 23:27 . 2009-04-23 00:59 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 14:01 . 2009-08-03 14:01 -------- d-----w- c:\program files\Citrix
2009-08-03 11:57 . 2009-08-03 11:57 -------- d-----w- c:\users\Lester\AppData\Roaming\Sync App Settings
2009-08-03 11:30 . 2009-08-03 11:30 -------- d-----w- c:\programdata\Sync App Settings
2009-07-31 13:32 . 2009-05-16 17:13 34 ----a-w- c:\users\User 2\jagex_runescape_preferences.dat
2009-07-26 17:30 . 2009-07-26 17:30 902592 ----a-w- c:\windows\system32\drivers\tdrpm228.sys
2009-07-26 17:30 . 2009-07-26 17:30 44704 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-07-26 17:30 . 2009-07-26 17:30 540000 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-07-26 17:30 . 2009-07-26 17:30 138208 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-07-25 09:23 . 2009-02-26 02:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 00:34 . 2008-03-22 15:46 27430 ----a-w- c:\users\User 2\AppData\Roaming\nvModes.dat
2009-07-18 16:01 . 2009-08-03 11:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 11:35 . 2009-08-03 11:14 828416 ----a-w- c:\windows\system32\wininet.dll
2009-07-17 13:54 . 2009-08-11 23:48 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-11 23:47 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-11 23:47 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-11 23:47 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-11 23:47 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-11 19:01 . 2009-09-08 20:26 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-08 20:26 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-08 20:26 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-08 20:26 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-08 20:26 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Directory Opus Desktop Dblclk"="e:\other apps\Directory Opus\dopusrt.exe" [2008-10-27 275952]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="e:\security\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-18 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-24 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"pdfFactory Pro Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-11-07 507904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 507904]
"avgnt"="e:\security\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Malwarebytes Anti-Malware (reboot)"="e:\security\Malwarebytes Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\User 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\users\Lester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Clipboard Magic.lnk - e:\clipboard magic401\ClipboardMagic.exe [2008-1-4 687104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "e:\other apps\Directory Opus\dopuslib.dll" [2008-10-27 693744]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\security\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- e:\security\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3b,20,65,fe,52,3d,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A8F7E893-D8DA-4DF1-A51B-4F2315F02EDF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{47DDD09A-61C6-4A83-A10F-A81F0D25A8B4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E50D077B-F1A0-4523-AF63-ABEBAABF0E63}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{DB81D00D-CCC7-4E12-8B7C-0C04F61D3D29}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{338C3B67-A6CB-470A-BAC8-D6E246EC46D4}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E48151A9-6885-4560-8BC4-0F737E7DE350}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D8832AF1-7367-4565-9280-500D1D4535C5}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4BDD73EC-36E4-44E3-99D5-B97EB42CC9A5}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B53FE2D3-54A5-4490-93B7-7608CB64E3FB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C7539C9D-9A89-429C-BA53-97BB48B5ED7A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{669A006E-82D8-49A3-AB80-C6B1A01CC043}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{AA9C5BD4-BDD1-4BC8-AD08-C3AC2A1ABB46}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{644C3BDA-FAE9-46C1-BE94-13083B577B0E}e:\\surftools\\utorrent\\utorrent.exe"= UDP:e:\surftools\utorrent\utorrent.exe:uTorrent
"UDP Query User{02192F4C-A3AA-41A7-8083-39A92A6EC9BA}e:\\surftools\\utorrent\\utorrent.exe"= TCP:e:\surftools\utorrent\utorrent.exe:uTorrent
"TCP Query User{46308B47-D94A-4CCD-8F77-2DA938D11AB1}e:\\entertainment\\ares ultra\\ares ultra.exe"= UDP:e:\entertainment\ares ultra\ares ultra.exe:Ares Ultra
"UDP Query User{F9760B63-8FEF-4D3F-A17E-D59D30CD23F2}e:\\entertainment\\ares ultra\\ares ultra.exe"= TCP:e:\entertainment\ares ultra\ares ultra.exe:Ares Ultra
"TCP Query User{D4100C44-630E-4A1A-8AFC-6B218453D4EA}e:\\surftools\\getright63c\\getright.exe"= UDP:e:\surftools\getright63c\getright.exe:GetRight® Download Manager. www.GetRight.com
"UDP Query User{D0509BD1-CCAB-4555-93E8-FF45E5FF98C8}e:\\surftools\\getright63c\\getright.exe"= TCP:e:\surftools\getright63c\getright.exe:GetRight® Download Manager. www.GetRight.com
"TCP Query User{54932F8A-6A4D-4E63-A63B-2BD6EFC0475A}e:\\communications\\firefox\\firefox.exe"= UDP:e:\communications\firefox\firefox.exe:Firefox
"UDP Query User{A4C50B8F-BD9B-4791-90DA-5045D8948BD0}e:\\communications\\firefox\\firefox.exe"= TCP:e:\communications\firefox\firefox.exe:Firefox
"TCP Query User{D309BC56-F55E-4C75-B768-DBDA8F1B4639}c:\\program files\\1stworks\\hotcommcl\\bin\\hotcomm.exe"= UDP:c:\program files\1stworks\hotcommcl\bin\hotcomm.exe:hotComm CL Client
"UDP Query User{82FEB0D3-1EDE-4A00-99F3-CBEF2A32F1B9}c:\\program files\\1stworks\\hotcommcl\\bin\\hotcomm.exe"= TCP:c:\program files\1stworks\hotcommcl\bin\hotcomm.exe:hotComm CL Client
"TCP Query User{D8D30459-A582-4399-9A2A-F1F0EE241FF8}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{04FD20E2-9339-4312-A281-E862A481B993}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2C8E8200-E41B-4DA4-9EDC-F16103AB63E0}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F005A3F4-C03F-4C17-9C4F-03A6C783C55B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D5B32F8D-14C6-4E47-8509-D45F34EE4D0D}"= UDP:c:\users\Lester\AppData\Local\Temp\7zS2F4A.tmp\SymNRT.exe:Norton Removal Tool
"{8D19E054-554A-4CA4-BE47-C3EF9D96FD79}"= TCP:c:\users\Lester\AppData\Local\Temp\7zS2F4A.tmp\SymNRT.exe:Norton Removal Tool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\System32\drivers\tdrpm228.sys [7/26/2009 1:30 PM 902592]
R1 SASDIFSV;SASDIFSV;e:\security\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;e:\security\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\security\Avira\AntiVir Desktop\sched.exe [4/22/2009 8:59 PM 108289]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [6/20/2008 10:39 PM 21504]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [6/20/2008 10:39 PM 21504]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [6/2/2009 5:20 PM 4233728]
R3 SASENUM;SASENUM;e:\security\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
R3 SbieDrv;SbieDrv;e:\other apps\Sandboxie\SbieDrv.sys [4/13/2009 12:51 PM 107520]
S3 IACMZOZL;IACMZOZL;c:\users\Lester\AppData\Local\Temp\IACMZOZL.exe --> c:\users\Lester\AppData\Local\Temp\IACMZOZL.exe [?]
S3 NSELGOO;NSELGOO;c:\users\Lester\AppData\Local\Temp\NSELGOO.exe --> c:\users\Lester\AppData\Local\Temp\NSELGOO.exe [?]
S3 UY;UY;c:\users\Lester\AppData\Local\Temp\UY.exe --> c:\users\Lester\AppData\Local\Temp\UY.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\micros~1\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Lester\AppData\Roaming\Mozilla\Firefox\Profiles\lmt7g2o0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?sourceid=navclient-ff&ie=UTF-8&rlz=1R0GGGL_en&hl=en&source=iglk
FF - prefs.js: network.proxy.type - 4
FF - plugin: e:\entertainment\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-{9A986603-03C1-45D0-9B18-A1695A55E51A} - c:\users\Lester\AppData\Local\{EE624160-0B32-484D-8A30-920BDF5095D9}\TweakVista_Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 18:05
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000020

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\windows\system32\APSHook.dll

- - - - - - - > 'lsass.exe'(968)
c:\windows\system32\APSHook.dll
c:\program files\Bioscrypt\VeriSoft\bin\ASWLNPkg.dll
c:\program files\Bioscrypt\VeriSoft\bin\ItMsg.dll
c:\program files\Bioscrypt\VeriSoft\bin\brand.dll
.
Completion time: 2009-09-29 18:10
ComboFix-quarantined-files.txt 2009-09-29 22:09

Pre-Run: 70,108,651,520 bytes free
Post-Run: 77,786,181,632 bytes free

312 --- E O F --- 2009-09-29 12:52

#6 schrauber

schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:30 AM

Posted 01 October 2009 - 10:47 AM

Hi,

Step 1

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
{ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

Folder::
c:\users\Lester\AppData\Roaming\uTorrent
c:\users\User 1\AppData\Roaming\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{669A006E-82D8-49A3-AB80-C6B1A01CC043}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{AA9C5BD4-BDD1-4BC8-AD08-C3AC2A1ABB46}c:\\program files\\utorrent\\utorrent.exe"=-
"TCP Query User{644C3BDA-FAE9-46C1-BE94-13083B577B0E}e:\\surftools\\utorrent\\utorrent.exe"=-
"UDP Query User{02192F4C-A3AA-41A7-8083-39A92A6EC9BA}e:\\surftools\\utorrent\\utorrent.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please update your version of Malwarebytes and run a quick scan, and post back with the content of the logfile.

Please post back with:
  • Combofix-Logfile
  • Malwarebytes-Logfile

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
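The CFScript above deletes firewall values by listing each value name with `=-` under its key, and the entries it targets were read straight out of the DDS log in the first post. The Python below is an added example, not code from the thread, ComboFix or DDS: it parses a DDS-style log excerpt (constructed here from entries in the thread), builds that Registry:: section for a chosen program, and flags services whose image lives under a Temp folder or that DDS reported as `[?]`, which is how the randomly named S3 entries stand out.

```python
"""Turn DDS log entries into a ComboFix CFScript 'Registry::' section and
flag suspicious service entries.

Added example for this thread; it is not code from ComboFix, DDS or the
helper's post. The log excerpt below is constructed from entries that
appear in the thread's DDS log, trimmed to a few lines.
"""
import re
from typing import Dict, List

# Constructed excerpt in DDS log format: bracketed key header, then
# "name"= value lines; service lines are "<R|S><n> name;display;image [info]".
SAMPLE_DDS = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2C8E8200-E41B-4DA4-9EDC-F16103AB63E0}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{669A006E-82D8-49A3-AB80-C6B1A01CC043}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{AA9C5BD4-BDD1-4BC8-AD08-C3AC2A1ABB46}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{E50D077B-F1A0-4523-AF63-ABEBAABF0E63}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;e:\security\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
S3 IACMZOZL;IACMZOZL;c:\users\Lester\AppData\Local\Temp\IACMZOZL.exe --> c:\users\Lester\AppData\Local\Temp\IACMZOZL.exe [?]
S3 UY;UY;c:\users\Lester\AppData\Local\Temp\UY.exe --> c:\users\Lester\AppData\Local\Temp\UY.exe [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# Firewall rule value: optional "TCP:"/"UDP:" prefix, a drive-letter path
# (a Windows path has no further colons), then ":description".
RULE_VALUE_RE = re.compile(r"^(?:(TCP|UDP):)?([A-Za-z]:\\[^:]*):(.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]$")


def parse_firewall_rules(log: str) -> List[Dict[str, str]]:
    """Return one dict per value found under a ...\\FirewallRules key."""
    rules, key = [], ""
    for line in log.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or not key.lower().endswith("\\firewallrules"):
            continue
        rm = RULE_VALUE_RE.match(vm.group(2))
        if not rm:
            continue
        proto, path, desc = rm.groups()
        rules.append({"key": key, "name": vm.group(1), "proto": proto or "",
                      "path": path, "desc": desc})
    return rules


def rules_for_program(rules: List[Dict[str, str]], exe_name: str) -> List[Dict[str, str]]:
    """Select rules whose image file name matches exe_name (case-insensitive)."""
    want = exe_name.lower()
    return [r for r in rules if r["path"].rsplit("\\", 1)[-1].lower() == want]


def build_registry_section(rules: List[Dict[str, str]]) -> str:
    """Emit the CFScript 'Registry::' block: the key in brackets, then each
    value name followed by '=-', which tells ComboFix to delete that value."""
    if not rules:
        return ""
    lines = ["Registry::", "[" + rules[0]["key"] + "]"]
    lines += ['"%s"=-' % r["name"] for r in rules]
    return "\n".join(lines)


def suspicious_services(log: str) -> List[Dict[str, str]]:
    """Flag services whose image sits under a Temp folder or whose file
    details DDS could not read (shown as [?])."""
    hits = []
    for line in log.splitlines():
        sm = SERVICE_RE.match(line.strip())
        if not sm:
            continue
        start, name, _display, image, info = sm.groups()
        image = image.split(" --> ")[0]  # DDS repeats the path after "-->"
        if "\\temp\\" in image.lower() or info == "?":
            hits.append({"start": start, "name": name, "image": image, "info": info})
    return hits


if __name__ == "__main__":
    rules = rules_for_program(parse_firewall_rules(SAMPLE_DDS), "utorrent.exe")
    print(build_registry_section(rules))
    for s in suspicious_services(SAMPLE_DDS):
        print("suspicious:", s["start"], s["name"], s["image"], "[%s]" % s["info"])
```

Run against the full DDS log from the first post, the Registry:: block it prints for utorrent.exe is the same four lines the helper wrote into the CFScript.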

#7 dal9796

dal9796
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:30 AM

Posted 01 October 2009 - 05:47 PM

I've done as instructed and below are the postings of the Combo-Fix log and the MBAM log (it is fairly short). For sure the MBAM log no longer shows the infection -- so maybe we're done (fingers crossed).

Thanks for all your help.

ComboFix 09-09-28.01 - Lester 10/01/2009 18:08.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1383 [GMT -4:00]
Running from: c:\users\Lester\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Lester\Desktop\CFScript.txt
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Lester\AppData\Roaming\uTorrent
c:\users\Lester\AppData\Roaming\uTorrent\(2005) Disney Girlz Rock.torrent
c:\users\Lester\AppData\Roaming\uTorrent\(2008) Disney Girlz Rock 2.torrent
c:\users\Lester\AppData\Roaming\uTorrent\(NDS) 0428 - Trauma Center - Under The Knife (E)(Legacy).zip.torrent
c:\users\Lester\AppData\Roaming\uTorrent\011 - Jonas Brothers - Burnin' Up [Torrent Tatty] (™ Hollywood Promo YouTube).MP3.torrent
c:\users\Lester\AppData\Roaming\uTorrent\0122_-_Trauma_Center_-_Under_the_Knife_(US).zip.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Acronis True Image Home 2009 12 Build 9791.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Acronis True Image Home 2009 v12.0.0.9770-IND.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Acronis True Image Home 2009 v12.0.9709 Patch REZMAN1984.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Akon - Right Now (Na Na Na) [Single][2008] - 320kbps - I.Tunes_.torrent
c:\users\Lester\AppData\Roaming\uTorrent\All I Ever Wanted.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Aly And AJ - Insomniatic [2007][CD+SkidVid+Cov]192Kbps.torrent
c:\users\Lester\AppData\Roaming\uTorrent\AnyDVD & AnyDVD HD v6.5.7.1 FINAL + Reg By ChattChitto.torrent
c:\users\Lester\AppData\Roaming\uTorrent\AnyDVD & AnyDVD HD v6.5.7.1 Final Full.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Britney Spears - Circus [2008] [128kbps].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Brittany Spears-Circus-G515.torrent
c:\users\Lester\AppData\Roaming\uTorrent\bt2final.iso.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Cascada - Everytime We Touch.torrent
c:\users\Lester\AppData\Roaming\uTorrent\CCD5314+key.zip.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Chris Brown-Exclusive-Retail-2007-CR.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Chris Brown - Exclusive [2007] Studio Smash RnB Album.rar.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Chris Brown - Exclusive The Forever Edition - 2008.(www.lokotorrents.com).torrent
c:\users\Lester\AppData\Roaming\uTorrent\Chris Brown - Exclusive The Forever Edition [2008].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Chris Brown - Exclusive.[www.lokotorrents.com].torrent
c:\users\Lester\AppData\Roaming\uTorrent\David Archuleta - Crush (New Single) (williswho.com).torrent
c:\users\Lester\AppData\Roaming\uTorrent\Demi.Lovato-Dont.Forget.(2008).MP3.[BajandoAlbums.CoM].rar.torrent
c:\users\Lester\AppData\Roaming\uTorrent\dht.dat
c:\users\Lester\AppData\Roaming\uTorrent\dht.dat.old
c:\users\Lester\AppData\Roaming\uTorrent\Disney Complete Vol 1.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Eminem-Crack.A.Bottle.Ft.Dr.Dre.&.50 Cent.mp3.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Fergie - The Dutchess.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Flo Rida Ft. Will I Am - In The Ayer.mp3.torrent
c:\users\Lester\AppData\Roaming\uTorrent\FloRida Ft. Kesha - Right Round.mp3.torrent
c:\users\Lester\AppData\Roaming\uTorrent\GetRight.Pro.v6.3c.WinAll.Incl.Patch-CU.rar.torrent
c:\users\Lester\AppData\Roaming\uTorrent\GPSoftware Directory Opus v9.1.1.7 Multilanguage.torrent
c:\users\Lester\AppData\Roaming\uTorrent\GPSoftware.Directory.Opus.x86.v9.1.1.7-NoPE.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Green Day.rar.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Hannah Montana - Songs From And Inspired By The Hit TV Series.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Hannah Montana 2 Meet Miley Cyrus Tabsman H33T Release.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Hannah.Montana.2-Meet.Miley.Cyrus.OST.2007.FLAC.torrent
c:\users\Lester\AppData\Roaming\uTorrent\High School Music Complete Collection [Pandora89].rar.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Hilary Duff - Dignity [2007][CD+SkidVid+Cov].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Hilary Duff - Dignity Tour.(www.lokotorrents.com).torrent
c:\users\Lester\AppData\Roaming\uTorrent\Hilary Duff - Girl Can Rock - [2004].zip.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Hilary.Duff.Dignity.2007.Pop.[WwW.LoKoTorrents.CoM].LKT.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Ideepthroat Compilation - 103 Clips Of Heather Brooke (Deepthroat, Blowjob, Cumshot, Swallow, bleep).mpg.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Jason Mraz - We Sing We Dance We Steal Things (MP3) 2Lions.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Jonas Brothers - A little bit Longer [2008].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Jonas Brothers.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Kardinal Offishall - Dangerous (Ft. Akon).mp3.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Kardinal Offishall - Not 4 Sale[2008][MP3@320kbps]-antecho.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Katie Melua - Call Off The Search[2003][CD+2Vid+Covers].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Katie Melua - Pictures.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Katie Melua - Piece By Piece - 2005.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Katie_Melua-Pictures-2007-KATiEMELUA.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Kelly Clarkson-All I Ever Wanted[DE][2009][CD+SkidVid_XviD+Cov].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Kelly Clarkson - All I Ever Wanted & Bonus (2009) - Pop.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Kelly.Clarkson.-.All.I.Ever.Wanted.(2009).Pop.LanzamientosMp3.es.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Key.AnyDVD.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Lady Gaga - Just Dance.mp3.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Lady GaGa - The Fame [2008][CD+SkidVid_XviD+Cov]320Kbps.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Leona Lewis.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Lil.Wayne-Lil.Wayne.And.Friends.5-(Bootleg)-2008-[NoFS].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Lil.Wayne-Tha.Carter.III.Retail-2008.torrent
c:\users\Lester\AppData\Roaming\uTorrent\mbdhc_jenny_hendrix.wmv.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Norah Jones - Come Away with Me [2002][CD+2 SkidVids+Cov].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Norah Jones - Feels Like Home.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Norah Jones - Not Too Late [2007].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Now Thats What I Call Music 71, 2CD, 2008-Raven2007, (A BlueDragonRG Music Release).torrent
c:\users\Lester\AppData\Roaming\uTorrent\Pussycat Dolls - PCD[SE] [2005][CD+4Vids+Covers].torrent
c:\users\Lester\AppData\Roaming\uTorrent\Quicken - Home and Business 2008 - Canadian Version.iso.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Quicken - Home and Business 2008 - Canadian Version.nrg.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Rebecca Linares & Jenny Hendrix - Secretary's Day 2.avi.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Replay.Video.Capture.v3.1B-PlanB.1.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Replay.Video.Capture.v3.1B-PLANB.torrent
c:\users\Lester\AppData\Roaming\uTorrent\resume.dat
c:\users\Lester\AppData\Roaming\uTorrent\resume.dat.old
c:\users\Lester\AppData\Roaming\uTorrent\Rihanna - Disturbia.mp3.torrent
c:\users\Lester\AppData\Roaming\uTorrent\rss.dat
c:\users\Lester\AppData\Roaming\uTorrent\rss.dat.old
c:\users\Lester\AppData\Roaming\uTorrent\Sarah Connor - Green Eyed Soul.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Sarah Connor - Key To My Soul.torrent
c:\users\Lester\AppData\Roaming\uTorrent\settings.dat
c:\users\Lester\AppData\Roaming\uTorrent\settings.dat.old
c:\users\Lester\AppData\Roaming\uTorrent\Soulja Boy-Souljaboytellem.Com (2007) Rap & Hip-Hop.torrent
c:\users\Lester\AppData\Roaming\uTorrent\top 40.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Twilight Soundtrack 2008.torrent
c:\users\Lester\AppData\Roaming\uTorrent\Twilight Soundtrack.torrent
c:\users\Lester\AppData\Roaming\uTorrent\UBER 1337 PORTABLE PACK.zip.torrent
c:\users\Lester\AppData\Roaming\uTorrent\USA Top 100 - Pop - 2009 - BigGod.torrent
c:\users\Lester\AppData\Roaming\uTorrent\utorrent.lng
c:\users\Lester\AppData\Roaming\uTorrent\VA-Camp Rock-OST-2008.[WwW.GureTorrents.CoM][By Bloop].torrent
c:\users\User 1\AppData\Roaming\uTorrent
c:\users\User 1\AppData\Roaming\uTorrent\[NDS-ENG] Hannah Montana The Movie (EUR)(BAHAMUT).rar.torrent
c:\users\User 1\AppData\Roaming\uTorrent\[NDS-ROMS]Collection of 569 English Games[Cole0561020].torrent
c:\users\User 1\AppData\Roaming\uTorrent\[NDS] 807 (US)(EUR) Roms from 0000-3000.1.torrent
c:\users\User 1\AppData\Roaming\uTorrent\[NDS] 807 (US)(EUR) Roms from 0000-3000.torrent
c:\users\User 1\AppData\Roaming\uTorrent\[NDS]Hannah Montana The Movie [EUR][ESPALNDS.com].zip.torrent
c:\users\User 1\AppData\Roaming\uTorrent\03 - Martie.torrent
c:\users\User 1\AppData\Roaming\uTorrent\2009 - Masterpiece Theatre.torrent
c:\users\User 1\AppData\Roaming\uTorrent\About You Now.mp3.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Ashley Tisdale - Guilty Pleasure (2009) - Pop [www.torrentazos.com].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Billy Talent - 2006 - Billy Talent II (320kbps).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Billy Talent 3.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Black Eyed Peas - Monkey Bus [2005][CD+3 SkidVid_XviD+Cov].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Black Eyed Peas -The E.N.D. [DE] [2009][2CD+SkidVid_XviD+Cov].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Britney Spears - Discography (1999-2007) [320] (7 CD).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Britney Spears - If U Seek Amy (Dance Remixes).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Demi Lovato - Here We Go Again -2009.torrent
c:\users\User 1\AppData\Roaming\uTorrent\dht.dat
c:\users\User 1\AppData\Roaming\uTorrent\dht.dat.old
c:\users\User 1\AppData\Roaming\uTorrent\Eminem - White.America.2.[TK].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Faber Drive - G-Get Up And Dance (Single).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Fifa Street 2.cso.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Game CSO.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Get Up and Dance.mp3.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana - Complete Song collection 041308.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana - Hannah Montana 3-OST-2009-VAG seeded by www.p2p-crew.to.1.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana - Hannah Montana 3-OST-2009-VAG seeded by www.p2p-crew.to.2.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana - Hannah Montana 3-OST-2009-VAG seeded by www.p2p-crew.to.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana 3.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana Hits Remixed 2008 MP3 Scratchy (SeCtIoN8 ReLeAsE SharegoRG).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana The Movie (2009) [OST] [PBX].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana The Movie TS XVID - STG.1.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah Montana The Movie TS XVID - STG.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Hannah_Montana_-_He_Could_Be_The_One.mp4.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Happy Gilmore (1996) [DVDRip].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Jonas Brothers - Lines Vines & Trying Times (2009 - 320).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Jonas Brothers - The 3D Concert Experience.torrent
c:\users\User 1\AppData\Roaming\uTorrent\July 2009.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Justin Bieber - One Time [PROMO].mp3.1.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Justin Bieber - One Time [PROMO].mp3.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Lady GaGa-The Fame (UK Retail) (2009) [WwW.LoKoTorrents.CoM].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Lady GaGa - The Fame [2008][CD+SkidVid_XviD+Cov]320Kbps.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Led Zeppelin.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Marianas Trench - Masterpiece Theatre (2009).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Miley Cyrus - Party in The USA [2009].mp3.torrent
c:\users\User 1\AppData\Roaming\uTorrent\NFS-Undercover-PsPNooB.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Now Thats What I Call Music 72(pongo1128).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Now Thats What I Call Music 73(pongo1128).1.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Now Thats What I Call Music 73(pongo1128).2.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Now Thats What I Call Music 73(pongo1128).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Pitbull - Hotel Room Service (Promo) DJLeak.com.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Pitbull - Rebelution (Limited Edition) 2009.torrent
c:\users\User 1\AppData\Roaming\uTorrent\PSP ISOS.torrent
c:\users\User 1\AppData\Roaming\uTorrent\PSX_CRASH_BASH.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Rap_ & _Hip _Hop _Ballads_ vol_6_[tfile.ru].torrent
c:\users\User 1\AppData\Roaming\uTorrent\resume.dat
c:\users\User 1\AppData\Roaming\uTorrent\resume.dat.old
c:\users\User 1\AppData\Roaming\uTorrent\Rihanna - Good Girl Gone Bad [2007][CD+SkidVid+Cov].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Rihanna.Ultimate.Collection.(2009).R&B.LanzamientosMp3.es.torrent
c:\users\User 1\AppData\Roaming\uTorrent\rss.dat
c:\users\User 1\AppData\Roaming\uTorrent\rss.dat.old
c:\users\User 1\AppData\Roaming\uTorrent\settings.dat
c:\users\User 1\AppData\Roaming\uTorrent\settings.dat.old
c:\users\User 1\AppData\Roaming\uTorrent\Shakira - She Wolf-2009.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Simple Plan.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Step.Brothers.UNRATED.DVDRip.XviD-DiAMOND.[Movie-Torrentz].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Superbad UNRATED (PSP, iPod, Zune).torrent
c:\users\User 1\AppData\Roaming\uTorrent\T.I. - Whatever You Like (Promo CDS)-TNas11.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Taylor Swift.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Teardrops On My Guitar (Collection) [Bonuses].torrent
c:\users\User 1\AppData\Roaming\uTorrent\Top 40 singles USA 02.05.2009.torrent
c:\users\User 1\AppData\Roaming\uTorrent\TOP.1000.of.the.last.30.years.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Twilight (Original Motion Picture Soundtrack).torrent
c:\users\User 1\AppData\Roaming\uTorrent\Twilight Soundtracks.torrent
c:\users\User 1\AppData\Roaming\uTorrent\Twilight.Zone.The.Movie.1983.720p.BluRay.AAC.x264-JackBauer.torrent
c:\users\User 1\AppData\Roaming\uTorrent\utorrent.lng
c:\users\User 1\AppData\Roaming\uTorrent\VA - Bravo Hits Vol.66 (2009) - Pop [www.torrentazos.com].torrent
c:\users\User 1\AppData\Roaming\uTorrent\VA.-.Disney.Channel.Playlist.(2009).LanzamientosMp3.es.torrent

.
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-10-01 22:16 . 2009-10-01 22:16 -------- d-----w- c:\users\User 2\AppData\Local\temp
2009-10-01 22:16 . 2009-10-01 22:16 -------- d-----w- c:\users\User 1\AppData\Local\temp
2009-10-01 22:16 . 2009-10-01 22:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-01 22:16 . 2009-10-01 22:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-29 21:54 . 2009-09-29 22:10 -------- d-----w- C:\Combo-Fix
2009-09-24 19:49 . 2009-09-24 19:51 -------- d-----w- c:\windows\system32\ca-ES
2009-09-24 19:49 . 2009-09-24 19:50 -------- d-----w- c:\windows\system32\eu-ES
2009-09-24 19:49 . 2009-09-24 19:50 -------- d-----w- c:\windows\system32\vi-VN
2009-09-20 12:49 . 2009-09-20 12:52 116842 ----a-w- c:\windows\hpqins00.dat
2009-09-20 12:46 . 2009-09-20 12:46 -------- d-----w- c:\programdata\HP Product Assistant
2009-09-19 20:42 . 2009-09-19 20:42 -------- d-----w- c:\programdata\WEBREG
2009-09-19 20:35 . 2009-09-19 20:35 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-09-19 20:34 . 2009-09-19 20:39 -------- d-----w- c:\program files\Common Files\HP
2009-09-19 20:25 . 2009-09-19 20:42 148956 ----a-w- c:\windows\hpoins19.dat
2009-09-19 20:25 . 2006-11-20 21:36 258048 ----a-w- c:\windows\system32\hpzids01.dll
2009-09-19 20:25 . 2006-12-16 06:19 675840 ----a-w- c:\windows\system32\hpowiav1.dll
2009-09-19 20:25 . 2006-12-16 06:19 303104 ----a-w- c:\windows\system32\hpovst01.dll
2009-09-19 20:25 . 2006-12-16 06:19 573440 ----a-w- c:\windows\system32\hpotscl1.dll
2009-09-19 20:25 . 2007-03-13 19:52 26952 ----a-w- c:\windows\hpomdl19.dat
2009-09-15 15:17 . 2009-06-19 20:39 53016 ----a-w- c:\windows\system32\pxc40pm.dll
2009-09-11 19:26 . 2009-09-18 12:23 -------- d-----w- c:\program files\Google
2009-09-10 05:18 . 2009-09-10 05:18 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-10 05:17 . 2009-09-10 05:17 -------- d-----w- c:\users\Lester\AppData\Roaming\SUPERAntiSpyware.com
2009-09-10 05:15 . 2009-09-10 05:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-10 02:42 . 2009-09-10 02:42 -------- d-----w- c:\users\Lester\AppData\Roaming\Malwarebytes
2009-09-10 02:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 02:42 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 02:42 . 2009-09-10 02:42 -------- d-----w- c:\programdata\Malwarebytes
2009-09-09 18:59 . 2009-09-09 18:59 -------- d-----w- c:\program files\Trend Micro
2009-09-08 20:27 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-08 20:27 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-08 20:27 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-08 20:27 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-08 20:27 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-08 20:27 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-08 20:27 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-08 20:27 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-08 20:27 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-08 20:27 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-08 20:27 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-03 05:07 . 2009-09-03 05:07 -------- d-----w- c:\programdata\is-707LQ
2009-09-03 05:07 . 2009-09-04 02:03 3782688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-02 21:49 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-02 21:49 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 16:44 . 2009-08-26 13:12 139260 ----a-w- c:\programdata\nvModes.dat
2009-10-01 12:23 . 2008-01-07 01:08 -------- d-----w- c:\programdata\VMware
2009-10-01 05:04 . 2007-06-10 17:17 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-01 03:02 . 2008-01-05 16:10 8268 ----a-w- c:\users\Lester\AppData\Local\d3d9caps.dat
2009-09-30 18:27 . 2007-05-12 16:31 -------- d-----w- c:\programdata\Roxio
2009-09-25 02:23 . 2009-08-26 13:59 -------- d-----w- c:\programdata\NVIDIA
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-24 19:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-24 19:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-20 12:53 . 2007-05-12 17:18 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-09-20 12:53 . 2007-05-12 17:18 -------- d-----w- c:\program files\Realtek
2009-09-19 20:43 . 2007-12-31 21:12 98464 ----a-w- c:\users\Lester\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-19 20:43 . 2008-01-03 21:16 -------- d-----w- c:\users\Lester\AppData\Roaming\HP
2009-09-19 20:38 . 2007-05-12 16:52 -------- d-----w- c:\program files\HP
2009-09-19 20:36 . 2007-05-12 17:02 -------- d-----w- c:\programdata\HP
2009-09-10 05:08 . 2008-01-05 15:38 -------- d-----w- c:\programdata\Lavasoft
2009-09-07 23:09 . 2007-05-12 16:48 -------- d-----w- c:\programdata\Microsoft Help
2009-09-07 22:37 . 2008-01-07 01:20 -------- d-----w- c:\users\Lester\AppData\Roaming\VMware
2009-09-04 02:03 . 2009-09-03 05:07 47492 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-01 18:41 . 2008-03-21 20:39 -------- d-----w- c:\users\User 1\AppData\Roaming\VMware
2009-08-29 22:17 . 2008-03-21 20:39 98920 ----a-w- c:\users\User 1\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-26 14:26 . 2008-01-04 16:03 -------- d-----w- c:\program files\Microsoft IntelliPoint
2009-08-26 12:35 . 2009-08-26 12:35 -------- d-----w- c:\programdata\NortonInstaller
2009-08-26 12:25 . 2009-02-26 02:19 -------- d-----w- c:\program files\Java
2009-08-24 21:28 . 2008-01-04 04:37 109278 ----a-w- c:\users\Lester\AppData\Roaming\nvModes.dat
2009-08-20 13:19 . 2008-03-21 23:27 -------- d-----w- c:\users\User 2\AppData\Roaming\VMware
2009-08-18 17:19 . 2008-03-22 00:05 54342 ----a-w- c:\users\User 1\AppData\Roaming\nvModes.dat
2009-08-14 00:32 . 2009-08-14 00:32 -------- d-----w- c:\programdata\1stWorks
2009-08-14 00:32 . 2009-08-14 00:32 -------- d-----w- c:\program files\1stWORKS
2009-08-12 04:01 . 2007-05-12 17:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-12 02:32 . 2007-05-12 16:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-09 16:10 . 2009-08-09 16:00 -------- d-----w- c:\users\User 1\AppData\Roaming\CyberMatrix
2009-08-05 23:30 . 2009-08-05 23:30 60744 ----a-w- c:\users\Lester\g2mdlhlpx.exe
2009-08-05 23:27 . 2009-04-23 00:59 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 14:01 . 2009-08-03 14:01 -------- d-----w- c:\program files\Citrix
2009-08-03 11:57 . 2009-08-03 11:57 -------- d-----w- c:\users\Lester\AppData\Roaming\Sync App Settings
2009-08-03 11:30 . 2009-08-03 11:30 -------- d-----w- c:\programdata\Sync App Settings
2009-07-31 13:32 . 2009-05-16 17:13 34 ----a-w- c:\users\User 2\jagex_runescape_preferences.dat
2009-07-26 17:30 . 2009-07-26 17:30 902592 ----a-w- c:\windows\system32\drivers\tdrpm228.sys
2009-07-26 17:30 . 2009-07-26 17:30 44704 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-07-26 17:30 . 2009-07-26 17:30 540000 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-07-26 17:30 . 2009-07-26 17:30 138208 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-07-25 09:23 . 2009-02-26 02:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 00:34 . 2008-03-22 15:46 27430 ----a-w- c:\users\User 2\AppData\Roaming\nvModes.dat
2009-07-18 16:01 . 2009-08-03 11:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 11:35 . 2009-08-03 11:14 828416 ----a-w- c:\windows\system32\wininet.dll
2009-07-17 13:54 . 2009-08-11 23:48 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-11 23:47 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-11 23:47 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-11 23:47 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-11 23:47 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-11 19:01 . 2009-09-08 20:26 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-08 20:26 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-08 20:26 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-08 20:26 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-08 20:26 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-29_22.05.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-12 16:06 . 2009-10-01 12:27 61484 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-01 12:27 81500 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-31 20:45 . 2009-10-01 12:27 13928 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3679741911-215977776-1854041364-1000_UserData.bin
- 2007-06-10 17:23 . 2009-09-28 22:46 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-10 17:23 . 2009-09-30 22:48 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-06-10 17:23 . 2009-09-28 22:46 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-10 17:23 . 2009-09-30 22:48 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-10 17:23 . 2009-09-30 22:48 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-10 17:23 . 2009-09-28 22:46 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-01 12:22 . 2009-10-01 12:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-29 13:28 . 2009-09-29 13:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-29 13:28 . 2009-09-29 13:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-01 12:22 . 2009-10-01 12:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-22 01:28 . 2009-10-01 02:24 281394 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-09-22 21:22 . 2009-10-01 17:58 276354 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2006-11-02 10:33 . 2009-10-01 12:29 598368 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-29 13:34 598368 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-29 13:34 102560 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-01 12:29 102560 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Directory Opus Desktop Dblclk"="e:\other apps\Directory Opus\dopusrt.exe" [2008-10-27 275952]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="e:\security\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-18 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-24 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"pdfFactory Pro Dispatcher v3"="c:\windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-11-07 507904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 507904]
"avgnt"="e:\security\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Malwarebytes Anti-Malware (reboot)"="e:\security\Malwarebytes Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\User 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\users\Lester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Clipboard Magic.lnk - e:\clipboard magic401\ClipboardMagic.exe [2008-1-4 687104]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "e:\other apps\Directory Opus\dopuslib.dll" [2008-10-27 693744]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\security\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- e:\security\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:3b,20,65,fe,52,3d,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A8F7E893-D8DA-4DF1-A51B-4F2315F02EDF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{47DDD09A-61C6-4A83-A10F-A81F0D25A8B4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E50D077B-F1A0-4523-AF63-ABEBAABF0E63}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{DB81D00D-CCC7-4E12-8B7C-0C04F61D3D29}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{338C3B67-A6CB-470A-BAC8-D6E246EC46D4}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E48151A9-6885-4560-8BC4-0F737E7DE350}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D8832AF1-7367-4565-9280-500D1D4535C5}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4BDD73EC-36E4-44E3-99D5-B97EB42CC9A5}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B53FE2D3-54A5-4490-93B7-7608CB64E3FB}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C7539C9D-9A89-429C-BA53-97BB48B5ED7A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{46308B47-D94A-4CCD-8F77-2DA938D11AB1}e:\\entertainment\\ares ultra\\ares ultra.exe"= UDP:e:\entertainment\ares ultra\ares ultra.exe:Ares Ultra
"UDP Query User{F9760B63-8FEF-4D3F-A17E-D59D30CD23F2}e:\\entertainment\\ares ultra\\ares ultra.exe"= TCP:e:\entertainment\ares ultra\ares ultra.exe:Ares Ultra
"TCP Query User{D4100C44-630E-4A1A-8AFC-6B218453D4EA}e:\\surftools\\getright63c\\getright.exe"= UDP:e:\surftools\getright63c\getright.exe:GetRight® Download Manager. www.GetRight.com
"UDP Query User{D0509BD1-CCAB-4555-93E8-FF45E5FF98C8}e:\\surftools\\getright63c\\getright.exe"= TCP:e:\surftools\getright63c\getright.exe:GetRight® Download Manager. www.GetRight.com
"TCP Query User{54932F8A-6A4D-4E63-A63B-2BD6EFC0475A}e:\\communications\\firefox\\firefox.exe"= UDP:e:\communications\firefox\firefox.exe:Firefox
"UDP Query User{A4C50B8F-BD9B-4791-90DA-5045D8948BD0}e:\\communications\\firefox\\firefox.exe"= TCP:e:\communications\firefox\firefox.exe:Firefox
"TCP Query User{D309BC56-F55E-4C75-B768-DBDA8F1B4639}c:\\program files\\1stworks\\hotcommcl\\bin\\hotcomm.exe"= UDP:c:\program files\1stworks\hotcommcl\bin\hotcomm.exe:hotComm CL Client
"UDP Query User{82FEB0D3-1EDE-4A00-99F3-CBEF2A32F1B9}c:\\program files\\1stworks\\hotcommcl\\bin\\hotcomm.exe"= TCP:c:\program files\1stworks\hotcommcl\bin\hotcomm.exe:hotComm CL Client
"TCP Query User{D8D30459-A582-4399-9A2A-F1F0EE241FF8}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{04FD20E2-9339-4312-A281-E862A481B993}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2C8E8200-E41B-4DA4-9EDC-F16103AB63E0}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F005A3F4-C03F-4C17-9C4F-03A6C783C55B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D5B32F8D-14C6-4E47-8509-D45F34EE4D0D}"= UDP:c:\users\Lester\AppData\Local\Temp\7zS2F4A.tmp\SymNRT.exe:Norton Removal Tool
"{8D19E054-554A-4CA4-BE47-C3EF9D96FD79}"= TCP:c:\users\Lester\AppData\Local\Temp\7zS2F4A.tmp\SymNRT.exe:Norton Removal Tool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\System32\drivers\tdrpm228.sys [7/26/2009 1:30 PM 902592]
R1 SASDIFSV;SASDIFSV;e:\security\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;e:\security\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\security\Avira\AntiVir Desktop\sched.exe [4/22/2009 8:59 PM 108289]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [6/20/2008 10:39 PM 21504]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [6/20/2008 10:39 PM 21504]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [6/2/2009 5:20 PM 4233728]
R3 SASENUM;SASENUM;e:\security\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
R3 SbieDrv;SbieDrv;e:\other apps\Sandboxie\SbieDrv.sys [4/13/2009 12:51 PM 107520]
S3 IACMZOZL;IACMZOZL;c:\users\Lester\AppData\Local\Temp\IACMZOZL.exe --> c:\users\Lester\AppData\Local\Temp\IACMZOZL.exe [?]
S3 NSELGOO;NSELGOO;c:\users\Lester\AppData\Local\Temp\NSELGOO.exe --> c:\users\Lester\AppData\Local\Temp\NSELGOO.exe [?]
S3 UY;UY;c:\users\Lester\AppData\Local\Temp\UY.exe --> c:\users\Lester\AppData\Local\Temp\UY.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\micros~1\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Lester\AppData\Roaming\Mozilla\Firefox\Profiles\lmt7g2o0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?sourceid=navclient-ff&ie=UTF-8&rlz=1R0GGGL_en&hl=en&source=iglk
FF - prefs.js: network.proxy.type - 4
FF - plugin: e:\entertainment\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 18:16
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000020

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(980)
c:\program files\Bioscrypt\VeriSoft\bin\ASWLNPkg.dll
c:\program files\Bioscrypt\VeriSoft\bin\ItMsg.dll
c:\program files\Bioscrypt\VeriSoft\bin\brand.dll
.
Completion time: 2009-10-01 18:20
ComboFix-quarantined-files.txt 2009-10-01 22:20

Pre-Run: 73,149,689,856 bytes free
Post-Run: 73,032,708,096 bytes free

484 --- E O F --- 2009-09-29 12:52


********* MBAM LOG START ********
Malwarebytes' Anti-Malware 1.41
Database version: 2889
Windows 6.0.6002 Service Pack 2

10/1/2009 6:32:37 PM
mbam-log-2009-10-01 (18-32-37).txt

Scan type: Quick Scan
Objects scanned: 109673
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
******* MBAM LOG END *********

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:30 AM

Posted 02 October 2009 - 10:47 AM

Hi,

Great job :(

Now let's check for some leftovers.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 dal9796

dal9796
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 03 October 2009 - 11:57 AM

Here is the posting of the BitDefender Online Scan. If all is OK, can you advise what was the main culprit of the infection?


[General]
App = "楂䑴晥湥敤⁲湏楬敮匠慣湮牥 v8"
Date = 03:10:2009
Time = 11:45:23
Scan Path = C:\;D:\;E:\;F:\;R:\;

[Engines Info]
Virus Definitions = 4310517
Engine build = "AVCORE v2.1 Windows/i386 11.0.0.26 (Aug 27 2009)"
Scan plugins = 17
Archive plugins = 44
Unpack plugins = 8
E-mail plugins = 6
System plugins = 4

[Scan Statistics]
Folders = 29800
Files = 848695
Archives = 10651
Packed files = 43763
Identified viruses = 2
Infected files = 3
Warnings = 0
Suspect files = 0
Disinfected files = 0
Deleted files = 3
Copied files = 0
Moved files = 0
Renamed files = 0
I/O Errors = 55

[Scan Settings]
SecondAction = Delete
FirstAction = Disinfect
Heuristics = 1
Enable Warnings = 1
Exclude Ext =
Extensions = *;
Scan Emails = 1
Scan Archives = 1
Scan Packed = 1
Scan Files = 1
Scan Boot = 1
Verify Memory = 0

[Scan Results]
Line00000009 = "F:\Drive E from IPC\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Infected with: Trojan.Generic.IS.562286"
Line00000008 = "F:\Drive E from IPC\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Deleted"
Line00000007 = "F:\Drive E from IPC\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip Updated"
Line00000006 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip=>keygen.exe Infected with: Gen:Trojan.Heur.GM.0060010128"
Line00000005 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip=>keygen.exe Disinfection failed"
Line00000004 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip=>keygen.exe Deleted"
Line00000003 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip Updated"
Line00000002 = "F:\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Infected with: Trojan.Generic.IS.562286"
Line00000001 = "F:\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Deleted"
Line00000000 = "F:\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip Updated"


Thanks,
Les

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:30 AM

Posted 03 October 2009 - 06:12 PM

Hi,

You were infected with a nasty rootkit/backdoor. See here for some information.

Step 1

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

Step 2

Please navigate in Windows Explorer to the following files and delete them:

F:\Drive E from IPC\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip
F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip
F:\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip

After that please empty the recycle bin.



The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

http://www.trendmicro.com/vinfo/grayware/v...=CRCK_KEYGEN.BB

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

http://blog.trendmicro.com/crack-sites-dis...rux-and-fakeav/

When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a lot of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS. If you still need assistance please remove all cracked software from your system.

Step 3
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

Please post back with:
  • Both RSIT-Logfiles

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
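The BitDefender results posted in the previous reply and the three archives listed in Step 2 above are the same data read two ways: every detection is reported as "archive=>member", and the cleanup step names the archive on disk, not the member inside it. The following is an added example, not code from this thread and not BitDefender's own tooling. It parses the INI-style [Scan Results] block, splits the archive=>member notation, groups detections by container, derives the deletion list and flags detections the scanner reported without a matching clean-up action. The path and detection name in SAMPLE_UNRESOLVED are constructed for the example; the action words beyond those visible in the posted log (Disinfected, Moved, Renamed, Copied) are assumed from the [Scan Statistics] counters rather than taken from a format specification.

```python
"""Triage helper for a BitDefender Online Scanner result log.

Added example for this thread: not BitDefender tooling and not code posted by
anyone here. It parses the [Scan Results] block, splits the "archive=>member"
notation, groups detections by the file on disk and derives the deletion list.
"""
import re
from collections import OrderedDict

# One result line: Line<digits> = "<object path> <status>". Paths contain
# spaces, so the status alternation is anchored at the end of the string and
# the path is matched lazily up to it. Action words not in the posted log
# (Disinfected, Moved, Renamed, Copied) are assumed from [Scan Statistics].
_LINE_RE = re.compile(r'^Line\d+\s*=\s*"(?P<body>.*)"\s*$')
_BODY_RE = re.compile(
    r'^(?P<obj>.+?) (?P<status>Infected with: (?P<name>.+)|Deleted|Disinfected'
    r'|Disinfection failed|Updated|Moved|Renamed|Copied)$'
)
CLEAN_ACTIONS = {"Deleted", "Disinfected", "Moved", "Renamed"}

# The [Scan Results] lines quoted in the thread, embedded so this runs offline.
SAMPLE_LOG = r'''[Scan Statistics]
Infected files = 3
[Scan Results]
Line00000009 = "F:\Drive E from IPC\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Infected with: Trojan.Generic.IS.562286"
Line00000008 = "F:\Drive E from IPC\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Deleted"
Line00000007 = "F:\Drive E from IPC\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip Updated"
Line00000006 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip=>keygen.exe Infected with: Gen:Trojan.Heur.GM.0060010128"
Line00000005 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip=>keygen.exe Disinfection failed"
Line00000004 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip=>keygen.exe Deleted"
Line00000003 = "F:\Drive E from IPC\Utilities&Applications\Other Apps\d-auto-maintenance-pro9p1.zip Updated"
Line00000002 = "F:\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Infected with: Trojan.Generic.IS.562286"
Line00000001 = "F:\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip=>CoolTypeUpdate.exe Deleted"
Line00000000 = "F:\Utilities&Applications\Graphics\adobephotoshopelements3engtryouttofullpatchtechlord.zip Updated"
'''

# Constructed sample (not from the thread): a detection the scanner could not
# clean, to exercise unresolved().
SAMPLE_UNRESOLVED = r'''[Scan Results]
Line00000001 = "F:\constructed\sample.rar=>payload.exe Infected with: Constructed.Test.Name"
Line00000000 = "F:\constructed\sample.rar=>payload.exe Disinfection failed"
'''


def parse_results(log_text):
    """[Scan Results] entries in file order as dicts with keys obj, container,
    member, status, name (name is None unless the entry is a detection)."""
    rows, in_results = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a section header switches context
            in_results = line == "[Scan Results]"
            continue
        m = _LINE_RE.match(line) if in_results else None
        b = _BODY_RE.match(m.group("body")) if m else None
        if not b:
            continue
        obj = b.group("obj")
        # Before the first "=>" is the file on disk; after it, the nested member.
        container, _, member = obj.partition("=>")
        rows.append(dict(obj=obj, container=container, member=member or None,
                         status="Infected with" if b.group("name") else b.group("status"),
                         name=b.group("name")))
    return rows


def by_container(log_text):
    """Group rows by on-disk container: detections as (member, name), reported
    actions as (member, action); member is None for the container itself."""
    groups = OrderedDict()
    for r in parse_results(log_text):
        g = groups.setdefault(r["container"], {"detections": [], "actions": []})
        if r["status"] == "Infected with":
            g["detections"].append((r["member"], r["name"]))
        else:
            g["actions"].append((r["member"], r["status"]))
    return groups


def containers_to_remove(log_text):
    """Archives that held at least one detection. Even after the member was
    deleted and the archive rewritten ("Updated"), the archive is the cracked
    package the user keeps on disk, so it belongs on the deletion list."""
    return sorted(c for c, g in by_container(log_text).items() if g["detections"])


def unresolved(log_text):
    """Detections with no Deleted/Disinfected/Moved/Renamed action reported,
    i.e. what the scanner could not clean and must be handled by hand."""
    out = []
    for container, g in by_container(log_text).items():
        cleaned = {m for m, a in g["actions"] if a in CLEAN_ACTIONS}
        out += [(container, m, n) for m, n in g["detections"] if m not in cleaned]
    return out


if __name__ == "__main__":
    for path in containers_to_remove(SAMPLE_LOG):
        print("delete:", path)
```

Run against the posted log, containers_to_remove() yields exactly the three archives Step 2 asks the user to delete, and unresolved() is empty because every detection was followed by a Deleted action. On a log where a member could not be disinfected or deleted (the constructed SAMPLE_UNRESOLVED), unresolved() returns the container, member and detection name so that file is not overlooked.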

#11 dal9796

dal9796
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 05 October 2009 - 09:18 PM

Sorry if you meant for me to ATTACH the files, but I figured I'd post them like I did before. Here's the log.txt and info.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Lester at 2009-10-05 20:36:08
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 62 GB (57%) free of 110 GB
Total RAM: 2046 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:43 PM, on 10/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\WINDOWS\System32\wpcumi.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
E:\Security\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
E:\Other Apps\Directory Opus\dopusrt.exe
C:\WINDOWS\ehome\ehtray.exe
E:\Security\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\Clipboard Magic401\ClipboardMagic.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
F:\Downloads to scan\RSIT.exe
C:\Program Files\trend micro\Lester.exe
E:\Communications\Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 255.255.255.255 hcurltest5
O1 - Hosts: 255.255.255.255 vnsjs1.1stworks.com
O1 - Hosts: 74.208.77.54 hcurltest1
O1 - Hosts: 82.165.161.232 hcurltest2
O2 - BHO: PXCIEaddin - {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - E:\Business\PDF-XChange 4 Pro\pdfSaver\PXCIEAddin4.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - E:\Business\PDF-XChange 4 Pro\PDF-XChange PDF Viewer\PDF Viewer\PDFXCviewIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O3 - Toolbar: PDFXChange 4.0 - {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - E:\Business\PDF-XChange 4 Pro\pdfSaver\PXCIEAddin4.dll
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\Windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [avgnt] "E:\Security\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Security\Malwarebytes Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "E:\Other Apps\Directory Opus\dopusrt.exe" /dblclk
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Security\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Clipboard Magic.lnk = E:\Clipboard Magic401\ClipboardMagic.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\APSHook.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Security\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Security\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Security\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: IACMZOZL - Unknown owner - C:\Users\Lester\AppData\Local\Temp\IACMZOZL.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NSELGOO - Unknown owner - C:\Users\Lester\AppData\Local\Temp\NSELGOO.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - E:\SysTools\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - E:\SysTools\PerfectDisk\PDEngine.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - E:\Other Apps\Sandboxie\SbieSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - E:\Security\VMware Workstation\vmware-ufad.exe
O23 - Service: UY - Unknown owner - C:\Users\Lester\AppData\Local\Temp\UY.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Security\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 9631 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42DFA04F-0F16-418e-B80C-AB97A5AFAD39}]
PDFXChange 4.0 - E:\Business\PDF-XChange 4 Pro\pdfSaver\PXCIEAddin4.dll [2009-06-19 265496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]
PDF-XChange Viewer IE-Plugin - E:\Business\PDF-XChange 4 Pro\PDF-XChange PDF Viewer\PDF Viewer\PDFXCviewIEPlugin.dll [2009-09-08 1108760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF21F1DB-80C6-11D3-9483-B03D0EC10000}]
VeriSoft Access Manager - c:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll [2006-11-21 71192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - PDFXChange 4.0 - E:\Business\PDF-XChange 4 Pro\pdfSaver\PXCIEAddin4.dll [2009-06-19 265496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"=C:\Windows\system32\WpcUmi.exe [2006-11-02 176128]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"WAWifiMessage"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [2007-01-10 317128]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-03-28 1045800]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [2009-06-09 7539232]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2007-04-23 176128]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-02-13 159744]
"pdfFactory Pro Dispatcher v3"=C:\Windows\system32\spool\DRIVERS\W32X86\3\fppdis3a.exe [2007-11-07 507904]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 1468296]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2007-02-12 174872]
"hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-03-01 472776]
"FinePrint Dispatcher v5"=C:\Windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe [2007-11-07 507904]
"avgnt"=E:\Security\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-12-04 13556256]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-12-04 92704]
"Malwarebytes Anti-Malware (reboot)"=E:\Security\Malwarebytes Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"=C:\Windows\SMINST\launcher.exe [2006-11-07 44128]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Directory Opus Desktop Dblclk"=E:\Other Apps\Directory Opus\dopusrt.exe [2008-10-27 275952]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"SUPERAntiSpyware"=E:\Security\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-09-18 1998576]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Users\Lester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Clipboard Magic.lnk - E:\Clipboard Magic401\ClipboardMagic.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\System32\APSHook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
E:\Security\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"=E:\Other Apps\Directory Opus\dopuslib.dll [2008-10-27 693744]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=E:\Security\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"EnableShellExecuteHooks"=
"BindDirectlyToPropertySetStorage"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-10-05 20:36:09 ----D---- C:\Program Files\trend micro
2009-10-05 20:36:08 ----D---- C:\rsit
2009-10-05 16:49:02 ----A---- C:\Windows\system32\setupempdrv03.exe
2009-10-05 16:49:02 ----A---- C:\Windows\system32\EuEpmGdi.dll
2009-10-05 16:49:02 ----A---- C:\Windows\system32\BootMan.exe
2009-10-05 16:48:46 ----D---- C:\Program Files\EASEUS
2009-10-03 13:06:26 ----N---- C:\Windows\system32\MpSigStub.exe
2009-10-03 12:14:12 ----D---- C:\ProgramData\OfficeRecovery
2009-10-03 09:42:00 ----D---- C:\Windows\BDOSCAN8
2009-10-01 18:33:19 ----A---- C:\mbam-log-2009-10-01 (18-32-37).txt
2009-10-01 18:20:47 ----SHD---- C:\$RECYCLE.BIN
2009-10-01 18:20:46 ----A---- C:\ComboFix.txt
2009-10-01 18:05:49 ----D---- C:\Combo-Fix4074C
2009-09-29 18:10:01 ----A---- C:\ComboFix_09292009.txt
2009-09-29 17:54:36 ----A---- C:\Windows\zip.exe
2009-09-29 17:54:36 ----A---- C:\Windows\SWXCACLS.exe
2009-09-29 17:54:36 ----A---- C:\Windows\SWSC.exe
2009-09-29 17:54:36 ----A---- C:\Windows\SWREG.exe
2009-09-29 17:54:36 ----A---- C:\Windows\sed.exe
2009-09-29 17:54:36 ----A---- C:\Windows\PEV.exe
2009-09-29 17:54:36 ----A---- C:\Windows\NIRCMD.exe
2009-09-29 17:54:36 ----A---- C:\Windows\grep.exe
2009-09-29 17:54:30 ----D---- C:\Windows\ERDNT
2009-09-29 17:54:29 ----D---- C:\Combo-Fix
2009-09-29 17:50:19 ----D---- C:\Qoobox
2009-09-24 15:49:33 ----D---- C:\Windows\system32\eu-ES
2009-09-24 15:49:33 ----D---- C:\Windows\system32\ca-ES
2009-09-24 15:49:31 ----D---- C:\Windows\system32\vi-VN
2009-09-20 08:46:41 ----D---- C:\ProgramData\HP Product Assistant
2009-09-19 16:42:34 ----D---- C:\ProgramData\WEBREG
2009-09-19 16:35:17 ----D---- C:\Program Files\Common Files\Hewlett-Packard
2009-09-19 16:34:50 ----D---- C:\Program Files\Common Files\HP
2009-09-19 16:30:26 ----D---- C:\Config.Msi
2009-09-19 16:25:11 ----A---- C:\Windows\system32\hpzids01.dll
2009-09-19 16:25:10 ----A---- C:\Windows\system32\hpowiav1.dll
2009-09-19 16:25:10 ----A---- C:\Windows\system32\hpovst01.dll
2009-09-19 16:25:10 ----A---- C:\Windows\system32\hpotscl1.dll
2009-09-15 11:17:00 ----A---- C:\Windows\system32\pxc40pm.dll
2009-09-11 15:26:47 ----D---- C:\Program Files\Google
2009-09-10 01:18:30 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-09-10 01:17:29 ----D---- C:\Users\Lester\AppData\Roaming\SUPERAntiSpyware.com
2009-09-10 01:15:33 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-09-09 22:42:38 ----D---- C:\Users\Lester\AppData\Roaming\Malwarebytes
2009-09-09 22:42:31 ----D---- C:\ProgramData\Malwarebytes
2009-09-08 16:27:14 ----A---- C:\Windows\system32\TCPSVCS.EXE
2009-09-08 16:27:14 ----A---- C:\Windows\system32\NETSTAT.EXE
2009-09-08 16:27:14 ----A---- C:\Windows\system32\netiohlp.dll
2009-09-08 16:27:14 ----A---- C:\Windows\system32\MRINFO.EXE
2009-09-08 16:27:14 ----A---- C:\Windows\system32\HOSTNAME.EXE
2009-09-08 16:27:14 ----A---- C:\Windows\system32\finger.exe
2009-09-08 16:27:14 ----A---- C:\Windows\system32\ARP.EXE
2009-09-08 16:27:13 ----A---- C:\Windows\system32\ROUTE.EXE
2009-09-08 16:27:13 ----A---- C:\Windows\system32\netevent.dll
2009-09-08 16:26:41 ----A---- C:\Windows\system32\wlansvc.dll
2009-09-08 16:26:41 ----A---- C:\Windows\system32\wlanhlp.dll
2009-09-08 16:26:40 ----A---- C:\Windows\system32\wlansec.dll
2009-09-08 16:26:40 ----A---- C:\Windows\system32\wlanmsm.dll
2009-09-08 16:26:40 ----A---- C:\Windows\system32\wlanapi.dll
2009-09-08 16:26:40 ----A---- C:\Windows\system32\L2SecHC.dll
2009-09-08 16:26:34 ----A---- C:\Windows\system32\WMVCORE.DLL
2009-09-08 16:26:33 ----A---- C:\Windows\system32\mf.dll
2009-09-08 16:26:32 ----A---- C:\Windows\system32\rrinstaller.exe
2009-09-08 16:26:32 ----A---- C:\Windows\system32\mfps.dll
2009-09-08 16:26:32 ----A---- C:\Windows\system32\mfpmp.exe
2009-09-08 16:26:31 ----A---- C:\Windows\system32\mferror.dll
2009-09-08 16:26:29 ----A---- C:\Windows\system32\jscript.dll
2009-09-06 22:07:02 ----D---- C:\Program Files\Common Files\DESIGNER

======List of files/folders modified in the last 1 months======

2009-10-05 20:36:26 ----D---- C:\Windows\Temp
2009-10-05 20:36:09 ----RD---- C:\Program Files
2009-10-05 20:23:23 ----D---- C:\Windows\SMINST
2009-10-05 18:58:57 ----D---- C:\Windows\Prefetch
2009-10-05 18:38:57 ----SHD---- C:\System Volume Information
2009-10-05 18:33:11 ----D---- C:\ProgramData
2009-10-05 18:20:21 ----SHD---- C:\Windows\Installer
2009-10-05 16:49:02 ----D---- C:\Windows\System32
2009-10-05 16:35:49 ----D---- C:\Windows\tracing
2009-10-05 15:03:34 ----D---- C:\Windows\inf
2009-10-05 15:03:34 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-10-04 15:24:15 ----D---- C:\ProgramData\VMware
2009-10-03 09:42:02 ----SD---- C:\Windows\Downloaded Program Files
2009-10-03 09:42:01 ----AD---- C:\WINDOWS
2009-10-02 17:37:02 ----A---- C:\Windows\Sandboxie.ini
2009-10-01 18:20:50 ----D---- C:\Windows\system32\en-US
2009-10-01 18:16:14 ----N---- C:\Windows\system.ini
2009-10-01 18:12:24 ----D---- C:\Windows\system32\drivers
2009-10-01 18:12:24 ----D---- C:\Windows\AppPatch
2009-10-01 18:12:23 ----D---- C:\Program Files\Common Files
2009-09-30 14:27:41 ----D---- C:\ProgramData\Roxio
2009-09-30 13:13:00 ----D---- C:\Windows\system32\catroot2
2009-09-29 18:06:52 ----D---- C:\Windows\Tasks
2009-09-29 08:52:24 ----D---- C:\Windows\system32\RTCOM
2009-09-24 22:23:42 ----D---- C:\ProgramData\NVIDIA
2009-09-24 16:21:23 ----D---- C:\Windows\rescache
2009-09-24 16:18:17 ----D---- C:\Windows\Microsoft.NET
2009-09-24 16:18:09 ----RSD---- C:\Windows\assembly
2009-09-24 16:09:49 ----D---- C:\boot
2009-09-24 16:09:41 ----D---- C:\Windows\system32\catroot
2009-09-24 15:51:40 ----D---- C:\Program Files\Windows Mail
2009-09-24 15:51:40 ----D---- C:\Program Files\Windows Calendar
2009-09-24 15:51:39 ----D---- C:\Program Files\Movie Maker
2009-09-24 15:51:37 ----D---- C:\Program Files\Windows Sidebar
2009-09-24 15:51:36 ----D---- C:\Program Files\Windows Media Player
2009-09-24 15:51:36 ----D---- C:\Program Files\Windows Journal
2009-09-24 15:51:36 ----D---- C:\Program Files\Windows Collaboration
2009-09-24 15:51:36 ----D---- C:\Program Files\Internet Explorer
2009-09-24 15:51:33 ----D---- C:\Program Files\Windows Photo Gallery
2009-09-24 15:51:33 ----D---- C:\Program Files\Common Files\System
2009-09-24 15:51:26 ----D---- C:\Windows\servicing
2009-09-24 15:51:26 ----D---- C:\Program Files\Windows Defender
2009-09-24 15:51:25 ----D---- C:\Windows\ehome
2009-09-24 15:51:07 ----D---- C:\Windows\system32\XPSViewer
2009-09-24 15:51:07 ----D---- C:\Windows\IME
2009-09-24 15:51:06 ----D---- C:\Windows\system32\sk-SK
2009-09-24 15:51:06 ----D---- C:\Windows\system32\lv-LV
2009-09-24 15:51:06 ----D---- C:\Windows\system32\ko-KR
2009-09-24 15:51:06 ----D---- C:\Windows\system32\hr-HR
2009-09-24 15:51:06 ----D---- C:\Windows\system32\et-EE
2009-09-24 15:51:06 ----D---- C:\Windows\system32\da-DK
2009-09-24 15:50:59 ----D---- C:\Windows\system32\oobe
2009-09-24 15:50:59 ----D---- C:\Windows\system32\it-IT
2009-09-24 15:50:59 ----D---- C:\Windows\system32\el-GR
2009-09-24 15:50:59 ----D---- C:\Windows\system32\de-DE
2009-09-24 15:50:58 ----D---- C:\Windows\system32\migration
2009-09-24 15:50:52 ----D---- C:\Windows\system32\sv-SE
2009-09-24 15:50:52 ----D---- C:\Windows\system32\ru-RU
2009-09-24 15:50:52 ----D---- C:\Windows\system32\he-IL
2009-09-24 15:50:52 ----D---- C:\Windows\system32\fr-FR
2009-09-24 15:50:52 ----D---- C:\Windows\system32\AdvancedInstallers
2009-09-24 15:50:51 ----D---- C:\Windows\system32\SLUI
2009-09-24 15:50:51 ----D---- C:\Windows\system32\setup
2009-09-24 15:50:51 ----D---- C:\Windows\system32\pt-PT
2009-09-24 15:50:51 ----D---- C:\Windows\system32\hu-HU
2009-09-24 15:50:51 ----D---- C:\Windows\system32\fi-FI
2009-09-24 15:50:51 ----D---- C:\Windows\system32\cs-CZ
2009-09-24 15:50:50 ----D---- C:\Windows\system32\zh-CN
2009-09-24 15:50:50 ----D---- C:\Windows\system32\en
2009-09-24 15:50:49 ----D---- C:\Windows\system32\zh-TW
2009-09-24 15:50:49 ----D---- C:\Windows\system32\uk-UA
2009-09-24 15:50:49 ----D---- C:\Windows\system32\sr-Latn-CS
2009-09-24 15:50:49 ----D---- C:\Windows\system32\sl-SI
2009-09-24 15:50:49 ----D---- C:\Windows\system32\pl-PL
2009-09-24 15:50:49 ----D---- C:\Windows\system32\manifeststore
2009-09-24 15:50:49 ----D---- C:\Windows\system32\ja-JP
2009-09-24 15:50:49 ----D---- C:\Windows\system32\es-ES
2009-09-24 15:50:49 ----D---- C:\Windows\system32\bg-BG
2009-09-24 15:50:48 ----D---- C:\Windows\system32\ro-RO
2009-09-24 15:50:47 ----D---- C:\Windows\system32\th-TH
2009-09-24 15:50:46 ----D---- C:\Windows\system32\tr-TR
2009-09-24 15:50:45 ----D---- C:\Windows\system32\wbem
2009-09-24 15:50:43 ----D---- C:\Windows\system32\nl-NL
2009-09-24 15:50:43 ----D---- C:\Windows\system32\nb-NO
2009-09-24 15:50:43 ----D---- C:\Windows\system32\lt-LT
2009-09-24 15:50:43 ----D---- C:\Windows\system32\ar-SA
2009-09-24 15:50:41 ----D---- C:\Windows\system32\pt-BR
2009-09-24 15:50:41 ----D---- C:\Windows\system32\migwiz
2009-09-24 15:49:42 ----RSD---- C:\Windows\Fonts
2009-09-24 15:49:31 ----D---- C:\Windows\system32\Boot
2009-09-24 15:14:06 ----D---- C:\Windows\winsxs
2009-09-22 17:22:49 ----D---- C:\Windows\system32\WDI
2009-09-20 08:53:07 ----A---- C:\Windows\DIFxAPI.dll
2009-09-20 08:53:03 ----D---- C:\Program Files\Realtek
2009-09-19 16:43:08 ----D---- C:\Users\Lester\AppData\Roaming\HP
2009-09-19 16:40:08 ----A---- C:\Windows\win.ini
2009-09-19 16:38:57 ----D---- C:\Program Files\HP
2009-09-19 16:36:26 ----D---- C:\ProgramData\HP
2009-09-19 16:35:26 ----D---- C:\Windows\twain_32
2009-09-16 18:01:39 ----AD---- C:\ProgramData\TEMP
2009-09-11 15:26:47 ----D---- C:\Windows\system32\Tasks
2009-09-11 14:56:06 ----A---- C:\Windows\ntbtlog.txt
2009-09-10 01:08:35 ----DC---- C:\Windows\system32\DRVSTORE
2009-09-09 14:37:28 ----D---- C:\TEMP
2009-09-09 14:35:30 ----D---- C:\Program Files\Online Services
2009-09-07 19:09:12 ----D---- C:\ProgramData\Microsoft Help
2009-09-07 18:37:24 ----D---- C:\Users\Lester\AppData\Roaming\VMware
2009-09-06 22:06:50 ----D---- C:\Program Files\Common Files\microsoft shared

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\E:\Security\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-04-27 96104]
R1 eabfiltr;eabfiltr; C:\Windows\system32\DRIVERS\eabfiltr.sys [2006-11-30 8192]
R1 SASDIFSV;SASDIFSV; \??\E:\Security\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-04 9968]
R1 SASKUTIL;SASKUTIL; \??\E:\Security\SUPERAntiSpyware\SASKUTIL.sys [2009-09-04 74480]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-06-13 28520]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-08-05 55656]
R2 hcmon;VMware hcmon; \??\C:\Windows\system32\Drivers\hcmon.sys [2007-08-21 34864]
R2 MCSTRM;MCSTRM; C:\Windows\system32\drivers\MCSTRM.sys [2008-01-06 8413]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-01-23 37376]
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2009-07-26 44704]
R2 VMnetBridge;VMware Bridge Protocol; C:\Windows\system32\DRIVERS\vmnetbridge.sys [2007-08-21 28592]
R2 VMnetuserif;VMware Network Application Interface; \??\C:\Windows\system32\drivers\vmnetuserif.sys [2007-08-21 25008]
R2 vmx86;VMware vmx86; \??\C:\Windows\system32\Drivers\vmx86.sys [2007-08-21 924976]
R2 vstor2;Vstor2 Virtual Storage Driver; \??\C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys [2007-03-23 18480]
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver; \??\E:\Security\VMware Workstation\vstor2-ws60.sys [2007-08-07 19248]
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (SwipeSensor); C:\Windows\system32\DRIVERS\ATSwpDrv.sys [2007-03-28 140424]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-11 22528]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-11 29696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 epmntdrv;epmntdrv; \??\C:\Windows\system32\epmntdrv.sys [2009-04-22 9728]
R3 EuGdiDrv;EuGdiDrv; \??\C:\Windows\system32\EuGdiDrv.sys [2009-04-22 3072]
R3 HBtnKey;HBtnKey; C:\Windows\system32\DRIVERS\cpqbttn.sys [2006-06-28 9472]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2009-06-09 2366752]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\Windows\system32\drivers\MODEMCSA.sys [2008-01-19 18432]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2009-05-29 4233728]
R3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2009-05-09 14736]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-12-04 7606688]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point32k.sys [2009-06-01 30088]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-11 148992]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-03-05 76288]
R3 SASENUM;SASENUM; \??\E:\Security\SUPERAntiSpyware\SASENUM.SYS [2009-09-04 7408]
R3 SbieDrv;SbieDrv; \??\E:\Other Apps\Sandboxie\SbieDrv.sys [2009-04-13 107520]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-11 89088]
R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2009-05-05 1095808]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-03-28 199472]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
R3 vmkbd;VMware kbd; \??\C:\Windows\system32\drivers\VMkbd.sys [2007-08-21 20912]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-11 507904]
S3 catchme;catchme; \??\C:\Users\Lester\AppData\Local\Temp\catchme.sys []
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 E100B;Intel® PRO Adapter Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2006-11-02 163328]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-18 1380864]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-03-01 2216448]
S3 nmwcd;Nokia USB Phone Parent; C:\Windows\system32\drivers\ccdcmb.sys [2008-05-02 17536]
S3 nmwcdc;Nokia USB Generic; C:\Windows\system32\drivers\ccdcmbo.sys [2008-05-02 20864]
S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 upperdev;upperdev; C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2008-05-02 8064]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 usbser;Nokia USB Serial Port; C:\Windows\system32\DRIVERS\usbser.sys [2009-04-11 27648]
S3 UsbserFilt;UsbserFilt; C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys [2008-05-02 8064]
S3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\Windows\system32\DRIVERS\vmnetadapter.sys [2007-08-21 16816]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2009-06-22 618944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; E:\Security\Avira\AntiVir Desktop\sched.exe [2009-06-13 108289]
R2 AntiVirService;Avira AntiVir Guard; E:\Security\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
R2 ASBroker;Logon Session Broker; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 ASChannel;Local Communication Channel; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe [2007-04-23 262243]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2007-09-19 65536]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-02 135168]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2007-02-12 355096]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-14 61440]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-12-04 203296]
R2 PDAgent;PDAgent; E:\SysTools\PerfectDisk\PDAgent.exe [2007-11-06 414984]
R2 SbieSvc;Sandboxie Service; E:\Other Apps\Sandboxie\SbieSvc.exe [2009-04-13 53760]
R2 VMAuthdService;VMware Authorization Service; E:\Security\VMware Workstation\vmware-authd.exe [2007-08-21 109104]
R2 VMnetDHCP;VMware DHCP Service; C:\Windows\system32\vmnetdhcp.exe [2007-08-21 121392]
R2 vmount2;VMware Virtual Mount Manager Extended; C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe [2007-03-23 269104]
R2 VMware NAT Service;VMware NAT Service; C:\Windows\system32\vmnat.exe [2007-08-21 150064]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R3 PDEngine;PDEngine; E:\SysTools\PerfectDisk\PDEngine.exe [2007-11-06 734472]
S2 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe [2007-04-23 106593]
S2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 GameConsoleService;GameConsoleService; C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2008-03-28 165416]
S3 IACMZOZL;IACMZOZL; C:\Users\Lester\AppData\Local\Temp\IACMZOZL.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 NSELGOO;NSELGOO; C:\Users\Lester\AppData\Local\Temp\NSELGOO.exe []
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-02-12 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-02-17 74656]
S3 ufad-ws60;VMware Agent Service; E:\Security\VMware Workstation\vmware-ufad.exe [2007-08-07 186928]
S3 UY;UY; C:\Users\Lester\AppData\Local\Temp\UY.exe []

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-10-05 20:36:48

======Uninstall list======

-->"C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\HP Games\Bookworm Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Bounce Symphony\Uninstall.exe"
-->"C:\Program Files\HP Games\Cake Mania\Uninstall.exe"
-->"C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Crystal Maze\Uninstall.exe"
-->"C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
-->"C:\Program Files\HP Games\Family Feud\Uninstall.exe"
-->"C:\Program Files\HP Games\FATE\Uninstall.exe"
-->"C:\Program Files\HP Games\Final Drive Fury\Uninstall.exe"
-->"C:\Program Files\HP Games\Flip Words\Uninstall.exe"
-->"C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\Lemonade Tycoon 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
-->"C:\Program Files\HP Games\Otto\Uninstall.exe"
-->"C:\Program Files\HP Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\HP Games\Phoenix Assault\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\HP Games\Puzzle Express\Uninstall.exe"
-->"C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"
-->"C:\Program Files\HP Games\Snowboard SuperJam\Uninstall.exe"
-->"C:\Program Files\HP Games\SpongeBob SquarePants Krabby Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\Super Granny\Uninstall.exe"
-->"C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
-->"C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"
-->"C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
32 Bit HP CIO Components Installer-->MsiExec.exe /I{2614F54E-A828-49FA-93BA-45A3F756BFAA}
7-Zip 4.57-->"E:\Utilities\7-Zip\Uninstall.exe"
Acronis True Image Home-->MsiExec.exe /X{D1E0E859-F46D-4708-A41D-ED90C0C1822A}
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
ActiveCheck component for HP Active Support Library-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Allway Sync version 9.2.21-->"E:\Business\Allway Sync\unins000.exe"
AnswerWorks 5.0 English Runtime-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}\setup.exe" -l0x9 -uninst -removeonly
ASAP Utilities-->"E:\Utilities\ASAP Utilities\unins000.exe"
AuctionSieve-->E:\Business\AuctionSieve\Uninstall.exe
AuthenTec Fingerprint Sensor Minimum Install-->MsiExec.exe /I{B61B6668-A674-4A06-8405-51944D5CCDDD}
Avira AntiVir Personal - Free Antivirus-->E:\Security\Avira\AntiVir Desktop\setup.exe /REMOVE
BackupBuddy for Windows-->E:\Palm\BACKUP~1\UNWISE.EXE E:\Palm\BACKUP~1\INSTALL.LOG
Bulk Rename Utility 2, 7, 0, 1-->C:\PROGRA~2\TARMAI~1\{991B1~1\Setup.exe /remove /q0
CCleaner (remove only)-->"E:\SysTools\CCleaner\uninst.exe"
Clipboard Magic 4.01-->"E:\Clipboard Magic401\unins000.exe"
Digital Voice Editor 3-->C:\Program Files\InstallShield Installation Information\{6CCC133E-9A2F-4CAA-8866-75D029CD3AB3}\setup.exe -runfromtemp -l0x0009 UNINSTALL /z -removeonly
Directory Printer 3.6-->E:\Utilities\Dirprint\unins000.exe
EASEUS Partition Master 4.0 Server Edition-->"C:\Program Files\EASEUS\Partition Master 4.0 SE\unins000.exe"
ERUNT 1.1j-->E:\Security\ERUNT\unins000.exe
ESU for Microsoft Vista-->MsiExec.exe /X{1517A7CB-5F00-4A88-8F06-E89B6DB63784}
EXP 5.0-->C:\Windows\uninst.exe -f"e:\other apps\exp50\DeIsL2.isu" -c"e:\other apps\exp50\System\uninst.dll
FastStone Capture 5.3-->E:\Utilities\FastStone Capture53\uninst.exe
FileTouch 2.0-->E:\Utilities\FileTouch\unins000.exe
FinePrint-->C:\Windows\system32\spool\DRIVERS\W32X86\3\fpinst5.exe /uninstall
Foxit Reader-->E:\Business\Foxit Reader\Uninstall.exe
FreeUndelete-->MsiExec.exe /X{A35883BD-9C83-4625-82F3-90F86728C662}
GPSoftware Directory Opus-->"C:\Program Files\InstallShield Installation Information\{556DF27F-5B74-11D5-B876-004005E12EF1}\setup.exe" -runfromtemp -l0x0009 -DentalFloss -removeonly
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hotComm® CL-->C:\PROGRA~1\1stWORKS\HOTCOM~1\UNWISE.EXE C:\PROGRA~1\1stWORKS\HOTCOM~1\CFG\INSTALL.LOG
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Active Support Library 32 bit components-->MsiExec.exe /I{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{11BB336F-0E58-4977-B866-F24FA334616B}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP Help and Support-->MsiExec.exe /I{9061CEF2-51F5-42C9-8A70-9ED351C6597A}
HP Imaging Device Functions 8.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart Essential-->MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B-->C:\Program Files\HP\Digital Imaging\{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}\setup\hpzscr01.exe -datfile hposcr19.dat -onestop -showdisconnect -forcereboot
HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}
HP Quick Launch Buttons 6.20 B1-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 uninst
HP QuickPlay 3.2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Solution Center 8.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Total Care Advisor-->MsiExec.exe /X{F6B29003-A078-4491-AFBE-62EFB6CFFE19}
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guides 0057-->MsiExec.exe /I{DDFD9BA2-8E26-4E49-92AE-882424DAB1BC}
HP Wireless Assistant-->MsiExec.exe /I{D32067CD-7409-4792-BFA0-1469BCD8F0C8}
HPAsset component for HP Active Support Library-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Intel Matrix Storage Manager-->C:\Windows\system32\imsmudlg.exe -uninstall
IrfanView (remove only)-->E:\Graphics\Irfanview\iv_uninstall.exe
K-Lite Codec Pack 3.6.5 Standard-->"E:\Entertainment\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"E:\Security\Malwarebytes Anti-Malware\unins000.exe"
Marketvisionplus-->MsiExec.exe /X{FFFB5061-58FF-4EDE-8512-677EC3E1318C}
MathType 5-->"E:\Other Apps\MathType\Setup.exe" -R
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Motorola SM56 Speakerphone Modem-->rundll32.exe sm56co85.dll,SM56UnInstaller
Mozilla Firefox (3.0.6)-->E:\Communications\Firefox\uninstall\helper.exe
MSCU for Microsoft Vista-->MsiExec.exe /X{3FFB3B34-D639-4384-9AE9-DDE58430D86F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
muvee autoProducer 6.0-->C:\Program Files\InstallShield Installation Information\{0BFC200F-C45D-4271-AF34-4CA969225DEB}\setup.exe -runfromtemp -l0x0009 -removeonly
My HP Games-->"C:\Program Files\HP Games\Uninstall.exe"
Nokia Connectivity Cable Driver-->RUNDLL32.EXE nsesetup.dll,DoNTUninst
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Palm Desktop-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0F44C2-A883-11D1-AD0A-006097D15E2C}\setup.exe" Uninstall
pdfFactory Pro-->C:\Windows\system32\spool\DRIVERS\W32X86\3\fppinst3.exe /uninstall
PDF-Viewer-->"E:\Business\PDF-XChange 4 Pro\PDF-XChange PDF Viewer\PDF Viewer\unins000.exe"
PDF-XChange 4 Pro-->"E:\Business\PDF-XChange 4 Pro\unins000.exe"
PerfectDisk-->MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
POP Peeper-->E:\Communications\PopPeeper\Uninstall.exe
Quicken 2008-->MsiExec.exe /X{E503069C-7681-4AEF-ADBD-131957FE5D6D}
Realtek High Definition Audio Driver-->C:\Program Files\Realtek\Audio\HDA\RtlUpd.exe -r -m -nrg2709
Replay Video Capture-->"C:\Windows\Replay Video Capture\uninstall.exe" "/U:E:\Entertainment\Replay Video Capture\Uninstall\uninstall.xml"
Roxio Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive-->MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9-->MsiExec.exe /I{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}
Sandboxie 3.36-->"C:\Windows\Installer\SandboxieInstall.exe" /remove
Sony Ericsson Device Data-->MsiExec.exe /I{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}
Sony Ericsson Drivers-->MsiExec.exe /I{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}
Sony Ericsson PC Suite-->C:\Windows\Installer\{D6BF6477-8369-489F-8DE6-3731F4B88560}\Setup.exe /uninstall
Sony Ericsson PC Suite-->MsiExec.exe /I{25BEC3AB-5CD4-481D-9143-215C1BBB189E}
SpywareBlaster 4.2-->"E:\Security\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Professional-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
thinkorswim-->E:\Finance\thinkorswim\uninstall.exe
ThumbsPlus version 5.01-R-->E:\Graphics\THUMBS~1\UNWISE.EXE E:\Graphics\THUMBS~1\INSTALL.LOG
Traderplus-->MsiExec.exe /X{D213C6B1-79C1-4561-A2B8-CB1D3A168092}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VeriSoft Access Manager-->rundll32.exe "c:\Program Files\Bioscrypt\VeriSoft\Bin\SetupHelper.dll",ExecMain /Uninstall {0ABA40AF-288D-41F1-B735-C5155692CD7D}
VideoLAN VLC media player 0.8.6d-->E:\Entertainment\VLC\uninstall.exe
VMware Workstation-->MsiExec.exe /I{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}
WMatch Version 2.1-->E:\Utilities\WMatch\unins000.exe

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.gpsoft.com.au
127.0.0.1 www.gpsoft.com
127.0.0.1 www.zabkat.com
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]

======Security center information======

AS: AVG Anti-Spyware (disabled) (outdated)
AS: Windows Defender
AS: SUPERAntiSpyware

======System event log======

Computer Name: HomeLW-HPLT
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB969897(Security Update) into Staged(Staged) state
Record Number: 106696
Source Name: Microsoft-Windows-Servicing
Time Written: 20090612211812.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HomeLW-HPLT
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB969897(Security Update) into Install Requested(Install Requested) state
Record Number: 106681
Source Name: Microsoft-Windows-Servicing
Time Written: 20090612211812.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HomeLW-HPLT
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB969897(Security Update) into Install Requested(Install Requested) state
Record Number: 106679
Source Name: Microsoft-Windows-Servicing
Time Written: 20090612211812.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HomeLW-HPLT
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB969897(Security Update) into Install Requested(Install Requested) state
Record Number: 106675
Source Name: Microsoft-Windows-Servicing
Time Written: 20090612211812.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HomeLW-HPLT
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB969897(Security Update) into Install Requested(Install Requested) state
Record Number: 106669
Source Name: Microsoft-Windows-Servicing
Time Written: 20090612211812.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: HomeLW-HPLT
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3679741911-215977776-1854041364-1000:
Process 968 (\Device\HarddiskVolume1\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3679741911-215977776-1854041364-1000

Record Number: 31409
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080430042513.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HomeLW-HPLT
Event Code: 4621
Message: The COM+ Event System could not remove the EventSystem.EventSubscription object {44762824-7786-43D0-BB16-BD1F595F2BDE}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The HRESULT was 80070005.
Record Number: 31407
Source Name: Microsoft-Windows-EventSystem
Time Written: 20080430042511.000000-000
Event Type: Error
User:

Computer Name: HomeLW-HPLT
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3679741911-215977776-1854041364-1000_Classes:
Process 968 (\Device\HarddiskVolume1\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3679741911-215977776-1854041364-1000_CLASSES

Record Number: 31264
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080429045349.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HomeLW-HPLT
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3679741911-215977776-1854041364-1000:
Process 968 (\Device\HarddiskVolume1\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3679741911-215977776-1854041364-1000

Record Number: 31263
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080429045348.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: HomeLW-HPLT
Event Code: 4621
Message: The COM+ Event System could not remove the EventSystem.EventSubscription object {44762824-7786-43D0-BB16-BD1F595F2BDE}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The HRESULT was 80070005.
Record Number: 31260
Source Name: Microsoft-Windows-EventSystem
Time Written: 20080429045345.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: HomeLW-HPLT
Event Code: 4688
Message: A new process has been created.

Subject:
Security ID: S-1-5-18
Account Name: HOMELW-HPLT$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Process Information:
New Process ID: 0xe68
New Process Name: C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x384

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Record Number: 40665
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090502153803.930488-000
Event Type: Audit Success
User:

Computer Name: HomeLW-HPLT
Event Code: 4688
Message: A new process has been created.

Subject:
Security ID: S-1-5-21-3679741911-215977776-1854041364-1006
Account Name: User 1
Account Domain: HomeLW-HPLT
Logon ID: 0x564fb2

Process Information:
New Process ID: 0xba4
New Process Name: C:\Program Files\Windows Media Player\wmpnscfg.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0x130c

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Record Number: 40664
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090502153803.244088-000
Event Type: Audit Success
User:

Computer Name: HomeLW-HPLT
Event Code: 4689
Message: A process has exited.

Subject:
Security ID: S-1-5-21-3679741911-215977776-1854041364-1006
Account Name: User 1
Account Domain: HomeLW-HPLT
Logon ID: 0x564fb2

Process Information:
Process ID: 0x11f8
Process Name: C:\WINDOWS\System32\rundll32.exe
Exit Status: 0x0
Record Number: 40663
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090502153803.150488-000
Event Type: Audit Success
User:

Computer Name: HomeLW-HPLT
Event Code: 4689
Message: A process has exited.

Subject:
Security ID: S-1-5-21-3679741911-215977776-1854041364-1006
Account Name: User 1
Account Domain: HomeLW-HPLT
Logon ID: 0x564fb2

Process Information:
Process ID: 0xf08
Process Name: C:\WINDOWS\System32\dllhost.exe
Exit Status: 0x0
Record Number: 40662
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090502153802.760488-000
Event Type: Audit Success
User:

Computer Name: HomeLW-HPLT
Event Code: 4689
Message: A process has exited.

Subject:
Security ID: S-1-5-21-3679741911-215977776-1854041364-1006
Account Name: User 1
Account Domain: HomeLW-HPLT
Logon ID: 0x564fb2

Process Information:
Process ID: 0xa1c
Process Name: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
Exit Status: 0x0
Record Number: 40661
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090502153801.793288-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared;c:\Program Files\Bioscrypt\VeriSoft\bin;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Common Files\Acronis\SnapAPI
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PLATFORM"=MCD
"PCBRAND"=Pavilion
"OnlineServices"=Online Services
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"USERPART"=E:

-----------------EOF-----------------


Let me know what to do next.

thanks,
Les
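The service listing in the DDS log above contains several S3 entries whose image path is under a user's Temp folder and whose file date and size fields are empty. As an added example that is not part of the original post or of the DDS tool, the script below parses lines in that format and flags entries matching two rules (binary in a temporary directory, no file metadata recorded). The sample lines are constructed to mirror the log's format, and the rules are assumptions about what deserves a second look, not a verdict on any service.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format DDS uses for its service listing:
# "<start type> <name>;<display name>; <image path> [<file date> <size>]".
SAMPLE_DDS_SERVICES = r"""
R2 SbieSvc;Sandboxie Service; E:\Other Apps\Sandboxie\SbieSvc.exe [2009-04-13 53760]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 IACMZOZL;IACMZOZL; C:\Users\Lester\AppData\Local\Temp\IACMZOZL.exe []
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 UY;UY; C:\Users\Lester\AppData\Local\Temp\UY.exe []
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"            # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s*"                 # image path may contain spaces
    r"\[(?P<meta>[^\]]*)\]\s*$"         # "[YYYY-MM-DD size]" or "[]" when nothing was read
)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    file_date: Optional[str]
    file_size: Optional[int]


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse DDS-style service lines; lines that do not match the format are skipped."""
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        meta = m.group("meta").split()
        entries.append(ServiceEntry(
            start=m.group("start"),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            path=m.group("path").strip(),
            file_date=meta[0] if len(meta) >= 1 else None,
            file_size=int(meta[1]) if len(meta) >= 2 else None,
        ))
    return entries


# Assumed triage rule: a service binary has no business living in a temp directory.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


def triage_services(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for entries worth a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        low = e.path.lower()
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("image path is in a temporary directory")
        if e.file_date is None and e.file_size is None:
            reasons.append("no file date/size recorded (file missing or unreadable when the log was taken)")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_services(parse_dds_services(SAMPLE_DDS_SERVICES)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

An empty `[]` on its own only means the file could not be stat'ed when the log was taken; it is the combination with a Temp-folder path that makes an entry worth checking against the registry key under `HKLM\System\CurrentControlSet\Services\<name>`.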

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:30 AM

Posted 06 October 2009 - 11:34 AM

Hi,

O1 - Hosts: 255.255.255.255 hcurltest5
O1 - Hosts: 255.255.255.255 vnsjs1.1stworks.com
O1 - Hosts: 74.208.77.54 hcurltest1
O1 - Hosts: 82.165.161.232 hcurltest2


Did you set these entries in the hosts file? How is your system running?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#13 dal9796

dal9796
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:30 AM

Posted 06 October 2009 - 06:00 PM

Glad you asked. These 4 entries were at the end of the hosts file. I use the MVPS HOSTS file as the starting point and made a few small changes of my own. However, these 4 entries were not added by me. Are they dangerous?

#14 dal9796

dal9796
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:30 AM

Posted 06 October 2009 - 06:02 PM

Oh, I forgot to answer the question re my system. I never really noticed anything wrong with my system except for the initial problem with the Cliccker.cn virus which was redirecting my Google search results. This was fixed by MBAM, but then it reported the TDSS rootkit. So I just wanted to make sure everything was clean.

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:30 AM

Posted 07 October 2009 - 10:54 AM

Hi,


I can't find anything about these entries, so it would be better to set the hosts file back.

Step 1

Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Step 2

Delete ComboFix and Clean Up
Click Start > Run > type combo-fix /u > OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.

Step 3
  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :(

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.

  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.

  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.

  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites

  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.

  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.

  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.

  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.

  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Make Internet Explorer 7 more secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.



Follow this list and your potential for being infected again will reduce dramatically.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
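A way to verify that the six Custom Level changes schrauber lists above actually took effect on the machine, as an added PowerShell audit script that is not part of the post. It assumes the per-user Internet zone settings live under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 = Internet), that the action ids 1001, 1004, 1201, 1607, 1800 and 1804 are the ones Microsoft documents in KB 182569 for these dialog labels, and that the data values are 0 = Enable, 1 = Prompt, 3 = Disable. The function name Test-InternetZone and the -Apply switch are this example's own.

```powershell
# Added example, not from the BleepingComputer post: audit the Internet zone
# settings recommended in the thread against the live registry.
# Assumptions: zone path, action ids and value meanings as in Microsoft KB 182569.
param(
    [switch]$Apply   # without -Apply the script only reports drift, it changes nothing
)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Dialog label from the Custom Level sheet -> registry action id -> recommended value.
$Recommended = @(
    @{ Id = '1001'; Label = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Id = '1004'; Label = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Id = '1201'; Label = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Id = '1800'; Label = 'Installation of desktop items';                             Want = 1 }
    @{ Id = '1804'; Label = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Id = '1607'; Label = 'Navigate sub-frames across different domains';              Want = 1 }
)

$Names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    # Returns the DWORD for one action id, or $null when the value is absent
    # (absent means Internet Explorer falls back to the zone template default).
    param([string]$Id)
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Test-InternetZone {
    # One row per recommended setting: what is set now, what the post recommends,
    # and whether they agree.
    $rows = @()
    foreach ($s in $Recommended) {
        $have = Get-ZoneSetting -Id $s.Id
        $haveName = if ($null -eq $have) { '(not set, template default)' }
                    elseif ($Names.ContainsKey($have)) { $Names[$have] }
                    else { "unknown value $have" }
        $rows += [pscustomobject]@{
            Setting     = $s.Label
            Id          = $s.Id
            Current     = $haveName
            Recommended = $Names[$s.Want]
            Compliant   = ($have -eq $s.Want)
        }
    }
    return $rows
}

$results = Test-InternetZone
$results | Format-Table Setting, Current, Recommended, Compliant -AutoSize

$bad = @($results | Where-Object { -not $_.Compliant })
if ($bad.Count -eq 0) {
    Write-Host 'All six settings already match the recommendation.'
} elseif ($Apply) {
    foreach ($row in $bad) {
        $s = $Recommended | Where-Object { $_.Id -eq $row.Id }
        # Same DWORD the Custom Level dialog writes when you pick Prompt/Disable.
        Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
        Write-Host "Set '$($s.Label)' -> $($Names[$s.Want])"
    }
} else {
    Write-Host "$($bad.Count) setting(s) differ from the recommendation; rerun with -Apply to write them."
}
```

Run it without switches first to see the drift table; only then rerun with -Apply. One caveat a practitioner should keep in mind: if Group Policy has forced the zone settings (the HKLM copy of the same key takes precedence when the Security_HKLM_only policy is in force), the HKCU values this script reads and writes are ignored by Internet Explorer, so a "compliant" report from HKCU does not by itself prove the effective configuration.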